what about using this to setup session

如何使用它来设置会话

session_start();
if( isset($_POST['username']) && isset($_POST['password']) )
{
    if( auth($_POST['username'], $_POST['password']) )
    {
        // auth okay, setup session
        $_SESSION['user'] = $_POST['username'];
        // redirect to required page
        header( "Location: index.php" );
     } else {
        // didn't auth go back to loginform
        header( "Location: loginform.html" );
     }
 } else {
     // username and password not given so go back to login
     header( "Location: loginform.html" );
 }

and at the top of each "secure" page use this code:

并在每个“安全”页面的顶部使用以下代码：

session_start();
session_regenerate_id();
if(!isset($_SESSION['user']))      // if there is no valid session
{
    header("Location: loginform.html");
}

this keeps a very small amount of code at the top of each page instead of running the full auth at the top of every page. To logout of the session:

这会在每个页面的顶部保留非常少量的代码，而不是在每个页面的顶部运行完整的身份验证。要注销会话：

session_start();
unset($_SESSION['user']);
session_destroy();
header("Location: loginform.html");

First, don't store the password in the session. It's a bad thing. Second, don't store the username in the session until afteryou have authenticated.

首先，不要在会话中存储密码。这是一件坏事。其次，在您通过身份验证之前，不要在会话中存储用户名。

Try the following:

请尝试以下操作：

<?php

session_start();

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    $authed = auth($username, $password);

    if (! $authed) {
        header('Location: http://website.com/fail.php');
    } else {
        $_SESSION['username'] = $username;
    }
}

if (isset($_SESSION['username'])) {
    $navbar = 1;
    $logindisplay = 0;
} else {
    header ('Location: http://website.com/fail.php');
}

Just some random points, even though they may not actually pertain to the problem:

只是一些随机点，即使它们实际上可能与问题无关：

• Don't store the password in plaintext in the session. Only evaluate if the password is okay, then store loggedIn = trueor something like that in the session.

• Check if the password andthe username are $_POSTed, not ||(or).

• Don't pass password and username back and forth between $passwordand $_SESSION['password']. Decide on one place to keep the data and leave it there.

• Did you check if you can store anything at all in the session? Cookies okay etc...?

• 不要在会话中以明文形式存储密码。只评估密码是否正常，然后loggedIn = true在会话中存储或类似的东西。

• 检查密码和用户名是否为$_POSTed，而不是|| （或者）。

• 不要在$password和之间来回传递密码和用户名$_SESSION['password']。决定在一个地方保存数据并将其留在那里。

• 您是否检查过是否可以在会话中存储任何内容？饼干好吗等...？

To greatly simplify your code, isn't this all you need to do?

为了大大简化您的代码，这不是您需要做的全部吗？

if (isset($_POST['username'] && isset($_POST['password'])) {
    if (auth($_POST['username'], $_POST['password'])) {
        $_SESSION['user'] = /* userid or name or token or something */;
        header(/* to next page */);
    } else {
        // display "User credentials incorrect", stay on login form
    }
} else {
    // optionally: display "please fill out all fields"
}

Here are a few other things, which may or may not help you, by the way :

顺便说一下，这里有一些其他的东西，可能对你有帮助，也可能没有帮助：

• Do you have error_reportingon ? (see also)
• Do you have display_errorson ?
• Is session_startthe first thing you are doing in your page ? There must be nothingoutput before
• Are the cookies created on the client-side ?
• header Location indicates the browser it has to go to another page ; it doesn't stop the execution of the PHP script. You might want to (almost always anyway) add "exit" after it.

• 你有error_reporting吗？（另见）
• 你有display_errors吗？
• 是session_start您在页面上做的第一件事吗？之前一定没有什么输出
• cookie 是在客户端创建的吗？
• header Location 指示浏览器它必须转到另一个页面；它不会停止 PHP 脚本的执行。您可能想要（几乎总是）在它后面添加“退出”。

Headers are not function calls. They put a directive into the HTTP headers, and the last one to execute is the one which will be processed. So let say if you have something like this

标头不是函数调用。他们将一个指令放入 HTTP 标头中，最后一个执行的是将被处理的。所以假设你有这样的事情

if ($bAuthed)
{
     header("location: login.php");
}

// error case
header("location: error-login.php");

You will always be redirected to error-login.php no matter what happens. Headers are not function calls!

无论发生什么，您都将始终被重定向到 error-login.php。标头不是函数调用！

Don't use elsesection in second ifstatement.

不要else在第二个if语句中使用section 。

session_start();

if(isset($_POST['username']) || isset($_POST['password'])) {

    $username = $_POST['username'];

    $password = $_POST['password'];

    $_SESSION['username'] = $username;

    $_SESSION['password'] = $password;

}

if(isset($_SESSION['username']) || isset($_SESSION['password'])){

    $navbar = "1";

    $logindisplay = "0";

    $username = $_SESSION['username'];

    $password = $_SESSION['password'];

}

$authed = auth($username, $password);

if( $authed == "0" ){

    header('Location:http://website.com/fail.php');

}

The solution to my specific problem above

我上面的具体问题的解决方案

session_start();
if(isset($_POST['username']) || isset($_POST['password'])){
$username = $_POST['username'];
$password = $_POST['password'];
$_SESSION['username'] = $username;
$_SESSION['password'] = $password;
}

if(isset($_SESSION['username']) || isset($_SESSION['password'])){
$navbar = "1";
$logindisplay = "0";
$username = $_SESSION['username'];
$password = $_SESSION['password'];
$authed = auth($username, $password);
if( $authed == "0" ){
header('Location:http://website.com/fail.php');
}
} else {
header('Location:http://website.com/fail.php');
}