views: 45
answers: 2

I have a login form grabbing hashed passwords from a database. If a "submit checking" <input type="hidden"> is equal to 1 (the sample below will explain this better), then the page content is revealed; if it is not equal to 1, the login form is displayed. The form is as follows:

<!-- $style is by default "visibility:visible;" but will change to "visibility:hidden;" when correct login info is given -->
<div id="login" style="<?php echo $style ?>">
<p>Log in</p>
<form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>">
<input type="text" id="username" name="username" value="Username" onfocus="if (this.value == 'Username') this.value=''">
<input type="password" id="password" name="password" value="passpass" onfocus="if (this.value == 'passpass') this.value=''">
<br>
<input type="submit" name="submit" value="Log Ind">
<!-- Submit checker: if set, process login information -->
<input type="hidden" name="_submit_check" value="1">
</form>
</div>
<p>No user? Make one <a href="register.php">here.</a></p>
</div>

This works great with my PHP sample, but there is one little annoying thing... You have to log in every single time you view the page. Therefore I did this in my PHP script:

<?php
require_once 'DB.php'; // PEAR DB, needed for DB::connect() and DB::isError()

session_start();

$db = DB::connect('mysql://username:pass@host/database');
if (DB::isError($db)) {
    die("Can't connect: " . $db->getMessage());
}
$style = "visibility:visible;";

$passwordHash = sha1($_POST['password']);
$_SESSION['login'] = $_POST['_submit_check']; // This is the submit checker I mentioned before

$sql = 'SELECT username FROM user WHERE username = ? AND passwordHash = ?';
$result = $db->query($sql, array($_POST['username'], $passwordHash));
if ($_SESSION['login'] == 1) {
    if ($result->numRows() < 1) {
        echo '<p>Correct your username and password please</p>';
    } else {
        $style = "visibility: hidden;";
        echo '<p>This is the page content</p>';
    }
}
?>

Shouldn't the fact that I add the $_POST['_submit_check'] value to a $_SESSION[] variable called 'login' mean the users only have to log in every 24 minutes? That's what I want, but it's not happening...

I hope you understand my question, if not, leave a comment about what you don't understand. I had a hard time explaining my thoughts in this question ;)

+1  A: 

I'm not 100% sure because there's no other code given, but you seem to be missing a call to session_start() that's required to start or load the session. Sadly $_SESSION isn't magical enough to start the session on your behalf. Without this call, $_SESSION will be empty at the beginning of each script and will never be initialised to the session data.

Having said that, it is possible to configure PHP to start sessions automatically for every script, using the session.auto_start php.ini directive, assuming you have enough control to change this.

Dave
Also, halfdan has a very good point, which I missed!
Dave
The session_start() is in the first sample :) don't know why, moving it...
Latze
+2  A: 

You are overwriting the $_SESSION['login'] every request, because you're assigning the $_POST value without checking if it is really set.

if (isset($_POST['_submit_check'])) { // field name must match the hidden input in the form
    $_SESSION['login'] = $_POST['_submit_check'];
}
halfdan
Still not working though... Same output as before: it logs in, but when I go to another page and back, I have to log in again :( If I get it right, strings/variables stored inside the SESSION variables are accessible on all pages (with session_start()) for the next 24 minutes (by default), right?
Latze
Uhm, because you require username and password to be POST'ed every single request. You should rethink your authentication system.
halfdan
Okay thank you.
Latze
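The flow halfdan is pointing at, as an added example that is not code from the question or the answers: the session is only written after the credentials check succeeds, and every later request trusts the session instead of requiring username and password to be POSTed again. It assumes a PDO connection in $db (instead of the question's PEAR DB) and that the passwordHash column was produced by password_hash() rather than sha1(); both are assumptions for this example.

```php
<?php
// Added example: session-based login that persists across page views.
// Assumes $db is a PDO connection and `user` has columns username, passwordHash.
session_start();

function authenticate(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT passwordHash FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                       // unknown user: same message as bad password
    }
    return password_verify($password, $row['passwordHash']);
}

// Log out: clear the session state instead of waiting for it to expire.
if (isset($_POST['logout'])) {
    $_SESSION = [];
    session_destroy();
}

// Credentials submitted: this is the only place that sets the login state,
// and only after the password check has succeeded.
if (isset($_POST['_submit_check'], $_POST['username'], $_POST['password'])) {
    if (authenticate($db, $_POST['username'], $_POST['password'])) {
        session_regenerate_id(true);        // fresh session id after the privilege change
        $_SESSION['user'] = $_POST['username'];
    } else {
        echo '<p>Correct your username and password please</p>';
    }
}

// Every request, POST or plain GET: the session alone decides what to show,
// so a user who already logged in is not asked again until the session ends.
$loggedIn = isset($_SESSION['user']);
$style = $loggedIn ? 'visibility: hidden;' : 'visibility: visible;';
if ($loggedIn) {
    echo '<p>This is the page content for '
        . htmlspecialchars($_SESSION['user'], ENT_QUOTES, 'UTF-8') . '</p>';
}
?>
```

The 24-minute figure from the thread is session.gc_maxlifetime; the session survives navigation because nothing here overwrites $_SESSION['user'] on requests that carry no credentials.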