This PHP login script / tutorial will show you how you can have users register on your site, and log in to access secure areas. I have seen a few tutorials around the web which show how this can be done, but they all seem to lack in security. This user membership tutorial will show a better way of having users authenticated once logged in by using their session ID.

DEMO: HERE

The Table

Firstly, we need to create a table to store our users. I’m using phpMyAdmin to administer my database, so setting up the table is pretty easy for me. You can use the following SQL statement to create your `users` table, using whichever method you prefer:

CREATE TABLE `users` (
    `id` INT NOT NULL AUTO_INCREMENT PRIMARY KEY ,
    `email` VARCHAR( 255 ) NOT NULL ,
    `password` VARCHAR( 32 ) NOT NULL ,
    `session_id` VARCHAR( 32 ) NULL ,
    `date_registered` DATETIME NOT NULL ,
    UNIQUE (`email`)
) ENGINE = MYISAM ;

A few things to note here:

• We’re going to be hashing the passwords (using MD5), so we know that the password field will be exactly 32 characters in length
• For extra security, we’re going to re-authenticate users across pages using their session ID, so we – again – need a field which is exactly 32 characters
• We’re making the email field unique. This isn’t completely necessary, as we’ll be checking for duplicate email addresses within the register form, but it’s just an extra “lock on the door” so to speak. So if anything failed within the PHP code, the database would still fail on the insert.

 

The main config file

It makes sense to have an include which will set up a few things for us on every page we want to secure. This file should have the session_start() function call in it – because without this, we wouldn’t be able to use sessions at all! We also need to establish a database connection, and finally, check for an authenticated user.

Create a new file called config.php and paste the following code into it:

// Start the session (pretty important!)
session_start();

// Establish a link to the database
$dbLink = mysql_connect('YOUR HOSTNAME', 'YOUR USERNAME', 'YOUR PASSWORD');
if (!$dbLink) die('Can\'t establish a connection to the database: ' . mysql_error());

$dbSelected = mysql_select_db('YOUR DATABASE', $dbLink);
if (!$dbSelected) die ('We\'re connected, but can\'t use the table: ' . mysql_error());

// Run a quick check to see if we are an authenticated user or not
// First, we set a 'is the user logged in' flag to false by default.
$isUserLoggedIn = false;
$query 		= 'SELECT * FROM users WHERE session_id = "' . session_id() . '" LIMIT 1';
$userResult 	= mysql_query($query);
if(mysql_num_rows($userResult) == 1){
	$_SESSION['user'] = mysql_fetch_assoc($userResult);
	$isUserLoggedIn = true;
}else{
	if(basename($_SERVER['PHP_SELF']) != 'login.php'){
		header('Location: login.php');
		exit;
	}
}

Ok, so firstly we’re calling session_start(). This is an extremely important function to call if you want to use server-side session variables. This function should ALWAYS be called before any output has been sent to the browser – even newlines. It’s generally a good idea to just call session_start() at the very top of your code, on every page. Why are we using session variables anyway? Well, it’s much easier to handle arrays of data across pages if we do this. In this example, we will be storing the user’s details (such as name, email address etc…) within a session variable array, so we can access it on any number of secure pages we have.

Lines 5 to 9 are simply establishing a connection to our database. I’m not going to go into too much detail on how you use PHP to connect to a database, but you do need to replace the following four items within these lines:

• YOUR HOSTNAME – This is generally localhost, but can be another named, or IP of a remote host where your database resides.
• YOUR USERNAME – Replace this with your username for accessing your database.
• YOUR PASSWORD – Replace this with your password for accessing your database.
• YOUR DATABASE – Replace this with the name of your database you want to access.

 

The Auto-Authentication

Within the config.php file, I think it’d be a good idea to automatically authenticate the user. This means that every time a page is loaded (with our config.php file in the header) we’ll be doing a quick check to see if they’re authenticated, and if they are – we’ll set a boolean flag to indicate this, and a session based array full of their information.

Line 13 sets the boolean flag $isUserLoggedIn to false by default. Line 14 sets up a query to get any user who has the session id set to session_id(). session_id() is a PHP function which returns a 32 character length string with the user’s current session variable. This is a unique string that PHP will generate for every user on your site. This will timeout (change to a new session ID) based on the PHP ini setting session.gc_maxlifetime. Generally, you won’t need to change this timeout limit, but if you need to, you should be able to add the following to the top of the config file (just under session_start() should do fine):

ini_set(’session.gc_maxlifetime’, 60*60);

Which will set the timeout to one hour – 60 seconds multiplied by 60. You can make this even bigger if you like, but it’s a good idea to keep your timeouts down to around 30mins, so if a registered – and logged in – user leaves their computer for over 30mins, someone else won’t be able to use the secure area (as the session would have timed out).

