one of your big problems is that your SESSION and POST variables are getting tangled up in a sense. because they have the same name, the session value is overwriting the post value, so therefore every time you resubmit the form with new data, it's all being overwritten with whatever the session variables were originally set to. simply renaming either your session or post variables will correct that problem.
on a side note, you may want to rethink how you are approaching this... it's been a while since i've done authentication with sessions, but i remember there being some issues when doing something like this. i'll look more at it, and see what i can figure out.
<edit>
ok, here's what i'd suggest.... since you want the user to login once, and then for that action to be shown on all subsequent pages, your current code would require you to copy the ($username == "limb") stuff on every page. instead, consider creating a library that will contain all of your user functions (user.php below). this library will have a function that accepts a username and password, and will return if it's valid. (if you later change to multiple users, or using a SQL database, you only change this one function).
here are 4 files i created to test this...
Code: Select all
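<?php
// login.php - shows the login form
session_start();
echo '
<form action="login2.php" method="post">
<p>User: <input type="text" name="username"><br>
Pass: <input type="password" name="password"><br>
<input type="Submit" value="Login">
</p>
</form>
';
?>
<?php
// login2.php - receives the form and stores the credentials in the session
session_start();
include("user.php");
// read the form fields from $_POST and keep them under different session names
// (session_register() and register_globals no longer exist in current PHP)
$_SESSION['sxUser'] = isset($_POST['username']) ? $_POST['username'] : '';
$_SESSION['sxPass'] = isset($_POST['password']) ? $_POST['password'] : '';
$logged_in = user_isloggedin($_SESSION['sxUser'], $_SESSION['sxPass']);
if ($logged_in) {
    echo 'yes';
} else {
    echo 'no';
}
?>
<?php
// user.php - library of user functions
function user_isloggedin($name, $pass) {
    // == (comparison), not = (assignment), so the password is actually checked
    if ($name == 'limb' && $pass == 'test') {
        return 1;
    } else {
        return 0;
    }
}
?>
<?php
// login3.php - example of an additional page
session_start();
include("user.php");
// take the stored values from the session only
$sxUser = isset($_SESSION['sxUser']) ? $_SESSION['sxUser'] : '';
$sxPass = isset($_SESSION['sxPass']) ? $_SESSION['sxPass'] : '';
$logged_in = user_isloggedin($sxUser, $sxPass);
if ($logged_in) {
    echo 'yes';
} else {
    echo 'no';
}
?>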
on each page, the variable $logged_in is being stored to the return value of your login function. you might be able to register $logged_in and then leave this off and just check for $_SESSION['logged_in']..... the main thing you want to prevent is people adding "?logged_in=1" to the end of the URL and gaining access. anyone know exactly what the security issues are with this?
login3.php is just an example of what your additional pages might look like. if any of that was unclear, just let me know...
</edit>
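The "?logged_in=1" concern raised in the post above, as an added example that is not part of the original post: the login flag is written to the session only by server-side code after the password check, and protected pages read it from the session and nowhere else. The functions user_store and user_login are hypothetical, the arrays stand in for $_POST, $_GET and $_SESSION, and extract() is used only to mimic what register_globals did with URL parameters.

```php
<?php
// Added example, not the poster's code. Run with the PHP CLI; the arrays below
// stand in for $_POST, $_GET and $_SESSION and hold constructed sample data.

// Hypothetical one-user store: a password hash replaces the plaintext compare.
function user_store() {
    static $users = null;
    if ($users === null) {
        $users = array('limb' => password_hash('test', PASSWORD_DEFAULT));
    }
    return $users;
}

// Hypothetical login step: credentials come only from the POST body.
function user_login(array $post, array &$session) {
    $users = user_store();
    $name = isset($post['username']) ? (string)$post['username'] : '';
    $pass = isset($post['password']) ? (string)$post['password'] : '';
    if (isset($users[$name]) && password_verify($pass, $users[$name])) {
        // A real page would call session_regenerate_id(true) at this point.
        $session['logged_in'] = true;  // written only by server-side code
        $session['user'] = $name;      // the password is not kept in the session
        return true;
    }
    unset($session['logged_in'], $session['user']);
    return false;
}

// Protected pages consult the session only and never a request parameter.
function user_isloggedin(array $session) {
    return isset($session['logged_in']) && $session['logged_in'] === true;
}

$session = array();
$get = array('logged_in' => '1');  // constructed request: "?logged_in=1"

// extract() mimics register_globals: the URL now defines $logged_in.
extract($get);
echo 'global $logged_in from URL: ', var_export($logged_in, true), "\n";
echo 'session check before login: ', var_export(user_isloggedin($session), true), "\n";

$bad = array('username' => 'limb', 'password' => 'wrong');
$good = array('username' => 'limb', 'password' => 'test');
echo 'wrong password: ', var_export(user_login($bad, $session), true), "\n";
echo 'right password: ', var_export(user_login($good, $session), true), "\n";
echo 'session check after login: ', var_export(user_isloggedin($session), true), "\n";
```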