PHP User Authentication


Our User Authentication scripts are fairly simple, and there are other things you'll need to consider. Here are a few of them.


Validation

Some sites ask you to provide an email address when signing up. (An alarming number of them!) They then send you your login details and confirmation via email, with perhaps a hyperlink that you need to click on to verify the details. You would then enter the verification code or codes before you can start using the site.

To do this, you would need to add more fields to your database table - an email address field and a verified field. The verified field would be set to NO, by default. You could then check this field from all pages of your site. If it still says NO, then the user hasn't yet confirmed the login details. In which case, don't let them in. The verified field would only get set to YES if the user went to the page mentioned in the email and entered the correct details.

This type of script is more complex to set up, and tends to be more frustrating for the user. And there is always a sneaking suspicion that your email address is being sold off to the nearest spammer!


Passwords

If you need to save a password to your database table, then you have to encrypt the details. If you look at the signup script, you'll notice the use of this function:

md5($pword)

The inbuilt function md5() returns a 32-character hexadecimal number, computed from the string you pass between its round brackets. You then save this "hash" number to your password field. Or do it all in one go, with your SQL statement:

// The username and the md5() result are string values, so each must sit inside single quotes in the SQL text.
// Note that PHP does not call md5() inside a double-quoted string; it has to be concatenated in.
$SQL = "INSERT INTO login (L1, L2) VALUES ('" . $uname . "', '" . md5($pword) . "')";

The L1 field is for the username and the L2 field for the password. The VALUE for the password now goes between the round brackets of md5().

When you check the password field on the login page, you'd then do this:

// Same quoting as the signup statement: compare the stored hash with md5() of what the user typed.
$SQL = "SELECT * FROM login WHERE L1 = '" . $uname . "' AND L2 = '" . md5($pword) . "'";

Again, the password goes between the round brackets of md5(). But storing passwords in encrypted format is highly recommended!
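The two statements above, rewritten as an added example (not the tutorial's own code): PHP's password_hash()/password_verify() take the place of md5(), and PDO prepared statements take the place of pasting $uname and $pword into the query text, which is what lets a stray quote in the username break (or alter) the SQL. It assumes a login table with the tutorial's L1 and L2 columns, with L2 widened to VARCHAR(255), and uses an in-memory SQLite database constructed inline so it runs offline.

```php
<?php
// Added example, not the tutorial's code. Assumes table login(L1 username, L2 password hash).

function signup(PDO $pdo, string $uname, string $pword): bool
{
    // password_hash() adds a random salt and uses a deliberately slow algorithm;
    // unlike md5() the stored value cannot be looked up in a precomputed table.
    $hash = password_hash($pword, PASSWORD_DEFAULT);
    // Placeholders keep the username out of the SQL text entirely.
    $stmt = $pdo->prepare('INSERT INTO login (L1, L2) VALUES (:u, :h)');
    return $stmt->execute([':u' => $uname, ':h' => $hash]);
}

function login(PDO $pdo, string $uname, string $pword): bool
{
    $stmt = $pdo->prepare('SELECT L2 FROM login WHERE L1 = :u');
    $stmt->execute([':u' => $uname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown user and wrong password both return the same plain false, so the
    // login page does not hand out "which half was wrong" clues.
    if ($row === false || !password_verify($pword, $row['L2'])) {
        return false;
    }
    // If PHP's default algorithm or cost has moved on since signup, re-hash
    // now while the plaintext is available.
    if (password_needs_rehash($row['L2'], PASSWORD_DEFAULT)) {
        $up = $pdo->prepare('UPDATE login SET L2 = :h WHERE L1 = :u');
        $up->execute([':h' => password_hash($pword, PASSWORD_DEFAULT), ':u' => $uname]);
    }
    return true;
}

// Constructed sample database: in-memory SQLite stands in for MySQL.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login (L1 VARCHAR(50) PRIMARY KEY, L2 VARCHAR(255))');

// A username containing a quote is just data to a prepared statement.
signup($pdo, "o'brien", 'correct horse battery');
var_dump(login($pdo, "o'brien", 'correct horse battery'));
var_dump(login($pdo, "o'brien", 'wrong password'));
var_dump(login($pdo, 'nobody', 'anything'));
```

With the tutorial's interpolated string, the same "o'brien" username would have produced a malformed query; here it simply stores and logs in.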


Some more things worth considering on your login/signup pages:

  • Test if the user is already logged in. That way, they can't sign up repeatedly without closing down the browser.
  • Set a cookie for logins, instead of using sessions. You then need to write code to read the cookie data back for every protected page on your site.
  • Collect other information, and store it in your database tables: date and time of login, IP address, etc.
  • Users forget their usernames and passwords. You'll need a link to send them the details. However, don't forget to add some extra security here! Something like a password reminder (memorable date, favourite teacher, etc.) is recommended.
  • Enumeration attacks are quite a common way for malicious users to try and gain access to your site. This is when the attacker can simply sit at his/her PC screen and enter the username and password over and over again, looking for "error message" clues. To thwart this type of attack, you might want to limit how long a user has to log on to your site. A good way to do this is by setting a session to end after so many minutes. This page is worth exploring for such script ideas: http://www.weberdev.com/get_example-4267.html


Conclusion

Although our login/sign up scripts are by no means complete, we hope that they've given you something to think about, in particular that these types of scripts are not as simple as you first thought! There are quite a few ready-made login scripts that will do the job for you, but we hope that you will develop your own!

In the next walkthrough, we'll script a complete survey/poll application.