
PHP Secure Login Script 2016 and 2017 - Tutorial for a Complete Login System PHP MySQL with PDO Solution - PHP Secure Login and Registration package blog

Updated on: 2017-03-28

Posted on: 10 months ago

Package: PHP Secure Login and Registration

Over time PHP has been adding features that promote the development of secure applications, as well as deprecating or removing features that made it easy to write insecure code.

Read this tutorial to learn how to create a modern login and registration system that takes advantage of PHP's security-focused features, uses jQuery to send AJAX requests, and uses Bootstrap to provide a fast and clean user interface, whether or not you use other frameworks.




Contents

OOP PHP Login Tutorial:  What is a PHP Secure Login System with Registration?

What can this Secure PHP Login System Class do?

The Start PHP Secure Login Page Script

JavaScript and AJAX Form Submission

The Login Process Script

The Registration Process Script

The Activation Process Script

The Logout Process Script

The Configuration Script File

The Logged User Section Script

Login One User at a Time

Download the PHP Login System Tutorial Class and Scripts

Change Log

OOP PHP Login Tutorial:  What is a PHP Secure Login System with Registration?

Many applications need to register and authenticate users. Some developers have written their own packages for this purpose, others have used existing packages. The problem is that some of those packages are vulnerable to different types of exploits because their developers were not aware of the security issues they may incur.

A secure login and registration system should at least avoid SQL injection, for instance by using database prepared statements with PDO; use a strong password hashing method so that, if the site leaks its user accounts, it is impossible or at least very hard to recover the users' passwords; and limit the number of times a user may fail a password, to mitigate brute force attacks.
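The three safeguards just described, as an added example that is not the package's own code; it assumes a hypothetical `users` table with columns id, email, password_hash and failed_attempts, placeholder DSN and credentials, and that session_start() has already been called:

```php
<?php
// Added example, not the package's own code: the three safeguards named above
// (PDO prepared statements, password_hash(), a failed-attempt limit) on a
// hypothetical `users` table (id, email, password_hash, failed_attempts).
// DSN and credentials are placeholders; session_start() is assumed to have run.
const MAX_FAILED_ATTEMPTS = 5;

function connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=login', 'dbuser', 'dbpass');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // throw on SQL errors
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);         // real server-side prepares
    return $pdo;
}

function register(PDO $pdo, string $email, string $password): void
{
    // password_hash() adds a random salt and uses a slow algorithm (bcrypt by default),
    // so a leaked table does not directly reveal passwords.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $pdo->prepare('INSERT INTO users (email, password_hash, failed_attempts) VALUES (?, ?, 0)')
        ->execute([$email, $hash]);
}

function login(PDO $pdo, string $email, string $password): bool
{
    // The email travels as a bound parameter, so it can never change the SQL text.
    $stmt = $pdo->prepare('SELECT id, password_hash, failed_attempts FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                                   // unknown account
    }
    if ($row['failed_attempts'] >= MAX_FAILED_ATTEMPTS) {
        return false;                                   // blocked, even with the right password
    }
    if (!password_verify($password, $row['password_hash'])) {
        $pdo->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE id = ?')
            ->execute([$row['id']]);
        return false;                                   // wrong password, one attempt used
    }
    // Success: reset the counter, get a fresh session id and bind the user to the session.
    $pdo->prepare('UPDATE users SET failed_attempts = 0 WHERE id = ?')->execute([$row['id']]);
    session_regenerate_id(true);
    $_SESSION['user'] = ['id' => (int) $row['id'], 'email' => $email];
    return true;
}
```

Note that the counter only resets on a successful login, so a blocked account stays blocked until an administrator or a recovery flow clears failed_attempts.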

This tutorial covers the implementation of a login and registration system using the PHP Secure Login and Registration package. In this tutorial I will show different aspects of the class features, so you can see the different ways to use this package.

I will use Bootstrap and jQuery for the user interface, and submit forms either with AJAX requests or with regular form page submission. Do not worry if you do not use AJAX everywhere. The tutorial is presented this way on purpose, so more people can take advantage of the knowledge shared here.

What can this Secure PHP Login System Class do?

This class provides a simple way to register new users. It supports a secure PHP login process after activation with the verification code sent to the user's email address. It uses jQuery to submit forms with AJAX requests to scripts that act like a REST API, but it can also be used directly with PHP scripts that serve the login pages.

This class also provides a PHP solution to block a user after a number of failed login attempts: it lets you specify the number of wrong attempts allowed before the account is blocked. It also lets users log out, change their password and have different permissions depending on their user role.

As many of us are using PHP 7, or at least PHP 5.5, it is naturally an OOP login system. Since our applications usually support multi-user login, that is, multiple users accessing at the same time, it makes perfect sense to store user records in a database.

It supports PDO, so you can use it to store user records in MySQL, PostgreSQL, SQLite and other databases. The example included here explains how to use it with MySQL. It could use MySQLi instead of PDO, but it is more useful if you can reuse this code with other types of database.

Since we can also use PDO with SQLite, we can use it to implement a PHP login without a database server, as SQLite stores the database in local files.

This class could also be extended to implement a social login system using OAuth to perform login with Facebook, Yahoo, Google, YouTube, Gmail, Microsoft, LinkedIn, GitHub, BitBucket, Instagram, Tumblr, deviantart, WordPress, ODesk and many others.

But for that you will also need other classes to perform login with OAuth, or even LDAP. A good idea for future improvements is also to support SMS login, that is, sending a code via SMS to let the user prove he owns a given account, or even checking the MAC address to restrict access to users on a local network. But for now let us keep it simple.

The Start PHP Secure Login Page Script

We will need a start page where visitors can register or login. I am using Bootstrap to construct a simple page on which we have two tabs, one for login and the other for registration.

When a visitor registers, we usually need to verify that he owns the email address he entered. So he will also need a place to enter the verification code that activates his new account. I am putting that in the login tab as well.

<?php
    require_once '../class/user.php';
    require_once 'config.php';

    $user->indexHead();
    $user->indexTop();
    $user->loginForm();
    $user->activationForm();
    $user->indexMiddle();
    $user->registerForm();
    $user->indexFooter();
?>

This class uses template scripts that you may find in the inc directory. If you look at the template files, you can see we are using jQuery and Bootstrap, as well as two custom files, one for CSS and the other for JS.

In the body I added three form areas auto-generated by the class: two in the login section and one in the registration section. You can also see that I separated them in tabs.

You can find a lot of tutorials about Bootstrap on how to work with tabs. The first form will be used for login, the next one for account verification, and the last one for registration.

JavaScript and AJAX Form Submission

In the main.js file I am using jQuery and AJAX requests. This is important if we want to use the REST API method. This is very useful if we want to separate the frontend from the backend.

$(function() {

    $('#login-form-link').click(function(e) {
        $("#login-form").delay(100).fadeIn(100);
        $("#register-form").fadeOut(100);
        $('#register-form-link').removeClass('active');
        $(this).addClass('active');
        e.preventDefault();
    });

    $('#register-form-link').click(function(e) {
        $("#register-form").delay(100).fadeIn(100);
        $("#login-form").fadeOut(100);
        $('#login-form-link').removeClass('active');
        $(this).addClass('active');
        e.preventDefault();
    });
});

// Format-only check: it does not verify that the domain or mail server exists.
// The pattern is not optional, so an empty string is rejected as well.
function validateEmail($email) {
    var emailReg = /^[\w.-]+@([\w-]+\.)+[\w-]{2,}$/;
    return emailReg.test($email);
}

The first two sections in the JavaScript code are for switching between tabs. Next I use the submit buttons in every form. Since we are using jQuery and AJAX, we will not submit the form in the classic way, but rather get the values from the inputs with jQuery and submit them with an AJAX POST request to the backend PHP scripts.

The last function at the bottom checks whether the entered email address is valid. It does not check that the mail server exists, only that the format may be valid.

The Login Process Script

For login, the script gets the posted data and passes it to the login method of the class. If the login succeeds, the method assigns the user data to session login variables and the script returns nothing as the result. If there is an error, it prints it.

Do not forget we are calling this script via AJAX, so everything the script outputs is delivered as the result of the AJAX call in JavaScript.

<?php
    require_once '../class/user.php';
    require_once 'config.php';

    $email = filter_input(INPUT_POST, 'username', FILTER_SANITIZE_EMAIL);
    $password = filter_input(INPUT_POST, 'password', FILTER_DEFAULT);

    if( $user->login( $email, $password) ) {
        die;
    } else {
        $user->printMsg();
        die;
    }

The Registration Process Script

As in the login process, this is also a very simple code sample, where I use the registration method of the user class. If the registration succeeds we print a confirmation message, otherwise an error message.

<?php
    require_once '../class/user.php';
    require_once 'config.php';

    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
    $fname = filter_input(INPUT_POST, 'fname', FILTER_SANITIZE_STRING);
    $lname = filter_input(INPUT_POST, 'lname', FILTER_SANITIZE_STRING);
    $pass = filter_input(INPUT_POST, 'password', FILTER_DEFAULT);

    if($user->registration($email, $fname, $lname, $pass)) {
        print 'A confirmation mail has been sent, please confirm your account registration!';
        die;
    } else {
        $user->printMsg();
        die;
    }

The Activation Process Script

After registration the user needs to activate his account, so here we use the emailActivation method. Again a straightforward code sample that outputs an error message if the activation fails, or nothing if it passes.

<?php
    require_once '../class/user.php';
    require_once 'config.php';

    $email = filter_input(INPUT_POST, 'email', FILTER_SANITIZE_EMAIL);
    $code = filter_input(INPUT_POST, 'code', FILTER_DEFAULT);
    
    if($user->emailActivation( $email, $code)) {
        die;
    } else {
        $user->printMsg();
        die;
    }

The Logout Process Script

For the logout process I use the logout method of the user class. After the logout process is concluded we simply redirect the user to index.php. The logout process is not started via AJAX in this example. If we call it via AJAX, then the redirect must be done by the JavaScript code and not in PHP.

<?php
    // Same include path as the other scripts (the class lives in ../class/).
    require_once '../class/user.php';
    require_once 'config.php';

    $user->logout();

    // Stop executing after sending the redirect; PHP does not exit on its own.
    header('Location: index.php');
    exit;
?>

The Configuration Script File

An important file I need to describe is config.php. It is necessary to specify the database connection details and to initiate the session. This login and registration class will not work without sessions. It also creates the user class object so we can use it in every other file. As you saw before, we included this script every time right after the class itself.

We also need to specify the files used by the HTML generation functions, in this case user.php, login.php, activate.php and register.php. You can customize these files.

<?php
    // Sessions are required by the class; start one before anything is output.
    session_start();

    // Database connection details (PDO DSN, user, password).
    define('conString', 'mysql:host=localhost;dbname=login');
    define('dbUser', 'root');
    define('dbPass', 'root');

    // Scripts referenced by the HTML generation functions.
    define('userfile', 'user.php');
    define('loginfile', 'login.php');
    define('activatefile', 'activate.php');
    define('registerfile', 'register.php');

    // Verbose error output is useful while developing; turn it off on a public
    // server so error details and file paths are not shown to visitors.
    ini_set('display_errors', 1);
    ini_set('display_startup_errors', 1);
    error_reporting(E_ALL);

    // One shared User object, connected to the database, for every script.
    $user = new User();
    $user->dbConnect(conString, dbUser, dbPass);
?>

The Logged User Section Script

After logging in, the users have a section on the site where they can see what non-logged visitors cannot see, because it is only for registered users.

For this tutorial I created an example of what that section could be, in the file user.php. You may notice two cases. If a normal user is logged in it shows him only his own information. But if the user is an administrator, in this case a user with role ID 2 (you can change this to any ID number), then he sees a list of all the users in the system.

<?php
    require_once '../class/user.php';
    require_once 'config.php';

    // Only render the page for an authenticated session (config.php started it).
    if (isset($_SESSION['user']['id'])) {
        $user->userPage();
    } else {
        header('Location: index.php');
        exit;
    }
?>

Login One User at a Time

Currently this class does not support ensuring that only one user is logged in with a given account at a time. That is because the database does not store the sessions initiated for each user.

That could be achieved with an additional database table that stores the session identifier of each user's active session. Additionally, using a PHP session handler that stores session data in a database table, you could invalidate any existing sessions of the user that is currently logging in.
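The session table approach sketched above, as an added example that is not part of the package; it assumes a hypothetical user_sessions table (user_id INT PRIMARY KEY, session_id VARCHAR(128)), a PDO handle, and that session_start() has already run as config.php does. Rather than a custom session handler, an older session is invalidated lazily on its next request:

```php
<?php
// Added example, not part of the package: one active session per account.
// Assumes a hypothetical table user_sessions (user_id INT PRIMARY KEY, session_id VARCHAR(128))
// and that session_start() has already run (config.php does this).

function bindSessionToUser(PDO $pdo, int $userId): void
{
    // Fresh session id on login, so an id fixed before login is never kept.
    session_regenerate_id(true);
    // One row per user: replacing the stored id invalidates any older session
    // of this account on its next request.
    $pdo->prepare('DELETE FROM user_sessions WHERE user_id = ?')->execute([$userId]);
    $pdo->prepare('INSERT INTO user_sessions (user_id, session_id) VALUES (?, ?)')
        ->execute([$userId, session_id()]);
}

function sessionStillCurrent(PDO $pdo, int $userId): bool
{
    $stmt = $pdo->prepare('SELECT session_id FROM user_sessions WHERE user_id = ?');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    // hash_equals() compares in constant time.
    return $stored !== false && hash_equals($stored, session_id());
}

function requireCurrentSession(PDO $pdo): void
{
    // Call at the top of every logged-in page, before $user->userPage().
    if (!isset($_SESSION['user']['id'])
        || !sessionStillCurrent($pdo, (int) $_SESSION['user']['id'])) {
        $_SESSION = [];
        session_destroy();
        header('Location: index.php');
        exit;
    }
}
```

Call bindSessionToUser() right after a successful login and requireCurrentSession() in user.php; a second login with the same account then logs the first browser out on its next page load.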

Download the PHP Login System Tutorial Class and Scripts

This PHP Secure Login and Registration package is a reasonably complete class for creating a login and registration system that you can use in any application, whether or not you use a framework like CodeIgniter, Zend, Symfony, etc.

This tutorial provides simple examples of how to use its core features in any application. You can freely adapt these example scripts to your PHP application.

You can download the complete package ZIP archive from the download page or install it with the composer tool using instructions in the same page.

If you have questions or comments you can post a message as comment to this article or post a support request in its support forum.

Change Log

2017-03-27: Added more download and install information using the composer tool.

2017-01-01: Updated the article to reflect that these continue to be secure practices in 2017.



