Simple PHP single user login script

Warning: Abandoned
This page/script has been classified as abandoned and will no longer be updated. I will keep this page here indefinitely as a reference, but it will no longer be updated and I no longer offer support of any kind regarding content found on this page.

Description

  • This is a login that can be used on any existing PHP file. The login uses a single username/password set and does not require a database. Setup is as simple as adding a few lines of text to the top of any PHP page to force a login.

Download

Terms of Use

  • All versions of this script have been released under GNU General Public License. Basically this means you are free to use the script, modify it, and even redistribute versions of your own under the same license.

What's new

  • 2.1 [2010-06-06] First public release. There are many older versions in existence, however this was the first version I fully documented and put up for download.

Instructions

Requiring the login on your PHP file

  • At the very top of the PHP page where you need the login, add the following lines:
    <?php
    session_start
    (); // start session cookies
    require("Login.class.php"); // pull in file
    $login = new Login; // create object login

    $login->authorize(); // make user login
    ?>
  • How it works:
    • session_start(); starts the temporary session cookies needed
    • require("Login.class.php"); grabs the file that includes the login class. If you place the file somewhere else, don't forget to change the path. eg; require("includes/Login.class.php");
    • $login = new Login creates the $login object from the class
    • $login->authorize(); this is where the actual work occurs. This checks if the user is already logged in. If they are, it checks if the login is valid. If they are not logged in or if the login is incorrect, the Login class will print out the login prompt and kill anything further on the page from being run. This means if the login is incorrect or incomplete, nothing past the $login->authorize(); point on your page is run. If the user is correctly logged in, the page continues loading as normal.

Settings and configuration

  • You will also need to specify the username and the password. You can do this in several places. By default, they exist and are set before the class in Login.class.php but you can move them to a config.php file or even to the top of your existing PHP file. You set the username and password with (here set to "admin" and "secret"):
    <?php
    // username to login into page
    define('LOGIN_USER', "admin");

    // password to login into page
    define('LOGIN_PASS', "secret");
    ?>
  • The Login class also contains two properties that are changeable:
    var $prefix = "login_";
    $prefix is a unique identifier for that specific login object. 98% of the time you can leave it set to the default. It was added because I often have multiple projects going at once out of the same client/projects sub-folder. The $prefix setting allows me to make each set of cookies unique so they do not conflict with logins from other projects. This setting could allow you to use multiple files and multiple user/pass sets using my script, however if you need to allow multiple usernames, please PLEASE use a different script better designed to handle it.
  • The other Login class property controls the duration the cookie remains:
    var $cookie_duration = 21;
    This is the number of days the user will remained logged in if they check the "Remember me on this computer" checkbox on the login prompt. With this option, even if the browser is closed, they will still be logged in when the page is loaded again. Note that you can manually log out at any time by going your_pagename.php?action=clear_login. It is also safe to completely remove the "remember me" checkbox from the login prompt if you desire.

Changing the look of the login prompt

  • The login prompt is basic HTML/CSS by default. You can however easily customize it to your template. Edit Login.class.php and near the bottom, you can change any of the HTML inside the prompt() function. There are a few things to remember however:
    • The field names need to remain the same. This means name="user" and name="pass" are required and can not be renamed.
    • name="remember" checkbox is optional and can safely be deleted. However, if you want to use it, the name must remain the same.
    • <form action="<?php echo $_SERVER['SCRIPT_NAME']; ?>" method="post"> must remain the same so the login class will work on any page name.
    • <?php echo $msg; ?> is optional, but if you remove it you will not receive any type of messages like "Incorrect username or password"
    • Messages come in two formats. Error messages come with class="warn" and feedback messages come with class="msg". With the default template, the "warn" are formatted to show in red, the "msg" to show in green. However you are welcome to use your own formatting or ignore it completely.

Comments

I love your classes and they are saving me a lot of time. However I notices what looks like a security hole today:

I have the logout link on page.php which points to: /page.php?action=clear_login

Now, after user has been logged out, if someone else comes and clicks the browser back button, they are back in the previous user's account.

I don't know if I'm not using this class as intended what.

[edit]
I commented in the wrong section, sorry; I'm actually using the BETA Login.singleton.php not Login.class.php

The user is completely logged out at that point. If they tried to change something or actually interact with the site it would not let them and it would send them to the login prompt.

However, you are correct in that any static information on any of the "back" pages would still be viewable. That's due to the browser caching those pages, not actually anything in the script. That's not a big concern for what I've used the script for so I've left it like that. However, I believe there is either some META tags you can use or even PHP header() tags you can use to prevent a page from being cached by the browser.

Hello!
I have a question:
- Is there any way to get more than just one user?

This is a very simple login script that only supports one user. If you need a system that allows multiple users, you'll need to search for something more advanced that stores the users in a database.

After searching the internet almost to the end for a simple but secure script for hiding content your's i am happy to report is not just the best one, but also the only one out of 20 or so i downloaded that works !!!

Thank you
Sam