Web Development
Using PHP

Login Management

Simple login check

Many websites have protected areas that only logged-in users may see. This next example shows how to do that: it keeps unauthorized users away from the content in secret_page.php.

The PHP code will store the user's id in the session variable $_SESSION['user_id']. If no id exists in that variable, the code assumes the user is not logged in.

In the code example below, the main page of the site checks this variable to see if the user is logged in or not. It includes a link to secret_page.php. The main page also offers a small form that will take in a password if the user is not logged in. If the user is logged in, the page will display an option to log out.

Note how the page switches from PHP back to plain HTML inside the else branch: that HTML is only sent to the browser when the else branch runs.

<?php
// Start the session
session_start();
// Check for user_id in the session
if( isset( $_SESSION['user_id'] )) {
	// User is logged in.
	echo "<p>You are logged in</p>";
	echo "<p><a href='controller/logout_process.php'>Logout</a></p>";
} else {
// Only display this HTML if user is not logged in.
?>
<p>You are NOT logged in</p>
<form action="controller/login_process.php" method="post">
<input type="password" name="password" />
<input type="submit" value="Login" />
</form>
<?php
}
?>
<p><a href="secret_page.php">Try to go to the secret page.</a></p>

The code to process the login is straightforward. Note that hard-coding a password in the PHP code is bad practice: if a bug ever exposes the PHP source, the password is compromised, and the password cannot be changed without editing code. A hard-coded password does keep this example simple, though. Two other details are worth getting right even in a small example. The password should be read from $_POST rather than $_REQUEST, because $_REQUEST also accepts values from the query string and from cookies. And the session id should be regenerated with session_regenerate_id() when the login succeeds, so that a session id an attacker planted in the victim's browser before login (session fixation) never becomes an authenticated session.

<?php
// Start session
session_start();
// Read the password from $_POST only; $_REQUEST would also accept
// query-string and cookie values. The ?? gives '' if nothing was sent.
$password = $_POST['password'] ?? '';
// Check password. hash_equals() compares two strings in constant time.
if( hash_equals( "mysecret", $password )) {
	// Password is good. Give the user a fresh session id first, so a session
	// id chosen by an attacker before login (session fixation) is not reused.
	session_regenerate_id(true);
	// Set user id
	$_SESSION['user_id'] = "JaneSmith";
}
// Redirect back to the main page and stop; code after header() would otherwise keep running.
header("Location: ../main.php");
exit;
?>

The secret page only needs to include one file, and that file will check the user login status:

<?php include "controller/check_login.php"; ?>
<p>This is a secret page.</p>
<p><a href="main.php">Back to main page</a></p>

The code to check the login only needs to look at the user_id session variable and see if it is set. If it isn't, an error is shown. The user could instead be redirected to a login page if desired.

<?php
session_start();
// See if the user id has been set
if( !isset( $_SESSION['user_id'] )) {
	// User id not set. Stop right here with an error.
	die ("Access denied. <a href='main.php'>Login</a> first!");
}
?>

Logout can be done by unsetting the user id. Destroying the session as well makes sure nothing else stored during the login survives.

<?php
session_start();
// Unset the user id
unset($_SESSION['user_id']);
// Destroy the rest of the session data too, so nothing from the login survives
session_destroy();
// Redirect back to the main page and stop
header("Location: ../main.php");
exit;
?>

SHA1 Hash

The prior example kept the password in plain text. This is rarely a good idea. A common way to check passwords is to store only a hash of the password and compare hashes. This section uses the SHA-1 hash algorithm to show the idea. SHA-1 is a cryptographic hash function; read up on hash functions and how they work. Keep in mind that a fast, unsalted hash such as SHA-1 is no longer considered adequate for storing passwords: PHP provides password_hash() and password_verify() for that job, which add a random salt and use a deliberately slow algorithm.

The hash of any string can be generated in PHP with the sha1 function. The example below prints the SHA-1 hash of the string "mysecret". This code will display "e9fe51f94eadabf54dbf2fbbd57188b9abee436e".

echo sha1("mysecret");

A hash function is one-way: the output cannot be fed back into the algorithm to recover the input. What an attacker can do is guess. With today's hardware it is cheap to hash an entire dictionary of words, common passwords and every short password, store the results, and do a "reverse lookup" from a stolen hash to the original password. An unsalted SHA-1 hash of a common password falls this way in seconds, and one precomputed table serves against every user's hash. To make such tables useless, programmers salt the input: a random value is stored next to the hash and mixed into the input, so the same password hashes differently for every user. Purpose-built password hashes such as bcrypt (what password_hash() uses under PASSWORD_DEFAULT at the time of writing) or Argon2 go one step further and make every single guess expensive.
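The attack and the defence just described, as an added example that is not part of the original page: the script precomputes SHA-1 for a small constructed wordlist, recovers "mysecret" from its unsalted hash with a single lookup, and then shows that password_hash() output (salted and slow) defeats the same table while still verifying with one call. Run it with the php command-line interpreter; the file name hash_demo.php and the wordlist are assumptions of this example.

```php
<?php
// Added example, not code from the original page: reverse lookup against an
// unsalted SHA-1 hash, and what password_hash() changes.
// Run with: php hash_demo.php
// The wordlist is a constructed stand-in for a real dictionary file.
$wordlist = ['password', '123456', 'letmein', 'qwerty', 'mysecret'];

// Step 1: an attacker hashes every dictionary word once. With no salt this
// single table can be reused against every stolen hash from every site.
function buildSha1Table(array $words): array {
    $table = [];
    foreach ($words as $word) {
        $table[sha1($word)] = $word;
    }
    return $table;
}

// Step 2: recovering a password from a stolen hash is then just an array lookup.
function reverseLookup(string $stolenHash, array $table): ?string {
    return $table[$stolenHash] ?? null;
}

$table      = buildSha1Table($wordlist);
$stolenHash = sha1('mysecret');   // what an unsalted login_process.php compares against
printf("SHA-1 %s -> %s\n", $stolenHash, reverseLookup($stolenHash, $table) ?? '(not found)');

// Step 3: password_hash() picks a random salt and a slow algorithm (bcrypt under
// PASSWORD_DEFAULT at the time of writing). Salt, algorithm and cost are embedded
// in the returned string, so nothing has to be stored separately.
$stored1 = password_hash('mysecret', PASSWORD_DEFAULT);
$stored2 = password_hash('mysecret', PASSWORD_DEFAULT);
printf("Same password, two different hashes: %s\n", $stored1 !== $stored2 ? 'yes' : 'no');

// A table keyed by hash cannot match a salted hash: every user (and every run)
// gets a different value, so the attacker must guess against each hash separately.
printf("Table lookup on salted hash: %s\n", reverseLookup($stored1, $table) ?? '(not found)');

// Checking a login is still one call. password_verify() reads salt and cost out
// of the stored string and compares in constant time.
printf("verify correct password: %s\n", password_verify('mysecret', $stored1) ? 'ok' : 'fail');
printf("verify wrong password:   %s\n", password_verify('mysecret2', $stored1) ? 'ok' : 'fail');

// Guessing still works in principle, but each attempt now costs a full bcrypt
// computation instead of one cheap SHA-1. Time a short run to see the difference.
$start = microtime(true);
foreach ($wordlist as $guess) {
    password_verify($guess, $stored1);
}
printf("%d bcrypt guesses took %.3f s\n", count($wordlist), microtime(true) - $start);
```

The last loop is the whole point of a slow hash: the five guesses above take a noticeable fraction of a second, where five sha1() calls take microseconds, and the cost parameter can be raised as hardware gets faster.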

Using sha1, the former example would look like this:

<?php
// Start session
session_start();
// Read the password from $_POST only; $_REQUEST would also accept
// query-string and cookie values.
$password = $_POST['password'] ?? '';
// Hash the submitted password and compare it to the stored SHA-1 hash of "mysecret".
// hash_equals() compares the two hex strings in constant time.
if( hash_equals( "e9fe51f94eadabf54dbf2fbbd57188b9abee436e", sha1($password) )) {
	// Password is good. Fresh session id first, so a pre-login session id
	// (session fixation) is never reused, then set the user id.
	session_regenerate_id(true);
	$_SESSION['user_id'] = "JaneSmith";
}
// Redirect back to the main page and stop
header("Location: ../main.php");
exit;
?>
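The same handler written the way a current PHP login should be, as an added example rather than the page's own code: the stored value is password_hash() output instead of a bare SHA-1, the check is password_verify(), the password is read only from $_POST, the session id is regenerated on success, and the script stops after redirecting. The page's form sends only a password, so the single account is still "JaneSmith". Where the hash is kept (a users.json file beside the script), the constant names and the command-line "set-password" mode are assumptions of this example; a real application would read the hash from a database.

```php
<?php
// Added example, not code from the original page: controller/login_process.php
// rewritten around PHP's password_hash()/password_verify().
// The single account's hash is kept in users.json beside this script (an
// assumption of this example; a real application keeps it in a database).

const USER_ID = 'JaneSmith';
const USER_DB = __DIR__ . '/users.json';

// Store or change the password. Run once from the command line, never from the web:
//   php login_process.php set-password mysecret
function setPassword(string $password): void {
    $users = is_file(USER_DB) ? (json_decode(file_get_contents(USER_DB), true) ?: []) : [];
    // password_hash() chooses a random salt and a slow algorithm (bcrypt under
    // PASSWORD_DEFAULT) and embeds salt, algorithm and cost in the returned string.
    $users[USER_ID] = password_hash($password, PASSWORD_DEFAULT);
    file_put_contents(USER_DB, json_encode($users), LOCK_EX);
}

// Return the stored hash, or null if no password has been set yet.
function storedHash(): ?string {
    if (!is_file(USER_DB)) {
        return null;
    }
    $users = json_decode(file_get_contents(USER_DB), true) ?: [];
    return $users[USER_ID] ?? null;
}

// True only if the submitted password matches the stored hash. password_verify()
// reads salt and cost from the stored string and compares in constant time.
function passwordMatches(string $submitted): bool {
    $hash = storedHash();
    return $hash !== null && password_verify($submitted, $hash);
}

if (PHP_SAPI === 'cli') {
    // Command-line mode: used only to set the password.
    if (($argv[1] ?? '') === 'set-password' && isset($argv[2])) {
        setPassword($argv[2]);
        echo "Password set for " . USER_ID . "\n";
        exit(0);
    }
    fwrite(STDERR, "usage: php login_process.php set-password <password>\n");
    exit(1);
}

// Web request: this is what main.php's form posts to.
session_start();
// Read from $_POST only; $_REQUEST would also accept query-string and cookie values.
// The is_string() check rejects a crafted password[]=... array field.
$password = $_POST['password'] ?? '';
if (is_string($password) && passwordMatches($password)) {
    // Fresh session id on login, so an id an attacker planted in the browser
    // before login (session fixation) never becomes an authenticated session.
    session_regenerate_id(true);
    $_SESSION['user_id'] = USER_ID;
}
// Redirect and stop; code after header() keeps running otherwise.
header('Location: ../main.php');
exit;
```

When the password is later changed, setPassword() simply overwrites the hash; because the salt and cost live inside the string, password_verify() needs no other configuration, and password_needs_rehash() can be used to upgrade old hashes at login time if the cost is raised.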

More extensive example

This example takes the prior MVC code and expands it to allow user login and management. Click here to download the example in a zip format.
