PHP Login Script

chadsmith · 01-06-2009, 03:03 PM

Several sites I am working on required some kind of authentication using PHP, but since the sites were entirely custom coded - and needed to be to serve their purpose - I was unable and unwilling to use a CMS just to have user registration and sign-ins.

The enclosed code is a PHP class I came up with to enable secure logins on any site it's dropped into. Some configuration is required, but as you will see, it's fast, secure, easy to set up, and most of all gets the job done.

This version uses PDO and SQLite3 to quickly read and write user information to an SQLite database, rather than requiring MySQL to be installed and setup.

Requirements

PHP5+ w/ PDO & PDO-SQLite enabled
Apache w/ mod_rewrite enabled

View the README file (it's in the zip) for instructions on installing and configuring the script for your site.

ZIP Contents

Code:

contrib
	users.sql - SQL used to build database (reference only)
example
	.htaccess - .htaccess file (place in root or add contents to your own)
	auth.php - example page that requires authentication
	change.php - example change/recover password page
	index.php - example index page
	login.css - example stylesheet (place in root or add to your own stylesheet)
	login.php - example login page
	manage.php - example change email page (requires authentication)
	signup.php - example registration page
root
	user.php - PHP login script thing
CHANGELOG - list of version changes
COPYING - license details
README - installation & config instructions
user.db - the database file (place on server above root)

Features

Authentication using PHP and SQLite
Expiring nonces to deter spam and session hijacking
Salted passwords and sessions
Secured against SQL Injection
Built in change password, e-mail address, & password recovery
Account activation & user registration notification
Extendable using plugins
Valid XHTML 1.0 Strict

Demo

Download

Source

Support
????: NamePros.com http://www.namepros.com/code/548502-php-login-script.html

Summary

I chose to write my own class rather than using a pre-made one so I could fix all the bugs and security flaws of the scripts that already exist, and so there would be something that works with SQLite.

Let me know if you come up with any bugs or questions. Things are in the works to make the script extendable (with plugins and such) to add features such as user tracking and profiles. The script as is provides a secure system of login, registration, and account management. When finished, I plan to make an OpenID and MySQL version as well.

chadsmith · 01-11-2009, 12:29 PM

I noticed several NP'ers have tested the script. Any comments or issues? Word from PHP Classes is it's been OK'd and will be added in next round of approvals.

Darkneoboi · 01-12-2009, 10:05 AM

Where would plug-ins come from?

chadsmith · 01-12-2009, 01:39 PM

Originally Posted by Darkneoboi

Where would plug-ins come from?

Easy answer, my site. I'm working on the first few right now. Otherwise, who ever uses the script can make plugins for it.

The first plugin-like addition is built into the script, which is the new user notification e-mail.

PHP Code:

  $this->add_action('signup',array('user','signup_notification')); 

????: NamePros.com http://www.namepros.com/showthread.php?t=548502

On my server I have a few others in place to run particular actions when users register, log in, and log out.

I will release them along a user profile plugin once I finish developing the plugin system. As mentioned in the changelog, I still have a few things to do before plugins are automatically activated. Right now they have to be manually added to the script.

If you want to test the script without signing up you are welcome to log in as test with the password testing. There is a secure page here that can only be viewed when you're logged in.

Dean · 01-16-2009, 04:30 AM

Thanks for this, will try it out. Was planning on using some sort of CMS just for the login too but this could change that.

EDIT: Download link not working.

chadsmith · 01-16-2009, 07:53 PM

Originally Posted by Dean

Thanks for this, will try it out. Was planning on using some sort of CMS just for the login too but this could change that.

EDIT: Download link not working.

