I have website where I am using login and logout functionality using php.
So, for login, first I call following function :
function sec_session_start() {
$session_name = 'happiechef_session_ids'; // Set a custom session name
$secure = false;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location:index");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(true); // regenerated the session, delete the old one.
}
and then I call following function to check user login information from mysql database :
function admin_login($email, $pass) {
global $conn;
$query = mysqli_query($conn, "SELECT a_email, a_pass, a_id FROM admin_profile WHERE a_email = '$email' LIMIT 1");
$query_result = mysqli_fetch_array($query);
$a_id = (int) $query_result['a_id'];
$db_hash = htmlspecialchars($query_result['a_pass']);
$num = mysqli_num_rows($query);
if($num == 1) {
if (checkbrute($email) == true) {
// if true account is locked
return false;
} else {
if(verify($pass, $db_hash)) {
$a_id = preg_replace("/[^0-9]+/", "", $a_id);
$email = validate_data($email);
$user_browser = $_SERVER['HTTP_USER_AGENT'];
$_SESSION['logged_admin_user'] = $email;
$_SESSION['logged_admin_id'] = $a_id;
$_SESSION['login_string'] = hash('sha512', $db_hash . $user_browser);
return true;
} else {
$time = time();
$query = mysqli_query($conn, "INSERT INTO login_attempt VALUES('', '$email', '$time')");
return false;
}
}
} else {
return false;
}
}
Well, when I refresh the page multiple time using F5 key
from Keyboard it's automatically logged out and sometime when I visit other page it's asking me to login! Somehow it's destroyed the PHP session.
Can anyone tell me what is the problem in my code ?
Thanks In advance.
Update :
Here is the function to check if user is logged or not :
function admin_login_check() {
// Check if all session variables are set
if (isset($_SESSION['logged_admin_user'], $_SESSION['logged_admin_id'], $_SESSION['login_string'])) {
global $conn;
$user_id = $_SESSION['logged_admin_id'];
$login_string = $_SESSION['login_string'];
$username = $_SESSION['logged_admin_user'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if($query = mysqli_query($conn, "SELECT a_pass FROM admin_profile WHERE a_email = '$username' ")) {
$num = mysqli_num_rows($query);
if($num == 1) {
$result = mysqli_fetch_array($query);
$password = htmlspecialchars($result['a_pass']);
// if hash equals function is not exist
if(!function_exists('hash_equals')){
function hash_equals($str1, $str2){
if(strlen($str1) != strlen($str2)){
return false;
} else {
$res = $str1 ^ $str2;
$ret = 0;
for($i = strlen($res) - 1; $i >= 0; $i--) {
$ret |= ord($res[$i]);
}
return !$ret;
}
}
}
$login_check = hash('sha512', $password.$user_browser);
if (hash_equals($login_check, $login_string) ){
return true;
} else {
return false;
}
} else {
return false;
}
} else {
return false;
}
} else {
return false;
}
}