So, our last post on creating login admin and logout seems to be pretty backdated. We decided to come up with a new post under the same topic. So, to start with, let us see what you will be able to do after following this tutorial:
- Create a MySQL database for managing admin users. Use SHA1 encryption method to store the password in database. Also insert data into it.
- Create your own login/logout system in PHP using Cookie and Session along with remember me option. We shall md5 the SHA1 password in cookie for better protection.
- Understand the PHP code behind the scene. How we have stored the encrypted password in the cookie.
- Implementing the whole thing in OOP (Object Oriented Programming).
In this tutorial we will do only the basic stuffs, there will be no CSS/HTML styling. In our next release, we will provide you a package with HTML5 admin, from where you can download and use it directly in your projects. This tutorial is intended to explain the basic mechanism used in Login Systems and how cookies and sessions work to provide the administrator security. We will discuss the file and directory structure, the database structure, we will see how we’ve used MySQL in PHP to connect to database and how we actually authenticate the user for a single session or for multiple session (in case the remember me option is selected). Check out below to get the codes straight away if you know how to do this already and just want to get the code.
As for the so called licensing stuffs, this whole thing is just FREE. You download, fork, modify, redistribute, use in your project, or do whatever you want. Although a credit will be appreciated, but in this open world of internet, it is completely upto you.
So, let us start with the directory structure and understand which file does what.
#0: File and directory structure:
- directory – admin: The root directory of all your admin files. It contains all the classes, login/logout files etc that we need to get the system running.
- admin-class.php – The main library class of the admin. It contains the several library functions that we need for user authentication, password checking etc.
- index.php – The main admin file which should be restricted to the logged in administrator only. If not logged in, then this should redirect to the login page.
- login-action.php – The action file which processes the user submitted username and password and authenticates on success. On failure, it redirects to the login page.
- login.php – The login form where users are asked to enter their username, password etc along with the a nice remember me option.
- logout.php – The logout script which should clear the authentication data and send back the user to the login page.
- directory – db: The root directory for the database connection files. We have used ezSQLto code our application. It gives several query abstractions for faster access.
- db.php – It includes the library files ez_sql_core.php & ez_sql_mysql.php and initializes a global variable $db for all the database connections. We shall look more about this later.
- ez_sql_core.php – The core ez_sql file as downloaded from the link above.
- ez_sql_mysql.php – The MySQL extension for the ezSQL.
#1.1: Creating the database:
We shall start by creating a new database for our application. If you are on linux and have MySQL installed, just open up terminal and hit mysql (you need to access with super user privilege if you have not changed the mysql root, su mysql or sudo mysql) and enter the following sql queries.
CREATE DATABASE login_test;
USE login_test;
CREATE TABLE `user` (
`id` INT NOT NULL auto_increment,
`username` VARCHAR(50) NOT NULL default '',
`nicename` VARCHAR(255) NOT NULL default '',
`email` VARCHAR(255) NOT NULL default '',
`password` VARCHAR(255) NOT NULL default '',
UNIQUE KEY `user_n` (`username`),
UNIQUE KEY `user_e` (`email`),
PRIMARY KEY (`id`)
);
INSERT INTO `user` (`username`, `nicename`, `email`, `password`)
VALUES (
'swashata', 'Swashata Ghosh', 'abc@domain.com', SHA1('pass')
);
Let us see what it does:
- Creates a database named login_test.
- Use that database.
- Create a table user with id, username, nicename, email and password as fields. Set usename and email as unique keys and id as primary key.
- Β Insert a user named swashata with nicename Swashata Ghosh, email as above and password as pass.
- Note that we have encrypted the password ‘pass‘ using the SHA1 encryption method provided my MySQL. In this way our password is stored in encrypted form. But that also means, you will never be able to see it in original form again. So, how do you reset it? Simple, by querying the database directly. Just
Now, if you run a SELECT * query, then you will see something like this.
All done, now let us code the PHP backend.