Whoops. Sorry, I changed servers yesterday and forgot to move the zip. Fixed now. Let me know if you have any questions about it.
????: NamePros.com http://www.namepros.com/showthread.php?t=548502

jehnidiah · 01-16-2009, 08:30 PM

Great job, chad, thanks for yet another submission to the open source world.

chadsmith · 01-19-2009, 10:44 AM

The script was just approved on PHP Classes

Basile · 06-20-2009, 08:20 AM

Hello Chadsmith,

I didn't fully test the demo but observed that in case of password change, the pseudo seems to be asked as key.
I would like to apply the code for a script where the key for changing the password should be the permanent email address (the one for signing up).

Which set of changes should be done to adapt correctly the script (MySQL version)?

If my question is too noobish, please consider pm,
Kind regards
Basile

chadsmith · 06-20-2009, 10:44 PM

Hi Basile,

That's a good question. I am going to post the code for that on the support page for the script, since I'm sure others will be interested in it as well. I am out tonight, but hope to have something up for you by Monday.

CrackFeed.Com · 06-28-2009, 10:11 PM

I did not go into great detail in reviewing this, but it looks like you are on teh right track, I would like offer jsut a few humble suggestions.

1. I wouldn't integrate the template and the design. I would use a custom templating engine personally. Then users can change designs fast.

2. Instead of using the mail() function, I would use smtp_auth. More and more servers are marking emails as spam that are sent via mail(), prolly due to the mail sending configuration. I enjoy phpmailer, it is fast to setup and quite configurable.

3. I would get rid of the cookies and store the data in sessions only. Reason being that many people use software to block cookies... or block in their browser. *I know, paranoya.

4. Try using custom sessions using sessions and mysql based on IP, user agent, and user_id for authenticating. This way you prevent multiple logins with the same user account and add a bit more security due to the custom sessions.

I wish you the best of luck brother and thanks for sharing!

Wichita, you are brave brother! Watch out for them twisters!!

bodil4o · 08-28-2009, 04:55 AM

Thanks for this login form

OverDark · 09-01-2009, 06:27 PM

i can't find the database sql file in the archive. could someone upload it here or post the structure?

thanks

chadsmith · 09-01-2009, 07:49 PM

The script automatically sets up the tables on first run. Here's the SQL:

Code:

CREATE TABLE IF NOT EXISTS `users` (`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY, `name` VARCHAR(24) NOT NULL, `password` VARCHAR(32) NOT NULL, `email` VARCHAR(64) NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `usermeta` (`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY, `user` INT NOT NULL, `key` VARCHAR(64) NULL, `value` TEXT NULL, INDEX (`user` ,`key`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;

OverDark · 09-02-2009, 02:33 AM

thanks. I created the users table after looking intoo the code, but i couldn't make the usermeta because i didn't knew all the field names

