PHP Unable to set a session variable

Question

From a login page I am capturing the user and password values:

<?php
session_start();
$error=''; 
$rows = 0;
if (isset($_POST['submit'])) {
    $username=$_POST['username'];
    $password=$_POST['password'];
    $mysqli = new mysqli("localhost","xxxxx","xxxxx","xxxxxxx");
    if (mysqli_connect_errno()) {
        printf("Connect failed: %s\n", mysqli_connect_error());
        exit();
    }
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = $mysqli->real_escape_string($username);
    $password = $mysqli->real_escape_string($password);
    $query = "select count(*) from login where password='$password' AND username='$username'";
   if ($stmt = $mysqli->prepare($query)) {
        $stmt->execute();
        $stmt->store_result();
        $rows = $stmt->num_rows;
        $stmt->close();
   }
}
$mysqli->close();
if ($rows == 1) {
    $_SESSION['login_user']=$username; 
    header("location: profile.php"); 
} else {
    header("location: login.php"); 
    $error = "Username or Password is invalid";
} 
?>

My profile.php script is something like below:

<?php
include('session.php');
?>
<!DOCTYPE html>
<html>
<head>
<title>Your Home Page</title>
<link href="style.css" rel="stylesheet" type="text/css">
</head>
<body>
   <div id="profile">
     <b id="welcome">Welcome : <i><?php echo $login_session; ?></i></b>
     <b id="logout"><a href="logout.php">Log Out</a></b>
   </div>
</body>
</html>

And session.php

<?php
if(!isset($_SESSION['login_user'])){
    header('Location: login.php');
}
?>

My code flow is like when the login form is submitted the validate_login.php source code will verify the details from the user. In case the details are correct a profile.php page would be displayed or back again to login page.

I am having 3 difficulties;

1. How to debug PHP scripts?
2. Why my code is going back to login page again - I have tested by hard coding wrong undefined variable (forcing a dump) - I found that the row is found as it enters in if condition which defines the session variable [if ($rows == 1)]
3. Is there any other way we can verify a session - basically only a logged in user should see the further pages?

Answer 1

Your session.php should be

empty() is essentially the concise equivalent to !isset($var) || $var == false.

<?php
session_start();
if(empty($_SESSION['login_user'])){
header('Location: login.php');
}
?>

include session.php to your script and any other page that is for registered users

<?php
include_once('session.php');
$error=''; 
$rows = 0;
if (isset($_POST['submit'])) {
$username=$_POST['username'];
$password=$_POST['password'];
$mysqli = new mysqli("localhost","xxxxx","xxxxx","xxxxxxx");
if (mysqli_connect_errno()) {
    printf("Connect failed: %s\n", mysqli_connect_error());
    exit();
}
$username = stripslashes($username);
$password = stripslashes($password);
$username = $mysqli->real_escape_string($username);
$password = $mysqli->real_escape_string($password);
$query = "select count(*) from login where password='$password' AND username='$username'";
if ($stmt = $mysqli->prepare($query)) {
$stmt->execute();
$stmt->store_result();
$rows = $stmt->num_rows;
$stmt->close();
}
}
$mysqli->close();
if ($rows == 1) {
$_SESSION['login_user']=$username; 
header("location: profile.php"); 
} else {
header("location: login.php"); 
$error = "Username or Password is invalid";
} 
?>

Answer 2

Call session_start() function, before use any session variable.

If you get warning such as : Warning: Cannot modify header information - headers already sent (output started at script:line), then use @ suppression operator

@session_start() //@ for error suppression

Answer 3

you have no session right now in youre session.php

<?php
if(!isset($_SESSION['login_user'])){
header('Location: login.php');
}
?>

You need to add session_start();

So u will get

<?php
session_start();
if(!isset($_SESSION['login_user'])){
header('Location: login.php');
}
?>

For security its better to use prepared prepared statements. For error handelings, try to make something is there really a session ?.

if(session_id() == '' || !isset($_SESSION)) {
    // session isn't started
    echo "No session";
}