#1.2: Connecting the database with PHP: – db.php
Now, we need to connect this database to our script. To do this, we will be using ezSQL as mentioned before. So, inside our db.php file, we place the following code:
<?php
/**
* The db.php file which initiates a connection to the database
* and gives a global $db variable for access
* @author Swashata <swashata@intechgrity.com>
* @uses ezSQL MySQL
*/
/** edit your configuration */
$dbuser = 'db_user';
$dbname = 'db_name';
$dbpassword = 'db_password';
$dbhost = 'localhost';
/** Stop editing from here, else you know what you are doing ;) */
/** defined the root for the db */
if(!defined('ADMIN_DB_DIR'))
define('ADMIN_DB_DIR', dirname(__FILE__));
require_once ADMIN_DB_DIR . '/ez_sql_core.php';
require_once ADMIN_DB_DIR . '/ez_sql_mysql.php';
global $db;
$db = new ezSQL_mysql($dbuser, $dbpassword, $dbname, $dbhost);
As you can see, it creates a global $db object which connects to the database from the credential above. To use it, we just need to include this file and declare $db as global.
#2: Creating the Login form: – login.php
So, we have used a plain and simple login form with valid xhtml markup. You can add your own css to it to make it look better. The things to notice are
- The name and id of the fields should not change.
- The form method should be post and action should be login-action.php.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Login to admin</title>
</head>
<body>
<form action="login-action.php" method="post">
<fieldset>
<legend>Enter Credential</legend>
<p>
<label for="username">Username: </label>
<input type="text" name="username" id="username" value="" />
</p>
<p>
<label for="password">Password: </label>
<input type="password" name="password" id="password" value="" />
</p>
<p>
<label for="remember">
<input type="checkbox" name="remember" id="remember" value="1" /> Remember me
</label>
</p>
</fieldset>
<p>
<input type="submit" value="Submit" /> <input type="reset" value="Reset" />
</p>
</form>
</body>
</html>
Simple and effective.
#3: Creating the library classes – admin-class.php
We first need to analyze what features we need for our library. The basic features are (and also the code behind it):
#3.0: Initialize the session for login system:
Login systems work mainly either on session or on cookie. As we are using remember me option, so it is better to use both. Here is how we initialize the session and do some other stuffs.
/**
* The constructor function of admin class
* We do just the session start
* It is necessary to start the session before actually storing any value
* to the super global $_SESSION variable
*/
public function __construct() {
session_start();
//store the absolute script directory
//note that this is not the admin directory
self::$abs_path = dirname(dirname(__FILE__));
//initialize the post variable
if($_SERVER['REQUEST_METHOD'] == 'POST') {
$this->post = $_POST;
if(get_magic_quotes_gpc ()) {
//get rid of magic quotes and slashes if present
array_walk_recursive($this->post, array($this, 'stripslash_gpc'));
}
}
//initialize the get variable
$this->get = $_GET;
//decode the url
array_walk_recursive($this->get, array($this, 'urldecode'));
}
#3.1: Checking the database for valid username and password combination:
/**
* Check the database for login user
* Get the password for the user
* compare md5 hash over sha1
* @param string $username Raw username
* @param string $password expected to be md5 over sha1
* @return bool TRUE on success FALSE otherwise
*/
private function _check_db($username, $password) {
global $db;
$user_row = $db->get_row("SELECT * FROM `user` WHERE `username`='" . $db->escape($username) . "'");
//general return
if(is_object($user_row) && md5($user_row->password) == $password)
return true;
else
return false;
}
So, what we do is, we compare the md5 and sha1 encrypted password with the one stored in database. As the database has only sha1 encrypted password, so we calculate the md5 hash by passing it through the function md5. If it matches, then we return true else, false. You might think, from where we get the username and password. Just keep on reading.
