Login/Registration System with php and mysql

Question

I would like to make a simple user login/registration system using PHP and mysql. I don\'t need to get any information beyond what is necessary for the user to log in and ou

Answer 1

A few notes on some missing considerations:

PHP sessions typically already use cookies: the session ID is stored as one.

Sessions can be hijacked; you should also take steps to reduce the possibility (start by reading "PHP: Preventing Session Hijacking with token stored as a cookie?" and "What is the best way to prevent session hijacking?").

Related to hijacking is fixing, where an attacker picks the session ID. There are two ways of combatting this: set session.use_only_cookies (the default in PHP >= 5.3) and change the session ID when a user logs in with session_regenerate_id.

Also see the question "PHP Session Security" and article "PHP Security Guide: Sessions".

Answer 2

Since Login systems are such an integral part of a website, you're screwed if it gets hacked. Unless you're doing this for educational purposes, I recommend finding a system that was created by someone that has experience in the field. You'll sleep soundly at night.

An example of a solid pre-built login system is tank auth, it's written for the Code Igniter framework. You might want to look at how this guy designed the system to get ideas on what's important if you decide to write your own.

Also just a note from experience, it takes more time to write a login system from scratch than it does to learn the code igniter framework and install tank auth.

Answer 3

if you want a ready made solution

User Cake in php5

pretty much secure .. and stable.

Answer 4

Is php's md5 function suitable for this?

MD5 is no longer considered secure; consider using PHP's newer built-in password hashing with the bcrypt algorithm which has variable computational complexity: PHP password_hash() and password_verify().

How do I make the session persist after login. With a php session? A cookie? What should get stored in the cookie for remembering the user between visits?

Ideally, you would use a PHP session to maintain state during a single visit, and if you would like to have a "remember my login" option, you would use a cookie that contains enough information to authenticate a returning user and restart a new session. There's a good article from 2004 on best practices regarding login cookies here: Persistent Login Cookie Best Practice. You might also be interested in a more modern (2015) solution to securely implementing "remember me" checkboxes.

Apart from these, I think whatever you have described is fine.

Answer 5

Here's a recommendation: consider using a readily available framework that inherently provides such functionality. they are tried and tested. have a look at Kohana. It has an Auth module which takes care authentication.