
I've created a login script using PHP and I use a MySQL database to store user data. Everything was working fine until one of my friends (whose account was also created in the database, like mine) called me and said that my profile had automatically loaded on his phone. How can this even be possible, as my session data, or anyone's session, cannot be created without filling in the login form with their respective credentials?!

Help me with this! This is a major loophole in the security of user data: how could it be accessible from someone else's phone without their consent?!

Session creation through login.php

session_start();
if (isset($_POST['email']) and isset($_POST['password'])){
    $email = $_POST['email'];
    $password = $_POST['password'];
    $query = "SELECT * FROM `users` WHERE email='$email' and password='$password'";
    $result = mysql_query($query) or die(mysql_error());
    if(mysql_num_rows($result) > 0){
        $_SESSION['email'] = $email;
        $_SESSION['id'] = $id; // $id is never assigned anywhere in this script
        echo "You are logged in.";
        header("Location: index.php?log=success");
        unset($_POST);
    }
    else{
        echo " Something went wrong ";
    }
}


You're assigning $_SESSION['id'] the value of $id, yet nowhere in your code do you specify what the value of $id is. This is what's causing your sessions to mix up, as everyone is being given the same ID of null.

Get the actual User ID from the database and use that value within $_SESSION['id'] and your problem is fixed. See below for an example:

/* Start the session */
session_start();

/* Check if the user has submitted the login form $_POST */
if (isset($_POST['email']) and isset($_POST['password'])){

    /* Get the values of $_POST */
    $email = $_POST['email'];
    $password = $_POST['password'];

    /* Create the SQL query - Note: you should use bindings to prevent SQL injection */
    $query = "SELECT * FROM `users` WHERE email='$email' and password='$password'";

    /* Get the MySQL result (note: the mysql_* extension was removed in PHP 7; use mysqli or PDO there) */
    $result = mysql_query($query) or die(mysql_error());

    /* Check if the user was found */
    if(mysql_num_rows($result) > 0){

        /* Get the User ID from the database */
        while($row = mysql_fetch_assoc($result)){
            $id = $row['THE NAME OF YOUR ID COLUMN']; // replace with the name of your ID column in your DB
        }

        /* Set the session values */
        $_SESSION['email'] = $email;
        $_SESSION['id'] = $id;

        /* Unset POSTS */
        unset($_POST);

        /* Redirect to index.php. header() must be sent before any output, so do not
           echo a message before it; stop the script once the redirect is sent. */
        header("Location: index.php?log=success");
        exit;

    } else {
        /* Show login error message */
        echo " Something went wrong ";
    }
}

Also, your code is currently susceptible to SQL injection attacks. To prevent such attacks I would advise you to bind your parameters to your SQL query rather than inputting them directly. (SQL Injection Info)

I'd recommend completely altering the focus of your answer to be primarily about the security implications; as-is, it's mentioned in a sort of "afterthought" mode. – random_user_name May 21 '19 at 16:38
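A hardened version of the login discussed in the answer above, as an added example that is neither the asker's nor the answerer's code: it stores the real user id from the fetched row so no two sessions share a null id, uses a PDO prepared statement instead of splicing the email into the query, and checks the password with password_verify() against a stored hash instead of comparing a plaintext password in SQL. Assumed (not from the page): a `users` table with `id`, `email` and `password_hash` columns, and placeholder PDO DSN and credentials.

```php
<?php
// Added example, not the original post's code. Assumes a `users` table with
// columns `id`, `email` and `password_hash` (output of password_hash()); the
// DSN and database credentials below are placeholders.
session_start();

// Returns true only when the email exists and the password matches its hash.
// Any failure returns false, so no session is ever created with an unset id.
function login(PDO $db, string $email, string $password): bool
{
    // Prepared statement: the email travels as a bound parameter, never as
    // part of the SQL text, which removes the injection hole of the original.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown email and wrong password take the same path, so the response
    // does not reveal which accounts exist.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // Issue a fresh session id on login (prevents session fixation), then store
    // the real row id: this is the value the original script never assigned.
    session_regenerate_id(true);
    $_SESSION['id'] = (int) $row['id'];
    $_SESSION['email'] = $email;
    return true;
}

if (isset($_POST['email'], $_POST['password'])) {
    // Placeholder connection details; real native prepares, exceptions on error.
    $db = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);

    if (login($db, $_POST['email'], $_POST['password'])) {
        // Redirect before producing any output: an echo before header() would
        // cause "headers already sent" and the redirect would not happen.
        header('Location: index.php?log=success');
        exit;
    }
    echo 'Invalid email or password.';
}
```

index.php should then treat a missing or non-integer $_SESSION['id'] as "not logged in" rather than looking up a profile with it, since a null id is exactly what let every visitor land on the same profile.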