Hi, in this video, we will make a professional authentication system with signup and login in PHP. Here, we will use sessions in PHP for login, and a user without having an account cannot able to access a particular page. We will also use a hash password function to encrypt the password before sending it to the database. We will also add the functionality of auto-logout after 24 hours from login to make the system more secure. Here, we will use the MySql database to save user records. Go through the process for a better understanding.
Project Structure
- db_connection.php
- auth.php
- check_login.php
- dashboard.php
- logout.php
Database Connection
First, create a "users" table inside an "auth_system" database as given below.
Now, connect database with the project. For that, we will create a db_connection.php file. In this file, add server configuration like server's name, user, password and database name. For local server, the server name is localhost, the user name is root, the password is empty and the database created for this project is named auth_system. For remote servers, everything is different except database name. The username and password are configured by users during creating database. Now, use the mysqli_connect() function and give the server name, user, and password to connect with the server. For a database selection, use the mysqli_select_db() function to select a database from the connected server.
Signup and login system in auth.php file
In auth.php file, we will add two forms, one for account creation and another one for login. The user record will send to the database in this file for account creation and the login process will also be done here.
Add bootstrap
We will use bootstrap to create forms and the grid system. Use the below CDN to add bootstrap to your project.
Create form for Signup
We need a username and password to create account and for that, we will make two input fields inside a form. Use the method POST and action in empty as we are not going to other page. Also, create a submit button for form submission. Carefully set the name attribute as we will use this later in PHP.
Create form for Login
Create the same form as created above for login because we need the same records for login. Just change the name attributes. Also, change the value of submit button from "Create Account" to "login" as it will use as login form submission.
PHP code for auth.php file
Now, start coding the PHP part of the auth.php file. We will get the records from the forms and send them to the database for signup and verify it to login. First, include the db_connection.php file which has server configuration and then start session.
We will add a condition that we only process the request made by the POST method. This will stop spam account creation on requesting file with GET method by just opening URL in the browser with some query.
Inside the previous condition, we will add two different conditions. When "create account" button is clicked, first condition becomes true and when "login" button is clicked, second condition become true. Both signup and login processes have different codes, so we'll discuss them separately.
If user clicked on the create account button, we will send the username and password to the "users" table in the database. We will use prepared statement that is very helpful against SQL injections. Create two variables for username and password and give them their respective values. Use bind_param() function to send variable data to INSERT query. Make sure to use the password_hash() function to encrypt passwords before sending them to the database. This will enhance system security. Execute the query, a new user will be added to database and account is created for that user. Now, just create sessions for that user. Execute a login() function with username and password parameters, it will create sessions for users. Don't worry, we'll make this function later.
Now, we will create a login() function that will create sessions for users when execute. We can use this function on both processes for account creation and for login. Execute session_regenerate_id() built-in function, which will regenerate the id of the cookie, created by sessions, every time on login. This will make the sessions more secure. We will create four session variables. One is for the time stamp, we will use it later for auto logout after 24 hours, and the other one is for holding the login condition. The other two variables store user data. After that, redirect the user to another page. Here, we have redirected a user to the dashboard.php file.
Now, if the user has clicked on the login button, the following condition becomes true and we will perform the login process.
We will use the same prepared statement, and use the SELECT query inside that. But here, we will use the store_result() function to save the response of the query in the stmt variable. If there is some result in the stmt variable, it means the username is available in the database. So, we have authenticated the username. The next step is to verify the user-entered password with the password available in the database for that user. Now, use the bind_result() function to get the stored result. Pass the variables respectively with the column keys used in the SELECT query. Here we have fetched just one column, so we pass just one variable. Use the fetch() function to get the records of the column. As there is only one record in the column so we are not using the fetch() function in the loop. First record which is a password is now available in the password variable. As our password is encrypted, so we will use the built-in password_verify() function and pass both, database-encrypted and user-entered password as parameters. It will automatically decrypt and match both passwords. If passwords match, returns true otherwise false. if true, execute the same login() function that we have created before. It creates a session for the user and now user is logged in.
Create check_login.php file
This file is an addon file for other files and checks whether a user is logged in or not. We can include this file in other files, where a user cannot access without login. Here, we have a dashboard.php file and we want that the user cannot access it without login. so, just include the check_login.php file in dashboard.php.
In check_login.php, if loggedin session variable is true, go for further checking otherwise redirect the user to auth.php file for account creation or for login. On further checking, we will check, is user completed 24 hours of the session. If yes, redirect the user to the logout page, if not, do nothing.
Create dashboard.php file
First, include the check_login.php file to check whether a user is logged in or not. Only logged-in users can access the dashboard, without logged-in users will redirect to other page. If you want to check the available session for the user, you can use the login_timestamp session variable as given below.
We can also get the username and password of the logged-in user on this file using session variables. Add a link of the logout.php file for the user to log out from the account.
Create logout.php file
Here, just remove the session using the session_destroy() function. All the user session data will be removed from the server. Redirect the user after logout to another page. You can redirect to the home page or login page.
Final Thoughts
We have created a secure and simple signup and login system. If you are a little familiar with PHP, you can easily understand this. Now, you can add the user authentication system to your web project. You can give access to some of your web pages to logged-in users only. This will prevent wasting your web resources by some unauthenticated users or bots. Get the source code given below and get more help with the video explanation.
