PHP Developer

My notes and thoughts about Linux, WordPress, PHP, WPML, Toolset and many more.

PHP Secure Authentication of User Logins

Author's note: this is a very old implementation and needs security updates. A future release will be a complete refactoring of all the essential aspects and will address the security review by Anthony Ferrara. I don't recommend using this on any site other than a test site that is not publicly accessible.

Want to learn secure authentication of user logins?

Download this file

To implement this script:

1.) Download it first.

2.) Unzip the script.

3.) Create database table:

First table: authentication
http://www.php-developer.org/screenshot/authenticationtable.jpg

Second table: ipcheck
http://www.php-developer.org/screenshot/ipchecktable.jpg

4.) Configure config.php

5.) Upload securelogin folder to the root directory of your website.

6.) Test

This is what the registration form looks like (customizable):

[Screenshot: registration form]

This is what the login form looks like (also customizable):

[Screenshot: login form]

Featured image credits: ArnoldReinhold at the English language Wikipedia

60 thoughts on PHP Secure Authentication of User Logins

  • Hi,
    The download of the script is taking me to a 404. Can you please re-upload the script files? As a new PHP coder, I feel this login script is awesome. It will be great if you can re-upload it early. Thanks.

  • I know, it’s an old thread.

    I had an issue with case sensitivity, so I added this right under //validate username:

    //match case
    // (posted snippet rewritten with a prepared statement; the mysql_* functions are gone
    // from current PHP, and $user must not be spliced into SQL or used as a regex pattern.
    // $pdo is an assumed PDO connection.)
    $stmt = $pdo->prepare('SELECT username FROM authentication WHERE username = ?');
    $stmt->execute([$user]);
    $match_case = $stmt->fetch(PDO::FETCH_ASSOC);
    // strict string comparison enforces the exact case without preg_match()
    if ($match_case !== false && $match_case['username'] === $user) {
        $registered = TRUE;
    } else {
        $registered = FALSE;
    }

    in authenticate.php.

    Thanks.
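The snippet in the comment above interpolates the submitted username into the SQL string and then uses the stored username as a regular-expression pattern, so a name containing a quote or a regex metacharacter changes the query or the pattern. The following is an added example, not code from the script or from the commenter: it shows the exact-case check done with a bound parameter and a strict string comparison, and a small function that demonstrates the regex problem. It assumes a PDO connection `$pdo` and the `authentication` table with a `username` column named in the snippet.

```php
<?php
// Added example, not code from the script: exact-case username check that
// neither interpolates the submitted value into SQL nor uses it as a regex.
// Assumes $pdo is a PDO connection (PDO::ERRMODE_EXCEPTION) and that the
// "authentication" table has a "username" column, as in the posted snippet.

function usernameIsRegistered(PDO $pdo, string $user): bool
{
    // Parameterised query: the value is bound, never spliced into the SQL text,
    // so quotes in $user cannot change the query.
    $stmt = $pdo->prepare('SELECT username FROM authentication WHERE username = :user LIMIT 1');
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        return false;
    }

    // MySQL's default collations compare case-insensitively, so the lookup
    // above may return "Alice" for the input "alice". A strict string
    // comparison in PHP enforces the exact case; preg_match() is not needed.
    return $row['username'] === $user;
}

// Why the posted preg_match() version is unsafe: the stored name becomes the
// pattern, so a name made of metacharacters matches every input, and a name
// containing "/" breaks the delimiter. The values below are constructed.
function regexCheckIsUnsafe(): bool
{
    $storedName = '.*';                 // a user who registered the name ".*"
    $submitted  = 'someone_else';
    // Original logic from the comment: preg_match("/".$match_case['username']."/", $user)
    return preg_match('/' . $storedName . '/', $submitted) === 1;   // true for any $submitted
}
```

`regexCheckIsUnsafe()` returns true even though the two names differ, which is the failure the prepared-statement version avoids by never treating user data as a pattern.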

  • Hi, I want to download this script and I'm getting a 403 Forbidden page.
    How can I download the script?
    Thank you.

  • The download doesn’t seem to work anymore as I’m getting an error page. Is there an alternative place for me to download the latest version of the script?

  • Hi, I got all things working, but when I click on the register button it shows "Could not open socket". Please reply on how to resolve this problem. Thanks in advance.

  • Resolved. I realized that my domain name is MyDomainName dot com/ and not www dot MyDomainName dot com, so I removed the www. from $domain in config.php and now it’s working.

    Thanks again for the script, this is great!

    On the demo page, you asked for examples of this script in use and I noticed that the ones you had listed were basically direct copies of your script as far as design goes. As of today, I’m still building this site but if you’d like to list an example of your script being integrated into the design of a website then feel free to list frankenwriter dot com/secure/

  • I get this error
    “Input error: k: Format of site key was invalid ”
    The captcha isn't showing up at all on registration.
    Any ideas?

    • Try refreshing the browser and clearing all cache; if it still doesn't work, replace it with a more recent reCAPTCHA library and make sure you have the correct public and private keys.

  • Yes, thanks again. Could you explain step by step how to create the table fields: how many columns, what are they, and how many tables?

  • I have been using this login script for a while. It is secure when used on an SSL website. Recently I was using a packet scanner and when I logged on to my website without SSL, I saw that it sent the username and password in clear text. Anyone who captures the packets during my login process will be able to log in as me. The IP filters will have no effect.

    1) How do I obscure the username and password during login?
    2) What config changes do I need to make the cookie being created to be used only for encrypted connections?

    • This is why there is SSL. It's the only effective way to obscure all sensitive information in Internet communications. I'm not sure about config changes, and I am not planning to add support for cookie authentication. It is a cookieless login and relies only on sessions. I suggest you modify the code yourself; it is released as open source. You can do anything you like with it.
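One caveat on the exchange above: a PHP session is itself carried by a cookie (named PHPSESSID by default) unless the session ID is passed in the URL, so "relies only on sessions" still puts a cookie on the wire, and that cookie can be restricted to encrypted connections, which is what the second question asks. The block below is an added example, not code from the script: it forces HTTPS and opens the session with hardened cookie parameters. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()`) and an assumed variable `$domainHost` holding the configured hostname.

```php
<?php
// Added example, not code from the script: put this where config.php opens the
// session. It answers the second question (cookie only on encrypted
// connections) and forces HTTPS so the credentials are never sent in clear
// text. Assumes PHP >= 7.3 (array form of session_set_cookie_params()) and a
// configured hostname $domainHost, e.g. 'example.com' (assumed name).

function requireHttps(string $domainHost): void
{
    // Direct-connection check; behind a TLS-terminating proxy, test a trusted
    // X-Forwarded-Proto header instead.
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (isset($_SERVER['SERVER_PORT']) && (int) $_SERVER['SERVER_PORT'] === 443);

    if (!$isHttps) {
        // Redirect to the configured host, not $_SERVER['HTTP_HOST'], so an
        // attacker-supplied Host header cannot turn this into an open redirect.
        header('Location: https://' . $domainHost . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
    // HSTS: browsers will use HTTPS for this host for the next year.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

function startHardenedSession(): void
{
    // Accept only session IDs this server generated (blocks fixation).
    ini_set('session.use_strict_mode', '1');
    // Never fall back to carrying the session ID in the URL.
    ini_set('session.use_only_cookies', '1');
    ini_set('session.use_trans_sid', '0');

    // The PHP session itself is carried by a cookie (PHPSESSID by default), so
    // "relies only on sessions" still means a cookie is on the wire.
    session_set_cookie_params([
        'lifetime' => 0,         // browser-session cookie
        'path'     => '/',
        'domain'   => '',        // current host only
        'secure'   => true,      // only sent over HTTPS
        'httponly' => true,      // not readable from JavaScript
        'samesite' => 'Strict',  // not sent on cross-site requests
    ]);
    session_start();
}

$domainHost = 'example.com';   // assumed: take this from $domain in config.php
requireHttps($domainHost);
startHardenedSession();
```

The `secure` flag is what stops the session cookie from being replayed by someone who captured a clear-text request; the redirect and HSTS header make sure the first request, where the credentials travel, is encrypted as well.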

  • Problem fixed... I had to remove "securelogin" from the domain in the config file, as the login was in the root folder.

    🙂

  • Hi…

    Just a little problem I'm trying to get to the bottom of... When I register a new user and submit the details, I get taken to the index.php page and I get an "Unable to connect to MySQL" error message.

    I then refresh the page, the message disappears and I'm left with the usual boxes to enter the login information.

    I can then log in normally using the newly created user login information.

    Any assistance would be awesome. Norman

    • From what I can tell when I had a look at the code, the register.php page has a postback from the form when the registration details are entered.

      The user is created in the database, but this "Unable to connect to MySQL" error message still pops up. Maybe I'll download Tomcat and see if I can replicate this error message locally.

      But a point in the right direction would be helpful.
      🙂
      norm

  • I really appreciate this script, thanks so much. I used it as a starting point for my own, and it saved me so much time!

    The only issue I had with using it on a Windows 2008 server host was that I got an error, “too many connections open,” and that went away when I changed the include for config.php to:
    require_once('config.php');

    • I learned that for Windows servers, one line of the registration script needs to be updated from:
      $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM)); //(this is for linux servers)
      to:
      $salt = bin2hex(mcrypt_create_iv(32, MCRYPT_RAND)); //(for windows servers)

      (Regarding my last comment: the “too many connections open” turned out to be a server issue that has now been fixed and had nothing to do with the script.)

      • That's amazing. There's a big difference between Linux and Windows servers. I will probably rewrite the script to inject these changes automatically in the core script depending on the OS that runs the server. Thanks for the update.
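A practitioner's check on the thread above: `MCRYPT_RAND` draws from the C library's `rand()`, which is not a cryptographically secure source, and the mcrypt extension was removed from PHP core in 7.2. The block below is an added example, not code from the script: it replaces the per-OS salt line with `random_bytes()`, which reads the operating system's CSPRNG on both Linux and Windows, and shows the `password_hash()` family, which removes the need to store a salt at all. The function names are my own.

```php
<?php
// Added example, not code from the script: a platform-independent replacement
// for the salt line discussed above. random_bytes() (PHP >= 7.0) reads the OS
// CSPRNG on Linux and Windows alike and throws if none is available, so there
// is no need for a per-OS MCRYPT_DEV_URANDOM / MCRYPT_RAND switch (and the
// mcrypt extension was removed from PHP core in 7.2).

// Same shape as the original: 32 random bytes, hex encoded (64 characters).
function makeSaltHex(int $bytes = 32): string
{
    return bin2hex(random_bytes($bytes));
}

// A separately stored salt is unnecessary with password_hash(): it draws its
// own salt from a CSPRNG and embeds it in the returned string together with
// the algorithm and cost, so verification needs nothing but that string.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Call after a successful login: true means the stored hash was produced with
// older parameters and should be recomputed with hashPassword() and saved.
function needsRehash(string $storedHash): bool
{
    return password_needs_rehash($storedHash, PASSWORD_DEFAULT);
}

// Self-check with constructed values; returns true when everything behaves.
function selfCheck(): bool
{
    $hash = hashPassword('correct horse battery staple');
    return strlen(makeSaltHex()) === 64
        && makeSaltHex() !== makeSaltHex()          // fresh randomness each call
        && verifyPassword('correct horse battery staple', $hash)
        && !verifyPassword('wrong password', $hash)
        && !needsRehash($hash);
}
```

Because `password_hash()` output carries its own parameters, the `authentication` table only needs the hash column; the salt column from the screenshot becomes redundant once the registration script switches over.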

  • Great Code! It is just what any developer that cares about security should implement.

    I have uploaded all the files to the production server, but the register page just blanks out when the register button is pressed, without inserting into the database. Please help out!

    • Thanks. OK, I will test again, as I suspect something has changed now (probably the captcha or server aspect) that renders the page blank. I will review the script again. It's a bit strange, since the live demo application is working well; probably this only affects execution on the local host. Cheers.

  • I have a local installation of my webpage and I use XAMPP. I implemented your script, but if I go to the restricted page, the login screen opens but there are two failure messages.
    “Undefined variable: loginattempts_username in authenticate.php on line 324” and “Undefined variable: loginattempts_total in authenticate.php on line 324”
    Do you have an idea?

    Thanks!

    • Thanks Silvio for reporting this. I will test again the application to see if I can simulate your errors. I will report the updates here soon. Cheers.

  • Everything was working fine until I updated Chrome, and now I am stuck on the 403
    http://localhost/auth/403forbidden.php
    You have been denied access because of the following reasons:

    1.) Too many failed login attempts, so you are likely brute forcing through logins.
    2.) You have been accessing an authorized user account login through a stolen or hijacked session.

    Any Ideas? :/

    • Some tips to resolve this error:

      1.) Clear out the login attempts in the database. Find your IP in there (on my localhost it says 127.0.0.1, but it might be different for your system, so you need to confirm) and change the number of attempts to zero, or delete your login entry manually to test.

      2.) Clear out all cache of the browser.

    • Simply add an option to the source code. It can take a lot of work, but I do not have plans to update it at this time. Since the software is released open source and free, you can download the software and improve it. Thanks.

    • Did you ever get this working? I think it would need a modified duplicate of registration.php that keeps the username and allows an update of the password only.

  • Great knowledge base and starting point for making a login. I'm still deciding between PHP and JavaScript, but your example using reCAPTCHA is helpful for both, thanks.

    • Never rely on JavaScript for security! JavaScript can easily be manipulated because it is executed on the client side. Hackers and malicious programs can easily sniff data manipulated in JavaScript. Use a server-side program; it executes its code on the server, so you have much tighter security control.

  • My pages are on xyz.com/securelogin/ABC
    I tried using require('../authenticate.php'); in files in my ABC folder, but every time I open a page in the ABC folder, I get a blank screen instead of the login page.
    I have changed $domain in config.php to http://www.xyz.com/ and
    login_url = $domain.'securelogin'

    Where is the problem?

    • I believe I don't use the dots in the require command. Go and read the perfect example. I suggest you use an absolute server path in your require.

      • Codex, thank you for the reply. It solved my problem.
        The only point was to include the absolute server path for all the requires in authenticate.php.

        Now I'm trying to add an option for the users to change the password 😉
        Any hints on how to approach it? Just general directions.
        Again, thank you for the help.
        Good luck

  • Sir,
    I need your help with the PHP Secure Login form.

    My problem is: when I visit the login link and sign in, then close the member area page without signing out, and after a short time period visit the login page again, it forwards me to the *403 file.
    So how can I solve this problem when a user forgets to sign out and then sees this 403? I forgot to sign out and visited the login page again within a short time period. I changed the default session timeout to 7200, meaning 2 hours, so that when a user logs in he will not be forwarded to the login page again. I also want to change this to 10 hours or unlimited time, so that the same user from the same computer is not asked to log in again. Is this good?

    Please respond as soon as possible.
    Thank you so much for your kind favour.

    • Don't make it too long; the one in the tutorial is recommended (around hours, I think, if I remember). Take note that this script doesn't use cookies. So if the user re-opens the secure site within this time, he will still be logged in. Just put a warning to your users that they should sign out if they want their account to be secure.

      Of course, if your user is surfing at a public Internet cafe and forgets to sign out, any user can open the site because the session has not yet timed out. Make sure you communicate this properly with your users. They are responsible for keeping their account secure, so they should click the sign out button.
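The exchange above turns on the session timeout. An added example, not code from the script: the block below enforces an idle limit (no request for a while) and an absolute limit (re-authenticate after a fixed time regardless of activity), rotates the session ID periodically, and ends the session cleanly when either limit is hit. The `$_SESSION` keys and constant names are my own assumptions; `$login_url` is the name the config uses in the comments above.

```php
<?php
// Added example, not code from the script: idle and absolute session limits
// plus periodic ID rotation, to be called on every protected page right after
// session_start(). The $_SESSION keys 'created', 'last_activity' and 'rotated'
// are assumed names, not ones the script uses.

const IDLE_LIMIT     = 30 * 60;       // 30 minutes with no request ends the session
const ABSOLUTE_LIMIT = 8 * 60 * 60;   // re-authenticate after 8 hours regardless
const ROTATE_EVERY   = 15 * 60;       // issue a new session ID every 15 minutes

// Returns true if the session may continue, false if it was ended and the
// caller should redirect to the login page. $now is injected for testability.
function enforceSessionLimits(int $now): bool
{
    if (!isset($_SESSION['created'])) {
        $_SESSION['created'] = $now;
    }

    $idle   = isset($_SESSION['last_activity'])
              && ($now - $_SESSION['last_activity']) > IDLE_LIMIT;
    $tooOld = ($now - $_SESSION['created']) > ABSOLUTE_LIMIT;

    if ($idle || $tooOld) {
        endSession();
        return false;
    }

    $_SESSION['last_activity'] = $now;

    // Rotating the ID shortens the useful life of an ID captured from the wire
    // (the clear-text case reported above) or left behind on a shared machine.
    if (!isset($_SESSION['rotated']) || ($now - $_SESSION['rotated']) > ROTATE_EVERY) {
        session_regenerate_id(true);   // true: discard the old session data
        $_SESSION['rotated'] = $now;
    }
    return true;
}

// Full logout: clear server-side data, expire the cookie, destroy the session.
function endSession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'] ?? 'Lax',
        ]);
    }
    session_destroy();
}

// Usage on a protected page (after session_start()); $login_url is from config.php:
// if (!enforceSessionLimits(time())) { header('Location: ' . $login_url); exit; }
```

The absolute limit is what bounds the damage from the forgotten-sign-out case: even a user who keeps the page active is asked to log in again after eight hours, so an "unlimited" timeout is never needed.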

  • I have tried to register my account via the GUI, however with no success... I can connect to the database fine. Tables are present.

    However, during some testing I did not receive an email validation and am now locked out. How can I reset my temp account? I have looked within authentication and see my temp account. However, 'loginattempt' is still at "0".

    What can I do to sort this out?

    • Are you running this on localhost? It cannot send emails; you need to do more configuration beyond what the script offers. I suggest uploading the script to your production server (with PHP running on Apache and MySQL), just to confirm it's running, and reporting what errors you see further.

  • Hmmm, what the heck is up with my Dreamweaver. Every time I try to load some of the files my DW just keeps freezing 🙁

    I have to do all my editing in notepad++ in order to modify the script to work with my login page.

    Other than DW’s faultiness, this script is great!

    • Thanks for using the script. Double-check whether you are using an updated or licensed version of DW. Some DW copies out there come from illegal sources and contain bad code.

    • Try using the latest version of reCAPTCHA. And make sure your PHP has GD enabled; consult your web host. The script does not fully work in a free hosting environment. Have you tried running the script in a localhost environment such as XAMPP?

  • Thank you for your script, it looks nice, BUT:
    when I go to register.php, fill in the form and press register, I get a blank screen afterwards.

      • Make sure you are using PHP 5. Make sure also that you have the Mcrypt library enabled in your PHP. If you are not sure, consult your web host.

    • Have you fully tested the script in the localhost environment before running it on the production server? You need to do this first, as a production server can have more permissions and fewer features than your local server. For example, sessions etc. might not be working properly on your server. You need to check on that. I suspect you have sessions disabled. Try running the original/unaltered script; that should work, otherwise you have a faulty PHP/server installation that you need to fix first.

  • Hi,
    Your code looks great. However, we are getting a few notices when I execute it at my end.

    Undefined index: logged_in: This occurs the first time we run this website. However, when we refresh the page, it is gone. So I don't want this notice to appear even the first time.

    Please let me know how this can be removed.

    PS: Notices/Warnings are turned off, but still it is showing the above one.
    Details:
    WAMP: Version 2.2
    PHP: 5.3.9
    MYSQL: 5.5.20
    APACHE: 2.2.21

    Thanks in advance

    • It's in your php.ini. All warnings and errors should be turned off. There are several lines in there, not only one, so you need to turn them all off. Do not forget to restart Apache after doing this. If Apache is not restarted you will not see the changes. Clear your browser cache.

  • Thanks for your script!

    I would like to let only a specific user register other users. How can I do that?
    Is there a simple way to test the username that is logged in?

    I would like to save logins (time + IP) in the database; is it complicated?

    Thanks again

    • Yes, you can always query the database to test that the username has logged in or registered. As of now, what you are requesting is not yet supported by the current script, but you can always modify the script to fit your application. The license of this script is open source.

      If you can code it yourself, you can always get the feature you need. Thank you also for using the script 🙂

  • Are you kidding me? Why not just include a text file with the MySQL tables instead of passing off images of the database tables?

    Are you for real or just damn lazy?

    • Yeah, I am for real. And why don't you just create the database tables from that image? Are you also plain lazy or just damn ignorant?
