Password only Secure Login

Hello, I’m very new to PHP. For a project I’m doing I need a login type thing but with only a password field. How would I make it so that if you have to input the right password queried against a mySQL database and if returned true forwarded to a secure page, if false prompted for login again?

I need it so that if they try and access the secure URL then they are redirected to login, unless they are already logged in of course.

This may sound very beginner but I can’t find much about password only secure login.

Thank you for your time.

In my opinion, you would first need to create a hashed password. Creating a hashed password is much more secure than an encrypted password as it’s irreversible whereas an encrypted password can be decrypted.

So how do we do this? There are many ways to do it, but I’ll keep it simple.

[php]
$password = "YourPassword"; // You could use this
$hashedpass = hash('sha256', $password);
[/php]

So now you have your password, copy & paste it into your MySQL database (assuming you have id, username and password as your field names in a table called password). I know you only want a password, but we need an identifier to check against, as pulling the password out in a query is insecure.

With the above, I’ve adjusted it slightly from what I’d use, I would have this updating the db automatically for a login system that has many users but for this example I think you only need an admin password…

So, now we have the password in the database, we’ll connect using PDO:

db.php
[php]
<?php
// Set the variables to connect
$db_myHost = "localhost";
$db_myUser = "username";
$db_myPassword = "password";
$db_myDatabase = "databasename";

// Declare a new db connection (mysql driver) and test it
try
{
    $dbconn = new PDO('mysql:host=' . $db_myHost . ';dbname=' . $db_myDatabase, $db_myUser, $db_myPassword);
    // Make PDO throw exceptions instead of failing silently
    $dbconn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
}
catch (PDOException $e)
{
    // Don't echo $e->getMessage() on a live site, it can leak the credentials
    die();
}
[/php]

So the above is a simple PDO connection. We use PDO as the old style mysql_connect functions are now deprecated.

This next bit will allow you to enter your password before proceeding to the secure page:

login.php
[php]
<?php
// Only require it once: if db.php gets included again the script will fail, so it's added security
require_once('db.php');

// Start the session before any output is sent
session_start();

$error = false;

// Check if the submit button has been pressed; if it hasn't there's no point running the code
if (isset($_POST['doLogin'])) {
    // The reason we use :password and :username is to prevent SQL injection, that's the main pro with PDO
    $sth = $dbconn->prepare("SELECT username FROM admin WHERE password = :password AND username = :username");
    $params = array(
        "username" => $_POST["username"],
        "password" => hash('sha256', $_POST["password"])
    );
    $sth->execute($params);

    if ($row = $sth->fetch()) {
        // There's a row, meaning the user has authenticated using a username and password.
        // The session is what we'll always check against to see if the user is authenticated.
        // I send the username in the session so I can pull user data from the database
        $_SESSION['userName'] = $row['username'];
        // Header location will redirect the user; exit so nothing below runs after the redirect
        header("Location: /admin.php");
        exit;
    } else {
        // Otherwise there's only one other outcome: the username/password combination was incorrect
        $error = true;
    }
}
?>
<!DOCTYPE html>
<html>
<head><title>Login</title></head>
<body>
<?php
// If there's an error, output the message
if ($error) {
    echo "<p>Your username or password was incorrect</p>";
}
?>
<form method="post" action="">
    Username <input type="text" name="username"><br>
    Password <input type="password" name="password"><br>
    <input type="submit" name="doLogin" value="Login">
</form>
</body>
</html>
[/php]

That is most of it, now all we need to do is check for the session on the admin page…

admin.php
[php]
<?php
// Check if the username session exists
session_start();
if (isset($_SESSION['userName'])) {
    // This is where I would pull information based on the username, but I don't think you
    // need this for now. It's important to keep it in, though, as the else part of the
    // statement means there's no session and the user is not authenticated
} else {
    // The user isn't logged in, redirect them to the login page
    header("Location: /login.php");
    exit;
}
?>
[/php]

I haven’t tested it so if you have any issues, let me know. Also, I tried to explain it as best I can but if there’s anything else you’d like to know or don’t understand, let us know so we can talk you through it.
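A password-only variant of the login above, written as an added example for this thread (it is not the poster's code and not from any framework): it keeps a single bcrypt hash in the database, reads that hash and verifies it in PHP with password_verify() rather than comparing a digest inside the SQL, regenerates the session id on success, and ends the redirect with exit. The site_password table and its columns, the DB_USER/DB_PASS environment variables and the /admin.php path are assumptions made for this example.

```php
<?php
// Added example (not from the thread): password-only login with PDO and bcrypt.
// Assumed schema: site_password(id INT PRIMARY KEY, password_hash VARCHAR(255))
// with one row (id = 1) whose hash was produced by password_hash().
declare(strict_types=1);

session_start();

// Credentials come from the environment (assumed variable names), not from the script.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',
    getenv('DB_USER') ?: 'app',
    getenv('DB_PASS') ?: '',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

function fetchStoredHash(PDO $pdo): ?string
{
    // Only the hash is read; the submitted password never goes near the query.
    $stmt = $pdo->prepare('SELECT password_hash FROM site_password WHERE id = 1');
    $stmt->execute();
    $hash = $stmt->fetchColumn();
    return $hash === false ? null : (string)$hash;
}

$error = false;

if (isset($_POST['doLogin'])) {
    $submitted  = (string)($_POST['password'] ?? '');
    $storedHash = fetchStoredHash($pdo);

    // password_verify() handles the per-hash salt and compares in constant time.
    if ($storedHash !== null && password_verify($submitted, $storedHash)) {
        session_regenerate_id(true);      // new session id on privilege change (fixation defence)
        $_SESSION['authenticated'] = true;
        header('Location: /admin.php');
        exit;                             // header() alone does not stop the script
    }
    $error = true;
    usleep(250000);                       // a small fixed delay on failure slows online guessing
}
?>
<!DOCTYPE html>
<html>
<body>
<?php if ($error): ?>
<p>Password incorrect.</p>
<?php endif; ?>
<form method="post" action="">
  <label>Password <input type="password" name="password" autocomplete="current-password"></label>
  <button type="submit" name="doLogin" value="1">Log in</button>
</form>
</body>
</html>
```

The protected page then only needs `session_start();` followed by `if (empty($_SESSION['authenticated'])) { header('Location: /login.php'); exit; }` at the top, before any output. To create the stored row, run `password_hash('the-site-password', PASSWORD_BCRYPT)` once and insert the 60-character result; a VARCHAR(255) column leaves room for the longer hashes of other algorithms later.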

scott: As an aside, SHA-256 should be avoided in favour of slower hashing algorithms. Read the first post of https://devtalk.nvidia.com/default/topic/496471/cuda-programming-and-performance/amd-radeon-3x-faster-on-bitcoin-mining-sha-256-hashing-performance/ this for a bit of info - I’ve just had a bit of fun on my laptop (with a modest 2x GeForce GT650M in SLI) and could average almost 500M hashes per second with CUDA.

Prefer bcrypt, scrypt or any of the equivalents if you have them, or blowfish if you don’t. PBKDF2 is also a viable option. Failing all this, do multiple rounds.

The reason behind the better algorithms is that bcrypt and scrypt are designed to be GPU-resistant. In other words, bcrypt has lots of rounds, which makes GPU processing difficult. scrypt requires the storage of a pretty big hash table, which is beyond the memory of most GPUs and therefore has to be done strictly on CPUs.

More info here: http://security.stackexchange.com/questions/4687/are-salted-sha-256-512-hashes-still-safe-if-the-hashes-and-their-salts-are-expos
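To make the point above concrete, here is an added example (not from the thread or from any library) that uses PHP's built-in password_hash()/password_verify() with bcrypt, measures how much slower one bcrypt hash is than one SHA-256 hash, and shows how an application that already stores bare SHA-256 digests, as in the earlier post, can move users to bcrypt on their next successful login without a password reset. The cost value, the verifyAndUpgrade() function name and the sample passwords are constructed for this example.

```php
<?php
// Added example (not from the thread): bcrypt instead of bare SHA-256, with an
// upgrade path for hashes that were already stored as SHA-256 hex digests.
declare(strict_types=1);

const BCRYPT_COST = 12; // assumed value: tune so one hash takes roughly 100-300 ms on your server

// Returns false when the password is wrong, null when it is right and the stored hash
// is already up to date, or a new bcrypt hash string that should replace $stored.
function verifyAndUpgrade(string $password, string $stored)
{
    // Legacy format from the earlier post: 64 hex characters of unsalted SHA-256.
    if (strlen($stored) === 64 && ctype_xdigit($stored)) {
        if (!hash_equals($stored, hash('sha256', $password))) {
            return false;                 // hash_equals avoids a timing side channel
        }
        // Correct password: replace the fast digest with a slow, salted bcrypt hash.
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Already bcrypt; rehash only if the cost parameter has been raised since.
    return password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        : null;
}

// Average wall-clock microseconds for one call of $hashFn over $n calls.
function microsPerHash(callable $hashFn, int $n): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $n; $i++) {
        $hashFn();
    }
    return (hrtime(true) - $start) / $n / 1000;
}

// Constructed demo: a user whose record still holds a SHA-256 digest.
$legacyStored = hash('sha256', 'correct horse battery');

$upgraded = verifyAndUpgrade('correct horse battery', $legacyStored);
echo "wrong password   : ", var_export(verifyAndUpgrade('wrong', $legacyStored), true), "\n";
echo "legacy -> bcrypt : ", $upgraded, "\n";            // store this in place of the digest
echo "bcrypt, no change: ", var_export(verifyAndUpgrade('correct horse battery', $upgraded), true), "\n";

// The reason for the switch, measured on this machine.
printf("sha256          : %8.1f us/hash\n", microsPerHash(fn() => hash('sha256', 'x'), 1000));
printf("bcrypt cost %2d  : %8.1f us/hash\n", BCRYPT_COST,
    microsPerHash(fn() => password_hash('x', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), 3));
```

Each increment of the cost doubles the bcrypt work, so the same loop gives a quick way to pick a cost that is tolerable for one login but expensive per guess offline. Because bcrypt hashes carry their own random salt, the comparison has to happen in PHP with password_verify(); a `WHERE password = :hash` query like the one in the earlier post cannot work with bcrypt.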