as i tested until now the script, it's very good .. and cool

keep up the good job Chad

01-06-2009, 03:03 PM	THREAD STARTER #1 (permalink)
chadsmith NamePros Regular Join Date: Jul 2008 Location: Wichita, KS Posts: 287 Follow @chadsmith	PHP Login Script Several sites I am working on required some kind of authentication using PHP, but since the sites were entirely custom coded - and needed to be to serve their purpose - I was unable and unwilling to use a CMS just to have user registration and sign-ins. The enclosed code is a PHP class I came up with to enable secure logins on any site it's dropped into. Some configuration is required, but as you will see, it's fast, secure, easy to set up, and most of all gets the job done. This version uses PDO and SQLite3 to quickly read and write user information to an SQLite database, rather than requiring MySQL to be installed and setup. Requirements PHP5+ w/ PDO & PDO-SQLite enabled Apache w/ mod_rewrite enabled View the README file (it's in the zip) for instructions on installing and configuring the script for your site. ZIP Contents Code: contrib users.sql - SQL used to build database (reference only) example .htaccess - .htaccess file (place in root or add contents to your own) auth.php - example page that requires authentication change.php - example change/recover password page index.php - example index page login.css - example stylesheet (place in root or add to your own stylesheet) login.php - example login page manage.php - example change email page (requires authentication) signup.php - example registration page root user.php - PHP login script thing CHANGELOG - list of version changes COPYING - license details README - installation & config instructions user.db - the database file (place on server above root) Features Authentication using PHP and SQLite Expiring nonces to deter spam and session hijacking Salted passwords and sessions Secured against SQL Injection Built in change password, e-mail address, & password recovery Account activation & user registration notification Extendable using plugins Valid XHTML 1.0 Strict Demo Download Source Support ????: NamePros.com http://www.namepros.com/code/548502-php-login-script.html Summary I chose to write my own class rather than using a pre-made one so I could fix all the bugs and security flaws of the scripts that already exist, and so there would be something that works with SQLite. Let me know if you come up with any bugs or questions. Things are in the works to make the script extendable (with plugins and such) to add features such as user tracking and profiles. The script as is provides a secure system of login, registration, and account management. When finished, I plan to make an OpenID and MySQL version as well. __________________ Free Services: Alertable.com, DetectMobileBrowser.com, DropCart.com, FreeCronJobs.com, HTMLDTD.com, ImagePNG.com, NoCart.com, phpMyLogin.com, RandomTweeps.com, SearchFriendlyURLs.com For Sale: Keyword Domains / Generics See Also:: Google Voice Add-on for Firefox, Google Wave Add-on for Firefox Last edited by chadsmith; 09-25-2009 at 05:22 PM.

01-11-2009, 12:29 PM	THREAD STARTER #2 (permalink)
chadsmith NamePros Regular Join Date: Jul 2008 Location: Wichita, KS Posts: 287 Follow @chadsmith	I noticed several NP'ers have tested the script. Any comments or issues? Word from PHP Classes is it's been OK'd and will be added in next round of approvals. __________________ Free Services: Alertable.com, DetectMobileBrowser.com, DropCart.com, FreeCronJobs.com, HTMLDTD.com, ImagePNG.com, NoCart.com, phpMyLogin.com, RandomTweeps.com, SearchFriendlyURLs.com For Sale: Keyword Domains / Generics See Also:: Google Voice Add-on for Firefox, Google Wave Add-on for Firefox

01-12-2009, 10:05 AM	#3 (permalink)
Darkneoboi NamePros Regular Join Date: Mar 2006 Location: Connecticut, USA Posts: 281	Where would plug-ins come from? __________________ DarkNeoNetwork

01-16-2009, 04:30 AM	#5 (permalink)
Dean Senior Member Join Date: Jan 2007 Location: Melbourne Posts: 1,714	Thanks for this, will try it out. Was planning on using some sort of CMS just for the login too but this could change that. EDIT: Download link not working. __________________ Free Image Hosting Image uploading Application Random Generator

01-19-2009, 10:44 AM	THREAD STARTER #8 (permalink)
chadsmith NamePros Regular Join Date: Jul 2008 Location: Wichita, KS Posts: 287 Follow @chadsmith	The script was just approved on PHP Classes __________________ Free Services: Alertable.com, DetectMobileBrowser.com, DropCart.com, FreeCronJobs.com, HTMLDTD.com, ImagePNG.com, NoCart.com, phpMyLogin.com, RandomTweeps.com, SearchFriendlyURLs.com For Sale: Keyword Domains / Generics See Also:: Google Voice Add-on for Firefox, Google Wave Add-on for Firefox

01-16-2009, 08:30 PM	#7 (permalink)
jehnidiah NamePros Regular Join Date: Aug 2004 Posts: 962	Great job, chad, thanks for yet another submission to the open source world.

06-20-2009, 08:20 AM	#9 (permalink)
Basile First Time Poster! Join Date: Jun 2009 Location: Milano Italy Posts: 1	Hello Chadsmith, I didn't fully test the demo but observed that in case of password change, the pseudo seems to be asked as key. I would like to apply the code for a script where the key for changing the password should be the permanent email address (the one for signing up). Which set of changes should be done to adapt correctly the script (MySQL version)? If my question is too noobish, please consider pm, Kind regards Basile Last edited by Basile; 06-20-2009 at 08:50 AM.

