how to create a login system

mactrac11

How do I create a login system for my website? I was wanting to test it out (I am just testing things, so I can't get a better thought on this stuff). Can you guys help me out?
 

smithee

Hi mactrac11, I'm currently creating my own login scripts on behalf of someone else's site (although slowly, as I'm basing it in classes as much as possible!). A while ago, I taught myself how to achieve this after coming across "PHP for Beginners by a Beginner: Simple Login, Logout, and Session Handling" on Dev Articles. It's quite an old post, but it does explain the three most important requirements of a successful login (and logout) system: the login page with the form, the method of storing login details, and session implementation. Without these, you wouldn't get far!! It also explains how to check whether the user has entered the correct details, and how to detect when the user wants to log out.

A few things I would suggest though:
  1. It makes use of the "session_register" function; this has now been deprecated, so using it is not advised. Instead, use $_SESSION and assign a value to it.
  2. It also makes use of the "session_is_registered" function; again, this has now been deprecated. So instead of using:
    if(session_is_registered('username')), use:
    if(isset($_SESSION['username'])).
  3. It makes use of the built-in mysql functions. These aren't deprecated, and are still used massively. However, in terms of robustness and security, there are other database object handlers out there that do a much better job of preventing SQL injections from occurring. A good alternative is the PDO handler. The page "Writing MySQL Scripts with PHP and PDO" is a good tutorial on this, and it's what I referred to to get me off the ground with PDO.

So whilst looking through that page (or any other you come across), please be aware of the points I have mentioned :)
 

misson

  • The article also doesn't use a strong enough password hashing scheme. MD5 is considered broken, and the scheme doesn't use any salt. Read "Enough With The Rainbow Tables: What You Need To Know About Secure Password Schemes" and "Password Hashing".
  • The sample system is vulnerable to session hijacking. There's no foolproof way of preventing it, since there's no unforgeable, unique data coming from a user. The best you can do is check that the remote IP stays the same; if it doesn't, generate a new session ID with session_regenerate_id and force the user to login again.
  • You should use session_regenerate_id when a user successfully logs in to prevent session fixation.
  • Instead of session_unset, scripts using $_SESSION should clear out session data by setting $_SESSION to an empty array.
    PHP:
    $_SESSION = array();
  • The username column should be made UNIQUE.

There are a few things about the article that don't matter too much.
  • The article loops over query results when there's only a single result.
    PHP:
    $rowCheck = mysql_num_rows($result);
    if($rowCheck > 0){
        while($row = mysql_fetch_array($result)){
            // ... the loop body only ever runs once, since the query matches a single user
        }
    }
    While not functionally incorrect, it's unnecessary and is counter to self-documenting code practices, impacting readability.
  • If there is at most 1 result row, a LIMIT 1 clause in a query can produce a more efficient query execution plan. If you're querying against a UNIQUE column, the query optimizer will probably produce the same plan without a LIMIT clause, though including the clause won't hurt and is a hint to a programmer that the query should produce at most one result (more self-documenting code).
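To tie the two replies above together, here is an added example (not the Dev Articles tutorial's code, and not anything posted in this thread) of a single login.php that applies smithee's points (PDO prepared statements instead of mysql_*, $_SESSION/isset() instead of session_register()/session_is_registered()) and misson's points (salted slow hashing instead of unsalted MD5, session_regenerate_id() on login, $_SESSION = array() on logout, a UNIQUE username column, a single fetch with LIMIT 1). The table definition, DSN, credentials, form field names and redirect targets are assumptions; password_hash()/password_verify() need PHP 5.5 or later.

```php
<?php
// Added example: minimal login/logout flow following the advice in this thread.
// Assumed schema (UNIQUE on username, as suggested above):
//
// CREATE TABLE users (
//     id       INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
//     username VARCHAR(64)  NOT NULL UNIQUE,
//     pw_hash  VARCHAR(255) NOT NULL      -- output of password_hash()
// );

session_start();

function db()
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumed connection details; keep real ones outside the web root.
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_pass', array(
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly, not silently
            PDO::ATTR_EMULATE_PREPARES => false,                  // real server-side prepares
        ));
    }
    return $pdo;
}

// Registration: store a salted, slow hash, never md5($password).
function registerUser($username, $password)
{
    $stmt = db()->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    $stmt->execute(array(
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT), // bcrypt, random salt per user
    ));
}

// Login: parameterised query (no SQL injection), at most one row (UNIQUE + LIMIT 1),
// hash comparison via password_verify(), fresh session ID against fixation.
function loginUser($username, $password)
{
    $stmt = db()->prepare('SELECT id, pw_hash FROM users WHERE username = :u LIMIT 1');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC); // one fetch; no while loop needed

    if ($row === false || !password_verify($password, $row['pw_hash'])) {
        return false; // same answer for unknown user and wrong password
    }

    session_regenerate_id(true);   // new ID, old session data deleted
    $_SESSION = array();           // discard anything set before authentication
    $_SESSION['user_id']  = (int) $row['id'];
    $_SESSION['username'] = $username;
    return true;
}

function isLoggedIn()
{
    return isset($_SESSION['user_id']); // replaces session_is_registered()
}

// Logout: empty the array, expire the cookie, destroy the server-side store.
function logoutUser()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Request handling (assumed form fields: username, password; assumed pages).
$error = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (loginUser($_POST['username'], $_POST['password'])) {
        header('Location: /members.php');
        exit;
    }
    $error = 'Invalid username or password.';
} elseif (isset($_GET['logout'])) {
    logoutUser();
    header('Location: /login.php');
    exit;
}
?>
<form method="post" action="/login.php">
    <?php if ($error !== '') { echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; } ?>
    <input type="text" name="username"> <input type="password" name="password">
    <input type="submit" value="Log in">
</form>
```

Protected pages then call session_start() and check isLoggedIn() before doing anything else. Because username is UNIQUE, the query can return at most one row, so the code fetches once rather than looping, and the LIMIT 1 is there mainly as a hint to the next reader.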
 