PHP Login Script

Several sites I am working on required some kind of authentication using PHP, but since the sites were entirely custom coded - and needed to be to serve their purpose - I was unable and unwilling to use a CMS just to have user registration and sign-ins.

The enclosed code is a PHP class I came up with to enable secure logins on any site it's dropped into. Some configuration is required, but as you will see, it's fast, secure, easy to set up, and most of all gets the job done.

This version uses PDO and SQLite3 to quickly read and write user information to an SQLite database, rather than requiring MySQL to be installed and set up.

Requirements

  • PHP5+ w/ PDO & PDO-SQLite enabled
  • Apache w/ mod_rewrite enabled

View the README file (it's in the zip) for instructions on installing and configuring the script for your site.

ZIP Contents

Code:
contrib
	users.sql - SQL used to build database (reference only)
example
	.htaccess - .htaccess file (place in root or add contents to your own)
	auth.php - example page that requires authentication
	change.php - example change/recover password page
	index.php - example index page
	login.css - example stylesheet (place in root or add to your own stylesheet)
	login.php - example login page
	manage.php - example change email page (requires authentication)
	signup.php - example registration page
root
	user.php - PHP login script thing
CHANGELOG - list of version changes
COPYING - license details
README - installation & config instructions
user.db - the database file (place on server above root)

Features

  • Authentication using PHP and SQLite
  • Expiring nonces to deter spam and session hijacking
  • Salted passwords and sessions
  • Secured against SQL Injection
  • Built in change password, e-mail address, & password recovery
  • Account activation & user registration notification
  • Extendable using plugins
  • Valid XHTML 1.0 Strict

Demo

Download

Source

Support

Summary

I chose to write my own class rather than using a pre-made one so I could fix all the bugs and security flaws of the scripts that already exist, and so there would be something that works with SQLite.

Let me know if you come up with any bugs or questions. Things are in the works to make the script extendable (with plugins and such) to add features such as user tracking and profiles. The script as is provides a secure system of login, registration, and account management. When finished, I plan to make an OpenID and MySQL version as well.
 
0
•••
The views expressed on this page by users and staff are their own, not those of NamePros.
I noticed several NP'ers have tested the script. Any comments or issues? Word from PHP Classes is it's been OK'd and will be added in next round of approvals.
 
0
•••
Where would plug-ins come from?
 
0
•••
Darkneoboi said:
Where would plug-ins come from?
Easy answer, my site. I'm working on the first few right now. Otherwise, whoever uses the script can make plugins for it.

The first plugin-like addition is built into the script, which is the new user notification e-mail.

PHP:
$this->add_action('signup',array('user','signup_notification'));

On my server I have a few others in place to run particular actions when users register, log in, and log out.

I will release them along with a user profile plugin once I finish developing the plugin system. As mentioned in the changelog, I still have a few things to do before plugins are automatically activated. Right now they have to be manually added to the script.

If you want to test the script without signing up you are welcome to log in as test with the password testing. There is a secure page here that can only be viewed when you're logged in.
 
0
•••
Thanks for this, will try it out. Was planning on using some sort of CMS just for the login too but this could change that.

EDIT: Download link not working.
 
0
•••
Dean said:
Thanks for this, will try it out. Was planning on using some sort of CMS just for the login too but this could change that.

EDIT: Download link not working.

Whoops. Sorry, I changed servers yesterday and forgot to move the zip. Fixed now. Let me know if you have any questions about it.
 
0
•••
Great job, chad, thanks for yet another submission to the open source world. :)
 
0
•••
The script was just approved on PHP Classes
 
0
•••
Hello Chadsmith,

I didn't fully test the demo but observed that in case of password change, the pseudo seems to be asked as key.
I would like to apply the code for a script where the key for changing the password should be the permanent email address (the one for signing up).

Which set of changes should be made to correctly adapt the script (MySQL version)?

If my question is too noobish, please consider pm,
Kind regards
Basile
 
0
•••
Hi Basile,

That's a good question. I am going to post the code for that on the support page for the script, since I'm sure others will be interested in it as well. I am out tonight, but hope to have something up for you by Monday.
 
0
•••
I did not go into great detail in reviewing this, but it looks like you are on the right track. I would like to offer just a few humble suggestions.

1. I wouldn't integrate the template and the design. I would use a custom templating engine personally. Then users can change designs fast.

2. Instead of using the mail() function, I would use smtp_auth. More and more servers are marking emails as spam that are sent via mail(), prolly due to the mail sending configuration. I enjoy phpmailer, it is fast to setup and quite configurable.

3. I would get rid of the cookies and store the data in sessions only. Reason being that many people use software to block cookies... or block in their browser. *I know, paranoia. :D

4. Try using custom sessions using sessions and mysql based on IP, user agent, and user_id for authenticating. This way you prevent multiple logins with the same user account and add a bit more security due to the custom sessions.

I wish you the best of luck brother and thanks for sharing!

Wichita, you are brave brother! Watch out for them twisters!! :D
 
0
•••
Thanks for this login form ;)
 
0
•••
I can't find the database SQL file in the archive. Could someone upload it here or post the structure?

thanks
 
0
•••
The script automatically sets up the tables on first run. Here's the SQL:

Code:
CREATE TABLE IF NOT EXISTS `users` (`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY, `name` VARCHAR(24) NOT NULL, `password` VARCHAR(32) NOT NULL, `email` VARCHAR(64) NOT NULL) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE IF NOT EXISTS `usermeta` (`id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY, `user` INT NOT NULL, `key` VARCHAR(64) NULL, `value` TEXT NULL, INDEX (`user` ,`key`)) ENGINE=MyISAM DEFAULT CHARSET=utf8;
 
0
•••
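Added example, not part of the thread or of the script's own code: the posted `users` table gives `password` 32 characters, which fits a 32-character hex digest but not the 60-plus characters that PHP's `password_hash()` returns. The code below shows the same table on PDO/SQLite with a wider column, a per-user salted hash, and bound parameters for the lookup. It assumes PHP 7.1+ with PDO-SQLite; the TEXT column, the `register_user()` and `check_login()` functions and the `DUMMY_HASH` constant are hypothetical names, and the sample account is constructed.

```php
<?php
// Added example, not the script's code. Table and column names follow the SQL
// posted above; everything else (function names, DUMMY_HASH) is hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// password is TEXT so the full password_hash() string (salt included) fits.
$db->exec('CREATE TABLE IF NOT EXISTS users (id INTEGER PRIMARY KEY AUTOINCREMENT,
    name VARCHAR(24) NOT NULL UNIQUE, password TEXT NOT NULL, email VARCHAR(64) NOT NULL)');

// Verified against when the name is unknown, so both paths cost one hash check.
define('DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));

function register_user(PDO $db, string $name, string $password, string $email): void
{
    // password_hash() generates a random salt per call and stores it in the result.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (name, password, email) VALUES (?, ?, ?)');
    $stmt->execute([$name, $hash, $email]);
}

function check_login(PDO $db, string $name, string $password): ?int
{
    // Bound parameter: $name is sent as data and never spliced into the SQL text.
    $stmt = $db->prepare('SELECT id, password FROM users WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, DUMMY_HASH);
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost has changed.
    if (password_needs_rehash($row['password'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Constructed sample data.
register_user($db, 'test', 'correct horse battery staple', 'test@example.com');
var_dump(check_login($db, 'test', 'correct horse battery staple')); // right password
var_dump(check_login($db, "test' OR '1'='1", 'x')); // quote characters stay inside the name value
```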
Thanks. I created the users table after looking into the code, but I couldn't make the usermeta because I didn't know all the field names :D

As far as I have tested the script until now, it's very good .. and cool ;)

Keep up the good job Chad
 
0
•••