#3.2: Add action for the login-action.php file:
/**
* Check for login in the action file
*/
public function _login_action() {
//insufficient data provided
if(!isset($this->post['username']) || $this->post['username'] == '' || !isset($this->post['password']) || $this->post['password'] == '') {
header ("location: login.php");
}
//get the username and password
$username = $this->post['username'];
$password = md5(sha1($this->post['password']));
//check the database for username
if($this->_check_db($username, $password)) {
//ready to login
$_SESSION['admin_login'] = $username;
//check to see if remember, ie if cookie
if(isset($this->post['remember'])) {
//set the cookies for 1 day, ie, 1*24*60*60 secs
//change it to something like 30*24*60*60 to remember user for 30 days
setcookie('username', $username, time() + 1*24*60*60);
setcookie('password', $password, time() + 1*24*60*60);
} else {
//destroy any previously set cookie
setcookie('username', '', time() - 1*24*60*60);
setcookie('password', '', time() - 1*24*60*60);
}
header("location: index.php");
}
else {
header ("location: login.php");
}
die();
}
What it does is, calls the _check_db function with the username and encrypted password as parameters. If true is returned, then it sets the session for the admin with the username as $_SESSION[‘admin_login’] variable. Then it further checks for remember me option, and if yes, then it sets cookie as well. We shall discuss more about cookie in some other post. For now, you can just check the comments. As it says, it stores the username and password in the corresponding variables for 1 day. To fetch the cookie we shall use $_COOKIE super global.
#3.3: Creating the authentication method:
/**
* Checks whether the user is authenticated
* to access the admin page or not.
*
* Redirects to the login.php page, if not authenticates
* otherwise continues to the page
*
* @access public
* @return void
*/
public function _authenticate() {
//first check whether session is set or not
if(!isset($_SESSION['admin_login'])) {
//check the cookie
if(isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
//cookie found, is it really someone from the
if($this->_check_db($_COOKIE['username'], $_COOKIE['password'])) {
$_SESSION['admin_login'] = $_COOKIE['username'];
header("location: index.php");
die();
}
else {
header("location: login.php");
die();
}
}
else {
header("location: login.php");
die();
}
}
}
When ever we need to authenticate in a file access, we just have to call this function. We shall see it in the index.php file. It automatically fetches the data from cookie, revalidates it and also redirects to the login.php in case of failure. This is just pretty much what you need.
#3.4: Putting together the class file – admin-class.php
<?php
/** Include the database file */
include_once '../db/db.php';
/**
* The main class of login
* All the necesary system functions are prefixed with _
* examples, _login_action - to be used in the login-action.php file
* _authenticate - to be used in every file where admin restriction is to be inherited etc...
* @author Swashata <swashata@intechgrity.com>
*/
class itg_admin {
/**
* Holds the script directory absolute path
* @staticvar
*/
static $abs_path;
/**
* Store the sanitized and slash escaped value of post variables
* @var array
*/
var $post = array();
/**
* Stores the sanitized and decoded value of get variables
* @var array
*/
var $get = array();
/**
* The constructor function of admin class
* We do just the session start
* It is necessary to start the session before actually storing any value
* to the super global $_SESSION variable
*/
public function __construct() {
session_start();
//store the absolute script directory
//note that this is not the admin directory
self::$abs_path = dirname(dirname(__FILE__));
//initialize the post variable
if($_SERVER['REQUEST_METHOD'] == 'POST') {
$this->post = $_POST;
if(get_magic_quotes_gpc ()) {
//get rid of magic quotes and slashes if present
array_walk_recursive($this->post, array($this, 'stripslash_gpc'));
}
}
//initialize the get variable
$this->get = $_GET;
//decode the url
array_walk_recursive($this->get, array($this, 'urldecode'));
}
/**
* Sample function to return the nicename of currently logged in admin
* @global ezSQL_mysql $db
* @return string The nice name of the user
*/
public function get_nicename() {
$username = $_SESSION['admin_login'];
global $db;
$info = $db->get_row("SELECT `nicename` FROM `user` WHERE `username` = '" . $db->escape($username) . "'");
if(is_object($info))
return $info->nicename;
else
return '';
}
/**
* Sample function to return the email of currently logged in admin user
* @global ezSQL_mysql $db
* @return string The email of the user
*/
public function get_email() {
$username = $_SESSION['admin_login'];
global $db;
$info = $db->get_row("SELECT `email` FROM `user` WHERE `username` = '" . $db->escape($username) . "'");
if(is_object($info))
return $info->email;
else
return '';
}
/**
* Checks whether the user is authenticated
* to access the admin page or not.
