prepare(" SELECT u.*, a.company_name, a.account_code FROM mt_users u JOIN mt_accounts a ON a.account_id = u.account_id WHERE u.email = ? AND u.is_active = 1 AND a.is_active = 1 LIMIT 1 "); $stmt->execute([$email]); $user = $stmt->fetch(); if ($user && password_verify($password, $user['password_hash'])) { // Build session session_regenerate_id(true); // prevent session fixation $_SESSION['user_id'] = $user['user_id']; $_SESSION['account_id'] = $user['account_id']; $_SESSION['user_name'] = $user['first_name'] . ' ' . $user['last_name']; $_SESSION['user_role'] = $user['role']; $_SESSION['user_initials']= strtoupper(substr($user['first_name'],0,1) . substr($user['last_name'],0,1)); $_SESSION['account_name'] = $user['company_name']; $_SESSION['account_code'] = $user['account_code']; $_SESSION['user_email'] = $user['email']; // Record last login $pdo->prepare("UPDATE mt_users SET last_login_at = NOW() WHERE user_id = ?") ->execute([$user['user_id']]); // Admins go to staff panel, everyone else to customer portal if ($user['role'] === 'admin') { header('Location: staff/dashboard.php'); } else { header('Location: track.php'); } exit; } else { // Vague message on purpose — don't reveal whether email exists $error = 'Invalid email address or password. Please try again.'; } } } ?> Log In — MaxTrack