As noted in the title my session is not created, is it possible that it is the fact that I am a subdomain of a domain already having a session?
Here is my php code:
if(isset($_POST['login']))
{
global $conn;
$id = trim ($_POST ['identifiant']);
$pass = trim ($_POST ['pass']);
$pass = strip_tags ($pass);
$pass = htmlspecialchars ($pass);
$password = (hash ('sha1', $pass));
$query = $conn->query("SELECT id, identifiant, password FROM tablename WHERE identifiant='$id'");
$data = $query->fetch(PDO::FETCH_ASSOC);
$count = $query->rowCount();
if(($count == 1) && ($data['password']==$password))
{
session_start();
$_SESSION['user'] = $id;
header("Location: home.php");
}
else
{
echo 'Erreur';
}
}
Here is my html code:
<form class="form-login" method="post" wfd-id="5">
<center><img src="assets/img/logo.png" class="form-login-heading"></center>
<div class="form-group">
<input type="text" name="identifiant" class="form-control" placeholder="Identifiant" style="text-align: center;" maxlength="6"; required="">
</div>
<div class="form-group">
<input type="password" name="pass" class="form-control" placeholder="Mot de passe" required="" style="text-align: center;">
</div>
<div class="form-group">
<button type="submit" name="login" class="btn btn-login btn-block">Connexion</button>
</div>
</form>
home.php:
if(!isset($_SESSION['user'])){
//header('Location: index.php');
echo 'Session:'.$_SESSION['user'];
}
I see a few problems with your code, one of which will be responsible ... probably the last one.
You're open to sql injections. trim doesn't prevent that. please learn about prepared statements. I cannot stress this enough, especially with a login form.
Also please use password_hash to create the hash for storing the value in the database and password_verify to verify the password you get is the right one. If your user table is compromised (which is likely, given you have an sql injection), a rainbow table will give easy (easier?) access to your user's accounts.
fetch plus rowCount. You absolutely shouldn't need both. What are your assumptions?
If you think that there might be more than 1 result row, then your database schema is flawed. The field should be marked UNIQUE. If you select on a unique field, there can only ever be no or one result. (also identificant suggests there should ever be at most 1 so unique is appropriate)
If you think that there might be no result row, then your fetch will just return null/false if there's no row, and you check for that.
also the php docs state, that calling rowCount on a select statement may not return what you want and you should make a select COUNT(*) query instead (there's also a comment re-stating that the only way to get the count after the select statement is to call a separate select count(*) ... statement or to count what fetch returns - essentially).
This is theoretical only. After header you should end the request by returning/exiting before you generate more output and make the header invalid. (Redirect + output -> output + error message (possibly))
if(!isset($_SESSION['user'])){
//header('Location: index.php');
echo 'Session:'.$_SESSION['user'];
}
this will only output something, if no user is stored in the $_SESSION. either remove the ! or replace isset with empty