*
* Redirects to the login.php page, if not authenticates
* otherwise continues to the page
*
* @access public
* @return void
*/
public function _authenticate() {
//first check whether session is set or not
if(!isset($_SESSION['admin_login'])) {
//check the cookie
if(isset($_COOKIE['username']) && isset($_COOKIE['password'])) {
//cookie found, is it really someone from the
if($this->_check_db($_COOKIE['username'], $_COOKIE['password'])) {
$_SESSION['admin_login'] = $_COOKIE['username'];
header("location: index.php");
die();
}
else {
header("location: login.php");
die();
}
}
else {
header("location: login.php");
die();
}
}
}
/**
* Check for login in the action file
*/
public function _login_action() {
//insufficient data provided
if(!isset($this->post['username']) || $this->post['username'] == '' || !isset($this->post['password']) || $this->post['password'] == '') {
header ("location: login.php");
}
//get the username and password
$username = $this->post['username'];
$password = md5(sha1($this->post['password']));
//check the database for username
if($this->_check_db($username, $password)) {
//ready to login
$_SESSION['admin_login'] = $username;
//check to see if remember, ie if cookie
if(isset($this->post['remember'])) {
//set the cookies for 1 day, ie, 1*24*60*60 secs
//change it to something like 30*24*60*60 to remember user for 30 days
setcookie('username', $username, time() + 1*24*60*60);
setcookie('password', $password, time() + 1*24*60*60);
} else {
//destroy any previously set cookie
setcookie('username', '', time() - 1*24*60*60);
setcookie('password', '', time() - 1*24*60*60);
}
header("location: index.php");
}
else {
header ("location: login.php");
}
die();
}
/**
* Check the database for login user
* Get the password for the user
* compare md5 hash over sha1
* @param string $username Raw username
* @param string $password expected to be md5 over sha1
* @return bool TRUE on success FALSE otherwise
*/
private function _check_db($username, $password) {
global $db;
$user_row = $db->get_row("SELECT * FROM `user` WHERE `username`='" . $db->escape($username) . "'");
//general return
if(is_object($user_row) && md5($user_row->password) == $password)
return true;
else
return false;
}
/**
* stripslash gpc
* Strip the slashes from a string added by the magic quote gpc thingy
* @access protected
* @param string $value
*/
private function stripslash_gpc(&$value) {
$value = stripslashes($value);
}
/**
* htmlspecialcarfy
* Encodes string's special html characters
* @access protected
* @param string $value
*/
private function htmlspecialcarfy(&$value) {
$value = htmlspecialchars($value);
}
/**
* URL Decode
* Decodes a URL Encoded string
* @access protected
* @param string $value
*/
protected function urldecode(&$value) {
$value = urldecode($value);
}
}
#4: Creating the login-action.php file:
As we have everything in our class, so creating the login-action.php file will be a breeze. All what we do is
- Include the admin-class.php file.
- Initiate a new instance of the itg_admin class.
- Call the _login_action function.
<?php include_once 'admin-class.php'; $admin = new itg_admin(); $admin->_login_action();
and we are done.
#5: Creating the index.php file – restricted access:
So, it is time to put all the codes to work. In index.php file we simply do what we have done in login-action.php file, except of calling the _login_action, we call _authenticate function. It will automatically check whether user is authenticated to access the further script or not and will redirect to login form if necessary.
<?php
include_once 'admin-class.php';
$admin = new itg_admin();
$admin->_authenticate();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Administrator page</title>
</head>
<body>
<fieldset>
<legend>Welcome <?php echo $admin->get_nicename(); ?></legend>
<p>
Here are some of the basic informations
</p>
<p>
Username: <?php echo $_SESSION['admin_login']; ?>
</p>
<p>
Email: <?php echo $admin->get_email(); ?>
</p>
</fieldset>
<p>
<input type="button" onclick="javascript:window.location.href='logout.php'" value="logout" />
</p>
</body>
</html>
and finally…
#6: The logout.php file:
Everything seems to be incomplete without it! What we do is
- Destroy the session.
