I have searched the forum and Google but there was nothing that would give me a clue what's wrong with my code. I'm just starting PHP and I'm trying a few things. :)
I have a page with login. Logging in works wonderfully, storing sessions with username does too. However, each user also has a user group assigned (stored in database), so I can control what the users can access.
I'm getting the group value from the DB and into the session name. When I (admin) log in, the session is set correctly to 'admin' right after. However, on the next page and upon refresh, the session changed to 'user'. Any ideas what is causing this?
index.php
<?php include("includes/header.php"); ?>
<form name="login" method="post" action="login.php">
<table width="35%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td width="300" align="right">Username:</td>
<td width="200"><input name="username" type="text" id="username" size="20"></td>
</tr>
<tr><td align="right">Password:</td>
<td width="294"><input name="password" type="password" id="password" size="20"></td>
</tr>
</table>
<br />
<input type="submit" name="Submit" value="Login"> <input type="reset" name="reset" value="Reset">
</form>
<?php include("includes/footer.php"); ?>
login.php
<?php
include("includes/config.php"); // file with database info, password, etc.
$tbl_name = 'user';
/* data from login form */
$myusername = $_POST['username'];
$mypassword = $_POST['password'];
/* pass is encrypted */
$encrypted_mypassword = md5($mypassword);
/* for mysql injection */
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
/* mysql query */
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$encrypted_mypassword'";
$result=mysql_query($sql);
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
$row = mysql_fetch_array($result);
$mygroup = $row['group'];
/* If ok, set sessions */
if ($count == 1){
session_start();
$_SESSION['username'] = $myusername;
$_SESSION['group'] = $mygroup;
//echo $_SESSION['group']; -> gives me the right group
header("Location: start.php");
}
else {
echo "Wrong Username or Password";
}?>
start.php
<?php
session_start(); // start session
if(isset($_SESSION['username']) && isset($_SESSION['group'])) {
$loggedin = "Already logged in as <b>".$_SESSION['username'] . "</b> (" . $_SESSION['group'] . "). <a href='logout.php'>Logout.</a>";
}
else {
header( "Location: index.php" );
exit; // stop here so the rest of the page does not run for visitors who are not logged in
}
/* if user belongs to 'user group', has restricted access */
if ($_SESSION['group'] = "user") {
$menu = "<ul><li><a href='start.php'>Start</a></li><li><a href='menu1.php'>Menu 1</a></li><li><a href='menu2.php'>Menu 2</a></li></ul>";
}
/* if they are admin, they have all access */
else {
$menu = "<ul><li><a href='start.php'>Start</a></li><li><a href='menu1.php'>Menu 1</a></li><li><a href='menu2.php'>Menu 2</a></li><li><a href='restricted1.php'>Restricted 1</a></li><li><a href='restricted2.php'>Restricted 2</a></li></ul>";
}
include("includes/header.php"); // header, HTML + $loggedin announcement
?>
<h2>Startpage</h2>
<?php echo $_SESSION['group']; // if logging in as admin, it gives me 'user' ?>
<?php include("includes/footer.php"); ?>
Any help greatly appreciated!
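The group check in start.php uses a single `=`, which assigns rather than compares. The following added example (not part of the original post) runs that check beside a strict comparison on constructed sessions; the function names and sample users are assumptions made for illustration.

```php
<?php
// Added example, not the poster's code. Plain arrays stand in for $_SESSION
// so the script runs from the command line (php example.php).

// The check as written in start.php: "=" assigns "user" to the session and
// the assigned value (a non-empty string) is then evaluated as true.
function menu_as_posted(array &$session): string
{
    if ($session['group'] = "user") {
        return 'restricted';
    }
    return 'full';
}

// Corrected check: strict comparison that does not write to the session.
// Only an exact 'admin' gets the full menu; a missing or unknown group
// falls back to the restricted one.
function menu_fixed(array $session): string
{
    $group = $session['group'] ?? '';
    return $group === 'admin' ? 'full' : 'restricted';
}

// Constructed sessions, shaped like the ones login.php creates.
$samples = [
    ['username' => 'alice', 'group' => 'admin'],
    ['username' => 'bob',   'group' => 'user'],
    ['username' => 'carol'],                      // group never set
];

foreach ($samples as $original) {
    $before = $original['group'] ?? '(unset)';

    $fixedMenu = menu_fixed($original);

    $copy = $original;
    $postedMenu = menu_as_posted($copy);          // modifies $copy

    printf(
        "%-6s group=%-7s fixed: %-10s | as posted: %-10s, session group is now '%s'\n",
        $original['username'], $before, $fixedMenu, $postedMenu, $copy['group']
    );
}
```

The same typo written against 'admin' would store 'admin' in every visitor's session, so authorization checks should compare with `===` and never write to the session.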