
Thread: Secure PHP Login Script in PHP5

  1. #1
    Join Date
    Apr 2009
    Posts
    460

    Secure PHP Login Script in PHP5

    I need a secure login script in PHP 5. I am looking for a code example, maybe some GPL app that uses the latest PHP and a very secure way to log in. Can you tell me if this PHP login script is secure?


    check_login.php
    PHP Code:
    <?php

    session_start();
    include('config.php');

    // trim() returns the trimmed string; assign the result instead of discarding it
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);

    // note: the character class admits an apostrophe, and $username is not escaped before it is placed in the query below
    if (!preg_match("/^[-a-z0-9 ']{4,12}+$/i", $username)) {
        echo "Username error";
        exit();
    }

    sqlconnect();
    $sqlquery = mysql_query("SELECT * FROM users WHERE username = '$username' AND password = '" . md5($password) . "'");

    if (mysql_num_rows($sqlquery) > 0) {
        session_regenerate_id();
        $sqldata = mysql_fetch_assoc($sqlquery);
        $_SESSION['USERID'] = $sqldata['userid'];
        $_SESSION['LOGGEDIN'] = true;
        session_write_close();
        header("Location: members.php");
        exit();
    } else {
        echo "login error";
        // debug output: the submitted password and its md5 are written back to the browser
        echo $password;
        echo md5($password);
    }
    ?>

    members.php

    PHP Code:
    <?php

    session_start();

    // the original used a single '=' here, which assigned false to LOGGEDIN instead of comparing it
    if (empty($_SESSION['LOGGEDIN']) || empty($_SESSION['USERID'])) {
        include('header.php');
        echo "<p>Please login before playing.</p>\n";
        include('footer.php');
        exit();
    }

    include('header.php');

    ?>
    If it is not, please give me some code example.

  2. #2
    Join Date
    Oct 2005
    Posts
    2,393

    Re: Secure PHP Login Script in PHP5

    The first bit seems fine as you do a regex for alphanumerics. I think you need to store the username and md5(password) inside the session also so it can be revalidated. Your DB should absolutely limit the ability to store a non-unique user name, but this is good practice anyway. Use a UNIQUE constraint on your `username` field.

    NEVER store the password in the session. It's too easy to hijack session data on a shared server. If a person hijacks the session and sets "loggedin=true" and makes up a user id, which could be 1, as your user id is likely to be just a number, they are in without having to ever get past your authentication SQL statement.

    Basically, this is the simplest secure login script to implement:
    PHP Code:
    <?php

    $username = md5($_POST["username"]);
    $passwd = md5($_POST["passwd"]);

    // mysql_connect() takes (host, user, password); the original had the arguments in the wrong order
    $handle = mysql_connect("mySQLHost", "user", "pass");
    mysql_select_db("yourdb", $handle);

    // both values are md5 hex digests, so neither can carry characters that alter the query
    $query = "SELECT r34ln4m3 FROM 1nside0ut WHERE
          md5(l0gn4m3)='$username' AND entryw41='$passwd'";

    $result = mysql_query($query, $handle);

    if (mysql_num_rows($result) != 0) {
          //mark as valid user
          header("Location: private.php");
          exit;
    }

    //if the code reaches this part then the login failed
    //wrong username/password

    header("Location: public.php");

    ?>
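    The two login checks above (post #1's check_login.php and the md5-of-both-fields variant in post #2) both rely on the mysql_* extension, which was removed in PHP 7.0, and on md5() for password storage. Below is an added example, not code from this thread, of the same login flow written for PHP 7.4+/8 with PDO prepared statements, password_hash()/password_verify(), and a session that holds only the user id. The SQLite in-memory database, the `users` table and the single account `alice` are constructed inside the file so it runs stand-alone; the function names are this example's own.

```php
<?php
// Added example (not from the thread): login check for PHP 7.4+/8.
// The SQLite in-memory database, the users table and the one account below
// are constructed here so the file runs stand-alone; in a deployment the DSN
// and credentials come from configuration.

declare(strict_types=1);

function openDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        userid INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    // constructed account: the stored value is a bcrypt hash, never the password itself
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);
    return $db;
}

/**
 * Returns the user id on success or null on failure. Username and password are
 * bound as parameters, so an apostrophe or SQL fragment in either is plain data.
 * An unknown user and a wrong password produce the same result, and
 * password_verify() runs in both cases so the timing does not tell them apart.
 */
function authenticate(PDO $db, string $username, string $password): ?int
{
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy-password-for-timing', PASSWORD_DEFAULT);

    $stmt = $db->prepare('SELECT userid, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    $hash = $row['password_hash'] ?? $dummyHash;
    $ok = password_verify($password, $hash);

    if ($row === false || !$ok) {
        return null;
    }
    return (int) $row['userid'];
}

/** Establishes the session for a logged-in user: fresh session id, user id only, no password. */
function startLoginSession(int $userid): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);   // drop the pre-login session id (fixation defence)
    $_SESSION['USERID'] = $userid;
    $_SESSION['LOGGEDIN'] = true;
}

// Stand-alone run with constructed credentials in place of $_POST.
// In a web request the caller would follow a non-null result with
// startLoginSession($userid) and a redirect.
$db = openDb();
var_dump(authenticate($db, 'alice', 'correct horse battery staple'));   // correct password
var_dump(authenticate($db, 'alice', 'wrong'));                          // wrong password
var_dump(authenticate($db, "alice' OR '1'='1", 'anything'));            // injection attempt is just a username
```

    The members.php check from post #1 stays as it is: it only needs `$_SESSION['USERID']` and `$_SESSION['LOGGEDIN']`, which this version sets, and nothing in the session can be used to reconstruct the password.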

  3. #3
    Join Date
    May 2008
    Posts
    2,389

    Re: Secure PHP Login Script in PHP5

    The logon might be secure, but once someone is logged in, they have the ability to place their own content on your web site. This could be due to an easy-to-guess password, a cookie that contains information that it should not, or even allows a value to be changed in it that says you are logged in - I believe that an early version of phpBB had a cookie that contained admin=0 and all you had to do was change this to a 1 to be an administrator...

    This is only an example bare structure suitable for online administration, if you want to have registered members you should add more columns.

    The schema is somewhat MySQL specific, I have yet to use another database other than MySQL and PostgreSQL but if you are using PostgreSQL you can convert the schema with the example script provided in my article Converting a database schema from MySQL to PostgreSQL.

    CREATE TABLE member (
    id int NOT NULL auto_increment,
    username varchar(20) NOT NULL default '',
    password char(32) binary NOT NULL default '',
    cookie char(32) binary NOT NULL default '',
    session char(32) binary NOT NULL default '',
    ip varchar(15) binary NOT NULL default '',
    PRIMARY KEY (id),
    UNIQUE KEY username (username)
    );

    The password and cookie fields are md5 hashes which are always 32 octets long. Cookie is the cookie value that is sent to the user if he/she requests to be remembered, session and ip are respectively the session id and the current IP of the visitor.

  4. #4
    Join Date
    Feb 2008
    Posts
    1,852

    Re: Secure PHP Login Script in PHP5

    To allow users to login you should build a web form, after validation of the form you can check if the user credentials are right with $user->_checkLogin('username', 'password', remember). Username and password should not be constants of course, remember is a boolean flag which if set will send a cookie to the visitor to allow later automatic logins.

    function _checkLogin($username, $password, $remember) {
        $username = $this->db->quote($username);
        $password = $this->db->quote(md5($password));
        $sql = "SELECT * FROM member WHERE " .
               "username = $username AND " .
               "password = $password";
        $result = $this->db->getRow($sql);
        if ( is_object($result) ) {
            $this->_setSession($result, $remember);
            return true;
        } else {
            $this->failed = true;
            $this->_logout();
            return false;
        }
    }

    The function definition should be placed inside the User class definition, as should all the code that follows. The function uses PEAR::DB's quote method to ensure that data that will be passed to the database is safely escaped. I've used PHP's md5 function rather than MySQL's because other databases may not have that.

  5. #5
    Join Date
    Jan 2008
    Posts
    1,521

    Re: Secure PHP Login Script in PHP5

    If the visitor requested it, a cookie will be sent to allow skipping the login procedure on each visit to the site. The following two methods are used to handle this situation.

    function updateCookie($cookie, $save) {
        $_SESSION['cookie'] = $cookie;
        if ($save) {
            $cookie = serialize(array($_SESSION['username'], $cookie) );
            // the PHP function is setcookie(); the original spelled it set_cookie()
            setcookie('mtwebLogin', $cookie, time() + 31104000, '/directory/');
        }
    }

    Checking Persistent Login Credentials

    If the user has chosen to let the script remember him/her then a cookie is saved, which is checked via the following method.

    function _checkRemembered($cookie) {
        // the cookie is client-controlled input; unserialize() is applied to it as posted,
        // with errors suppressed so a malformed cookie yields no username and no cookie value
        list($username, $cookie) = @unserialize($cookie);
        if (!$username or !$cookie) return;
        $username = $this->db->quote($username);
        $cookie = $this->db->quote($cookie);
        $sql = "SELECT * FROM member WHERE " .
               "(username = $username) AND (cookie = $cookie)";
        $result = $this->db->getRow($sql);
        if (is_object($result) ) {
            $this->_setSession($result, true);
        }
    }

    This function should not trigger any error messages at all. To make things more secure a cookie value is saved in the cookie not the user password. This way one can request a password for areas which require even higher security.

    Ensuring Valid Session Data


    function _checkSession() {
        $username = $this->db->quote($_SESSION['username']);
        $cookie = $this->db->quote($_SESSION['cookie']);
        $session = $this->db->quote(session_id());
        $ip = $this->db->quote($_SERVER['REMOTE_ADDR']);
        $sql = "SELECT * FROM member WHERE " .
               "(username = $username) AND (cookie = $cookie) AND " .
               "(session = $session) AND (ip = $ip)";
        $result = $this->db->getRow($sql);
        if (is_object($result) ) {
            $this->_setSession($result, false, false);
        } else {
            $this->_logout();
        }
    }

    We check whether the cookie saved in the session, the session id and the IP address of the visitor are right. The call to setSession is made with a parameter to let it know that this is not the first login to the system, and thus not to update the IP and session id, which would be useless anyway.
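    The remember-me and session checks in posts #4 and #5 store a random cookie value in the `cookie` column of post #3's `member` table and bind the session id and IP to the account. The following is an added example, not code from this thread, of the same three steps (issue the cookie, resolve it, check the bound session) written for PHP 7.4+/8 with PDO. Two things differ from the posted methods: the cookie carries a fixed-format `selector:validator` pair instead of a serialize()d array, so no unserialize() runs on client input, and the table stores only sha256(validator), so a copy of the table does not yield working cookies. The SQLite in-memory database, the `selector` column, the account and the session/IP values are constructed here; the cookie name and lifetime are the ones from post #5.

```php
<?php
// Added example (not from the thread): remember-me cookie and session binding for
// PHP 7.4+/8 on a member table modelled on post #3 (cookie, session, ip columns),
// plus a constructed `selector` column. Database and account are built in memory.

declare(strict_types=1);

const COOKIE_NAME = 'mtwebLogin';     // name used in post #5
const COOKIE_LIFETIME = 31104000;     // 360 days, as in post #5

function openMemberDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE member (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        password TEXT NOT NULL,
        selector TEXT NOT NULL DEFAULT '',
        cookie TEXT NOT NULL DEFAULT '',     -- sha256 of the cookie validator, hex
        session TEXT NOT NULL DEFAULT '',
        ip TEXT NOT NULL DEFAULT '')");
    $db->prepare('INSERT INTO member (username, password) VALUES (?, ?)')
       ->execute(['alice', password_hash('secret', PASSWORD_DEFAULT)]);   // constructed account
    return $db;
}

/** Issues a remember-me token for $userId and returns the cookie value. */
function issueRememberToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(8));    // public lookup key (16 hex chars)
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored (64 hex chars)
    $db->prepare('UPDATE member SET selector = ?, cookie = ? WHERE id = ?')
       ->execute([$selector, hash('sha256', $validator), $userId]);
    $value = $selector . ':' . $validator;
    if (PHP_SAPI !== 'cli') {   // only a web request can set a cookie
        setcookie(COOKIE_NAME, $value, [
            'expires' => time() + COOKIE_LIFETIME, 'path' => '/directory/',
            'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
    }
    return $value;
}

/** Resolves a remember-me cookie to a user id, or null if absent, malformed or wrong. */
function checkRemembered(PDO $db, ?string $cookieValue): ?int
{
    // fixed format, validated up front: no unserialize() of client data
    if ($cookieValue === null || !preg_match('/^([0-9a-f]{16}):([0-9a-f]{64})$/', $cookieValue, $m)) {
        return null;
    }
    [, $selector, $validator] = $m;
    $stmt = $db->prepare('SELECT id, cookie FROM member WHERE selector = ?');
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // hash_equals(): constant-time comparison of the stored hash with the presented one
    if ($row === false || !hash_equals($row['cookie'], hash('sha256', $validator))) {
        return null;
    }
    return (int) $row['id'];
}

/** First-login step of post #5's _setSession: record the session id and client IP. */
function bindSession(PDO $db, int $userId, string $sessionId, string $ip): void
{
    $db->prepare('UPDATE member SET session = ?, ip = ? WHERE id = ?')
       ->execute([$sessionId, $ip, $userId]);
}

/** Post #5's _checkSession: true only while session id and IP still match the stored ones. */
function checkSession(PDO $db, int $userId, string $sessionId, string $ip): bool
{
    $stmt = $db->prepare('SELECT 1 FROM member WHERE id = ? AND session = ? AND ip = ?');
    $stmt->execute([$userId, $sessionId, $ip]);
    return $stmt->fetchColumn() !== false;
}

// Stand-alone run with constructed values in place of $_COOKIE, session_id() and REMOTE_ADDR
$db = openMemberDb();
$cookie = issueRememberToken($db, 1);
var_dump(checkRemembered($db, $cookie));                               // issued cookie
var_dump(checkRemembered($db, 'a:b'));                                 // malformed cookie
$last = substr($cookie, -1);
var_dump(checkRemembered($db, substr($cookie, 0, -1) . ($last === '0' ? '1' : '0')));   // tampered validator
bindSession($db, 1, 'sess-constructed-1', '203.0.113.5');
var_dump(checkSession($db, 1, 'sess-constructed-1', '203.0.113.5'));    // matching session and IP
var_dump(checkSession($db, 1, 'sess-constructed-1', '198.51.100.7'));   // IP changed
```

    As in post #5, what the cookie carries is a random value rather than the password, so a captured cookie can be revoked by clearing the `selector` and `cookie` columns without touching the password. Binding the IP, as the thread's _checkSession does, will log out users whose address changes mid-session (mobile networks, proxies), so treat it as a choice rather than a given.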

  6. #6
    Join Date
    May 2009
    Posts
    1

    Re: Secure PHP Login Script in PHP5

    I have a question about the method I've been using to validate users.

    I store the username the user has entered + md5 password in a session cookie thing...

    And every time a private page loads, a function at the beginning of the page validates the user, by grabbing the password from the database where username = username...

    If the password doesn't match, the page echoes "restricted area".. IF the passwords match, it continues to load / display the private data.

    Each private page does this for every page load... So am I effectively making it secure? Or is it really easy to bypass?

  7. #7
    Join Date
    Sep 2010
    Posts
    1

    Re: Secure PHP Login Script in PHP5

    If you want more security for a PHP login check out:
    loginguard.net

  8. #8
    annyphp Guest

    Re: Secure PHP Login Script in PHP5

    Several operations are possible and HTML forms are generated for user authentication and account management.

    Currently PHP Login Script can register a new account, activate registered accounts, authenticate a user and start a session, end a logged-in user's session, and change the user's password or e-mail address.
    You can check more PHP login scripts at PHPKode

  9. #9
    annyphp Guest

    Re: Secure PHP Login Script in PHP5

    Quote Originally Posted by loginguard View Post
    If you want more security for a PHP login check out:
    loginguard.net
    Recommended: Log Limiter0.2
    Check out more free php login script
    Last edited by Kunal; 20-12-2010 at 10:24 AM. Reason: External Linking is not allowed
