So I'm working on an application that requires a user to log in before accessing any 'sensitive material'.

The login script works like this: User enters U/P -> Script validates data -> If valid, SESSION variables are set.

This is a very strange problem, since SESSIONS are handled by the server.

The problem: When first opening the script in a new window or tab, submitting the login form takes you right back to the login form. All subsequent requests work as expected!

Any ideas?

A: 

$5 says $auth->userAuth() is where session values are getting set, and guessing that was supposed to be !$auth->userAuth() for a "password doesn't match" case. The logic is kind of overlapping itself though.

Try this instead, just sorting the logic into separate blocks:

if ($action == 'login') {
    // all of the pre-authentication error checking first
    if (!$auth->emailExists($username)) {
        header('Location: index.php?action=unknownuser');
        exit; // header() only queues the redirect; stop here so nothing below runs
    } elseif (!$auth->isAccountActive($username)) {
        header('Location: index.php?action=inactive');
        exit;
    }

    // then actual authentication here - any errors have already redirected
    $_SESSION['loggedin'] = $auth->userAuth($username, $password);
    // opinionated bonus: adds clarity & keeps superglobals out of your classes
    // (you'll have to take them out yourself though)

    // and finally redirect on success/failure
    if (!$_SESSION['loggedin']) {
        header('Location: index.php?action=authfailed');
    } else {
        header('Location: services.php');
    }
    exit; // end the request once the redirect has been sent
}
tadamson
Yes, the $_SESSION['loggedin'] variable is set to true in the userAuth method.
Richard Harrington
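An added example, not code from the question or the answer: the same flow split into a pure decision step and a single place that writes the session and redirects, so no branch can fall through into another. The `$auth` methods are the ones named in the answer; `resolveLogin`, `handleLogin`, the stub class and the `session_regenerate_id()` call are assumptions introduced here.

```php
<?php
// Added example. $auth is assumed to expose the three methods named in the
// answer; every other name in this file is hypothetical.

// Decide the outcome without touching headers or the session.
// Returns [bool $loggedIn, string $redirectTarget].
function resolveLogin($auth, string $username, string $password): array
{
    if (!$auth->emailExists($username)) {
        return [false, 'index.php?action=unknownuser'];
    }
    if (!$auth->isAccountActive($username)) {
        return [false, 'index.php?action=inactive'];
    }
    if (!$auth->userAuth($username, $password)) {
        return [false, 'index.php?action=authfailed'];
    }
    return [true, 'services.php'];
}

// Apply the outcome: one session write, one Location header, then stop.
function handleLogin($auth, string $username, string $password): void
{
    // The session must be open before $_SESSION is written and before output.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    [$loggedIn, $target] = resolveLogin($auth, $username, $password);
    if ($loggedIn) {
        // Assumption (not on the page): issue a fresh session id when the
        // user becomes authenticated, so a pre-login id is not carried over.
        session_regenerate_id(true);
    }
    $_SESSION['loggedin'] = $loggedIn;
    header('Location: ' . $target);
    exit; // header() does not end the script; stop explicitly
}

// In the page script: if ($action == 'login') handleLogin($auth, $username, $password);

if (PHP_SAPI === 'cli') {
    // Constructed stub standing in for the poster's $auth object.
    $stub = new class {
        public function emailExists($u) { return $u === 'a@example.com'; }
        public function isAccountActive($u) { return true; }
        public function userAuth($u, $p) { return $p === 'correct-password'; }
    };
    echo resolveLogin($stub, 'a@example.com', 'wrong')[1], PHP_EOL;
}
```

Because `resolveLogin` emits nothing, each branch can be checked from the command line with a stub before it is wired to a real session.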