Going through and making sure everything is secure, I think I found a flaw.
There is no need for:
if ($_SERVER['REQUEST_METHOD'] == 'POST')
for it's redundant and poses a security issue - never trust $_SERVER.
All you have to do is this:
// Validate the form data:
if ($form->validate()) {
    // Check against the database (prepared statement: the username is bound, not interpolated):
    $query = 'SELECT id, userType, username, email, pass FROM users WHERE username=:username';
    $stmt = $pdo->prepare($query);
    $result = $stmt->execute(array(':username' => $username->getValue()));
    // Try to fetch the results:
    $user = false;
    if ($result) {
        $stmt->setFetchMode(PDO::FETCH_CLASS, 'Member');
        $user = $stmt->fetch(); // false when no row matched the username
    }
    // Verify stored hashed password (only when a user was found, otherwise $user->pass would be read on false):
    $result = ($user !== false) && password_verify($password->getValue(), $user->pass);
    // Store the user in the session and redirect:
    if ($result) {
        // Store in a session:
        $_SESSION['user'] = $user;
        // Redirect:
        header("Location: index.php");
        exit;
    }
} // End of form validation IF.
I have been testing this thoroughly and it works.
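As an added example (not the poster's code, and not from any project the post refers to), here is a complete login check using the same PDO prepared statement and password_verify() pattern. It assumes an in-memory SQLite database with constructed sample data so it runs stand-alone; the `authenticate()` and `startUserSession()` function names, the dummy hash, and the sample user are all assumptions for this example. It also handles the case the posted snippet missed (no matching user) without short-circuiting the hash check, drops the hash before storing the user in the session, and regenerates the session id on login.

```php
<?php
// Added example, not the poster's code: a full login check on the same
// prepared-statement + password_verify() pattern, runnable offline.
declare(strict_types=1);

// Constructed sample database so the example runs without a real server.
function buildSampleDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, userType TEXT, '
             . 'username TEXT UNIQUE, email TEXT, pass TEXT)');
    $ins = $pdo->prepare('INSERT INTO users (userType, username, email, pass) '
                       . 'VALUES (:t, :u, :e, :p)');
    $ins->execute([
        ':t' => 'member',
        ':u' => 'alice',                       // constructed sample user
        ':e' => 'alice@example.com',
        ':p' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ]);
    return $pdo;
}

// Returns the user row (without the password hash) on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?array {
    $stmt = $pdo->prepare('SELECT id, userType, username, email, pass '
                        . 'FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no such user

    // Run password_verify() even for an unknown user so the response time
    // does not reveal whether the username exists. The dummy hash is a
    // placeholder generated once per process (assumption for this example).
    static $dummyHash = null;
    $dummyHash ??= password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $hash = $user ? $user['pass'] : $dummyHash;

    if (!password_verify($password, $hash) || !$user) {
        return null;
    }
    // Upgrade the stored hash if the default algorithm or cost has changed.
    if (password_needs_rehash($user['pass'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET pass = :p WHERE id = :id');
        $upd->execute([
            ':p'  => password_hash($password, PASSWORD_DEFAULT),
            ':id' => $user['id'],
        ]);
    }
    unset($user['pass']);   // never keep the hash in the session
    return $user;
}

// Session handling after a successful login.
function startUserSession(array $user): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // new id on privilege change (session fixation)
    $_SESSION['user'] = $user;
}

$pdo = buildSampleDb();
$ok = authenticate($pdo, 'alice', 'correct horse battery staple');
if ($ok !== null) {
    startUserSession($ok);
}
printf("valid login: %s\n", $ok !== null ? 'accepted' : 'rejected');
printf("wrong password: %s\n", authenticate($pdo, 'alice', 'wrong') === null ? 'rejected' : 'accepted');
printf("unknown user: %s\n", authenticate($pdo, 'nobody', 'whatever') === null ? 'rejected' : 'accepted');
```

The check `!password_verify(...) || !$user` is ordered so the hash comparison always executes before the user test; swapping the operands would let the unknown-user path return early and reintroduce the timing difference.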