Comments on: Secure PHP login without database

By: Jerry Low

Jerry Low — Thu, 19 Jan 2012 16:58:06 +0000

James,

Basically the script will ensure all your settings are valid before it'll work. The settings are all in _login_users.php

You have to conform to the comments I have there. And user names can only be alphanumeric with no whitespace (hyphen and underscore is ok).

By: James

James — Wed, 04 Jan 2012 22:04:27 +0000

Hey I tried to use this, but I can't seem to figure out how to login , sorry I really don't feel like having to search this up somewhere else -.-…

Whenever I go to the index.php it tell me that the admin settings are wrong, I know that the code for that is on page _login.php but how to I get a login form?

By: Alessandro Marinuzzi

Alessandro Marinuzzi — Wed, 14 Dec 2011 09:38:21 +0000

Hi! Thanks for sharing this great php login tutorial! I have some improvements... in each page that you want to protect add these lines:

session_start();
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); #Date in the Past
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT"); #Always modified
header("Cache-Control: no-store, no-cache, must-revalidate"); #HTTP/1.1
header("Cache-Control: post-check=0, pre-check=0", false);
header("Pragma: no-cache"); #HTTP/1.0
require_once('_login.php');
if (!$login->verify_login($key_uid, $key_cid)) {
  header("Location: login.php");
  exit();
}

The first five headers avoid that another user that have the same session opened backs to previous page and posts again... the if statement verify if the user has logged in or not Thanks again!!!

By: jonas luin

jonas luin — Sun, 30 Oct 2011 01:18:22 +0000

i cant stay logged in and have to re-enter my user and password all the time. Whats the problem?

By: Dumbledore27

Dumbledore27 — Wed, 19 Oct 2011 14:04:04 +0000

One more question. Is there a way to do a log in page for this? So when a user fills out the necessary fields, an email is sent with a validation link and when the user is validated, another username & pass are added to the _login_users.php?

Thanks. :)

Btw, I no longer need the thing I asked in my previous comment. ;)

By: Dumbledore27

Dumbledore27 — Sat, 15 Oct 2011 10:36:21 +0000

It works perfect, but I have just one question.

Only one directory is password-protected.
So directories /web and /gfx are not protected, but /vip is.
I would like to have the "You are logged in as username; ?>" on all of the pages, but since only one directory requires login, would it be possible to say "You are not logged in/You are logged in as Guest" if user is not logged in. If I do it with the code above and am not logged in, I get:
"You are logged in as ."

Anything I can do?

By: Jerry Low

Jerry Low — Thu, 06 Oct 2011 15:57:43 +0000

Kin, this can support up to as many as you like, but the problem is it is not manageable. I'm still working on a deployable database one, only problem is that its fairly simple in management and hard to integrate with prebuilt systems.

By: Sven

Sven — Mon, 03 Oct 2011 17:43:26 +0000

Hello!

How well does this go up against rainbow tables? Is there a salt? (im noob)

By: Kin

Kin — Sun, 25 Sep 2011 15:36:24 +0000

Hi, Could you please let me know how many user names and passwords will it be best to use this method ? Eg. Is there any limit for the no. of users like less than 100 users only etc., stuff ?

Could you also provide me the code for login of users USING the Database?

Thank you,
Kin

By: AdamB

AdamB — Thu, 04 Aug 2011 22:07:06 +0000

hey jerry awesome code btw.. I don't know exactly what im doing wrong BUT even if i unzip the default php login site you have here and keep all the files in one folder and use the generic username and password you have in the default code i just get brought back to the same login page ;( any suggestions?