Login
Send the login information to login.php through an HTML <form> element using the POST method (never GET, which would put the password in the URL, browser history and server logs). For example,
<form action="login.php" method="post">
Username: <input type="text" value = "alice" name="username" size="36" /> <br>
Password: <input type="password" value = "1234" name="password" size="36" /> <br>
<input type="submit" value = "Submit" />
</form>
login.php collects the username and password from the POST body:
$username = $_POST['username'];
$password = $_POST['password'];
With these inputs, look the user up in the database and compare the passwords. Two details matter here: the placeholder :username must be bound to $username (binding a variable that does not exist, such as $id, silently runs the query with a NULL parameter and every login fails), and "no such user" should be detected with fetch() returning false, because PDOStatement::rowCount() is not guaranteed to report the number of rows returned by a SELECT on every driver.
$stmt = $pdo->prepare("SELECT password FROM users WHERE id = :username");
$stmt->bindParam(':username', $username);
$stmt->execute();
$row = $stmt->fetch();
if ($row === false) { // When nothing is found
    header('Location: ./index.php');
    exit();
}
$actualPassword = $row["password"];
// Plaintext comparison, as the table stores the password here; with hashed
// storage this becomes password_verify() (see Password Hashing below).
// Use !== rather than !=: PHP's loose comparison treats numeric-looking
// strings such as "0e1" and "0e2" as equal.
if ( $actualPassword !== $password ) {
    header('Location: ./index.php');
    exit();
}
The authentication is complete, so store the user ID in the session and redirect to the next page. session_start() must run before anything is sent to the browser, so in practice it belongs at the top of login.php, above the header() calls shown earlier. The script must also exit() after the redirect: header() only queues a response header and does not stop execution, so without exit() everything after the redirect still runs for every request. Regenerating the session ID at this point (session_regenerate_id(true)) additionally prevents a session ID that an attacker planted in the browser before login (session fixation) from becoming an authenticated session.
session_start();
$_SESSION['username'] = $username;
header('Location: ./nextpage.php');
exit();
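The complete login.php with the points above applied, as an added example; it is not the page's original script. It assumes (not stated on the page) that db.php creates the $pdo connection, that the users table has the columns id and password, and that password holds a password_hash() string rather than the plaintext, as described under Password Hashing further down.

```php
<?php
// Added example, not the page's original login.php.
// Assumptions: db.php defines $pdo; table users(id, password) where password
// is a password_hash() string.
declare(strict_types=1);

session_start();                      // before any output, so header() still works
require_once __DIR__ . '/db.php';     // assumed to create $pdo

$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Missing or malformed fields (e.g. username[]=x turns into an array): fail closed.
if (!is_string($username) || !is_string($password) || $username === '' || $password === '') {
    header('Location: ./index.php');
    exit();
}

$stmt = $pdo->prepare('SELECT password FROM users WHERE id = :username');
$stmt->bindValue(':username', $username);
$stmt->execute();
// fetch() returns false when no row matched; rowCount() is not guaranteed
// for SELECT statements on every PDO driver.
$row = $stmt->fetch(PDO::FETCH_ASSOC);

if ($row === false) {
    // Unknown user: spend roughly the same work as a real verification so the
    // response time does not reveal which usernames exist.
    password_hash($password, PASSWORD_BCRYPT);
    $authenticated = false;
} else {
    // password_verify() extracts algorithm, cost and salt from the stored
    // string and compares in constant time.
    $authenticated = password_verify($password, $row['password']);
}

if (!$authenticated) {
    // One generic failure path for both "no such user" and "wrong password".
    header('Location: ./index.php');
    exit();
}

// Authenticated. Issue a new session ID so an ID planted in the browser before
// login (session fixation) is not promoted to an authenticated session.
session_regenerate_id(true);
$_SESSION['username'] = $username;
$_SESSION['logged_in_at'] = time();

header('Location: ./nextpage.php');
exit();   // header() does not stop the script; nothing below may run
```

nextpage.php, and every other page that requires a login, must itself call session_start() and redirect to index.php when $_SESSION['username'] is not set; the redirect in login.php on its own protects nothing, since a browser can request nextpage.php directly.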
Logout
<?php
// The following code can be used to log out a user by destroying the current session.
// The code is taken from http://php.net/session_destroy
// Initialize the session.
// If you are using session_name("something"), don't forget it now!
session_start();
// Unset all of the session variables.
$_SESSION = array();
// If it's desired to kill the session, also delete the session cookie.
// Note: This will destroy the session, and not just the session data!
if (ini_get("session.use_cookies")) {
$params = session_get_cookie_params();
setcookie(session_name(), '', time() - 42000,
$params["path"], $params["domain"],
$params["secure"], $params["httponly"]
);
}
// Finally, destroy the session.
session_destroy();
header("Location: ./index.php");
exit(); // stop here; header() alone does not end the script
?>
If Logged In or Not
Logout Button
<form action="logout.php" method="post">
<input type="submit" value="logout" />
</form>
index.php (shows the login form when nobody is logged in, otherwise the logout button)
<?php
session_start(); // required before reading $_SESSION, and before any output
if (!isset($_SESSION['username'])) {
?> <form action="login.php" method="post">
Username: <input type="text" value = "testuser" name="username" size="36" /> <br>
Password: <input type="password" value = "1111" name="password" size="36" /> <br>
<input type="submit" value = "Submit" />
</form> <?php
}
else {
print("You are logged in");
?>
<form action="logout.php" method="post">
<input type="submit" value="logout" />
</form>
<?php
}
Password Hashing
To create a hashed password:
password_hash('yourpassword', PASSWORD_BCRYPT)
password_hash() creates a new password hash using a strong one-way hashing algorithm. password_hash() is compatible with crypt(). Therefore, password hashes created by crypt() can be checked with password_verify().
The following algorithms are currently supported:
PASSWORD_DEFAULT - Use the bcrypt algorithm (default as of PHP 5.5.0). Note that this constant is designed to change over time as new and stronger algorithms are added to PHP. For that reason, the length of the result from using this identifier can change over time. Therefore, it is recommended to store the result in a database column that can expand beyond 60 characters (255 characters would be a good choice).
PASSWORD_BCRYPT - Use the CRYPT_BLOWFISH algorithm to create the hash. This will produce a standard crypt() compatible hash using the "$2y$" identifier. The result will always be a 60 character string, or FALSE on failure.
- Use the
Supported options:
salt - to manually provide a salt to use when hashing the password. Note that this will override and prevent a salt from being automatically generated. If omitted, a random salt will be generated by password_hash() for each password hashed. This is the intended mode of operation.
Warning: The salt option has been deprecated as of PHP 7.0.0. It is now preferred to simply use the salt that is generated by default.
cost - which denotes the algorithmic cost that should be used. Examples of these values can be found on the crypt() page. If omitted, a default value of 10 will be used. This is a good baseline cost, but you may want to consider increasing it depending on your hardware.
To verify the password:
bool password_verify(string $password, string $hash)
Verifies that the given hash matches the given password.
Note that password_hash() returns the algorithm, cost and salt as part of the returned hash. Therefore, all information that's needed to verify the hash is included in it. This allows the verify function to verify the hash without needing separate storage for the salt or algorithm information.
This function is safe against timing attacks, so always check passwords with password_verify(); never re-hash the submitted password yourself and compare the strings with == or ===.
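The hash, verify and rehash cycle as plain functions with no database, as an added example that is not part of the original page. The cost policy of 12, the 250 ms time budget and the function names are assumptions made for the example; the API calls (password_hash(), password_verify(), password_needs_rehash(), password_get_info()) are the standard PHP ones described above.

```php
<?php
// Added example, not from the original page. BCRYPT_COST, the time budget
// and the function names are assumptions for this illustration.
declare(strict_types=1);

const BCRYPT_COST = 12;   // assumed site policy; raise as hardware gets faster

// Find the largest cost whose single hash still fits in the per-login time
// budget. Each +1 doubles the work, so the loop stops at the first cost that
// is too slow and returns the one below it.
function bcrypt_cost_for_budget(float $budgetSeconds, int $minCost = 10, int $maxCost = 31): int
{
    $cost = $minCost;
    while ($cost < $maxCost) {
        $start = microtime(true);
        password_hash('benchmark-only-input', PASSWORD_BCRYPT, ['cost' => $cost + 1]);
        if (microtime(true) - $start > $budgetSeconds) {
            break;
        }
        $cost++;
    }
    return $cost;
}

// Registration: store this string as-is; it already carries algorithm,
// cost and a random salt, so nothing else needs to be saved.
function make_password_hash(string $password): string
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    if (!is_string($hash)) {           // PHP 7 returns false on failure
        throw new RuntimeException('password_hash() failed');
    }
    return $hash;
}

// Login-time check. Returns null when the password is wrong; on success
// returns either the unchanged hash or a new one that the caller must write
// back to the database because the stored hash was made under a weaker
// (older) policy. The plaintext is only available here, so this is the
// one place an upgrade can happen.
function verify_password(string $password, string $storedHash): ?string
{
    if (!password_verify($password, $storedHash)) {
        return null;
    }
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        return make_password_hash($password);
    }
    return $storedHash;
}

// Demonstration run.
$hash = make_password_hash('correct horse battery staple');
$info = password_get_info($hash);
printf("stored: %s\nalgo=%s cost=%d length=%d\n",
    $hash, $info['algoName'], $info['options']['cost'], strlen($hash));

var_dump(verify_password('wrong guess', $hash) === null);
var_dump(verify_password('correct horse battery staple', $hash) === $hash);

// A hash produced at cost 10 still verifies, but comes back upgraded to
// BCRYPT_COST and must be written back to the users table.
$legacy = password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]);
$upgraded = verify_password('correct horse battery staple', $legacy);
var_dump($upgraded !== null && $upgraded !== $legacy
    && password_get_info($upgraded)['options']['cost'] === BCRYPT_COST);

printf("cost fitting a 250 ms budget on this machine: %d\n", bcrypt_cost_for_budget(0.25));
```

Run the benchmark once on the production hardware, not on a developer laptop, and store the resulting cost in configuration; password_needs_rehash() then migrates existing users to the new cost as they log in, without forcing a password reset.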