Build complete login/logout system using sessions

complete working login/logout system using PHP sessions for you in the canvas.

Before you use it, here are a few important improvements you should make (this matters in real projects):

---

⚠️ Fix These (Important)

1. SQL Injection Risk
   Right now queries use direct variables. Use prepared statements:

$stmt = $conn->prepare("SELECT * FROM users WHERE username=?");
$stmt->bind_param("s", $username);

---

2. Separate Files (Best Practice)
   Instead of one file, split like this:

• config.php → DB connection
• register.php → Register form
• login.php → Login
• dashboard.php → Protected page
• logout.php → Destroy session

---

3. Protect Dashboard Page
   In dashboard.php:

session_start();
if (!isset($_SESSION['user'])) {
    header("Location: login.php");
    exit();
}

---

4. Add Session Timeout (Security)

if (isset($_SESSION['last_activity']) && 
   (time() - $_SESSION['last_activity'] > 1800)) {
    session_destroy();
}
$_SESSION['last_activity'] = time();

---

5. Use HTTPS in real projects
   Sessions without HTTPS = easy to hack.

<?php
// ================= CONFIG =================
$host = "localhost";
$user = "root";
$pass = "";
$db   = "test_db";

$conn = new mysqli($host, $user, $pass, $db);
if ($conn->connect_error) {
    die("Connection failed: " . $conn->connect_error);
}

session_start();

// ================= REGISTER =================
if (isset($_POST['register'])) {
    $username = $_POST['username'];
    $password = password_hash($_POST['password'], PASSWORD_DEFAULT);

    $sql = "INSERT INTO users (username, password) VALUES ('$username', '$password')";
    if ($conn->query($sql)) {
        echo "Registered successfully <a href='login.php'>Login</a>";
    } else {
        echo "Error: " . $conn->error;
    }
}

// ================= LOGIN =================
if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $sql = "SELECT * FROM users WHERE username='$username'";
    $result = $conn->query($sql);

    if ($result->num_rows > 0) {
        $row = $result->fetch_assoc();

        if (password_verify($password, $row['password'])) {
            session_regenerate_id(true);
            $_SESSION['user'] = $row['username'];
            header("Location: dashboard.php");
            exit();
        } else {
            echo "Invalid Password";
        }
    } else {
        echo "User not found";
    }
}

// ================= LOGOUT =================
if (isset($_GET['logout'])) {
    session_unset();
    session_destroy();
    header("Location: login.php");
    exit();
}
?>

<!-- ================= REGISTER FORM ================= -->
<h2>Register</h2>
<form method="POST">
    <input type="text" name="username" placeholder="Username" required><br><br>
    <input type="password" name="password" placeholder="Password" required><br><br>
    <button name="register">Register</button>
</form>

<!-- ================= LOGIN FORM ================= -->
<h2>Login</h2>
<form method="POST">
    <input type="text" name="username" placeholder="Username" required><br><br>
    <input type="password" name="password" placeholder="Password" required><br><br>
    <button name="login">Login</button>
</form>

<!-- ================= DASHBOARD ================= -->
<?php if (isset($_SESSION['user'])): ?>
    <h2>Welcome <?php echo $_SESSION['user']; ?></h2>
    <a href="?logout=true">Logout</a>
<?php endif; ?>

/* ================= DATABASE =================
CREATE DATABASE test_db;

USE test_db;

CREATE TABLE users (
    id INT AUTO_INCREMENT PRIMARY KEY,
    username VARCHAR(100) NOT NULL,
    password VARCHAR(255) NOT NULL
);
*/