what login script do you use?

[franco714]

ive been using this one for a while

http://www.roscripts.com/PHP_login_script-143.html

but it seems really simple, and im not too sure about its security. does anyone recommend a different one (thats free)

thanks

[CoderMaya]

What do you want to achieve? Just a simple way to password protect a certain page?

[franco714]

thats what ive been using it for so far, but now i need to make a full on user system which im hoping will become pretty large

[CoderMaya]

And why not code one yourself?

[franco714]

id rather use a premade script and not have to worry if its secure or not.... so, no suggestions

[Jake Arkinstall]

id rather use a premade script

Programming Learning Mistake #1 there.

If you want to learn, learn how login systems work and write one yourself (and learn sessions inside out). If you don't know how secure it is - post your script and we'll be more than glad to assist you with it.

If you don't want to learn, I'd have to wonder why you're even on SitePoint.

[franco714]

Programming Learning Mistake #1 there.

If you want to learn, learn how login systems work and write one yourself (and learn sessions inside out).

yeah, but you see, i dont want to learn how it works, i just want one that does work... could you a have a look at the one i linked in my first post and tell me if that one is secure

thanks

[topgrade]

if you don't want to learn and even don't know about the security issues & suppose two people says it is secure & two says it is not! then to whom will you believe?

[CoderMaya]

Come on, you've been on SitePoint long enough... Ain't it time you started learning some PHP?

[franco714]

seriously you guys, i know more than enough php, and have coded plenty of sites. did i post this in the wrong forum category? or should i have posted it in the Scripts and Online Services category because thats all i want, someone to point me in the direction of a decent login script. when i want to learn sessions and all that, i will, and im sure its not even that difficult, but at the moment, i got to much crap in my head, so can someone please just help me out

if someone came here asking whats a good bloggin script, you wouldnt try to teach him how to code a blog would you?

[Jake Arkinstall]

seriously you guys

We are being serious. It seems you aren't.

someone to point me in the direction of a decent login script

Open notepad, start typing. Voila!

if someone came here asking whats a good bloggin script, you wouldnt try to teach him how to code a blog would you?

No because a blog is a big project.

A login system... I made those when I was 13 (Ok yes I made a decently-featured blog when I was 14 but that's not the point here).

They are basic and involve no learning other than sessions and maybe MD5.

Simple stuff:

1. Create a table for users, with a primary key, their username, their password (quite a few chars long because it's going to be MD5ed) and any other details you want
2. Make a registration form which inserts stuff into the database
3. Make a login form. This runs a simple query:
   
   Code sql:

   SELECT id, someothercolumn, etc FROM TABLE WHERE username = '{$username}' AND password = md5('{$password}' LIMIT 1)

   Then count the rows - if none, then they gave the wrong details. If there is one, grab the info into an array or object
4. Save the user ID in a session - being an experienced programmer, you've gotta know them right?
   
   PHP Code:

   <?php
session_start(); //before ANYTHING is output, but after any class definitions
/*
 * saving the session:
 */
$_SESSION['user_id'] = $userId;
$_SESSION['logged_in'] = true;
/*
 * Getting the data:
 */
if(isset($_SESSION['logged_in']) && $_SESSION['logged_in'] === true){
    $userId = $_SESSION['user_id'];
    $getDetails = mysql_query("SELECT blah FROM table WHERE userID = {$userId}");
    //....etc
}

Easy concept to grasp.

