PHP Login Script « Post Topic - Open For Discussion

PHP Login Script

(20 posts) (7 voices)

Started 1 year ago by Chad Smith
Latest reply from gibsongk55

Tags:

phpMyLogin

Several sites I made required some kind of authentication using PHP, but since the sites were entirely custom coded - and needed to be to serve their purpose - I was unable to use a CMS just to have user registration and sign-ins.

The enclosed code is a PHP script I came up with to enable secure logins on any site it's dropped into. Some configuration is required, but as you will see, it's fast, secure, easy to set up, and most of all gets the job done.

This version uses MySQL to read and write user information. If you ask nicely, I might add the same functionality back into the initial SQLite version.

Requirements

- PHP5+
- MySQL Database
- Apache
    - mod_rewrite enabled

View the README file (it's in the zip) for instructions on installing and configuring the script for your site.

Contents

example
    .htaccess - .htaccess file (place in root or add contents to your own)
    auth.php - example page that requires authentication
    change.php - example change/recover password page
    index.php - example index page
    login.css - example stylesheet (place in root or add to your own stylesheet)
    login.php - example login page
    manage.php - example change email page (requires authentication)
    signup.php - example registration page
root
    config.php - configuration file
    includes
        templates
            email
                activation.php - activation/welcome e-mail sent to new users
                change-password.php - change password e-mail sent to users
                html-dtd.php - valid xhtml 1.0 for html e-mails (can be modified
                to effect all emails)
                login-notification.php - user login notification sent to the site admin
                signup-notification.php - new user notification sent to the site admin
            forms
                change-email.php - the change e-mail form
                change-password.php - the new password form (used after e-mail link is
                clicked)
                login.php - the login form
                recover-password.php - the password recovery form
                signup.php - exactly what you think it is
    common.php - common functions, edit this code first
    db.functions.php - the database class, standalone at ezdb.org
    extend.php - set of plugin & notification functions, edit this code second
    functions.php - the main functions for the login system
    plugin.functions.php - functions for action handling and plugins (borrowed from
    wordpress)
CHANGELOG - list of version changes
COPYING - license details
README - the thing you're reading

Features

Authentication using PHP and MySQL
Expiring nonces to deter spam and session hijacking
Salted passwords and sessions
Secured against SQL Injection
Built in change password, e-mail address, & password recovery
Account activation & user registration notification
User meta for profiles or additional data
Extendable using plugins
Easily integrates into other services
Easy to use templating system for customizing forms and e-mails
Valid XHTML 1.0 Strict

Demo

Download

Donate

Summary

I initially wrote my own login script so I could fix all the bugs and security flaws of the scripts that already exist, and so there would be something that can easily be extended using plugins.

If you find any bugs or have any questions, let me know. The next things I am working on for this include plugns for profiles and analytics, and OAuth and OpenID versions. The script as is provides a secure system of login, registration, and account management.

Posted 1 year ago #

Chad Smith
Admin
The script just received it's first update which includes additional features.

New in Build 20090107211851
- The name of the session cookie can now be customized (was PHPSESSID)
- Added action hooks to enable basic plugin capabilities and callbacks when an action takes place
Most people probably have no idea what either of these are, but they are fairly important to the future of the script.

The user session now has a distinct name, which separates it from other scripts on your server and customizes the cookie name, just in case anyone should look at what you called it.

Action hooks are something Wordpress uses to allow plugins and filters to fire when a particular action takes place, such as a new blog post, comment, or pingback. On this script they do the same thing, but fire when a user registers, logs in, and logs out.

Additional hooks can be added manually for now, and eventually will be set to register when a file is placed in the plugin folder.
Posted 1 year ago #
rizzy
Member

Will a future version have a "remember me" feature when logging in?

If not I am going to try and hack at the code to see if I can get it. If you are going to have a feature like this I am just going to wait because I know your implementation of it will be a lot better than what I can come up with.

Posted 1 year ago #
Chad Smith
Admin

I plan on adding it to a future version, but I'm not sure when. "Remember Me" sessions tend to be easy to hijack and need a little extra security which is why it was not included in this version.

Posted 1 year ago #
rizzy
Member

That is what I thought. I probably won't mess with it at all because of those security reasons. Thanks for the response. I look forward to the future updates to your class.

Posted 1 year ago #
Chad Smith
Admin

I am just about finished with the MySQL version of the script, but need a few people to test it. Check it out on phpMyLogin if you are interested.

Posted 1 year ago #
Chad Smith
Admin

A trial of the remember me feature has been added to the script currently running on phpMyLogin. I am hoping to release the MySQL version and an update to the SQLite version later this week.

Posted 1 year ago #
sull
Member

i'd like to try out the latest mysql version. is their an url avail? thanks.