- Expire the cookie.
- Redirect to login form.
<?php
/**
* The logout file
* destroys the session
* expires the cookie
* redirects to login.php
*/
session_start();
session_destroy();
setcookie('username', '', time() - 1*24*60*60);
setcookie('password', '', time() - 1*24*60*60);
header("location: login.php");
?>
and we are done. It looks like this
So that was all. Feel free to ask any questions you have. I will try best to answer them.
Pingback: Create Login Admin & Logout Page in PHP w/ SESSION n MySQL - InTechgrity | InTechgrity
hey Swashata,
Nice post about login en logout with a form. It lokes pretty safe! My question is if it is simple to put a registration method in it, with emailadres verification.
That will be the next release π
that would be great. Keep up the good work. Already plans for the next release? π
Or you could skip developing yet another login system and use a prepackaged solution that is much more flexible such as:
http://barebonescms.com/documentation/sso/
I realize the author spent time developing this tutorial, but as Wouter points out, it is missing some rather critical components – registration, verification, maybe some anti-spam measures, and a LOT better security.
FYI, hashing a hash reduces the hash’s overall security. Cryptographic hashes are tricky like that. Also, see ‘bcrypt’, which is the correct way to store passwords. Those are a couple of the problems I spotted right away. This example code is susceptible to a whole slew of other security problems. As an example, the code is fine, but don’t use it in a production environment.
What you’ve said is right! This is just a beginner’s tutorial.
Is it possible to add a “error message”, when user enter a wrong username or password.
I have an idea!.
I want to destroy the section after 30sec and redirect to login page automatically.
Did u help me to implement it ?
How can i display logged in or out button depending if the user is logged in or not?
It is already there in the example. The concept is something like this:
if(isset($_SESSION['admin_login'])) { //print the logout button } else { //print the login button }Thanks! π But when i try to get the nicename from get_nicename(); ?>. It gives this error Notice: Undefined property: itg_admin::$get_nicename … Any ideas?
The call should be
$admin->get_nicename();where$adminshould correspond to the instance of the admin class.Thxx a lot for this tutorial..
its very useful for me.
Nice post about login and logout .
btw if i can change password metode, from sha1 to md5..
how to do that??
can u help me?
This code is very correct but when i logout the running session and go back it will open the account page which i already logged out. And another is when i open a account page directly from the list of pages without login, it will give an error of Undefined Index..Plz reply
Can you give me a screenshot of the error?
Hi, is there a way of setting what is seen in the admin section of the site based on the users type and session?
Cheers
In this code NO. Is it possible in PHP? Yes. But the concept is rather big and can not discuss through comment. Perhaps you should consider using some ready made PHP Admin Script.
Sir, please make the registrations increment too.
Or give us some hint how to integrate it in this.
Thanks.
Well making registration form is somewhat not “simple” and it can not be explained in comments. You need to do something like this:
1. Make a HTML registration form and submit it to some PHP script file
2. Use the PHP script file and
$_POSTvariables to catch the information.3. Use the information to save things into database (the users table)
Hope it helps.
First of all thanks alot for this clear tutorial. I am a rookie and i need to have user roles in my website. According to user roles display of pages will change. Is it possible to add user roles to this code?
Thanks again.
I added
Why don’t you code your stuff using WP Plugin API and use it with WordPress admin? It has inbuilt user role option. Adding it to this code requires lots of things and it can not be explained in the comment. Perhaps I will look into it in future. Also, you might want to check the admin script given by our commentator previously in this post.
HI i am facing a problem hope i get sme help from you.Is it possible to have 5 different admin and those admin can view and edit their order form submitted from 5 different buyers
alert(“I am an alert box!”);
alert(“You can’t expect to have XSS on WordPress”);
Hi, when you wrote “As for the so called licensing stuffs, this whole thing is just FREE. You download, fork, modify, redistribute, use in your project, or do whatever you want. Although a credit will be appreciated, but in this open world of internet, it is completely upto you.” I didn’t get it, would I cost something do download the design and use it? Or would something cost at all?