Line 15 simply executes the query, and stores the return result of the query in $userResult.

Line 16 checks to see if we have a result returned. If we do, it means that we have found a user in our users table, with a session ID which exactly matches the result of session_id(). Therefore, it’s safe to say that the user is an already-logged-in user, and as such, we can authenticate them.

We do this on lines 17 and 18 by setting a session variable array $_SESSION['user'] to the array of data that we get back when we fetch the row of data, and then setting the $isUserLoggedIn flag to true.

The remaining lines in our config.php file are there so that we can handle what happens to a non-authenticated user. If no logged-in-user is found, we check to see what page we’re currently on. If we’re not on our login.php page, we redirect the user to our login.php page. We need to check that we’re not on the login page before doing the redirect, otherwise we’d end up putting the user in an infinite loop. For example, regardless of what page you’re on (including the login.php page), we’d ALWAYS be redirecting the user to the login.php page. Just under that we’re calling exit;. This should always be called after doing a header(‘Location: …’); call, as the page can still continue to render after the header has been executed, causing all sorts of problems.

The Login & Register Page

Yep – we’re clever, so we’re going to have the login and register functionality / forms on the same page!

Create a new file called login.php and copy the following code into it:

<?php
include_once('config.php');

// Reset errors and success messages
$errors = array();
$success = array();

// Login attempt
if(isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true'){
	$loginEmail = trim($_POST['email']);
	$loginPassword 	= trim($_POST['password']);
	
	if (!eregi("^[_a-z0-9-] (.[_a-z0-9-] )*@[a-z0-9-] (.[a-z0-9-] )*(.[a-z]{2,3})$", $loginEmail))
		$errors['loginEmail'] = 'Your email address is invalid.';
	
	if(strlen($loginPassword) < 6 || strlen($loginPassword) > 12)
		$errors['loginPassword'] = 'Your password must be between 6-12 characters.';
	
	if(!$errors){
		$query 	= 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = MD5("' . $loginPassword . '") LIMIT 1';
		$result = mysql_query($query);
		if(mysql_num_rows($result) == 1){
			$user = mysql_fetch_assoc($result);
			$query = 'UPDATE users SET session_id = "' . session_id() . '" WHERE id = ' . $user['id'] . ' LIMIT 1';
			mysql_query($query);
			header('Location: index.php');
			exit;
		}else{
			$errors['login'] = 'No user was found with the details provided.';
		}
	}
}

// Register attempt
if(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){
	$registerEmail = trim($_POST['email']);
	$registerPassword = trim($_POST['password']);
	$registerConfirmPassword 	= trim($_POST['confirmPassword']);
	
	if (!eregi("^[_a-z0-9-] (.[_a-z0-9-] )*@[a-z0-9-] (.[a-z0-9-] )*(.[a-z]{2,3})$", $registerEmail)) 
		$errors['registerEmail'] = 'Your email address is invalid.';
	
	if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12)	
		$errors['registerPassword'] = 'Your password must be between 6-12 characters.';
	
	if($registerPassword != $registerConfirmPassword)
		$errors['registerConfirmPassword'] = 'Your passwords did not match.';
	
	// Check to see if we have a user registered with this email address already
	$query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($registerEmail) . '" LIMIT 1';
	$result = mysql_query($query);
	if(mysql_num_rows($result) == 1) 
		$errors['registerEmail'] = 'This email address already exists.';
	
	if(!$errors){
		$query = 'INSERT INTO users SET email = "' . mysql_real_escape_string($registerEmail) . '", 
																		password = MD5("' . mysql_real_escape_string($registerPassword) . '"), 
																		date_registered = "' . date('Y-m-d H:i:s') . '"';
		
		if(mysql_query($query)){
			$success['register'] = 'Thank you for registering. You can now log in on the left.';
		}else{
			$errors['register'] = 'There was a problem registering you. Please check your details and try again.';
		}
	}
	