[franco714]

what about password hashing, password recovery, account confirmation, remember me feature, etc... yeah, what to you described is simple, but all that other stuff starts getting pretty complicated

[sk89q]

It's not complicated. It's just a pain, I have to admit. You need, for a decent, non-annoying login system:

1. Session support
2. Registration
3. Registration CAPTCHA prompt
4. Registration flood detection
5. Registration logs
6. Email confirmation for registration
7. Login page
8. Logout page
9. Remember me
10. Username recovery
11. Password recovery + password change form
12. Email address change page
13. Email confirmation for email change
14. Password change page
15. Cookie support check on login (if only cookies are used)
16. Failed login log
17. Brute force detection
18. Captcha prompt once a brute force is detected (better than a complete block, in my opinion, because sometimes people are genuinely trying to guess their username/password because they lost access to their email)
19. Blocking mechanism past a limit
20. Temporary session IDs to validate actions that could be hijacked via CSRF (i.e. so logouts can't be triggered via a CSRF)
21. Redirect-after-login support
22. Redirect URL validation (i.e. no redirect to /logout.php)

And then... let's not forget: what about all the user administration pages you also need? Permissions support, etc.?

[CoderMaya]

It's not complicated. It's just a pain, I have to admit. You need, for a decent, non-annoying login system:

1. Session support
2. Registration
3. Registration CAPTCHA prompt
4. Registration flood detection
5. Registration logs
6. Email confirmation for registration
7. Login page
8. Logout page
9. Remember me
10. Username recovery
11. Password recovery + password change form
12. Email address change page
13. Email confirmation for email change
14. Password change page
15. Cookie support check on login (if only cookies are used)
16. Failed login log
17. Brute force detection
18. Captcha prompt once a brute force is detected (better than a complete block, in my opinion, because sometimes people are genuinely trying to guess their username/password because they lost access to their email)
19. Blocking mechanism past a limit
20. Temporary session IDs to validate actions that could be hijacked via CSRF (i.e. so logouts can't be triggered via a CSRF)
21. Redirect-after-login support
22. Redirect URL validation (i.e. no redirect to /logout.php)

And then... let's not forget: what about all the user administration pages you also need? Permissions support, etc.?

All that can be + more customizations can be achieved within an hour on a good day.

On a normal day, with snacks and TV shows in between, and maybe even some online FPS action before taking out the trash, you can achieve this too.

It's a one day project. I don't see what the big deal is here. Do it on a Saturday instead of going out, if it means that much to you.

And sessions aren't that hard to understand. If you just want to know how to use them and not realize how they work (serialization, hashed ids, cookies, etc) - the idea is simple. - Session variables are variables that exist from the moment you created them to the moment you closed your browser.... or... deleted them yourself. You can manipulate, set, change and delete session variables after calling the function session_start() before you send your headers - or if you don't know much about headers - just call that function in the first line of your file.

You can access session variables in the global array, $_SESSION.

Hope this helped. All the rest - Google for it! If you can't understand something, post here and we'll be sure to help you out.

For the record, most of the people here don't use login scripts anyway since we make our own, so that's probably why no one here answered your question. We simply don't know, because we never got into it... So if you want help, there's plenty to go around... But going around the web looking for good scripts isn't what people in the PHP forum do. What we do is submitting our scripts so people like you can download and use them.

So again, if you need help with creating your own system - we'll be happy to assist. If that's not what you're looking for... You'll have to look somewhere else, then.

[sk89q]

• Registration (3: form, success, email confirmation page)
• Login (3: form+captcha, login processor, post login for cookie support check)
• Username/password recovery (4: form, username recovery page, password recovery change form, password recovery page)
• Logout (1: success)
• Email address change (3: form, success, email confirmation page)
• Password change: (2: form, success)

That's 16 pages, and that's not including all the user management and user permission pages. Throw in 10 more for that. Not to mention, you'd have to write code that's not directly related to the page (permissions API, sessions API if you're using something non-standard, etc.).

Not everyone's day consists of just watching TV and playing FPS games.

[franco714]

• Registration (3: form, success, email confirmation page)
• Login (3: form+captcha, login processor, post login for cookie support check)
• Username/password recovery (4: form, username recovery page, password recovery change form, password recovery page)
• Logout (1: success)
• Email address change (3: form, success, email confirmation page)
• Password change: (2: form, success)

That's 16 pages, and that's not including all the user management and user permission pages. Throw in 10 more for that. Not to mention, you'd have to write code that's not directly related to the page (permissions API, sessions API if you're using something non-standard, etc.).

