by

Php Login System

  1. Php Website Example
  2. Php Login System Source Code
  3. Php Login System Bootstrap
  4. Php Login System
  5. Php Login System Tutorial
Active7 months ago

I'm new to PHP and this is also my first log in system so it would be great if you guys could look over my code and see if you can spot any security holes:

note: I am sanitizing all user input although it's not shown here.

Sign Up:

2018-5-1  PHP Login System v.2.0 (zip file 23KB) Conclusion The only reason I made this advanced Login System was because so many people liked my first one and wanted to see more features get added. 2018-9-7  How To Create a Login Form Step 1) Add HTML: Add an image inside a container and add inputs (with a matching label) for each field. Wrap a element around them to process the input.

Step 1: I take the password the user chose and run it through this function:

Step 2: I then store the hash and the salt ($password['hash'] and $password['salt']) in the users table in the database:

Log In:

Step 1: I take the username the user entered and do a look up on the database to see if any rows are returned. On my site no 2 users can share the sameusername so the username field always has a unique value. If I get 1 row returned I grab the salt for that user.

Step 2: Then I run the user entered password through the encrypt function (as previously posted above) but this time I also supply the salt retrieved from the database:

This page contains information about installing the latest HP LaserJet 6L (6 Series) driver downloads using the HP (Hewlett Packard) Driver Update Tool. HP LaserJet 6L (6 Series) drivers are tiny programs that enable your Printer hardware to communicate with your operating system software. This self-extracting file contains the HP LaserJet 6L printer driver for Windows NT 4.0. See the readme file for detailed installation instructions. Jul 28, 2018  Support in windows 7 for laserjet 6l Hi all, I've been trying to install my oldie but goldie printer which is a Laserjet 6L thorugh a Jetdirect 300x which is connected to my router via ethernet. Free hp laserjet 6l driver for windows 7 These drivers will work with any HP LaserJet 6L series printer. Extensions The Best Video Software for Windows The 3 Free Microsoft Office Photo Editor. And driver for HP LaserJet Printer.

Step 3: I now have the proper password to match against in this variable: $password['hash']. So I so a second lookup on the database to see if theusername entered and the hashed password together return a single row. If so then the user's credentials are correct. Download free cours de tuyauterie gratuit pdf printer.

Step 4: In order to log the user in after their credentials passed I generate a random unique string and hash it:

I then insert the $session_key into the active_sessions table in the database:

Step 5:

I take the unencrypted unique string generated in the last step ($random_string) and set that as the value of a cookie which I call active_session:

Step 6:

At the top of my header.php include there is this check:

The get_userinfo() function does a lookup on the users table in the database and returns an associative array which is stored in a session called userinfo:

// first this function takes the value of the active_session cookie and hashes it to get the session_key:

Php

// then it does a lookup on the active_sessions table to see if a record by this key exists, if so it will grab the user_id associated with that record and use this to do a second lookup on the users table to get the userinfo:

If the userinfo session exists I know the user is authenticated. If it doesn't exist but the active_session cookie exists then that checkat the top of the header.php file will create that session.

The reason why I am using a cookie and not sessions alone is to persist the login. So if the user closes the browser the session may be gone but thecookie will still exist. And since there is that check at the top of header.php, the session will be recreated and the user can function as a loggedin user as normal.

Log Out:

Step 1: Both the userinfo session and the active_session cookie are unset.

Step 2: The associated record from the active_sessions table in the database is removed.

Notes: The only issue I can see (and perhaps there are many others), is if the user fakes that active_session cookie by creating it themselves in their browser. Of course they must set as that cookie's value a string which after it is encrypted must match a record in the active_sessions table from where I will retrieve the user_id to create that session. I am not sure what the chances of this is realistically, for a user (perhaps using an automated program) to guess a string correctly which they don't know will then be sha512 encrypted and matched against the string in the active_sessions table in the database to get the user id to build that session.

Sorry for the big essay but since this is such a critical part of my site and due to my inexperience I just wanted to run it by more experienced developers to make sure it's actually safe.

So do you see any security holes in this route and how can it be improved?

TK123TK123
11k39 gold badges121 silver badges170 bronze badges

6 Answers

You should include some kind of timeout or failover to prevent against brute-force attacks. There are a number of ways to do this, including IP-based blocking, incremental timeouts, etc. None of these will ever stop a hacker, but they can make it much more difficult.

Another point (which you haven't mentioned, so I don't know your plan) is failure messages. Make failure messages as vague as possible. Providing an error message like 'That username exists, but the passwords did not match' might be helpful to the end-user, but it kills login functionality. You just converted a brute-force attack that should take O(n^2) time to O(n) + O(n). Instead of needed to try every permutation in a rainbow table (for example), the hacker just tries all values for username (with a set password) first, until the failure message changes. Then, it knows a valid user, and just has to brute force the password.

Along those lines, you should also make sure that the same amount of time elapses when a username exists and doesn't exist. You are running additional processes when a username actually exists. As such the response time would be longer when a username exists vs when it doesn't. An incredibly skilled hacker could time page requests to find a valid username.

Similarly, you should make sure that, in addition to expiring cookies, you also expire the sessions table.

Php Website Example

Lastly, in the get_user_info() call, you should terminate all open sessions if there are multiple concurrent, active logins. Make sure you timeout sessions after a set amount of inactivity (like 30 minutes).

Along the lines of what @Greg Hewgill mentioned, you haven't included any of the following:

  • SSL/encrypted connection between Server-Client
  • Other transport protocols you much be using to process authentication (like OAuth)

You server is secure, but it doesn't matter how awesomely secure your algorithm is if someone can read the data that's exchanged (MITM). You should make sure you are only communicating over an encrypted protocol.

Php Login System Source Code

sethvargosethvargo
20.3k7 gold badges76 silver badges134 bronze badges

..run the user entered password through the encrypt function..

So how does the password get from the browser to the server? You haven't mentioned protecting against man-in-the-middle attacks.

Greg HewgillGreg Hewgill
708k155 gold badges1038 silver badges1183 bronze badges

This code..

..is bad. Use the new password API and be done with it. Unless you are an expert, you should not try to design your own authentication system. They are extremely difficult to get right.

In order to log the user in after their credentials passed I generate a random unique string and hash it:

Just let PHP handle session management. rand() and mt_rand() are both very insecure random number generators.

Scott ArciszewskiScott Arciszewski
25k10 gold badges60 silver badges167 bronze badges

It looks like the code you created is not testable through automated unit and integration tests. This makes it hard to spot any errors that might be included in your implementation over time and while running in a production environment.

This normally leads to security issues, because the security of a strict and correct execution and sane data handling is not tested/verified.

Php Login System Bootstrap

(It's just another point on the list, see as well the answer about how to secure the transport layer, also you have not specified how you protect your session data from being tampered.)

hakrehakre
164k33 gold badges323 silver badges637 bronze badges

Regarding passwords in php, you shouldnt be encrypting them. You should hash them using the password_hash() then on login, use password_verify() to verify that the password via the html form matches the stored hash in the database

Akintunde-RotimiAkintunde-Rotimi
3,8663 gold badges11 silver badges23 bronze badges

You should use mt_rand() instead of rand()

Here's why:

Community
Lucas Bustamante

Php Login System

Lucas Bustamante
5,5432 gold badges45 silver badges60 bronze badges

Php Login System Tutorial

Not the answer you're looking for? Browse other questions tagged phpsecurityauthenticationencryptionlogin or ask your own question.