Login works on desktop but not mobile?

Question

So I'm using php-login-minimal to handle logins on my almost complete website.

The login system works perfectly on desktop, but on tablet or mobile it acts as though it's working and logging me in but ultimately I end up at the same page asking me to log in.

I don't understand why it would work on desktop but not mobile. The webpage is the same page that is loaded for both, as I am using a responsive design to scale the content to fit whatever screen is being used, but the logging in system doesn't return an error or anything to help me out.

I've noticed in the Login.php script that there is a line of code elseif (isset($_POST["login"])) { but none of the form elements have the name "login" other than the submit button, do you guys reckon that could be an issue?

I was also thinking about adapting the code a little bit to specify login in the URL (www.example.com/index?login) and see if that works, but I don't want to change the code as I don't fully understand it all yet.

Thanks for any help though guys!

My Login Form

<form method="post" action="index.php" name="loginForm" id="loginForm">
      <label for="login_input_username">Username</label>
      <input id="login_input_username" class="login_input" type="text" name="user_name" required /><span class="linebreak"></span>
      <label for="login_input_password">Password</label>
      <input id="login_input_password" class="login_input" type="password" name="user_password" autocomplete="off" required /><span class="linebreak"></span>

      <span class="loginregister"><input type="submit"  name="login" value="Log in" /></span></form>

The Login Code
index.php

<?php

if (version_compare(PHP_VERSION, '5.3.7', '<')) {
    exit("Sorry, Simple PHP Login does not run on a PHP version smaller than 5.3.7 !");
} else if (version_compare(PHP_VERSION, '5.5.0', '<')) {
    // if you are using PHP 5.3 or PHP 5.4 you have to include the password_api_compatibility_library.php
    // (this library adds the PHP 5.5 password hashing functions to older versions of PHP)
    require_once("libraries/password_compatibility_library.php");
}

// include the configs / constants for the database connection
require_once("config/db.php");

// load the login class
require_once("classes/Login.php");

// create a login object. when this object is created, it will do all login/logout stuff automatically
// so this single line handles the entire login process. in consequence, you can simply ...
$login = new Login();

// ... ask if we are logged in here:
if ($login->isUserLoggedIn() == true) {
    // the user is logged in. you can do whatever you want here.
    // for demonstration purposes, we simply show the "you are logged in" view.
    include("views/logged_in.php");

} else {
    // the user is not logged in. you can do whatever you want here.
    // for demonstration purposes, we simply show the "you are not logged in" view.
    include("views/not_logged_in.php");
}

classes/Login.php

<?php

/**
 * Class login
 * handles the user's login and logout process
 */
class Login
{
    /**
     * @var object The database connection
     */
    private $db_connection = null;
    /**
     * @var array Collection of error messages
     */
    public $errors = array();
    /**
     * @var array Collection of success / neutral messages
     */
    public $messages = array();

    /**
     * the function "__construct()" automatically starts whenever an object of this class is created,
     * you know, when you do "$login = new Login();"
     */
    public function __construct()
    {
        // create/read session, absolutely necessary
        session_start();

        // check the possible login actions:
        // if user tried to log out (happen when user clicks logout button)
        if (isset($_GET["logout"])) {
            $this->doLogout();
        }
        // login via post data (if user just submitted a login form)
        elseif (isset($_POST["login"])) {
            $this->dologinWithPostData();
        }
    }

    /**
     * log in with post data
     */
    private function dologinWithPostData()
    {
        // check login form contents
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Username field was empty.";
        } elseif (empty($_POST['user_password'])) {
            $this->errors[] = "Password field was empty.";
        } elseif (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {

            // create a database connection, using the constants from config/db.php (which we loaded in index.php)
            $this->db_connection = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);

            // change character set to utf8 and check it
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }

            // if no connection errors (= working database connection)
            if (!$this->db_connection->connect_errno) {

                // escape the POST stuff
                $user_name = $this->db_connection->real_escape_string($_POST['user_name']);

                // database query, getting all the info of the selected user (allows login via email address in the
                // username field)
                $sql = "SELECT user_name, user_email, user_password_hash
                        FROM users
                        WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                $result_of_login_check = $this->db_connection->query($sql);

                // if this user exists
                if ($result_of_login_check->num_rows == 1) {

                    // get result row (as an object)
                    $result_row = $result_of_login_check->fetch_object();

                    // using PHP 5.5's password_verify() function to check if the provided password fits
                    // the hash of that user's password
                    if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {

                        // write user data into PHP SESSION (a file on your server)
                        $_SESSION['user_name'] = $result_row->user_name;
                        $_SESSION['user_email'] = $result_row->user_email;
                        $_SESSION['user_login_status'] = 1;
                        print "<script type=\"text/javascript\">";
                        print "window.top.location.href='index.php'";
                        print "</script>";
                        exit;

