I am trying to set sessions using PHP in my login script although it doesn’t seem to be setting any sessions. I’m setting all sessions to be written to the path ‘/’. I am using AJAX to log in.
Start_secure_session function:
function start_secure_session() {
$session_name = "CodeCluster";
$http_only = true;
$https = false;
ini_set("session.use_only_cookies", 1);
$cookie_parameters = session_get_cookie_params();
session_set_cookie_params($cookie_parameters['lifetime'], "/", $cookie_parameters['domain'], $https, $http_only);
session_name($session_name);
session_start();
session_regenerate_id(true);
}
Login Function :
function login($email, $password, $database) {
try {
$query = $database -> prepare("SELECT id, email, password, salt, activated FROM members WHERE email = :email LIMIT 1");
$query -> execute(
array(
"email" => $email
)
);
$info = $query -> fetch();
if(strlen($info[0]) > 0) {
if(account_is_locked($info['id'], $database)) {
echo "<response>Your account is locked, please try again in two hours!</response>";
exit();
} else {
if($info['activated'] == 1) {
$password = hash('sha512', $password.$info['salt']);
if($password === $info['password']) {
$_SESSION['cc_id'] = $info['id'];
$_SESSION['cc_email'] = $info['email'];
$_SESSION['cc_login_string'] = hash('sha512', $password.$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
$last_login = time();
$query = $database -> prepare("UPDATE members SET last_login = :last_login WHERE id = :id LIMIT 1");
$query -> execute(
array(
"last_login" => $last_login,
"id" => $info['id']
)
);
return true;
exit();
} else {
$query = $database -> prepare("INSERT INTO login_attempts(user_id, ip_address, attempt_time) VALUES (:id, :ip, :time)");
$query -> execute(
array(
"id" => $info['id'],
"ip" => $_SERVER['REMOTE_ADDR'],
"time" => time()
)
);
echo "<response>Email or password is incorrect! Please check your credentials!</response>";
exit();
}
} else {
echo "<response>Please activate your account! You should have received an email with an activation link!</response>";
exit();
}
}
} else {
echo "<response>Account with those details does not exist!</response>";
exit();
}
} catch(PDOException $e) {
echo "<response>We could not log you in; A report of the error has been sent to tech support!</response>";
mail("codecluster.official@gmail.com", "CodeCluster Login Error", "Login Error; Timestamp @ " . time() . " ; IP Address : " . $_SERVER['REMOTE_ADDR'] . " ;\r\n" . $e);
exit();
}
}
is_user_logged_in function :
function is_user_logged_in($database) {
if(isset($_SESSION['cc_id'], $_SESSION['cc_email'], $_SESSION['cc_login_string'])) {
try {
foreach ($_SESSION as $session) {
strip_tags($session);
}
$query = $database -> prepare("SELECT password FROM members WHERE id = :id AND email = :email LIMIT 1");
$query -> execute(
array(
"id" => $_SESSION['cc_id'],
"email" => $_SESSION['cc_email']
)
);
if(strlen($query -> fetch()) > 0) {
$password = $query -> fetch();
$password = hash("sha512", $password.$_SERVER['REMOTE_ADDR'].$_SERVER['HTTP_USER_AGENT']);
if($password == $_SESSION['cc_login_string']) {
return true;
} else {
return false;
}
} else {
return false;
}
} catch(PDOException $e) {
mail("codecluster.official@gmail.com", "Code-Cluster Error", "Error occured whilst checking users logged in status; Timestamp @ ". time() . " ; \r\n" . $e);
return false;
exit();
}
} else {
return false;
}
}
When I do if(is_user_logged_in($database)) {header("Location: home.php"); exit();} it does not redirect me. I have tested and it seems that the script can’t find the sessions which lead me to believe that they’re null.
Is there any reason why this is acting like this?
EDIT: I just did a var_dump on $_SESSION on the index.php and it printed out :
array(3) { [“cc_id”]=> string(1) “6” [“cc_email”]=> string(24) “toxiclogic@hotmail.co.uk” [“cc_login_string”]=> string(128) “This is redacted because it is a hashed password” }
EDIT: This is not being resolved by the ‘Headers being sent’ question.
Do not output anything before using
header()andsession_start().Check for whitespaces as well.
Encode your files into
UTF-8 without BOM.