Several sites I made required some kind of authentication using PHP, but since the sites were entirely custom coded - and needed to be to serve their purpose - I was unable to use a CMS just to have user registration and sign-ins.

The enclosed code is a PHP script I came up with to enable secure logins on any site it's dropped into. Some configuration is required, but as you will see, it's fast, secure, easy to set up, and most of all gets the job done.

This version uses MySQL to read and write user information. If you ask nicely, I might add the same functionality back into the initial SQLite version.

Requirements

- PHP5+
- MySQL Database
- Apache
    - mod_rewrite enabled

View the README file (it's in the zip) for instructions on installing and configuring the script for your site.

Contents

example
    .htaccess - .htaccess file (place in root or add contents to your own)
    auth.php - example page that requires authentication
    change.php - example change/recover password page
    index.php - example index page
    login.css - example stylesheet (place in root or add to your own stylesheet)
    login.php - example login page
    manage.php - example change email page (requires authentication)
    signup.php - example registration page
root
    config.php - configuration file
    includes
        templates
            email
                activation.php - activation/welcome e-mail sent to new users
                change-password.php - change password e-mail sent to users
                html-dtd.php - valid xhtml 1.0 for html e-mails (can be modified
                to effect all emails)
                login-notification.php - user login notification sent to the site admin
                signup-notification.php - new user notification sent to the site admin
            forms
                change-email.php - the change e-mail form
                change-password.php - the new password form (used after e-mail link is
                clicked)
                login.php - the login form
                recover-password.php - the password recovery form
                signup.php - exactly what you think it is
    common.php - common functions, edit this code first
    db.functions.php - the database class, standalone at ezdb.org
    extend.php - set of plugin & notification functions, edit this code second
    functions.php - the main functions for the login system
    plugin.functions.php - functions for action handling and plugins (borrowed from
    wordpress)
CHANGELOG - list of version changes
COPYING - license details
README - the thing you're reading

Features

• Authentication using PHP and MySQL
• Expiring nonces to deter spam and session hijacking
• Salted passwords and sessions
• Secured against SQL Injection
• Built in change password, e-mail address, & password recovery
• Account activation & user registration notification
• User meta for profiles or additional data
• Extendable using plugins
• Easily integrates into other services
• Easy to use templating system for customizing forms and e-mails
• Valid XHTML 1.0 Strict

Demo

Download

Donate

Summary

I initially wrote my own login script so I could fix all the bugs and security flaws of the scripts that already exist, and so there would be something that can easily be extended using plugins.

If you find any bugs or have any questions, let me know. The next things I am working on for this include plugns for profiles and analytics, and OAuth and OpenID versions. The script as is provides a secure system of login, registration, and account management.