How to set up a login session through PHP, MySQL and HTML

I’m not sure. Here is a screenshot of the table structure.

I have a password confirmation column so that the user can confirm the password during the registration process.

Yes, it is. I just wondered if you had taken into account that it needs to be that long.

I don’t think there’s any point storing it twice. If you ask the user for it twice during registration, and separately hash it twice, I believe it will give different values even if the passwords are the same.

Okay. I can delete that column if needed. My thought process was that I would need that second password column because during registration, I’m wanting the user to confirm their password before they complete registration. If the passwords they entered matched, then they can see the database. If PHP can take care of that, it makes more sense to delete that column.

In theory you can password_verify() against either of them, but once the user is past the registration process the second one isn’t much use.

Okay… after placing exit() statements after the error messages, all of them are rendering a blank page after the form is submitted. I guess none of my error messages are registering?

Get rid of the password confirm column. If you think about it, it makes no sense at all to have it. The comparison is done in code between the two post variables password and password confirm fields.

I have already deleted the pwdconfirm column from my table.

Have you changed your code to echo the error messages just before you exit? All you do above is assign error messages to variables, you don’t display them.

I’ve added echo statements and all of the errors now appear. However, when I enter real (correct) credentials, this appears:

The password you entered was not valid.

I think it’s the SQL statement in the code:

if(empty($username_err) && empty($password_err)){ 
// Prepare a select statement 
$sql = "SELECT id, username, password FROM admins WHERE username = :username";

Well, add some more echo statements to narrow it down.

That error message appears if the password_verify() call fails, so you need to find out why it might be failing. Presumably you stored the password using password_hash()?

if($stmt->rowCount() == 1){
    if($row = $stmt->fetch()){
        $id = $row["id"];
        $username = $row["username"];
        $hashed_password = $row["password"];
        // password_verify() only works if the stored value came from password_hash()
        if(password_verify($password, $hashed_password)){
            // Password is correct, so start a new session
            session_start();

            // Store data in session variables
            $_SESSION["loggedin"] = true;
            $_SESSION["id"] = $id;
            $_SESSION["username"] = $username;

            // Redirect user to welcome page
            header("location: index.php");
            exit();
        } else{
            // Display an error message if password is not valid
            $password_err = "The password you entered was not valid.";
            echo $password_err;
            exit();
        }
    } // end fetch()
} // end rowCount() == 1
There is a $hashed_password variable in this line of code.

I know there is. The error message you said appeared will appear if your password_verify() returns false, so you need to figure out why it is returning that.

What I was asking was - when you stored the user details in your database table, did you hash the password using password_hash() or have you used some other hashing method, or stored it plain? If you didn’t use password_hash() to store the hashed password, then password_verify() will not work with it.

Or another way - what is in $hashed_password?

It is not being hashed in the database.

Well, that explains why password_verify() is rejecting it then, since that will match the password entered by the user to the hashed password you should be storing.

You need to modify the registration code so that it hashes the password before it stores it.

Also, forgive me for stating the obvious, but once you have added the password_hash() function on your signup page you will need to re-sign up, as all of the existing plain-text password data won’t work.

On your signup page you could use…

$password = password_hash($password, PASSWORD_DEFAULT);

Then when you login password_verify will check that the hash matches your password and authenticate accordingly.
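The registration and login flow described in this thread (confirm the password in code rather than in a second column, store only the password_hash() output, check it with password_verify() at login), as an added, stand-alone example that is not code from the original poster or any replier. It uses an in-memory SQLite database through PDO so it runs offline (it assumes the pdo_sqlite extension is installed); the table and column names (admins: id, username, password) follow the thread, while the function names register_user(), login_user(), start_login_session() and require_login() are my own, not from the original post.

```php
<?php
// Added example, not the original poster's code. Table/column names follow the
// thread; the function names below are invented for this demo.
declare(strict_types=1);

function make_pdo(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // One password column only: it holds the password_hash() output (60+ chars),
    // never the plain text. The confirmation is compared in code, not stored.
    $pdo->exec('CREATE TABLE admins (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL)');
    return $pdo;
}

// Registration: compare the two POSTed fields, then store only the hash.
function register_user(PDO $pdo, string $username, string $password, string $confirm): bool {
    if ($password === '' || !hash_equals($password, $confirm)) {
        return false;               // mismatch is rejected here, in PHP, not in the database
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO admins (username, password) VALUES (:username, :password)');
    $stmt->execute([':username' => $username, ':password' => $hash]);
    return true;
}

// Login: fetch the stored hash by username and let password_verify() compare.
// Returns the user record on success, null on any failure.
function login_user(PDO $pdo, string $username, string $password): ?array {
    $stmt = $pdo->prepare('SELECT id, username, password FROM admins WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;                // unknown user and wrong password get the same answer
    }
    // If PASSWORD_DEFAULT or its cost has changed since registration, upgrade the stored hash.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE admins SET password = :password WHERE id = :id');
        $upd->execute([':password' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return ['id' => (int) $row['id'], 'username' => $row['username']];
}

// Session setup after a successful login; regenerating the id prevents session fixation.
function start_login_session(array $user): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);
    $_SESSION['loggedin'] = true;
    $_SESSION['id'] = $user['id'];
    $_SESSION['username'] = $user['username'];
}

// Gate for protected pages: both conditions must hold, so check isset() first and use &&.
function require_login(string $loginUrl = '/login.php'): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['loggedin']) || $_SESSION['loggedin'] !== true) {
        header('Location: ' . $loginUrl);
        exit;
    }
}

// Walk-through with constructed input (run from the CLI: php example.php).
$pdo = make_pdo();
var_dump(register_user($pdo, 'alice', 'correct horse', 'wrong horse'));   // confirmation mismatch
var_dump(register_user($pdo, 'alice', 'correct horse', 'correct horse')); // hash stored
var_dump(login_user($pdo, 'alice', 'correct horse'));                     // correct password
var_dump(login_user($pdo, 'alice', 'CORRECT horse'));                     // password_verify() fails
var_dump(login_user($pdo, 'bob', 'correct horse'));                       // no such user
```

Note that the hash column must be wide enough for future algorithms: PHP's documentation recommends VARCHAR(255) so a change of PASSWORD_DEFAULT never truncates the stored value, and password_needs_rehash() in login_user() is what lets that upgrade happen transparently.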

Did you manage to get your $_SESSION data working on your index page?

No, I still see the unidentified index error. I’m assuming that it has something to do with the login page as there are lots of problems in the login script. I think a login rewrite may be necessary…

Ok. Following my other post, is your login script now working? I.e. does it authenticate with password_verify() and redirect you to the index.php page?

If so, stick this in the head of your index.php page and any other pages you want only logged-in users to see:


<?php
// Initialize the session
session_start();

// Check if the user is logged in, if not then redirect him to login page.
// Both conditions must hold, so test isset() first and join them with &&;
// read $_SESSION["username"] only once the check has passed.
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    $username = $_SESSION["username"];
}
else {
    header("location: /login.php?msg=ok&err=not_logged_in");
    exit;
}
?>

Then wherever you want to call the username you can put


<h2> Welcome back <?php echo htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?> </h2>
