Login/Registration System with php and mysql

Question

I would like to make a simple user login/registration system using php and mysql. I don't need to get any information beyond what is necessary for the user to log in and out. I want to make sure that the system is secure.

The way that I currently understand how it should work is:

Registration

User enters their email address and password and confirmation password.

The php script makes sure the passwords match and that the email is a valid address and is not already in the database.

It hashes the password along with a random salt and stores the salt and resulting hashed password in the database. (Is php's md5 function suitable for this? I am not quite sure how this part works.)

Store an email confirmation code in the database and send the given email address a link back to the website that contains that code for verification?

Login

User input their email address and password.

The server looks up the email in the database and retrieves the salt. Then hashes the salt with the password the user just provided to see if it matches the one in the database.

How do I make the session persist after login. With a php session? A cookie? What should get stored in the cookie for remembering the user between visits?

I basically would just like some verification that the process I am describing is an accurate and secure way of doing user registration/login. Also, what are some good tutorials with more information.

Answer 1

Is php's md5 function suitable for this?

MD5 is no longer considered secure; consider using a stronger hash such as SHA-256.

How do I make the session persist after login. With a php session? A cookie? What should get stored in the cookie for remembering the user between visits?

Ideally, you would use a PHP session to maintain state during a single visit, and if you would like to have a "remember my login" option, you would use a cookie that contains enough information to authenticate a returning user and restart a new session. There's a good article on best practices regarding login cookies here: Persistent Login Cookie Best Practice.

Apart from these, I think whatever you have described is fine.

Answer 2

Since Login systems are such an integral part of a website, you're screwed if it gets hacked. Unless you're doing this for educational purposes, I recommend finding a system that was created by someone that has experience in the field. You'll sleep soundly at night.

An example of a solid pre-built login system is tank auth, it's written for the Code Igniter framework. You might want to look at how this guy designed the system to get ideas on what's important if you decide to write your own.

Also just a note from experience, it takes more time to write a login system from scratch than it does to learn the code igniter framework and install tank auth.

Answer 3

A few notes on some missing considerations:

PHP sessions typically already use cookies: the session ID is stored as one.

Sessions can be hijacked; you should also take steps to reduce the possibility (start by reading "PHP: Preventing Session Hijacking with token stored as a cookie?" and "What is the best way to prevent session hijacking?").

Related to hijacking is fixing, where an attacker picks the session ID. There are two ways of combatting this: set session.use_only_cookies (the default in PHP >= 5.3) and change the session ID when a user logs in with session_regenerate_id.

Also see the question "PHP Session Security" and article "PHP Security Guide: Sessions".

Answer 4

Here's a recommendation: consider using a readily available framework that inherently provides such functionality. they are tried and tested. have a look at Kohana (http://kohanaframework.org/). it has an auth module which takes care authentication.

Answer 5

if you want a ready made solution

User Cake in php5

pretty much secure .. and stable.