Form question

[BlackRiver]

So I have a simple login form.I can enter username and password,submit the data to my script.The script checks if username and password are correct.

The question:
How do I start a session only if the data submitted is correct?

I don't want to have:

PHP Code:

<?php
session_start(); 
$_SESSION['username'] = $_POST['username']; 
$_SESSION['password'] = $_POST['password'];
?>

at the very top of my login.php,because even if the data is not correct,the form is still submited,so if I use:

PHP Code:

<?php
session_start();  
if(isset($_SESSION['username'])) {
    if (isset($_SESSION['password']))
{

the user would still be logged in.

[kows]

then you only define your session variables if the login is successful.

PHP Code:

<?php
  session_start();
  if($login_successful){
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
  }else{
    echo 'The username and password you entered was incorrect.';
  }
?>

though, you'll need to connect to a database or something to figure out if the information is in fact correct, and then you can define $login_successful if so.

[BlackRiver]

That doesnt work.Maybe I didn't explain it well.Let me try again.
I have index.php with a login form.When the user enters the data,it is sent to login.php for processing.Here's how login.php looks like:

PHP Code:

<?php
include 'konfiguracija.php';

if (trim($_POST['username'] =='')){
die('Morate unijeti korisnicko ime!');
}
if (trim($_POST['password'] =='')){
die('Morate unijeti password!');
}
// otvaranje konekcije sa bazom

$konekcija = mysql_connect($host,$korisnik,$lozinka)
or die ('Povezivanje sa serverom nije uspjelo!');

// Odabir baze

mysql_select_db($baza) or die ('Odabir baze nije uspio!');
$username = $_POST['username'];
$password = $_POST['password'];

$upit= "SELECT username,password FROM login  WHERE  username = '$username' OR password = '$password'";

$rezultat = mysql_query($upit) or die ("Greska u upitu: $upit " . mysql_error());
$red = mysql_fetch_array($rezultat);
if ($red[0] != $username OR $red[1] != $password)
{
echo 'Niste unijeli tacan username ili password.Molimo vratite se nazad i pokusajte opet!';
}
else{
echo "Uspjesno ste prijavljeni!<br/>";
echo "UserName:".$_SESSION['username']."<br/>";
echo "Password:".$_SESSION['password']."<br/>";
}
?>

Before the <html> tag I have this:

PHP Code:

<?php
  session_start();
    $_SESSION['username'] = $_POST['username'];
    $_SESSION['password'] = $_POST['password'];
    ?>

This works fine if the username and password entered are correct.If not,the user will be notified,but the form is still submitted,and then in my index.php,before the <hml> tag,I have this:

PHP Code:

<?php
session_start(); 

if(isset($_SESSION['username'])) {
    if (isset($_SESSION['password']))
{
echo "PRIJAVLJENI STE KAO ADMIN!";
echo "<a href=\"odjava.php\">Kliknite ovdje da se odjavite!</a>";
}
}
?>

So even if the data is not correct,the user would still be logged in.

I'm just experimenting with this.It will not be an actual web-page.

[zalez]

What about using unset(); to unset your username and password if they are wrong?

PHP Code:

if ($red[0] != $username OR $red[1] != $password) 
{ 
//unset individual session variables.
unset($_SESSION['username']);
unset($_SESSION['password']);
//or if you needed to unset all sessions since login failed you could: $_SESSION = array();

echo 'Niste unijeli tacan username ili password.Molimo vratite se nazad i pokusajte opet!'; 
} 
else{ 
echo "Uspjesno ste prijavljeni!<br/>"; 
echo "UserName:".$_SESSION['username']."<br/>"; 
echo "Password:".$_SESSION['password']."<br/>"; 
} 


[kows]

you have basically the same code that I posted originally. just change it a tad:

PHP Code:

if ($red[0] != $username OR $red[1] != $password) 
{ 
echo 'Niste unijeli tacan username ili password.Molimo vratite se nazad i pokusajte opet!'; 
} 
else{ 

  //define session variables here.

echo "Uspjesno ste prijavljeni!<br/>"; 
echo "UserName:".$_SESSION['username']."<br/>"; 
echo "Password:".$_SESSION['password']."<br/>"; 
}