Posted 11 months ago #
martin
Member

wow took me too much effort to sign in here (openID didn't work, registering everywhere sucks)

anyways:

2 things:
you might want to add that you need to make sure that the directory containing the users.db file is writable; even if the file is writable, PDO will complain that it can't open the database if the directory is not writable

you didn't have any checks for people making duplicate accounts:

$q=$db->prepare("SELECT id FROM users WHERE email=?");
$q->execute(array($email));
if ($q->fetchColumn()!=0)
$this->fail("There is already an account registered to ".$email);

if you put that in signup function wherever you want it will keep people from registering for multiple accounts with the same email address;

you also might want to change the php files so they don't have absolute addresses; I was not in the root folder of my site and had to fix it so css pointed to "./" instead of "/" just a small thing

Posted 11 months ago #
Chad Smith
Admin

Sorry Martin, it appears the OpenID plugin I use isn't working properly. I am hoping bbPress releases an update soon.

The initial version of the login script was set to check for duplicate e-mails, but removed it after running into an issue where it still allowed you to change your e-mail, register and activate a new account using the same one, and then confirm the e-mail on the first account.

I debated for a while adding additional checks in the code, but essentially it came down to either removing it or creating an entirely new system where forgotten or unactivated accounts are automatically removed.

I will be packaging up the MySQL version for release when I get the chance. It still has the URL issues in the CSS, but fixes it where the database is locked on certain actions (when using plugins) and when write access is not allowed to the folder.

Posted 11 months ago #
martin
Member

Chad, thanks

I needed the additional code, and I am removing the email changing as well. I also added a field to users table for last login, and I might add another for IP address recording. otherwise thanks for the code.

Posted 11 months ago #
martin
Member

it's also considerate to put focus on the login form on load:

you have to add name="loginform" to the 2nd line of the login_form() function

"\t\t".'<script language="JavaScript">'."\n".
"\t\t".'document.loginform.name.focus();'."\n".
"\t\t".'</script>'."\n";

Posted 11 months ago #
Chad Smith
Admin
The MySQL version of the script was just uploaded which includes a near complete rewrite, a templating system for notification e-mails and the login forms, enhanced plugin capabilities, "remember me" functionality, usermeta for custom plugins and profiles, and a whole bunch of other things I can't remember right now.

New in Build 20090430000000
- Initial MySQL release
- Code rewrite
- Added template system for e-mails and forms
- Enhanced plugin capabilities
Documentation on the changes and plugin system will be added over the next few days. You can see the script in action on nocart.com, imagepng.com, nsfw.it, and a very large client project I am about to complete.
Posted 10 months ago #
jurry
Member

Hi there, thanks for the nice script.
There is only 1 problem i'm struggling with.
When i log in with the "remember" button, sometimes it's loggod out by itsself.
At line 120 i've replaced the line in "setcookie($config['site']['remember'],time()+12604800);" but sometimes it stay logged in for 1 day and another day it stay's for 3 days.

Posted 9 months ago #
Chad Smith
Admin

Most likely your IP is changing. It does the same thing when I'm on my laptop and go from work to home. The script does that to make sure the remember me session isn't hijacked.

Posted 9 months ago #
macCesar
Member

Hi there, very nice and useful script!!!

But I'm having problems with the Change Password example.

I've received the email with the 'instructions' to change the password, but if I click the link to change it, the 'change' page comes up asking me again for the user but the form is plain with no css formating, and no way to change any password.

the link is something like this:

http://www.myowndomain.com/example/change/6596b5851eb88b8d735eaaf5be88eb9c

Also...There is no 'activate' sample... So What do I need to do to activate the account???

I've created the page with a call to the activate() function, but the account is not activated!!!!!

Thanks!!!!! and sorry for my english.

Posted 7 months ago #
macCesar
Member

The only way to activate the account was by manually putting " .php?activate= " between the name of the page (activate) and the activation key, replacing the / symbol.

That means that my server configuration is wrong to handle URLs???

I don't have access to the file .htaccess, well I don't know!!!!.. I'm hosting my pages on GoDaddy Shared Servers.

Posted 7 months ago #
Chad Smith
Admin

The example HTML files were hardcoded to /style.css and so on, which goes back to the root directory rather than a subfolder. You will have to remove the / if you use it in a subdirectory.

As for the .htaccess file, Apache and mod_rewrite are required to run the script as is.

If you are on a Linux shared hosting account (that's what I use) it will work just fine. Otherwise if you are on GoDaddy's Windows hosting, you will have to change the activation page in the config from /activate to index.php?activate=

Posted 7 months ago #
gibsongk55
Member

What about databases? Do you suggest using a separate database for login and passwords or combine it with the sites database just different tables?

Thanks,

Gibs

Posted 1 month ago #
gibsongk55
Member

Hi

Just installed the script. I receive an email that a new user signed up. But the activation email is never received. Tried it many times. I don't see anymore in your config or setup to provide a path for the send mail or whatever function you use.

Thanks,

Gibs

Posted 1 month ago #

RSS feed for this topic

Reply

You must log in to post.