Using the following simplified login form:
// login_form.php
<?php session_start(); ?>
<?php if ($_SESSION['isLoggedIn'] === false) : ?>
<form action="login.php" method="post">
<input type="password" name="password" />
<input type="submit" value="Login" />
</form>
<?php else: ?>
You're logged in!
<?php endif; ?>
// login.php
<?php
session_start();
$_SESSION['isLoggedIn'] = htmlspecialchars($_POST['password']) == "my secret";
header("Location: login_form.php");
I want to understand, if there is a downside using this “type” of login and I want to understand why the following is not working:
- Navigate to
login_form.phpwith a cleared session - Open devtools and create a session
isLoggedIn=truemanually - Refresh the page
- Result is not logged in