In the login code, the only value you should store in a session variable is the user’s id. You would then use this value to query on each page request to get any other user data, such as the user’s name, permissions, … The reason for doing this is so that any changes made to the user’s data, either by the user or by a moderator/administrator, will take effect on the very next page request. When you store these values in session variable(s) when the user logs in, they won’t change until the user logs in again.

epicexchange20: header('location: ../login.php?incorrect');

This redirect indicates that your form and form processing code are not on the same page. This requires that you write a bunch of extra logic for error messaging and it provides a bad user experience since you cannot re-populate the form fields with their existing values upon an error, requiring the visitor to keep re-entering all the data values over and over.

The only redirect you should have in your form processing code is upon successful completion, with no errors, to the exact same url of the current page, to cause a get request for that page. This will prevent the browser from trying to re-submit the form data if you refresh or browse away from and back to that page.

You should also have an exit/die statement, consistently, after every header() redirect to stop php code execution. A header() statement only tells the browser something. It has no effect on php code execution.
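The three points above (session holds only the user id and the user row is re-queried on every request; form and processing code on one page so fields can be re-populated; the single success redirect back to the same URL followed by exit) put together in one login page. This is an added example, not code from the thread or from epicexchange20. It assumes a PDO connection in $pdo and a `users` table with columns id, username, password_hash and role; those names are assumptions, as is the hypothetical currentUser() helper.

```php
<?php
// Added example (not from the original thread). Assumed: $pdo is a PDO
// connection and a `users` table exists with columns id, username,
// password_hash, role. Table/column names are assumptions.
declare(strict_types=1);
session_start();

// $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'dbuser', 'dbpass', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,
// ]);

/**
 * Hypothetical helper: load the logged-in user's data fresh on every
 * request, using only the id kept in the session. Any change made to the
 * row (name, role, disabled flag, ...) is therefore visible on the next
 * page request. Returns null when nobody is logged in or the row is gone.
 */
function currentUser(PDO $pdo): ?array
{
    if (empty($_SESSION['user_id'])) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, username, role FROM users WHERE id = ?');
    $stmt->execute([(int) $_SESSION['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$errors = [];
$post   = [];

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Keep the trimmed submission so the form can be re-populated on error.
    $post     = array_map('trim', $_POST);
    $username = $post['username'] ?? '';
    $password = $post['password'] ?? '';

    if ($username === '') {
        $errors['username'] = 'Username is required.';
    }
    if ($password === '') {
        $errors['password'] = 'Password is required.';
    }

    if (empty($errors)) {
        $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $user = $stmt->fetch(PDO::FETCH_ASSOC);
        // Same generic message whether the username or the password was wrong.
        if ($user === false || !password_verify($password, $user['password_hash'])) {
            $errors['login'] = 'Invalid username or password.';
        }
    }

    if (empty($errors)) {
        session_regenerate_id(true);               // fresh session id on login
        $_SESSION['user_id'] = (int) $user['id'];  // the only value kept in the session
        // Successful completion: redirect to this same URL so the browser does a
        // GET, then stop. header() only instructs the browser; it does not end
        // PHP execution, so exit is required.
        header('Location: ' . $_SERVER['REQUEST_URI']);
        exit;
    }
}

$me = currentUser($pdo);
?>
<!DOCTYPE html>
<html><body>
<?php if ($me !== null): ?>
    <p>Logged in as <?= htmlspecialchars($me['username']) ?> (role: <?= htmlspecialchars($me['role']) ?>)</p>
<?php else: ?>
    <?php foreach ($errors as $msg): ?>
        <p class="error"><?= htmlspecialchars($msg) ?></p>
    <?php endforeach; ?>
    <form method="post" action="">
        <label>Username
            <!-- Re-populated from the failed submission; the password is never echoed. -->
            <input type="text" name="username" value="<?= htmlspecialchars($post['username'] ?? '') ?>">
        </label>
        <label>Password <input type="password" name="password"></label>
        <button type="submit">Log in</button>
    </form>
<?php endif; ?>
</body></html>
```

Because the form posts to an empty action (the same page) and the only redirect is the post-success one, a failed attempt falls through to the HTML below with $errors and $post available, so the username field keeps its value and no separate error-page logic is needed.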