}
?>
<!doctype html>
<html>
<head>
  <meta charset="utf-8"/>
  <title>Login to the secure area</title>
  <meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0;"/>
  <link rel="stylesheet" type="text/css" href="default.css"/>
</head>

<body>
  <header><h1>Login / Register Here</h1></header>
	
	<form class="box400" name="loginForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
		<h2>Login</h2>
		<?php if($errors['login']) print '<div class="invalid">' . $errors['login'] . '</div>'; ?>
		
		<label for="email">Email Address</label>
		<input type="text" name="email" value="<?php echo htmlspecialchars($loginEmail); ?>" />
		<?php if($errors['loginEmail']) print '<div class="invalid">' . $errors['loginEmail'] . '</div>'; ?>
		
		<label for="password">Password <span class="info">6-12 chars</span></label>
		<input type="password" name="password" value="" />
		<?php if($errors['loginPassword']) print '<div class="invalid">' . $errors['loginPassword'] . '</div>'; ?>
		
		<label for="loginSubmit">&nbsp;</label>
		<input type="hidden" name="loginSubmit" id="loginSubmit" value="true" />
		<input type="submit" value="Login" />
	</form>
	
	<form class="box400" name="registerForm" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
		<h2>Register</h2>
		<?php if($success['register']) print '<div class="valid">' . $success['register'] . '</div>'; ?>
		<?php if($errors['register']) print '<div class="invalid">' . $errors['register'] . '</div>'; ?>
		
		<label for="email">Email Address</label>
		<input type="text" name="email" value="<?php echo htmlspecialchars($registerEmail); ?>" />
		<?php if($errors['registerEmail']) print '<div class="invalid">' . $errors['registerEmail'] . '</div>'; ?>
		
		<label for="password">Password</label>
		<input type="password" name="password" value="" />
		<?php if($errors['registerPassword']) print '<div class="invalid">' . $errors['registerPassword'] . '</div>'; ?>
		
		<label for="confirmPassword">Confirm Password</label>
		<input type="password" name="confirmPassword" value="" />
		<?php if($errors['registerConfirmPassword']) print '<div class="invalid">' . $errors['registerConfirmPassword'] . '</div>'; ?>
		
		<label for="registerSubmit">&nbsp;</label>
		<input type="hidden" name="registerSubmit" id="registerSubmit" value="true" />
		<input type="submit" value="Register" />
	</form>
</body>
</html>

It’s not as scary as it looks. Lines 1 to 66 contain the main PHP functionality for the page, whereas the rest is simple HTML markup with a few little extras for validation (which, again, many other similar tutorials don’t cover!).

We start by including our config.php file which we’ve just created. We’re assuming that the file is in the same directory as this login.php file. This can be changed easily, but just remember to either update your paths to your config file, or set a globally accessible variable to build the paths dynamically.

Because we have included that config.php file, we can already assume the following:

• We have declared session_start(), so we don’t need to re-declare that at all.
• We have a valid database connection
• We have run a check for a valid, logged-in user

 

We’re then declaring two empty arrays to hold errors and success messages. This will be used for validating the form, and notifying the user that they have successfully registered.

Next, we have two main if statements. One for the login attempt, and one for the register attempt. Both of which are looking for a hidden form variable to be set, with a value of ‘true’. I do this, as it’s my preferred method for checking for a form post, but feel free to use whatever method of checking for a form submission you prefer. The way this setup works is that on a standard page load (i.e. without a form submission) neither of the if statements will return true, as no form data would have been sent to it – but if we submit one of the forms, it will post back to itself and be dealt with accordingly. I like this method, as it allows me to keep functionality specific to a certain page, contained within that page.

The Login Attempt If Block

We’re firstly cleaning the posted variables, by trim()-ing them. This removes whitespace from the left and right side of the variable. This also gets around people just posting empty form elements, or form elements which have only spaces in them.

This is also setting a variable that we’ll use further down the page when we get to the form. How many times have you filled out a form on the web, only to have it not validate and then be faced with the same form – but completely blank! We’re going to use the $loginEmail variable on the loginEmail form element as the value, so if they mistype something, at least they won’t have to write their email address again (provided they typed it right the first time). It’s more of a proof-of-concept thing, rather than a MUST-DO for this tutorial.

After those two lines comes the validation. We’re using a regular expression to validate the email address, and simply checking the string length of the password to ensure it falls between 6 and 12 characters. If either fail, the $error array will be populated with the appropriate error messages, which will be used further down the page when we get to the actual form.

