Custom Login Page Logic


Lance O.

I have a custom login page where a user should be directed to a members only page when the form is submitted and the user has been validated. What is wrong with my logic in the code below? Regardless of the user's role, the user is never authenticated and displays as a guest.

if ( $input->post->user || $input->post->pass ) {
    // user submitted the login form

    if ( $session->login($input->post->user, $input->post->pass) ) {
        // user was authenticated and logged in
        // user has "admin" or "superuser" role
		foreach ($user->roles as $role) {
			$content .= $role->name . "<br/>";
		}
    } else {
        // user is not authenticated
        // user is "guest"
		foreach ($user->roles as $role) {
			$content .= $role->name . "<br/>";
		}
    }

} elseif ( $input->get->logout ) {
    // page was accessed with ?logout=1 GET variable, so log them out
    $session->logout();
    $content = $form;

} else {
    // user arrived at login page for first time
    $content = $form;
}

 


11 hours ago, Lance O. said:

[...]

if ( $session->login($input->post->user, $input->post->pass) ) {

[...]

The login function returns a user object on successful login or null on failure.

You need to check this returned user object for roles:

[...]

$loggeduser = $session->login($input->post->user, $input->post->pass);
// login() returns null on failure, so test for that before calling a method on it
if ( $loggeduser && $loggeduser->isLoggedIn() ) {
	// user was authenticated and logged in
	// user has "admin" or "superuser" role
	foreach ($loggeduser->roles as $role) {
		$content .= $role->name . "<br/>";
	}
}

[...]

 

PS: do not forget to sanitize your input.

  • Like 5
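
A complete login handler along the lines of the answer above, as an added example that is not code from the thread or from ProcessWire itself. It uses the object returned by `$session->login()`, handles the null returned on failure, sanitizes the user name, and redirects to the members page. The `/members/` URL, the error text and the `$error` variable are assumptions; `$form` and `$content` are the variables from the question.

```php
<?php namespace ProcessWire;
// Added example, not code from the thread.
// Assumed: the members page lives at /members/, and $form holds the login form markup.

$error = '';

if ($input->get->logout) {
    // page was accessed with ?logout=1, so log the user out
    $session->logout();
    // reload without the GET variable; the next request runs as guest
    $session->redirect($page->url, false);
}

if ($input->post->user || $input->post->pass) {
    // User names follow page-name rules, so pageName() is the matching sanitizer.
    $name = $sanitizer->pageName($input->post->user);
    // The password is passed on unchanged: sanitizing it would alter it.
    $pass = (string) $input->post->pass;

    // login() returns the User object on success and null on failure.
    $loggedUser = null;
    if ($name !== '' && $pass !== '') {
        $loggedUser = $session->login($name, $pass);
    }

    if ($loggedUser && $loggedUser->isLoggedIn()) {
        // Work with the returned object, not the $user variable the
        // question's code read. Redirecting also means the members page is
        // rendered in a new request that starts with the logged-in user.
        $session->redirect('/members/', false); // assumed URL, 302 redirect
    }

    // One message for every failure, so the response does not reveal
    // whether the user name or the password was wrong.
    $error = 'Login failed.';
}

// Show the form on first visit and after a failed attempt.
$content = $form;
if ($error !== '') {
    $content = '<p>' . $sanitizer->entities($error) . '</p>' . $form;
}
```

The members page template still needs its own access check (template access settings or an `isLoggedIn()` test), because the redirect alone does not protect it.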