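<?php
declare(strict_types=1);

// Minimal login handler. On a valid POST it rotates the session ID, stores the
// authenticated user and redirects; any other request falls through to what
// follows the closing tag (presumably the login form — confirm in the full file).

/**
 * Compare submitted credentials with the expected ones.
 *
 * The demo credentials are hard-coded; a real application looks the user up
 * in its store and checks the password with password_verify() against a
 * stored hash. hash_equals() is used instead of === so comparison time does
 * not depend on how many leading characters match.
 *
 * @param mixed $username raw form value; may be absent (null) or a non-string
 * @param mixed $password raw form value; may be absent (null) or a non-string
 * @return bool true only when both username and password match
 */
function credentials_are_valid($username, $password): bool
{
    // Form fields arrive as strings; an array (name="username[]") or a missing
    // field (null) is rejected here rather than raising a TypeError below.
    if (!is_string($username) || !is_string($password)) {
        return false;
    }
    // Both comparisons always run (no short-circuit) so the response time does
    // not reveal which of the two fields was wrong.
    $usernameMatches = hash_equals('admin', $username);
    $passwordMatches = hash_equals('secret', $password);

    return $usernameMatches && $passwordMatches;
}

// SECURITY: cookie attributes must be set before the session starts.
// HttpOnly keeps the session ID out of reach of page scripts, SameSite=Lax
// stops the cookie being sent on cross-site POSTs, Secure is only set when the
// request itself came over HTTPS (array form requires PHP 7.3+).
session_set_cookie_params([
    'httponly' => true,
    'samesite' => 'Lax',
    'secure'   => !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off',
]);
session_start();

// `??` avoids an "undefined index" notice on CLI or when a field is omitted.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $username = $_POST['username'] ?? null;
    $password = $_POST['password'] ?? null;

    // Validate (check database in real app)
    if (credentials_are_valid($username, $password)) {
        // SECURITY: New session ID on login, so an ID an attacker planted in the
        // browser before login (session fixation) is not carried into the
        // authenticated session; `true` deletes the old session file.
        session_regenerate_id(true);
        // Store user in session
        $_SESSION['user_id'] = 1;
        $_SESSION['username'] = $username;
        // Redirect to protected page; exit so nothing below is sent to a
        // request that has already been redirected.
        header('Location: dashboard.php');
        exit;
    }
    // Wrong or malformed credentials: fall through and render the page below.
}
?>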