Following that, we have another if statement checking to see if we don’t have any errors. If we don’t, we then look on the database for a user with the email address provided, and the password – which is MD5 hashed using the MD5() MySQL function. If we get a result (in other words, there is a user with the email address and password provided), we update that row for the user so that their session_id field in our database gets the value of the PHP provided session_id().

We then simply push them to our landing page for authenticated users – in this example, it’s index.php. As we’ll be including the config.php file across all secure pages, we know we don’t need to worry about anything else, because our config.php file does a user authentication check every page anyway .

The Register Attempt If Block

Very similar to the login attempt if block, but within this, we have a confirmPassword form element that we need to make sure matches the password form element, and lines 50 to 53 are also checking that the email address doesn’t exist within the database. We don’t want two people registering under the same email address!

Provided we have no errors, we insert a new record for the user into our users table, setting the email address, password (using MD5), and date registered. If the query succeeds when we execute it (on line 60), we can set a success message which will be displayed below, otherwise we set an error message.

The Forms

I’m not going to go into too much detail regarding the markup of the actual HTML page, but I will say that it is using HTML5 (for those unfamiliar), and there is a stylesheet included to aid the layout of the forms / labels. Feel free to create your own, or take mine from the actual tutorial itself.

The forms themselves (loginForm and registerForm) should be self explanatory, but you just need to note the following:

• Both forms have their action set to $_SERVER['PHP_SELF']. This makes sure that the form posts the submitted data to the same page (which will be dealt with accordingly as in our main PHP block at the top of the page.
• Within the forms I am checking for the existence of error or success array variables, such as $errors['loginEmail'], and if they exist, I’m outputting the error message wrapped in a div with appropriate styling.
• The login form has a hidden form element called loginSubmit, whereas the register form has a hidden form variable called registerSubmit. They are both set to ‘true‘. This is so we can identify which form was submitted when we post the data to the page. There are other ways of doing this, but I find this the cleanest for this tutorial.
• The register form has an extra field called confirmPassword, which is used to check that the user has entered their password correctly when they register.

And that is all we need for our login / register page.

The Secure Page(s)

Almost finally, we need to create a secure page to demonstrate this authentication / user membership is working.

Create a new file called index.php and copy in the following code:

<?php
include_once('config.php');
?>
<!doctype html>
<html>
<head>
  <meta charset="utf-8"/>
  <title>Welcome to the secure area</title>
  <meta name="viewport" content="width=device-width; initial-scale=1.0; maximum-scale=1.0;"/>
  <link rel="stylesheet" type="text/css" href="default.css"/>
</head>

<body>
  <header><h1>Secure Area</h1></header>
	
	<p>This is one (of many potential) pages that reside in the secure area. All you need to remember to do is to include the <strong>config.php</strong> file, which handles the user authentication every time.</p>

	<p>Your user details are as follows:</p>
	<ul>
		<?php foreach($_SESSION['user'] as $key => $value){ ?>
			<li><?php echo $key; ?> <strong><?php echo $value; ?></strong></li>
		<?php } ?>
	</ul>
	
	<footer>
		<a href="logout.php">Logout</a>
	</footer>
</body>
</html>

The magic here, is that we don’t need to to much at all! As you can see, we don’t need to do anything but include the config.php file. You can create as many secure pages as you like, but just remember to have the config file included at the top of your pages. This page will always ensure that your customers are logged in and authenticated at all times, and if they’re not – they’ll be pushed right back to the login.php page.

Logging a User Out

The final part of this tutorial is showing how we log a user out securely.

Create a new file called login.php and add the following code:

include_once('config.php');
$query = 'UPDATE users SET session_id = NULL WHERE id = ' . $_SESSION['user']['id'] . ' LIMIT 1';
mysql_query($query);
unset($_SESSION['user']);
header('Location: login.php');
exit;

Very simple. We’re simply updating the users table to set the currently logged in user’s session ID (as stored in the database) to NULL, unsetting the $_SESSION['user'] variable, then pushing them to the login.php page.

This concludes my simple – but secure – user membership / authentication tutorial using PHP and MySQL. You should have learned how to securely authenticate a user, track their authentication across multiple pages, and securely log them out. If you have any questions at all, please post them in the comments and I’ll do my best to answer them for you.

Don’t forget, there is a…

DEMO: HERE