Okay, I don't know what mistake I'm making. I've used SESSION variables in the past too without any problem, but it doesn't seem to work this time.
Here is the code from my protected_page.php (the page where the user is redirected after login is successful):
<?php if (login_check($mysqli) == true) : ?>
<p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
<p>
This is an example protected page. To access this page, users
must be logged in. At some stage, we'll also check the role of
the user, so pages will be able to determine the type of user
authorised to access the page.
<br><br>
<a href="add/home.php">Add new user!</a>
</p>
<p>Logout &amp; return to <a href="includes/logout.php">login page</a></p>
<?php else : ?>
<p>
<span class="error">You are not authorized to access this page.</span> Please <a href="includes/logout.php">login</a>.
</p>
<?php endif; ?>
The function login_check() checks whether the user has logged in properly with the right credentials or not. If yes, it returns true.
There is another function, namely login(), which is called during the login process and matches credentials with the entered credentials. If true, it then stores 'username' in the $_SESSION variable.
When I click on "Add new user!" it sends me to the add/home.php page, but there is no $_SESSION variable.
<?php if (login_check($mysqli) == true) : ?>
<p>Welcome <?php echo htmlentities($_SESSION['username']); ?>!</p>
<h1>Add user!</h1>
<?php
if (!empty($error_msg)) {
echo $error_msg;
}
?>
<ul>
<li>Emails must have a valid email format</li>
</ul>
<form action="<?php echo esc_url($_SERVER['PHP_SELF']); ?>"
method="post"
name="registration_form">
Full Name: <input type='text'
name='fullname'
id='fullname' /><br>
Email: <input type="text" name="email" id="email" /><br>
Project Name: <input type="text"
name="project"
id="project"/><br>
Phone Number: <input type="text"
name="phone"
id="phone" /><br>
<input type="submit"
value="Submit" />
</form>
<p>Logout &amp; return to <a href="../includes/logout.php">login page</a></p>
<?php else : echo "7"; ?>
<p>
<span class="error">You are not authorized to access this page.</span> Please <a href="../includes/logout.php">login</a>.
</p>
<?php endif; ?>
It always prints that I don't have enough credentials to view this page.
I have also introduced the sec_session_start() function at the top of both pages (protected_page.php & add/home.php). sec_session_start() is a user-defined custom session-starting function.
function sec_session_start() {
    $session_name = 'sec_session_id'; // Set a custom session name
    $secure = SECURE;
    // This stops JavaScript being able to access the session id.
    $httponly = true;
    // Forces sessions to only use cookies.
    if (ini_set('session.use_only_cookies', 1) === FALSE) {
        header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
        exit();
    }
    // Gets current cookies params.
    $cookieParams = session_get_cookie_params();
    session_set_cookie_params($cookieParams["lifetime"],
        $cookieParams["path"],
        $cookieParams["domain"],
        $secure,
        $httponly);
    // Sets the session name to the one set above.
    session_name($session_name);
    session_start(); // Start the PHP session
    // Regenerates the session ID; the old session is deleted only if true is passed.
    session_regenerate_id();
}
I don't know what I'm doing wrong this time. Must be a silly mistake. Thanks in advance. :)
If you need any further details, do let me know.
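
A hardened variant of the sec_session_start() shown in the post, as an added example that is not part of the original post: it sets the cookie path to `/` explicitly so every directory of the site receives the same session cookie, enables strict mode, and rotates the session ID when the login state changes rather than on every request. SECURE is the post's constant (defined here only so the file runs alone), on_login_success() is a hypothetical helper name, and the array form of session_set_cookie_params() assumes PHP 7.3 or later.

```php
<?php
// Added example, not the poster's code.
// Assumption: SECURE is a boolean that is true when the site is served over HTTPS.
defined('SECURE') || define('SECURE', false);

function sec_session_start(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include on this request
    }
    // Cookies only, and refuse session IDs the server did not issue itself.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_strict_mode', '1');

    session_name('sec_session_id');
    session_set_cookie_params([
        'lifetime' => 0,       // cookie lasts until the browser closes
        'path'     => '/',     // sent to /protected_page.php and /add/home.php alike
        'domain'   => '',      // host-only cookie
        'secure'   => SECURE,  // HTTPS only when SECURE is true
        'httponly' => true,    // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Hypothetical helper: call from login() once the credentials have matched.
function on_login_success(string $username): void
{
    // Rotate the ID at the privilege change (session fixation defence);
    // passing true deletes the old session data.
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
}

// Constructed demo, runs only from the command line.
if (PHP_SAPI === 'cli') {
    sec_session_start();
    $before = session_id();
    on_login_success('alice'); // constructed sample user
    var_dump($before !== session_id(), $_SESSION['username']);
}
```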