PHP login system incorporating best practices

The login() function below handles user authentication: it checks a CSRF token, validates the submitted email and password, and starts an authenticated session before redirecting to the dashboard.


Arun Kr.
12-Jun-24
<?php
// Harden the session cookie before the session starts: not readable from JavaScript,
// only sent over HTTPS, and not attached to cross-site requests.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true, // requires HTTPS; only relax this on a local HTTP dev box
    'samesite' => 'Lax',
]);
session_start(); // Start the session

// Check if the user is already logged in, if yes, redirect to dashboard
if (isset($_SESSION["SESS_USER_ID"])) {
    header("Location: dashboard.php");
    exit;
}

// Include database connection or any necessary files

// Generate the CSRF token before any POST is handled, so login() always has a
// session token to compare the submitted one against
if (!isset($_SESSION['token_'])) {
    $_SESSION['token_'] = bin2hex(random_bytes(32));
}

$msg_danger = ''; // Initialize error message variable

// Define login function: returns an error message, or redirects on success
function login()
{
    if ($_SERVER["REQUEST_METHOD"] !== "POST") {
        return '';
    }

    // CSRF check: the posted token must match the session token (constant-time compare)
    if (empty($_POST['token_']) || !isset($_SESSION['token_'])
        || !hash_equals($_SESSION['token_'], (string) $_POST['token_'])) {
        return "Invalid request";
    }

    $email = trim((string) ($_POST['email_'] ?? ''));
    $password = (string) ($_POST['Password_'] ?? '');

    // Validate email format
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return "Invalid email format";
    }

    // Validate password length or complexity

    // Look up the user by email. Replace this with your database query logic; the
    // row must carry the password_hash() value stored at registration, never the
    // plaintext password. With PDO and a users(id, first_name, email, password_hash)
    // table it would look like:
    //   $stmt = $pdo->prepare('SELECT id, first_name, password_hash FROM users WHERE email = ?');
    //   $stmt->execute([$email]);
    //   $user = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    $user = null;

    // Compare the submitted password against the stored hash with password_verify().
    // Do NOT call password_hash() here: the stored hash is salted, so hashing the
    // submitted password again never reproduces it and cannot be compared by equality.
    if ($user === null) {
        // Unknown email: still run one verify (ideally against a precomputed dummy
        // hash) so the response time does not reveal which email addresses exist
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return "Invalid email address or password";
    }
    if (!password_verify($password, $user['password_hash'])) {
        return "Invalid email address or password";
    }

    // If PHP's default algorithm or cost changed since the hash was stored,
    // rehash now (the plaintext is still in hand) and write it back to the database
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $new_hash = password_hash($password, PASSWORD_DEFAULT);
        // UPDATE users SET password_hash = :hash WHERE id = :id
    }

    // Prevent session fixation: issue a fresh session ID now that the user is authenticated
    session_regenerate_id(true);

    // Set session variables
    $_SESSION['SESS_USER_ID'] = $user['id'];
    $_SESSION['SESS_FIRST_NAME'] = $user['first_name'];

    // Redirect to dashboard
    header('Location: dashboard.php');
    exit();
}

// Call the login function
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $msg_danger = login();
}
?>

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>Login</title>
</head>
<body>
    <h2>Login</h2>

    <?php if (!empty($msg_danger)) : ?>
        <p style="color: red;"><?php echo htmlspecialchars($msg_danger); ?></p>
    <?php endif; ?>

    <form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]); ?>">
        <input type="hidden" name="token_" value="<?php echo htmlspecialchars($_SESSION['token_']); ?>">
        <div>
            <label for="email">Email:</label>
            <input type="email" id="email" name="email_" required>
        </div>
        <div>
            <label for="password">Password:</label>
            <input type="password" id="password" name="Password_" required>
        </div>
        <button type="submit">Login</button>
    </form>
</body>
</html>

This code implements the following features:

  1. CSRF Protection: Generates a random token with random_bytes(), stores it in the session, and compares the submitted copy with hash_equals() (constant-time) before the login is processed.
  2. Password Verification: Checks the submitted password against the stored password_hash() value with password_verify(). password_hash() belongs in registration (and in the password_needs_rehash() upgrade path), not in the login comparison, because every hash carries its own salt.
  3. Error Handling: Returns one generic "Invalid email address or password" message for both an unknown email and a wrong password, and runs a verify on the unknown-email path too, so neither the message nor the response time reveals which accounts exist.
  4. Session Management: Sets HttpOnly, Secure and SameSite on the session cookie, starts the session, and calls session_regenerate_id(true) on successful login so a session ID fixed by an attacker before login is never promoted to an authenticated one.
  5. Redirect Handling: Redirects to a fixed dashboard.php rather than a user-supplied URL, and calls exit after header() so no further output or logic runs.
  6. Output Escaping: Wraps every value echoed into the HTML (error message, form action, CSRF token) in htmlspecialchars() to prevent XSS.
  7. Email Validation: Checks the email format using FILTER_VALIDATE_EMAIL.
  8. Password Complexity: Leaves a hook for a password length or complexity check (not implemented in the code).
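As an added, stand-alone example (not code from the original post), the script below shows the password and CSRF handling from the list above separated from the HTML so it can be run from the command line with php: registration with password_hash(), login with password_verify() against a constructed in-memory user table, a throwaway-hash verify for unknown emails so the failure path costs about the same as the success path, password_needs_rehash() for transparent hash upgrades, and hash_equals() for the CSRF token. The user record, its credentials, and the $session array standing in for $_SESSION are all constructed for the demo.

```php
<?php
declare(strict_types=1);

// Constructed in-memory "users table" standing in for the database the page's
// login() is meant to query. Rows hold the hash only, never the plaintext.
$users = [];

// Registration side: hash the plaintext once with PHP's default algorithm and store the hash
function register(array &$users, string $email, string $first_name, string $password): void
{
    $users[strtolower($email)] = [
        'id'            => count($users) + 1,
        'first_name'    => $first_name,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// A throwaway hash verified for unknown emails so the "no such user" path costs roughly
// the same as a real verify; otherwise response time reveals which emails exist
function dummy_hash(): string
{
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
}

// Login side: returns the user row on success, null otherwise, without ever
// distinguishing "unknown email" from "wrong password" in its result
function authenticate(array &$users, string $email, string $password): ?array
{
    $key = strtolower($email);
    $user = $users[$key] ?? null;
    if ($user === null) {
        password_verify($password, dummy_hash());
        return null;
    }
    if (!password_verify($password, $user['password_hash'])) {
        return null;
    }
    // Transparent upgrade: if the default algorithm or cost changed since the hash
    // was stored, rehash while the plaintext is still in hand
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $users[$key]['password_hash'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $user;
}

// CSRF side, mirroring the page's form: one random token per session, compared in constant time
function issue_csrf_token(array &$session): string
{
    return $session['token_'] ??= bin2hex(random_bytes(32));
}

function csrf_token_valid(array $session, ?string $submitted): bool
{
    return isset($session['token_'])
        && $submitted !== null
        && hash_equals($session['token_'], $submitted);
}

// --- demo: php login_demo.php ---
register($users, 'admin@example.com', 'Admin', 'correct horse battery staple'); // constructed credentials

$session = [];                       // stands in for $_SESSION
$token = issue_csrf_token($session);
$tampered = ($token[0] === '0' ? '1' : '0') . substr($token, 1); // flip one hex digit

$checks = [
    'correct credentials log in' => authenticate($users, 'admin@example.com', 'correct horse battery staple') !== null,
    'wrong password is rejected' => authenticate($users, 'admin@example.com', 'wrong') === null,
    'unknown email is rejected'  => authenticate($users, 'nobody@example.com', 'wrong') === null,
    'only a hash is stored'      => $users['admin@example.com']['password_hash'] !== 'correct horse battery staple',
    'csrf token round-trips'     => csrf_token_valid($session, $token),
    'tampered csrf token fails'  => !csrf_token_valid($session, $tampered),
    'missing csrf token fails'   => !csrf_token_valid($session, null),
];
foreach ($checks as $name => $ok) {
    printf("%-28s %s\n", $name, $ok ? 'ok' : 'FAIL');
}
```

In the web version, authenticate() is where the database query goes, $session is $_SESSION, and the two functions that touch the token sit on either side of the form: issue_csrf_token() before the hidden input is rendered, csrf_token_valid() as the first check on POST. Each password_hash()/password_verify() call deliberately takes tens of milliseconds, so the demo is slow by design; that cost is what makes offline guessing against a leaked hash expensive.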
@Since 2024 Arun'Log Powered by Arun Git