0

I'm trying to make a one-page admin panel using case, switch and session.

My code is:

```php
<?php
    if (isset($_SERVER['QUERY_STRING'])) {
        switch ($_SERVER['QUERY_STRING']) {
            case "logout":
                break;
            case "restpassword":
                break;
            // Default Page
            default:
                session_start();
                if (isset($_POST['username']) && isset($_POST['password']) && $_POST['username']) {
                    $username = $_POST['username'];
                    $password = $_POST['password'];
                    $userid = login($username, $password);

                    if ($userid != "0") {
                        //Correct username and password set session & redirect
                        if (isset($_SESSION['user_id'])) {
                            $userid = $_SESSION['user_id'];
                            $username = $_SESSION['username'];
                            echo "Welcome " . $username;
                        }
                        break;
                    } else {
                        $msg = "Incorrect username or password";
                    }
                }
                ?>
                <html>
                    <head>

                    </head>
                    <body>
                        <form method="post">
                            <?php
                                //Print error message
                                if (isset($msg)) {
                                    echo $msg;
                                }
                            ?>
                            <label>Username:</label>
                            <input name="username" type="text" required="true"/>
                            <label>Password :</label>
                            <input name="password" type="password" required="true"/>
                            <input type="submit" name="submit" value="Login" required="true"/>
                        </form>
                    </body>
                </html>
                <?php
                break;
        }
    }
?>
```

The problem is that if I re-enter the page, it does not save any session and I have to log in again.

How should I solve it, and is it secure that way?

Thanks a lot.

Markos
  • Move `session_start()` to the very top of your page, so it is not part of the `switch` code. – mitkosoft May 17 '16 at 10:40
  • From your login link, I'll recommend you pass a variable, like www.login.com?user=access. This way, if $_GET[user] = access, then you can run a login function, do checks and save the session. Then for the logout link, use a different variable that runs your logout function. Hope you get the idea, that is, if you still want to stick to a single page. – Mueyiwa Moses Ikomi May 17 '16 at 10:40
  • Can you give me example code for how to do it? Thanks. – Markos May 17 '16 at 10:53
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard May 17 '16 at 12:36
  • Thanks, do you have an example? – Markos May 17 '16 at 13:40

2 Answers

0

Move session_start() to the very top of your page. The first line after the php opening tag...

Mueyiwa Moses Ikomi
-1

session_start() needs to be added at the very top of the page. I think this will work.
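
An added example (not code from the question or from either answer) of the single-page layout the answers and comments point to: `session_start()` before the `switch`, `password_verify()` against a `password_hash()` hash, and the session variables set on a successful login. The `?action=` parameter, the `find_user()` helper and the `admin` account are assumptions made for illustration.

```php
<?php
// session_start() runs first, outside the switch and before any output,
// so every branch (login, logout, default page) sees the same $_SESSION.
session_start();
// Hypothetical lookup with one constructed account; a real panel would read
// a hash stored in its database (created once with password_hash()).
function find_user(string $username): ?array
{
    $users = ['admin' => ['id' => 1,
        'hash' => password_hash('example-password', PASSWORD_DEFAULT)]];
    return $users[$username] ?? null;
}
$msg = '';
switch ($_GET['action'] ?? '') {        // hypothetical ?action= parameter
    case 'logout':
        $_SESSION = [];                  // clear the data, then the session itself
        session_destroy();
        break;
    default:
        $u = $_POST['username'] ?? null;
        $p = $_POST['password'] ?? null;
        if (is_string($u) && is_string($p)) {
            $user = find_user($u);
            if ($user !== null && password_verify($p, $user['hash'])) {
                session_regenerate_id(true);   // fresh session ID on login
                $_SESSION['user_id'] = $user['id'];
                $_SESSION['username'] = $u;
            } else {
                $msg = 'Incorrect username or password';
            }
        }
        break;
}
?>
<html>
<body>
<?php if (isset($_SESSION['user_id'])): ?>
    <p>Welcome <?= htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8') ?></p>
    <a href="?action=logout">Log out</a>
<?php else: ?>
    <form method="post">
        <?= htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') ?>
        <label>Username:</label> <input name="username" type="text" required>
        <label>Password:</label> <input name="password" type="password" required>
        <input type="submit" value="Login">
    </form>
<?php endif; ?>
</body>
</html>
```

Because the session is started on every request, revisiting the page after a successful login takes the welcome branch instead of showing the form again.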