
Session variables not working? (PHP)

I am having an issue with 2 files: login_config.php and profile.php.

  • login_config.php consists of a log in system, which sets $_SESSION['key'] true upon the completion of several forms of authentication.
  • profile.php is the page the user is redirected to after success.

I want data on profile.php to only be accessible with $_SESSION['key'] set (upon successful login).

My question: What is incorrect with my code? Furthermore, why am I presented with the error upon login submission that is only supposed to return if $_SESSION['key'] is false/not set, as opposed to the targeted profile.php page?

CODE: (login_config.php)

<?php

// POST VARIABLES
$submit = $_POST['login_submit'];
$username = $_POST['login_username'];
$password = $_POST['login_password'];
$email = $_POST['login_email'];

require 'password_config.php';

if(isset($submit)){

    require 'db/connect.php';

    // PASSWORD VERIFYING
    $pass_query = "SELECT password FROM users WHERE email='$email'";
    $queried = mysql_query($pass_query);
    while($row = mysql_fetch_array($queried)){
        $user_pass = $row['password'];
        $veri_password = password_verify($password, $user_pass);
    }
    if(!$veri_password === true){$errors[] = '-Account does not exist ';}

    // CHECKING NUM ROWS
    $sql = "SELECT id, username FROM users WHERE password='$user_pass' AND email='$email'";
    $entered_user = mysql_query($sql);
    $num_rows = mysql_num_rows($entered_user);


    // ERRS ARRAY ESTABLISHED
    $errors = array();

    // FURTHER VERIFYING
    if( empty($password) || empty($email) )
    {
        $errors[] = 'Please do not leave fields empty';
    }
    elseif( $num_rows != 1 )
    {
        $errors[] = '-Account does not exist ';
    }
    elseif( $num_rows == 1 )
    {
        session_start();
        $_SESSION['key'] === true;

        while($row = mysql_fetch_array($entered_user)){
            $_SESSION['id'] = $row['id'];
            $_SESSION['email'] = $email;
            $_SESSION['user'] = $row['username'];
            $_SESSION['pass'] = $password;
            header('Location: profile.php');
            exit();
        }

    }
}   

CODE: (profile.php)

<?php

session_start();

if($_SESSION['key'] !== true){
    die ("please <a href='login.php'>log in</a> to view this page");
}
?>
<html>
<head>
    <title>Profile</title>
    <link href='css/main.css' rel='stylesheet' />
</head>
<body>
    <div id='container'>
        <?php require 'include/header.php'; ?>
        <?= 'NJM ID # ==>'.$_SESSION['id'].'<br />'.'Username ==>'.$_SESSION['user'].'<br/>'.'Password ==>'.$_SESSION['pass'].'<br/>'.'<br />' ?>
        <a href='logout.php'>Log out!</a>
        <br />
        -OR-
        <br />
        <p>Try our beta mode<a href='forum.php'> forum</a></p>
        <?php require 'include/footer.php'; ?>
    </div>
</body>
</html>

Note: I am aware I am vulnerable to SQL attacks at the current state of code, I will be fixing this later, also I am stuck with the deprecated version of MySQL.

In profile.php you have to call session_start(); before using $_SESSION. session_start() doesn't just start a new session, but will also continue an existing session (it will 'start' the session handling functionality, if you will). Without calling it, you cannot use $_SESSION.

1st: I would use ternary operators for checking the existence of the values I need, for avoiding the "undefined index 'login_username'" error. Like this:

$username = isset($_POST['login_username']) ? $_POST['login_username'] : '';
$password = isset($_POST['login_password']) ? $_POST['login_password'] : '';
$email = isset($_POST['login_email']) ? $_POST['login_email'] : '';

2nd: I would use PDO for connecting with the MySQL server, for security reasons, and not only.

session_start();

if (isset($submit)){
    // $db is assumed to be an already connected PDO instance
    // select all data from db for the current user
    $stmt = $db->prepare('SELECT * FROM users WHERE email=?');
    $stmt->execute([$email]);
    // fetch the matching rows so they can be counted
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if(count($rows) == 1){
        $row = $rows[0];
        // 'password' is the column name used in the question's users table
        if(password_verify($password, $row['password'])){
            $_SESSION['key'] = true; // notice the '=', and not '==='
            $_SESSION['id'] = $row['id'];
            $_SESSION['email'] = $row['email'];
            $_SESSION['user'] = $row['username'];
            $_SESSION['pass'] = $row['password'];
            header('Location: profile.php');
        } else {
            echo 'Error!';
        }
    }
}
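
Added example, not part of the original question or answers: a self-contained version of the login check and the profile.php guard that binds the e-mail as a parameter, regenerates the session ID on login and keeps the password out of the session. It assumes PHP 7+ with the PDO SQLite driver; attempt_login(), is_logged_in(), the in-memory users table and the sample account are constructed for illustration.

```php
<?php
// Added example: hardened version of the login flow discussed on this page.
// Assumptions: PDO with the SQLite driver, a constructed in-memory `users`
// table and account; attempt_login()/is_logged_in() are hypothetical helpers.

function attempt_login(PDO $db, string $email, string $password): bool
{
    // Prepared statement: $email is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // fetch() returns false when no row matches; treat both failures alike.
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }

    // Issue a new session ID after authentication (session fixation defence).
    session_regenerate_id(true);

    $_SESSION['key']  = true;             // assignment (=), not comparison (===)
    $_SESSION['id']   = (int) $row['id'];
    $_SESSION['user'] = $row['username'];
    // Neither the plaintext password nor its hash is stored in the session.
    return true;
}

function is_logged_in(): bool
{
    // Guard for profile.php: safe even when 'key' was never set.
    return isset($_SESSION['key']) && $_SESSION['key'] === true;
}

// --- constructed demo data ---
session_start();                           // must run before any output
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)');
$db->prepare('INSERT INTO users (username, email, password) VALUES (?, ?, ?)')
   ->execute(['alice', 'alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

$results = [
    'wrong password'        => attempt_login($db, 'alice@example.test', 'guess'),
    'guard after failure'   => is_logged_in(),
    'unknown e-mail, quote' => attempt_login($db, "o'neil@example.test", 'x'),
    'right password'        => attempt_login($db, 'alice@example.test', 'correct horse'),
    'guard after success'   => is_logged_in(),
];
var_dump($results);
```

In a real page, the success branch would send header('Location: profile.php') followed by exit, and profile.php would call session_start() and then is_logged_in() before rendering anything.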

I would try first to remove the exit() call after you have headered to the next PHP page. It isn't necessary as you have no code below it and it might be affecting the session (I don't think so though)

If this doesn't work (probably won't) add to profile.php after you have started the session var_dump($_SESSION) and have a look/post its contents.

I have fixed this by assigning the $_SESSION['key'] a variable with a value.

$_SESSION['key'] = $check = 'check';

Then to test this in profile.php, I have entered the following code:

if(!isset($_SESSION['key'])){die ('example');}
