Can somebody explain to me where I’m going wrong with this login setup? I’ve outlined the process below and included the code I am using. Everything works except for the fact that session variables never seem to get set.

The page I am forwarding them to dumps out the session variables onto the page, except by the time you get to the next page, the session variable doesn’t seem to exist. If I actually return the $_SESSION variable as part of the json response to the AJAX call, it returns the proper values, but as soon as the page changes, the values seem to go away.

Process:

1. Login Form Submitted

2. AJAX call made to login.php

3. login.php checks username and password against the database.
   If the user is found, sets $_SESSION variables for the session,
   runs some other SQL and returns success, if not returns the appropriate error.

4. AJAX function receives result from login.php, if success forwards user to
   customer page, if not shows error from result.

Actual Code:

jQuery AJAX call made by login form:

$("#login_form_header").submit(function(event){

    event.preventDefault();

    $.ajax({
        url: 'xhr/login.php',
        data: $(this).serialize(),
        type: 'post',
        dataType: 'json',
        success: function(result){
            if (result.success){
                window.location = "logged.php";
                return false;
            };
        },
        error: function(e){console.log("Could not retrieve login information")}
    });

    return false;
});

Login.php:

<?PHP   

# Start the user session
if(!isset($_SESSION)) {
    session_start();
};

# Make sure form data was passed to the script
IF (isset($_POST['username']) && isset($_POST['password'])){

    # Connect to the database
    REQUIRE('../../../../db_oystrr.php');

    # Define variables
    $given_username = $_POST['username'];
    $given_password = $_POST['password'];
    $given_username = stripslashes($given_username);
    $given_password = stripslashes($given_password);
    $given_username = mysql_real_escape_string($given_username);
    $given_password = mysql_real_escape_string($given_password);
    $matched_username = "";
    $matched_password = "";


    # See if there is matching info in the database
    $sql = 'SELECT username, pass FROM users WHERE username="'.$given_username.'"';
    $result = mysql_query($sql);
    while($row = mysql_fetch_assoc($result)){
        $pass_hash = *********;
        if ($pass_hash == $row['pass']){
            $matched_username = $row['username'];
            $matched_password = $row['pass'];
        };
    };


    # If there was a match
    IF ($matched_username != "" && $matched_password != ""){

        # If there is only one result returned
        $session_sql = 'SELECT * FROM users WHERE username="'.$matched_username.'" AND pass="'.$matched_password.'";';
        $session_result = mysql_query($session_sql);
        $returned_row = mysql_fetch_assoc($session_result);
        $user_check = mysql_num_rows($returned_row);

        IF(count($user_check) > 0  &&  count($user_check) < 2){

            # Set our session values
            $_SESSION['id'] = $returned_row['id'];
            $_SESSION['last_login'] = $returned_row['last_login'];
            $_SESSION['username'] = $returned_row['username'];
            $_SESSION['signup_date'] = $returned_row['signup_date']; 

            session_write_close();

            # Set users last login date and time and re-hash their password to this login
            $this_login = **********;
            $hashed_password = **********;
            $update_sql = '************';
            mysql_query($update_sql);

            echo json_encode(array("success"=>"user logged in", "session"=>$_SESSION));
        }ELSE 
            echo json_encode(array("error"=>"More than one user with the same information.  What did you do?!"));
    }ELSE
        echo json_encode(array("error"=>"Invalid login provided."));
}ELSE
    echo json_encode(array("error"=>"You must enter a username and Password."))

?>