06-20-2009, 10:44 PM	THREAD STARTER #10 (permalink)
chadsmith NamePros Regular Join Date: Jul 2008 Location: Wichita, KS Posts: 287 Follow @chadsmith	Hi Basile, That's a good question. I am going to post the code for that on the support page for the script, since I'm sure others will be interested in it as well. I am out tonight, but hope to have something up for you by Monday. __________________ Free Services: Alertable.com, DetectMobileBrowser.com, DropCart.com, FreeCronJobs.com, HTMLDTD.com, ImagePNG.com, NoCart.com, phpMyLogin.com, RandomTweeps.com, SearchFriendlyURLs.com For Sale: Keyword Domains / Generics See Also:: Google Voice Add-on for Firefox, Google Wave Add-on for Firefox

06-28-2009, 10:11 PM	#11 (permalink)
CrackFeed.Com Account Closed Join Date: Dec 2008 Location: Boston, Ma Posts: 650 Follow @CrackFeed	I did not go into great detail in reviewing this, but it looks like you are on teh right track, I would like offer jsut a few humble suggestions. 1. I wouldn't integrate the template and the design. I would use a custom templating engine personally. Then users can change designs fast. 2. Instead of using the mail() function, I would use smtp_auth. More and more servers are marking emails as spam that are sent via mail(), prolly due to the mail sending configuration. I enjoy phpmailer, it is fast to setup and quite configurable. 3. I would get rid of the cookies and store the data in sessions only. Reason being that many people use software to block cookies... or block in their browser. *I know, paranoya. 4. Try using custom sessions using sessions and mysql based on IP, user agent, and user_id for authenticating. This way you prevent multiple logins with the same user account and add a bit more security due to the custom sessions. I wish you the best of luck brother and thanks for sharing! Wichita, you are brave brother! Watch out for them twisters!!

08-28-2009, 04:55 AM	#12 (permalink)
bodil4o Account Closed Join Date: Aug 2009 Posts: 164	Thanks for this login form

09-01-2009, 06:27 PM	#13 (permalink)
OverDark New Member Join Date: Aug 2009 Posts: 14	i can't find the database sql file in the archive. could someone upload it here or post the structure? thanks

09-01-2009, 07:49 PM	THREAD STARTER #14 (permalink)
chadsmith NamePros Regular Join Date: Jul 2008 Location: Wichita, KS Posts: 287 Follow @chadsmith	The script automatically sets up the tables on first run. Here's the SQL: Code: CREATE TABLE IF NOT EXISTS `users` (`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY, `name` VARCHAR(24) NOT NULL, `password` VARCHAR(32) NOT NULL, `email` VARCHAR(64) NOT NULL) ENGINE=MyISAM DEFAULT CHARSET=utf8; CREATE TABLE IF NOT EXISTS `usermeta` (`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY, `user` INT NOT NULL, `key` VARCHAR(64) NULL, `value` TEXT NULL, INDEX (`user` ,`key`)) ENGINE=MyISAM DEFAULT CHARSET=utf8; __________________ Free Services: Alertable.com, DetectMobileBrowser.com, DropCart.com, FreeCronJobs.com, HTMLDTD.com, ImagePNG.com, NoCart.com, phpMyLogin.com, RandomTweeps.com, SearchFriendlyURLs.com For Sale: Keyword Domains / Generics See Also:: Google Voice Add-on for Firefox, Google Wave Add-on for Firefox

09-02-2009, 02:33 AM	#15 (permalink)
OverDark New Member Join Date: Aug 2009 Posts: 14	thanks. I created the users table after looking intoo the code, but i couldn't make the usermeta because i didn't knew all the field names as i tested until now the script, it's very good .. and cool keep up the good job Chad

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)