
What is the best way to create a PHP login page?

I'm fairly new to PHP and am looking for some best practices on how to implement authentication in PHP.

I'm an evangelist for Adobe and one of the things that annoys me is when people use Flex/Flash for the login screen. So I want to do a blog post/example on using an HTML/PHP login page and then passing the session information to Flex -after- the session has been set.

I'm still wrapping my head around exactly what PHP needs to create a valid session and how it sets cookies. So examples or information that specifically relate to that would be very helpful.

Thanks in advance,

=Ryan [email protected]

ryanstewart asked Jan 11 '10 23:01


3 Answers

As has been said, there's quite a lot to creating a robust and secure authentication system in PHP, but the fundamentals are easy to grasp.

The first thing you want to do is call session_start(). Once you've done this you can get and set session variables using the $_SESSION superglobal:

session_start();
$_SESSION['foo'] = $foo;
$bar = $_SESSION['bar'];

Once you've done this you can set log in details for the current user upon a successful log in and have them persist over pages (remembering to call session_start before using them). Also, session_start must be called before any content is sent to the browser.

There are security issues to consider, such as session fixation and cookie theft, however. One approach to session fixation, for example, is to regenerate the user's session ID upon elevation of privileges using PHP's session_regenerate_id (or something like that).

The PHP Security Consortium has lots of useful info.

Cookies can be manipulated using the setcookie function.

Will Vousden answered Oct 05 '22 07:10


Create a login.php page with a form, something like:

<form method="post" action="login.php">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submLogin">
</form>

Then add your PHP logic:

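<?php
// Read the submit flag from $_POST; a bare $submLogin only exists with register_globals.
if (isset($_POST['submLogin']))
{
 $username = $_POST['username'];
 $password = $_POST['password'];

// run checks on vars not to pass on silly data + escape chars

 // String values must be quoted in SQL. They are concatenated exactly as posted,
 // so the checks/escaping mentioned above are required (see the warning below).
 $query_login = "SELECT * FROM users 
 WHERE username = '" . $username . "' AND password = '" . $password . "' LIMIT 1";
 // mysql_* functions come from the old mysql extension (removed in PHP 7.0).
 $login = mysql_query($query_login, $db_connection) or die();
 $login_result = mysql_num_rows($login);

 if ($login_result == 1)
 {
  // success
  session_start();
  $_SESSION['logged_in'] = TRUE;
  // redirect somewhere, set cookies, do whatever you want to do on success
 }
 else
 {
  // fail
  // display error or redirect
 }
}
?>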

The $db_connection variable is the link identifier, the result of mysql_connect() or mysql_pconnect().

Warning!

From a comment below:

Directly using the username and password in the SQL query is very insecure against SQL injection. You should at least use the htmlentities function to clear the username and password before using them in the SQL query. Just for your information.

LukeP answered Oct 05 '22 07:10
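The session-fixation point in the first answer and the SQL injection warning on the second can both be handled in one login routine. The following is an added example, not code from either answer; it assumes PHP 7.3 or later with PDO and its SQLite driver, and the users table, the password_hash column, the function names and the demo account are constructed for illustration, with an in-memory SQLite database standing in for MySQL.

```php
<?php
// Added example, not code from the answers. Schema, names and the demo
// account are constructed; in-memory SQLite stands in for MySQL.
declare(strict_types=1);

function start_secure_session(): void
{
    // Cookie flags limit cookie theft: no JavaScript access, HTTPS only.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start(); // must run before any output is sent
}

function attempt_login(PDO $db, string $username, string $password): bool
{
    // The placeholder keeps posted input out of the SQL text.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Only a hash is stored; password_verify() does the comparison.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }

    // A fresh session ID at the privilege change counters session fixation.
    session_regenerate_id(true);
    $_SESSION['logged_in'] = true;
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Constructed demo data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
   ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

start_secure_session();
$before = session_id();

// Collect results first: the ID cannot be regenerated once output has started.
$results = [
    'name containing a quote' => attempt_login($db, "o'neil", 'x'),
    'wrong password'          => attempt_login($db, 'alice', 'wrong'),
    'valid login'             => attempt_login($db, 'alice', 'correct horse'),
    'session id changed'      => session_id() !== $before,
];
var_dump($results);
```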


That's a fairly broad topic. However, a good understanding of sessions/cookies would be a good base. You should take a look at Chris Shiflett's blog - he has a lot of good posts about these topics.

> I'm an evangelist for Adobe and one of the things that annoys me is when people use Flex/Flash for the login screen. So I want to do a blog post/example on using an HTML/PHP login page and then passing the session information to Flex -after- the session has been set.

I'm not entirely sure on your goal here. Do you need the Flash component to authenticate the user? Since this is a client-side technology, such an authentication would have limited scope.

troelskn answered Oct 05 '22 08:10