Having a secure area on a PHP site is a common website requirement. Implementing the secure area, on the other hand, can be difficult and confusing. I’ve put together a basic security framework that you can use for your PHP-based website.
What this framework is:
- Simply coded & easy to understand
- Secure enough for most sites, blogs, and internally accessed (intranet) sites.
What this framework is NOT:
- Secure enough for sites involving e-commerce transactions and sensitive personal information.
Note the “NOT” clause above: this implementation is not for securing sensitive data. Most people implementing this framework will be doing so on unsecured sites (sites NOT using HTTPS), so user passwords are sent from the login form to the login processor script in plaintext, where they are vulnerable to interception.
How the PHP security flow works
This framework works as follows:
- User submits login form containing name and password to login processor script
- Login processor script compares name and password to stored value
- If name and password do not match expected value, send user back to login form
- If name and password match expected value, set a session variable containing a unique hash value, and forward user to secure page
When a user tries to access a secure page, this happens:
- Security code checks session variable with user hash and compares to expected value.
- If the hash values match, continue displaying page.
- If the hash values do not match, send user to login form.
Seems simple right? It is! To implement the above workflow you’re going to need to use the code I have included below.
Login Form
Below is the login form code. Note that you must set the destination of the form to match the name of your check login script (login processor.)
```php
<?php
/*
 * FILE: login.php
 */
?>
<html>
<head>
  <title>Login</title>
</head>
<body>
  <form name="login-form" method="post" action="check_login.php">
    <p>User: <input type="text" id="user" name="user"/></p>
    <p>Password: <input type="password" id="pass" name="pass"/></p>
    <p><input type="submit" name="Submit" value="Submit"></p>
  </form>
</body>
</html>
```
Login Processor
The login processor has the main chunk of your security code. This is the script that decides whether you have a correct username and password, and what to do after logging in. Note that this code uses an include of login functions to accomplish its purpose. These login functions are shown later in this article.
```php
<?php
/*
 * FILE: check_login.php
 */
session_start();

//include our login functions.
require('login_functions.php');

//retrieve post data (empty string if a field is missing)
$user = trim($_POST['user'] ?? '');
$pass = trim($_POST['pass'] ?? '');

/*
 * Basic Login Logic
 */
clear_login_state();
if ($user !== '' && $pass !== '') {
    if (check_login_correct($user, $pass)) {
        //set appropriate session vars
        login_user($user);
        //redirect to secured page
        send_to_page('secure_page.php');
    } else {
        //wrong user or password supplied, send back to login
        send_to_page('login.php');
    }
} else {
    //no user or password supplied, send back to login
    send_to_page('login.php');
}
?>
```
Login Functions
The above Login Processor code uses some important functions to accomplish the secure login. These functions are enclosed in their own file and included by the above code.
```php
<?php
/*
 * FILE: login_functions.php
 */

function check_login_correct($user, $pass) {
    /**
     * This function is for you to fill in.
     * Typically, you would compare the user's password
     * to the password stored in the database, and then return
     * either true or false, depending on the result.
     */
    //strict comparison, so no type juggling can make a wrong value match
    if ($user === 'admin' && $pass === 'Chelsea') {
        return true;
    }
    return false;
}

function login_user($user) {
    //issue a fresh session id on login and delete the old session
    session_regenerate_id(true);
    //set the user session variable, for later app use
    $_SESSION['user'] = $user;
    //set the hash session variable
    $_SESSION['hash'] = calculate_secure_hash($user);
}

//function sends the user to a page. Note this must be called
//in the header, before any page output (echo's, html, print, etc)
function send_to_page($page) {
    header("Location: $page");
    die("Redirect Failed");
}

//clears login state (logs you out) by unsetting login variables
//must be called in header, before any page output (echo's, html, print, etc)
function clear_login_state() {
    session_unset();
}

function calculate_secure_hash($user) {
    //the security of your system is based on the hash seed below - change often
    $hash_seed = 'this_is_a_secret';
    //the User-Agent header is optional, so fall back to an empty string
    $agent = $_SERVER['HTTP_USER_AGENT'] ?? '';
    return md5($agent . $hash_seed . $user);
}

function check_logged_in() {
    //retrieve session vars (empty string if not set)
    $found_hash = $_SESSION['hash'] ?? '';
    $user = $_SESSION['user'] ?? '';
    //must not be empty
    if (!empty($found_hash) && !empty($user)) {
        //recalculate the hash
        $calculated_hash = calculate_secure_hash($user);
        //if recalculated hash matches, we have a logged in user.
        //hash_equals() compares the strings exactly; a loose != would
        //treat two different "0e..." md5 values as equal numbers
        if (!hash_equals($calculated_hash, $found_hash)) {
            send_to_page('login.php');
        }
    } else {
        send_to_page('login.php');
    }
}
?>
```
Secure Page Code
Okay, so we have successfully logged a user in - now what? Well, for each secure page accessed you have to reverify the hash value. On each secure page, you’re going to need to setup the top of your page (PHP script) like this:
```php
<?php
/*
 * FILE: secure_page.php
 */
session_start();

//include our login functions.
require('login_functions.php');

//do security check
check_logged_in();

//now, display the page's content...
echo "You are viewing a secured page!";
?>
```
Download the Above Code
You can download this zip of the above code, and run it on your server to test how the authentication code works. Remember, you’re going to need to customize the check_login_correct() function to fit your particular password storage method.
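One way to fill in check_login_correct() against a database, as an added example that is not part of the original download. The `users` table, its column names, the extra `$db` parameter, the `example_user_db()` helper and the in-memory SQLite store (which needs the pdo_sqlite extension) are all assumptions made for the illustration.

```php
<?php
// Added example, not the article's own code.
// Assumed schema: users(name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL).

// Constructed sample store: in-memory SQLite holding one user.
function example_user_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO users (name, pass_hash) VALUES (?, ?)');
    // Only the salted hash is stored, never the password itself.
    $ins->execute(['admin', password_hash('Chelsea', PASSWORD_DEFAULT)]);
    return $db;
}

function check_login_correct(PDO $db, string $user, string $pass): bool
{
    // Hash that is verified when the user does not exist, so known and
    // unknown user names take about the same time to reject.
    static $dummy = null;
    $dummy ??= password_hash('placeholder-never-matches', PASSWORD_DEFAULT);

    // Prepared statement: the user name is bound, not concatenated into SQL.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE name = ?');
    $stmt->execute([$user]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        password_verify($pass, $dummy);
        return false;
    }
    if (!password_verify($pass, $stored)) {
        return false;
    }
    // Upgrade the stored hash when PHP's default algorithm or cost changes.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET pass_hash = ? WHERE name = ?');
        $upd->execute([password_hash($pass, PASSWORD_DEFAULT), $user]);
    }
    return true;
}

// Constructed sample logins: correct, wrong case, unknown user.
$db = example_user_db();
var_dump(check_login_correct($db, 'admin', 'Chelsea'));
var_dump(check_login_correct($db, 'admin', 'chelsea'));
var_dump(check_login_correct($db, 'nobody', 'Chelsea'));
```

To use it with the login processor above, open the PDO connection in check_login.php and pass it as the first argument, or create it inside the function to keep the article's two-argument signature.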