                    } else {
                        $this->errors[] = "Wrong password. Try again.";
                    }
                } else {
                    $this->errors[] = "This user does not exist.";
                }
            } else {
                $this->errors[] = "Database connection problem.";
            }
        }
    }

    /**
     * perform the logout
     */
    public function doLogout()
    {
        // delete the session of the user
        $_SESSION = array();
        session_destroy();
        // return a little feeedback message
        $this->messages[] = "You have been logged out.";

    }

    /**
     * simply return the current state of the user's login
     * @return boolean user's login status
     */
    public function isUserLoggedIn()
    {
        if (isset($_SESSION['user_login_status']) AND $_SESSION['user_login_status'] == 1) {
            return true;
        }
        // default return
        return false;
    }
}

The not_logged_in.php file (logged_in.php is similar, just the form cannot be changed from display:none as the link used to do that changes to a logout link:

<?php
// show potential errors / feedback (from login object)
if (isset($login)) {
    if ($login->errors) {
        foreach ($login->errors as $error) {
            echo $error;
        }
    }
    if ($login->messages) {
        foreach ($login->messages as $message) {
            echo $message;
        }
    }
}
?>

<html>
<head>
<meta charset="utf-8">
<title>Untitled Document</title>
<link href="styles/main.css" rel="stylesheet" type="text/css">
<meta name="viewport" content="device-width, initial-scale=1, maximum-scale=1">
<script type="text/javascript">
function showForm(){
    document.getElementById('login').style.display = "block";
}

function hideForm(){
    document.getElementById('login').style.display = "none";
}
</script>
</head>

<body>
<header>
<div class="logo" id="logo">
<a href="#">Website Title</a>
</div>
<?php include("navigation.php"); ?>
</header>
<div id="login" class="login" style="display:none">
<div id="forms" class="forms">
<form method="post" action="index.php" name="loginForm" id="loginForm">
      <label for="login_input_username">Username</label>
      <input id="login_input_username" class="login_input" type="text" name="user_name" required /><span class="linebreak"></span>
      <label for="login_input_password">Password</label>
      <input id="login_input_password" class="login_input" type="password" name="user_password" autocomplete="off" required /><span class="linebreak"></span>

      <span class="loginregister"><input type="submit"  name="login" value="Log in" /></span></form><form action="#"><span class="loginregister"><input type="submit" value="Register"></span></form>


</div>
</div>

Answer 1

After OP used error reporting, as I suggested in comments:

"Right away, after adding it to the index.php page and loading up I got: Warning: session_start(): Cannot send session cache limiter - headers already sent, I also get a similar one on mobile that says session cookie headers in place of session cache limiter. – radiocaf"

Your index.php file (and possibly other files) is throwing you that warning because you might have your HTML form on top of PHP, or a space, or cookie, or even a BOM (byte order mark).

• Reference on BOM: https://en.wikipedia.org/wiki/Byte_order_mark

Your files' encoding may contain a byte order mark, which is often the leading cause to a headers sent warning. The UTF-8 encoding lets you save files as "with" or "without" the byte order mark; you need to save them as "without BOM".

That is considered as output, as are spaces before an opening <?php tag, or a cookie etc.

To check what the file's encoding is, you can check inside a code editor's options under the encoding option.

One of which is Notepad++ https://notepad-plus-plus.org/ and there are others also.

Place your PHP first, then your form if that is the case.

Consult the following on Stack about that warning:

• Warning: Cannot modify header information - headers already sent by ERROR

Additionally, a quick fix would be to use ob_start(); at the top of your PHP files.

• http://php.net/manual/en/function.ob-start.php

I.e.:

<?php 
ob_start();
// rest of your PHP
?>

then your HTML

or

<?php 
ob_start();
?>

• then your HTML

• then the rest of your PHP/SQL.

Plus, as originally stated in comments:

" these '" . $user_name . "' contain spaces and may be interpreted as extra spaces being added. Try to remove them '" .$user_name. "' or '".$user_name."'"

Answer 2

I've noticed in the Login.php script that there is a line of code elseif (isset($_POST["login"])) { but none of the form elements have the name "login" other than the submit button, do you guys reckon that could be an issue?

This is not the issue. If the submit button has the name 'login', it is posted as 'login', so this is set.

The PHP changes Fred recommends in his comments I would follow- though it wouldn't make sense that these would impact the mobile users only. More likely, this has to do with how the session is being saved.

Does the redirect to index.php work for mobile? If so, can you var_dump($_SESSION); at the top of index.php and see what it says on mobile after you attempt to login?