PHP Developers Network

Always glad to help a student who wants to learn! Let me offer a general comment that may be useful in many situations: Try not to get so buried in coding details that you lose sight of the actual objectives--for security matters, always ask yourself exactly what you are trying to protect against before you even begin to determine what kind of code you will use. For example, are you trying to protect against someone making a deliberate attempt to gain access to a particular user's account? Or maybe an attack that might allow a hacker to gain access to your database, thereby capturing ALL of the user passwords and other user data? Or gaining access to the server's control system, or even destroying data on the server, etc. etc. You might think, "Sure, ALL of those!", but you need to consider all those possibilities, and then evaluate your preliminary choices for methods to see whether they would be effective against the specific threats that you are trying to protect against. "Security" isn't just one big basket, it's a careful consideration of each and every potential threat, and most of those require different strategies to protect against. Passwords are only one part of security and do not protect against Denial of Service attacks, for example. Just some thoughts for you to consider.

@Celauran interesting idea; i was struggling with the idea of how to get a password (a new one) to the user but this seems like it could work in a system where there isn't an option to email. Something i would add to this is time limited option where a user would have x amount of time to change their password before the temporary password expires

what if the account holder wants to change his password?
i am echoing the password taken from the database to a password input field. it's still hashed so the text field contains a lot of dots.

how do i unhash the password so it matches the number of characters echoed in the textfield? or is there any other way?

You can't unhash. That's the whole point of hashes. If you want to allow the user to change their password, have three fields: existing, new, new repeated. When the form is submitted, hash the existing password and compare it against what's in the database, then compare the new and new repeated fields. If both tests pass, update the password with the hash of the new password.

Great tutorial, thank you although I am having a slight problem:

Managed to register a user. I can see the user in the database and the hashed passcode but I am not able to log in. The only changes I have made are the db connection details. I havent touched the PasswordHash.php file.
When I try to login I get the "login failed" message.

Any idea what I might be doing wrong?

many thanks again.

Could be that a user wasn't returned, could be that CheckPassword failed. You'd need to step through the code to see which is the case.

Thank for the informative tutorial.

Very nice tutorial. Very informative

I can't download the zip file. It seems to be removed.
Can you suggest me where I could find some complete secure login & logout system?


Thanks in advance, it's a long time I am looking for this.
Best regards,
Ercola

kindly share the tutorials of members page where they can check and update their profile and orders payment etc