I just started programming with PHP and MySQL this week, and the first script I wanted to write was a login script. I wanted to include the popular "Remember Me" feature seen on a lot of websites, which keeps users logged into the website even after they have closed the browser, so that the next time they come back they won't have to log in again manually.
I found the tutorial Creating a PHP Login Script very helpful in writing this script; in fact, a lot of the code presented here is very similar to the code in that tutorial. The differences are the new "Remember Me" feature, the use of cookies in addition to sessions, and slight modifications in the design.
The ultimate goal is to create a PHP login script that remembers logged-in users. I also hope this tutorial will serve as a way to introduce people to user sessions and cookies in PHP.
Although this tutorial uses a MySQL database for storing user information, it has been written so that the data-access code is separated from the main code through specific functions, so it would be easy to use a flat-file "database" instead, simply by changing the code in those functions without touching the rest. This tutorial uses the latest and greatest of PHP 4, which means superglobals such as $_POST and $_SESSION are used. This tutorial aims to teach you about sessions and cookies through example; if you need more information, go to the official PHP website.
For those of you planning on using a flat file system, you can skip this section. For the rest of us, we want to create a MySQL database table that holds user information, here it is:
Of course this table can be modified according to your needs; however, the password field must not be less than 32 because it has to store the md5 hashes of the passwords, which are 32 bytes long.
This file contains the code that connects you to your MySQL database and the functions that access user information. You need to modify it with your own MySQL username, password and database name.
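The tutorial's own database file is not reproduced on this page. The block below is an added example of such a file, written for this page rather than taken from the tutorial. It keeps the tutorial's idea of hiding all data access behind a few functions, but uses mysqli prepared statements so that a user-supplied username never becomes part of the SQL text, and password_hash() instead of md5 (a salted bcrypt hash is longer than 32 bytes, so the assumed table widens the password column). The file name database.php, the function names, the table and column names, the remember-token columns and the connection constants are all this example's assumptions, not the tutorial's.

```php
<?php
// database.php (added example; not the tutorial's own file)
// Assumed table, constructed for this example:
//   CREATE TABLE users (
//     username      VARCHAR(30)  NOT NULL PRIMARY KEY,
//     password      VARCHAR(255) NOT NULL,  -- password_hash() output, not md5
//     remember_hash CHAR(64)     NULL,      -- sha256 of the remember-me token
//     remember_exp  INT          NULL       -- unix time at which the token expires
//   );

const DB_HOST = 'localhost';   // change these to your own MySQL settings
const DB_USER = 'dbuser';
const DB_PASS = 'dbpass';
const DB_NAME = 'logindb';

/* One shared connection per request; errors become exceptions instead of silent false. */
function db(): mysqli {
    static $conn = null;
    if ($conn === null) {
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $conn = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
        $conn->set_charset('utf8mb4');
    }
    return $conn;
}

/* Returns true if $username is already registered. */
function usernameTaken(string $username): bool {
    $stmt = db()->prepare('SELECT 1 FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    return $stmt->get_result()->num_rows > 0;
}

/* Inserts a new user; only a salted bcrypt hash of the password is stored. */
function addNewUser(string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = db()->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
    $stmt->bind_param('ss', $username, $hash);
    $stmt->execute();
}

/* Returns true only if the username exists AND $password matches its hash. */
function confirmUser(string $username, string $password): bool {
    $stmt = db()->prepare('SELECT password FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // password_verify() compares in constant time; a missing row simply fails.
    return $row !== null && password_verify($password, $row['password']);
}

/* Stores the sha256 of a remember-me token, so a leaked DB row cannot be replayed as a cookie. */
function storeRememberToken(string $username, string $token, int $expires): void {
    $hash = hash('sha256', $token);
    $stmt = db()->prepare('UPDATE users SET remember_hash = ?, remember_exp = ? WHERE username = ?');
    $stmt->bind_param('sis', $hash, $expires, $username);
    $stmt->execute();
}

/* Returns true if $token is the current, unexpired remember-me token for $username. */
function checkRememberToken(string $username, string $token): bool {
    $stmt = db()->prepare('SELECT remember_hash, remember_exp FROM users WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || $row['remember_hash'] === null || $row['remember_exp'] < time()) {
        return false;
    }
    return hash_equals($row['remember_hash'], hash('sha256', $token));
}

/* Invalidates the remember-me token server-side (used at logout). */
function clearRememberToken(string $username): void {
    $stmt = db()->prepare('UPDATE users SET remember_hash = NULL, remember_exp = NULL WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
}
```

confirmUser() deliberately answers only true or false, so the calling script cannot tell (and therefore cannot reveal) whether it was the username or the password that was wrong; keep the same single error message in the login page to avoid confirming which usernames exist.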
Before we can log in users, we need users. Here we will focus on the code that allows users to sign up by registering a username and password.
Read through the code and see what it's doing; there are comments to help you. It was written with you in mind: I tried to make it so people could just paste their website-specific HTML code in between the PHP code with ease. Don't be scared when you see session variables used right away; they tell the script key information such as the requested username, whether a registration was attempted, and whether it succeeded. With this information the script knows what to display, and when the registration is done, it "forgets" the information by unsetting the variables.
You'll notice that the script immediately refreshes itself after the registration request. This is done to eliminate the case where users, for any reason, hit the Refresh button on their browser and get a pop-up saying the page has expired, prompting them to send the registration request again. The same technique is also used in the login script, so watch out for it.
Now the fun begins: now that we have users, we can log them in. This is the heart of the tutorial. It creates the login script with the "Remember me" feature we all want, and it accomplishes this by using cookies.
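The registration script itself is not on this page, so the following is an added example (written for this page, not the tutorial's code) of the two ideas just described: the outcome of the POST is parked in session variables, the script redirects to itself, and the GET that follows reads the outcome and then unsets it. It assumes a database.php that defines usernameTaken() and addNewUser() (assumed names); the form field names and session keys are also this example's assumptions.

```php
<?php
// register.php (added example; not the tutorial's own file)
// Assumes database.php provides usernameTaken($username) and addNewUser($username, $password).
session_start();
require_once 'database.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Step 1: handle the submitted form and record the outcome in the session...
    $username = trim($_POST['user'] ?? '');
    $password = $_POST['pass'] ?? '';

    $_SESSION['reguname'] = $username;
    if ($username === '' || $password === '') {
        $_SESSION['regresult'] = 'missing';
    } elseif (usernameTaken($username)) {
        $_SESSION['regresult'] = 'taken';
    } else {
        addNewUser($username, $password);
        $_SESSION['regresult'] = 'ok';
    }
    // ...then redirect to ourselves. The browser's Refresh button now repeats a
    // harmless GET instead of re-posting the form, so no "page has expired" prompt.
    header('Location: register.php', true, 303);
    exit;
}

if (isset($_SESSION['regresult'])) {
    // Step 2: the GET after the redirect shows the outcome, then forgets it.
    $user   = htmlspecialchars($_SESSION['reguname'], ENT_QUOTES, 'UTF-8'); // never echo raw input
    $result = $_SESSION['regresult'];
    unset($_SESSION['reguname'], $_SESSION['regresult']);

    if ($result === 'ok') {
        echo "<h1>Registered</h1><p>Welcome, <b>$user</b>. You can now <a href=\"main.php\">log in</a>.</p>";
    } elseif ($result === 'taken') {
        echo "<h1>Error</h1><p>The username <b>$user</b> is already taken. Please try another.</p>";
    } else {
        echo '<h1>Error</h1><p>Both a username and a password are required.</p>';
    }
    exit;
}
?>
<h1>Register</h1>
<form action="register.php" method="post">
  Username: <input type="text" name="user" maxlength="30"><br>
  Password: <input type="password" name="pass" maxlength="30"><br>
  <input type="submit" value="Register">
</form>
```

The exit after header() matters: without it PHP keeps running and prints the form underneath the redirect headers, and any code after it runs for the POST as well as the GET.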
This one's a little bit tricky because of the function calling. Let me just clarify what this script does.
It first checks whether the login form has just been filled out and submitted. If not, it checks whether a session has already been established in which the username and password are already known. This is true in two cases: when the user has chosen to be remembered and a session is established automatically, or when the user has not chosen to be remembered but has already logged in and is still using the same browser window he used to log in.
If either of these two cases is true, it verifies that the username is in the database and that the password is valid; if both checks pass, the almighty $logged_in variable is set to true, and false otherwise. If the user has just filled out and submitted the login form, the script detects this and verifies the username and password; if all is well, session variables are set with the username and the md5-hashed password.
Great, but when does the login form get displayed? That's all up to you, the programmer: display the login form when the $logged_in variable is false. But wait! I have added a function that you can call that relieves you of this horrible burden. The displayLogin() function checks whether $logged_in is true or not and displays information accordingly. How to use this function is described in the Usage section.
login.php is not meant to be a stand-alone file like register.php, it is meant to be included at the top of every file that needs to use it, so it doesn't contain the call to "session_start()", that should be at the top of the file that wants to include login.php, as you will see in the examples below.
So, how was this accomplished again? As described in login.php, when a user chooses to be remembered, two cookies are set on the user's computer. Well, really one cookie, but one that contains two important pieces of information: the username and the md5-hashed password. What is a cookie anyway? It is a temporary file that is stored on the user's computer on behalf of the website in order to hold information that is important to the website. How long does this temporary file last? As long as we say so. As written, the expiry time is 100 days, after which the cookie will be deleted. However, it also gets deleted when the user decides to log out, as you will soon see.
If users want to log out, we should let them. All we need to do is delete the cookie we've set if they chose to be remembered, and unset the session variables. Done.
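Since login.php itself is not on this page, here is an added example (written for this page, not the tutorial's code) of the three-way check described above: form just submitted, session already established, or remember-me cookie present. It differs from the tutorial in one deliberate respect: the tutorial's cookie carries the username and the md5 of the password, whereas this version issues a random token and stores only a hash of it server-side, so a cookie copied from the machine, or a dump of the users table, never exposes the password or its hash. It assumes a database.php defining confirmUser(), storeRememberToken() and checkRememberToken() (assumed names), a cookie named remember, and PHP 7.3 or later for the setcookie() options array.

```php
<?php
// login.php (added example; not the tutorial's own file). Include it at the top of a
// page, AFTER session_start() and before any output, because it may send headers.
// Assumes database.php defines confirmUser(), storeRememberToken(), checkRememberToken().
require_once 'database.php';

const REMEMBER_COOKIE = 'remember';   // assumed cookie name
const REMEMBER_DAYS   = 100;          // same lifetime the tutorial uses

$logged_in = false;

if (isset($_POST['sublogin'])) {
    // Case 1: the login form was just submitted.
    $username = trim($_POST['user'] ?? '');
    $password = $_POST['pass'] ?? '';

    if ($username !== '' && confirmUser($username, $password)) {
        session_regenerate_id(true);          // fresh session id at login defeats session fixation
        $_SESSION['username'] = $username;

        if (isset($_POST['remember'])) {
            // A random token goes to the browser; only its hash is kept server-side,
            // so the cookie carries neither the password nor the password hash.
            $token   = bin2hex(random_bytes(32));
            $expires = time() + REMEMBER_DAYS * 86400;
            storeRememberToken($username, $token, $expires);
            setcookie(REMEMBER_COOKIE, $username . ':' . $token, [
                'expires'  => $expires,
                'path'     => '/',
                'secure'   => true,    // sent only over HTTPS
                'httponly' => true,    // not readable by page scripts
                'samesite' => 'Lax',
            ]);
        }
    } else {
        // One message for a bad username or a bad password: reveal nothing about which.
        $_SESSION['loginfail'] = true;
    }
    // Redirect back to the same page so a Refresh cannot re-post the credentials.
    header('Location: ' . $_SERVER['REQUEST_URI'], true, 303);
    exit;
}

if (isset($_SESSION['username'])) {
    // Case 2: already logged in during this session (same browser window).
    $logged_in = true;
} elseif (isset($_COOKIE[REMEMBER_COOKIE])) {
    // Case 3: no session, but the browser presents a remember-me cookie.
    [$username, $token] = array_pad(explode(':', $_COOKIE[REMEMBER_COOKIE], 2), 2, '');
    if ($username !== '' && checkRememberToken($username, $token)) {
        session_regenerate_id(true);
        $_SESSION['username'] = $username;
        $logged_in = true;
    } else {
        // Expired, stale or forged cookie: tell the browser to drop it.
        setcookie(REMEMBER_COOKIE, '', ['expires' => time() - 3600, 'path' => '/']);
    }
}

/* Displays the login form, or a "logged in" message, depending on $logged_in. */
function displayLogin(): void {
    global $logged_in;
    if ($logged_in) {
        $user = htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8');
        echo "<p>Logged in as <b>$user</b>. [<a href=\"logout.php\">Log out</a>]</p>";
        return;
    }
    if (!empty($_SESSION['loginfail'])) {
        unset($_SESSION['loginfail']);       // show the message once, then forget it
        echo '<p style="color:red">Wrong username or password.</p>';
    }
    echo '<form action="" method="post">'
       . 'Username: <input type="text" name="user" maxlength="30"><br>'
       . 'Password: <input type="password" name="pass" maxlength="30"><br>'
       . '<input type="checkbox" name="remember" value="1"> Remember me<br>'
       . '<input type="hidden" name="sublogin" value="1">'
       . '<input type="submit" value="Login">'
       . '</form>';
}
```

The secure and httponly flags are what keep a 100-day credential from being read off the wire or by a script injected into the page; the token lives in the database with an expiry, so the server, not just the browser, decides when it stops working.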
You're probably wondering why login.php was included in logout.php, seems a little weird right? Well, if the user is not logged in how can we log them out? We use login.php to verify that the user really is logged in with the help of the variable $logged_in which gets set when login.php is run.
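Following the logic above, an added example of logout.php (written for this page, not the tutorial's code). It includes login.php to learn whether anyone is logged in, invalidates the remember-me token on the server as well as in the browser, and destroys the session. It assumes a database.php defining clearRememberToken() (assumed name), that login.php sets $logged_in and $_SESSION['username'], and that the remember-me cookie is named remember.

```php
<?php
// logout.php (added example; not the tutorial's own file)
// Assumes database.php provides clearRememberToken($username) and that login.php,
// included after session_start(), sets $logged_in and $_SESSION['username'].
session_start();
require_once 'database.php';
require_once 'login.php';

if (!$logged_in) {
    // Nobody is logged in, so there is nobody to log out.
    echo '<p>You are not logged in. <a href="main.php">Home</a></p>';
    exit;
}

$username = $_SESSION['username'];

// 1. Invalidate the remember-me token server-side. Deleting only the browser's
//    cookie would leave any copy of it taken earlier still valid.
clearRememberToken($username);

// 2. Expire the cookie in the browser (same name, path and flags as when it was set).
setcookie('remember', '', [
    'expires'  => time() - 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);

// 3. Drop the session data, expire the session cookie, and destroy the session.
$_SESSION = [];
if (ini_get('session.use_cookies')) {
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
    ]);
}
session_destroy();

echo '<p>You have been logged out. <a href="main.php">Home</a></p>';
```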
If you don't have MySQL, don't worry, you can still use this script! All you would have to do is change the following functions to include your flat file user management code, but remember to keep the operations and return values consistent with the documentation.
Now that everything has been coded, all that's left is for you to know how to actually use this beast.
I've mentioned the function displayLogin() found within login.php. If you call it within one of your files, it will display the login form if no user is logged in; if a user is logged in, it displays a message saying so. The point is that you won't have to include that code in all of your files; all you have to do is call the function:
You should also know that login.php sets a boolean variable called $logged_in, which is true when a user is logged in, and false when no user is logged in. You can use this variable in your files for whatever you'd like.
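As an added example of such a page (not from the tutorial), a main.php that includes login.php after session_start() and uses both displayLogin() and $logged_in. The file names and the register.php link are assumptions.

```php
<?php
// main.php (added usage example; not the tutorial's own file)
session_start();            // must come BEFORE login.php is included
require_once 'login.php';   // sets $logged_in and defines displayLogin(); sends no output
?>
<html><body>
<h1>My Site</h1>
<?php displayLogin(); ?>

<?php if ($logged_in): ?>
  <p>Members-only content goes here.</p>
<?php else: ?>
  <p>Please log in, or <a href="register.php">register</a> for an account.</p>
<?php endif; ?>
</body></html>
```

Because login.php may answer a POST with a redirect header, everything before the include must produce no output at all, not even a blank line before the opening PHP tag.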
What can make this script even better? Well, you can add a check to enforce that usernames are strictly alphanumeric, without any wacky characters. At registration you probably want more info from the user (email, homepage, location, ...), but this script is about user logins, so we focused only on the username and password.
Also, the error pages are not very cool. For example, when someone doesn't fill in a field that's required by the form, instead of just stopping and printing an error message, you can redirect him to the form again, but with the field that was left blank marked (in red lettering, possibly). There's more that I'm sure you'll think of.
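The two improvements suggested above, as an added example (written for this page, not the tutorial's code): a validator that enforces an alphanumeric username and returns per-field errors, and a form renderer that redraws the form with each bad field marked in red instead of stopping with a bare error. The function names, the 3-30 character limits and the 8-character password minimum are this example's assumptions.

```php
<?php
// validate.php (added example; not the tutorial's own code)

/* Returns an array of field => error message; an empty array means the input is valid. */
function validateRegistration(array $post): array {
    $errors   = [];
    $username = trim($post['user'] ?? '');
    $password = $post['pass'] ?? '';

    if ($username === '') {
        $errors['user'] = 'Username is required.';
    } elseif (!preg_match('/\A[A-Za-z0-9_]{3,30}\z/', $username)) {
        // Strictly alphanumeric (plus underscore): no spaces, quotes, tags or other wacky characters.
        $errors['user'] = 'Username must be 3-30 letters, digits or underscores.';
    }

    if ($password === '') {
        $errors['pass'] = 'Password is required.';
    } elseif (strlen($password) < 8) {
        $errors['pass'] = 'Password must be at least 8 characters.';
    }
    return $errors;
}

/* Redraws the form, marking each bad field in red, instead of just printing an error and stopping. */
function showRegisterForm(array $errors, string $username = ''): void {
    $mark = function (string $field) use ($errors): string {
        return isset($errors[$field])
            ? ' <span style="color:red">' . htmlspecialchars($errors[$field], ENT_QUOTES, 'UTF-8') . '</span>'
            : '';
    };
    $u = htmlspecialchars($username, ENT_QUOTES, 'UTF-8');   // the rejected value is user input: escape it
    echo '<form action="register.php" method="post">'
       . 'Username: <input type="text" name="user" value="' . $u . '">' . $mark('user') . '<br>'
       . 'Password: <input type="password" name="pass">' . $mark('pass') . '<br>'
       . '<input type="submit" value="Register"></form>';
}

// Usage in register.php's POST branch, before any database call:
//   $errors = validateRegistration($_POST);
//   if ($errors) {
//       $_SESSION['regerrors'] = $errors;
//       $_SESSION['reguname']  = $_POST['user'] ?? '';
//       header('Location: register.php', true, 303);
//       exit;
//   }
// and in the GET branch, after unsetting the two session keys:
//   showRegisterForm($errors, $username);
```

The same check belongs in login.php too: rejecting malformed usernames before they reach the database shortens the path any injected input can travel, even when prepared statements already make the query itself safe.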
I hope you were able to learn something from my script, and if you choose to use my script on your site, I hope you enjoy it. Good luck programming!