1. This is awesome. Thank you. I have got this working and it will do just what I wanted I think. Is there a way to store the destination URL the user was trying to reach so that you can deliver them there once the login sequence is done?

  2. Michelle says:

    Just thought I’d let you know that the link to the hashing tool leads to an error page.

    • edit ‘login.php’ file… find ‘your-page.php’ option….. replace it with the php or html file you want…. if the php or html file is not in the same directory, then mention the full path.

      hope, that helps.

  3. William says:

    This is exactly what I need…will be pinching the code. Ta very much.

  4. Do you know how can I protect a private key (to decrypt database content) stored in a session variable?

    See, my problem is I’m using asymetric encryption. The private key to read de data is safely stored in the user database symetrically encrypted with AES under the user’s password.

    So when the user wants to read something he just logs in and gets the private key with his pass, stored under a php session var for further use.

    Anybody who has access to this session var can retrieve the private key and steal al the cyphered content from the database file.

    Any ideas?

    • Anybody who has access to this session var can retrieve the private key and steal al the cyphered content from the database file….

      Anybody who can hijack the session, can access session var…

      Anybody who can perform a MIM (or MITM) attack, can hijack the session…

      My recommendation is, use https with a strong (as strong as 128 bit or 256 bit) SSL encryption, instead of general http.

  5. How about a logout function?
    I dont even know if thats needed from a technical point of view, but it would certainly add to design :)

  6. Hi, one thing I always wondering about is the question, how I can let the user set up his own password. and how I can protect the input form



    from sending the unhashed password via the web to the server.

    Do I have to hash it via javacript before sending it or du I have to use a https connection with a certificate to provide a secure password transmission?

    Does anybody know an answer to this?

    Greetings and thanks in advance!

    • I’ll always prefer the idea of using a https secure connection. If you have a secure connection (SSL Certificate is what you need), then you don’t need to hash the passwords anymore. Because the SSL encryption does the hashing job. If you’re not using a https, then you can do the hashing part yourself.

  7. This is a highly recommended tutorial for the beginners.

  8. Mr. Sazid says:

    Hi dear,
    Its very helpful note for an PHP regular user person.
    If it is more essay how to one normal person can know it and identified
    Please can you help me to give php code for multiple user log in code.
    Where one user can log in one page like a gmail, ymail, account.
    I am a Student in DCS.

  9. I find this post very helpful. But I can’t seem to figure out how to customize the username and password. When I change it in the script it doesn’t word. The log in function only works when the username is set to ‘username’ and password set to ‘password’

    Greetings and thanks in advance!
    / Oskar

  10. I keep getting “Invalid username”. How or where do I set the username?? I’m setting it in the users.php page now but again doesn’t seem to work.

  11. Doesn’t work with php5.3 :(

  12. This is the second time in a row that i found exactly what i needed at your site.. this works perfectly….

    If anyone is having trouble – make sure to HASH your passwords in your users.php since the code is -decrypting them during login process..

Speak Your Mind