34943-vm/login_handler.php

<?php
session_start();
require_once 'db/config.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    header('Location: login.php');
    exit();
}

$email = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
$password = $_POST['password'] ?? '';

if (!$email || empty($password)) {
    header('Location: login.php?error=invalid');
    exit();
}

$pdo = db();

$stmt = $pdo->prepare("SELECT id, name, email, password, role FROM users WHERE email = ?");
$stmt->execute([$email]);
$user = $stmt->fetch(PDO::FETCH_ASSOC);

if ($user && password_verify($password, $user['password'])) {
    // Regenerate session ID to prevent session fixation
    session_regenerate_id(true);

    // Store user info in session
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['user_name'] = $user['name'];
    $_SESSION['user_email'] = $user['email'];
    $_SESSION['user_role'] = $user['role'];

    // Redirect based on role
    if ($user['role'] === 'restaurant_owner') {
        header("Location: dashboard.php");
    } elseif ($user['role'] === 'customer') {
        header("Location: customer_dashboard.php");
    } else {
        // For any other roles, or if role is not set, redirect to a generic page or show an error
        header("Location: index.php");
    }
    exit();
} else {
    header('Location: login.php?error=invalid');
    exit();
}