Not everyone's day consists of just watching TV and playing FPS games.

thank you... finaly someone who understands

[CoderMaya]

thank you... finaly someone who understands

Understand what? The laziness? You'd be surprised how easy it is to find lazy people. If that's the kind of answer you want to get - look in another place.

Everything sk89q mentioned there is can actually be done with many less files, if you don't repeat your code and use logical techniques and conditions.


You know what, if you'd pay me, I'll prove you wrong by completing all of this in under 4 hours of non-intense work.

And I'm sorry I just can't allow myself to ignore the b-comment

Not everyone's day consists of just watching TV and playing FPS games.

Actually, as you could have seen, I was talking about a Saturday you'd do it while obviously giving up on other stuff, if it means so much.

For the record, I'm joining the army in 2 months, lots of interviews almost every day, I am still studying for MCPD tests (70-536 by Microsoft, download the test and tell me if you understand a word of the 230 questions I already memorized by heart), other than that I have to also study a 1,080 pages study book about threading, configuration, application domains, memory allocation, instrumentation, security, globalization and more (and that's just the second of 5 exams), and in between all of that - I write in-depth tutorials in my blog and work to save money to fly with my fiancee just 2 weeks before I leave for the army.

So no, I don't sit around and watch TV and play FPS games all day. I was trying to make a point with a friendly association.

[franco714]

wow dude, no ones attacking you here. its not laziness, i just have better things to do than code a login script which might or might not be good... why is it so hard to understand that id rather use something thats premade and that a lot of other people have used, so i can have peace of mind that its secure

[CoderMaya]

I have a mental issue with this kind of comments.

Anyway, if you read what I said before - this is not the best place to ask where to get a pre-made script, since most people here don't know.

Not to mention, there is a very obvious sticky thread in this forum:
http://www.sitepoint.com/forums/showthread.php?t=463100

[Jake Arkinstall]

i just have better things to do than code a login script which might or might not be good...

The great geniuses had to learn to read and write.

Franco, I can really see what you mean here. You don't really bother with making yourself better, your current skill is more than sufficient to get the basics done, and why learn anything else if you can grab easily available scripts off the internet?

If that really is your point of view... I think you need to reassess.

[Stormrider]

Guys, all he is asking for is a simple login script. So he doesn't want to learn to write one himself at this moment, does it matter?

Do any of you use phpbb or do you code your own forum? What about other third party software?

Stop being so hostile and unhelpful towards the guy. He asked a perfectly reasonable question, if you aren't willing to help him with it then seriously, don't bother posting.

Sorry franco, I'm afraid I don't know of anything that might help, but looking on google might give you some results.

[Jake Arkinstall]

It's tough love, honest.

The best help you can give to a guy is teach him how to do it himself. You know, teach a man to fish...

It's a very simple task, and if he wrote it himself he could ready-make it for integration to his site.

The lazy way is the hardest way in the end.

[Stormrider]

I understand that, but you don't know his situation, why he is looking for a script instead of doing it himself.

He clearly isn't interested in coding it himself, so posting again and again telling him you think that's what he should do isn't helping anything.

[Wolf_22]

Attention everyone:

Coming from the mind of a programmer, maybe it's wrong for the original poster to have a belief that a "canned solution" is the proper way through this hurdle, but on the flip side of the coin, maybe this person has a different set of priorities? Maybe he is no web developer? Maybe he has classes to worry about...? Maybe he has a girlfriend...? I mean, c'mon--we all know how much time they consume!

Not everyone has hacked into the Pentagon at age 3 or overthrown the Chinese government with the click of a button on a Saturday before cartoons start.

Just some food for thought guys... Not everyone is a programming God like some of you are around whom we all worship to no end.

[CoderMaya]

Oh I just love it when people assume you have no life other than staring at matrix code if you know how to program.

Like I said, if all he wants is to get a click & install script - then this isn't the right place anyway. It says so in the rules, too.