No, the content of this tutorial is completely free. Use it however you like, wherever you want π
hey swashata
I read your post and applied it but im getting these two errors.
I am just a beginner in this field dats y im trying but not able to resolve these issues .
can you please suggest me something in this
error are::
Strict Standards: Declaration of ezSQL_mysql::query() should be compatible with that of ezSQLcore::query() in C:\xampp\htdocs\LoginSystem\db\ez_sql_mysql.php on line 230
Strict Standards: Declaration of ezSQL_mysql::escape() should be compatible with that of ezSQLcore::escape() in C:\xampp\htdocs\LoginSystem\db\ez_sql_mysql.php on line 230
hii swashta,
I read ur post and applied it in my project too. but im getting some errors and as being beginner im nt able to resolve those:
error::
Strict Standards: Declaration of ezSQL_mysql::query() should be compatible with that of ezSQLcore::query() in C:\xampp\htdocs\LoginSystem\db\ez_sql_mysql.php on line 230
Strict Standards: Declaration of ezSQL_mysql::escape() should be compatible with that of ezSQLcore::escape() in C:\xampp\htdocs\LoginSystem\db\ez_sql_mysql.php on line 230
Fatal error: Call to a member function get_row() on a non-object in C:\xampp\htdocs\LoginSystem\admin\admin-class.php on line 175
You can ignore the Strict Standards notice. For the fatal error, did you use the right username/password for MySQL?
yes i did
hi swashata
can u answer me please, I’am waiting for your response…
Well, from the error it seems the sql connection is not made. Did you edit the db file to connect to mysql properly?
This system works perfectly!
I just made some changes to adjust it to my db system and to match my CMS password building system π
Awesome work! Thank you! Greetings from Spain π
you are most welcome π
I made a reduced (much less files and just one clean class) and mvc-like version of this (currently without cookies, but with sessions), free and downloadable via http://php-login.net or https://github.com/Panique/PHP-Login. Somebody wants to extend this baby ?
“Chukran” God bless you
Hi,
i’m browsing thru to find solution to the error we are having now. Appreciate if you can give us your advice.
1. Please browse thru this URL : http://excelwithus.com.my/estorev2/bejoi
2. you’ll see the estore displayed is belong to a user called “bejoi”. “bejoi” is one of our affiliate and this is his store
THen we migrate the whole system to a new production server
3. when you browse to the server : http://110.4.43.13/estore2/bejoi, it didn’t bring you to the page, but it prompted us to download the page. π
4. Is there any settings to the server we can look into?
The apps is running on WAMP with PHP 5.3.1, Apache 2.2 and mySQL
Appreciate your assistance in this matter…
beutyfull form
thanx
Dear Swashata
I got error like this in my admin system
Fatal error: Call to a member function get_row() on a non-object in D:\MyWebSite\business_design\admin\admin-class.php on line 67
with get_nicename(); ?> and get_nicename(); ?> please fix it..
It looks like, you database connectivity is not established. Please follow the tutorial carefully, you’ll need to create a database, assign user and add the credentials to a php file.
It really helps me thanks bro.
hey bro kindly help me for two files that are
ez_sql_core.php
ez_sql_mysql.php
as i’m new in php so I really don’t know where can i find these files…
thanks in advance π
Google for EZSQL and you will know!
i have done everything… its working fine… but a bit problem the the form isn’t navigating from log in page…
any suggestion ???
thanks…….
hey hiiiiiiii buddy
i need cookies script as that my site should be settled as a home page in users systems….
can u help me in this
I’ve utilized your script and I love it, I was wondering however if I could get some help real fast on utilizing the $_SESSION[‘admin_login’] differently. I’ve been trying to write a script that sends mail from one user to another and it’s proven to be a pain on the from section; I’m trying to find a way to make it so that there’s a $_SESSION that calls on the nicename field rather then the username as the username field isn’t shared with other users on the site I’m working on. If you could help in this that would be greatly appreciated.
Thanks guys.
i tryed this code but after login,welcome page is not open…