A clean, secure, framework-free authentication system built in pure PHP.
"Security isn't a feature β it's a foundation. Build it right from day one."
- About
- Features
- Tech Stack
- Project Structure
- Auth Flow
- Getting Started
- Database Setup
- Usage
- Security
- Roadmap
- Contributing
- Author
User Auth System (PHP) is a clean, modular authentication system built from scratch in native PHP β no Laravel, no Symfony, no magic. It covers the entire authentication lifecycle: register, login, session management, and logout, with security best practices baked in from the ground up.
Perfect for developers who want to:
- π Learn how PHP auth actually works under the hood
- ποΈ Use it as a base for larger PHP applications
- π Understand password hashing, sessions, and PDO in practice
| Feature | Details |
|---|---|
| π Registration | Create a new account with username, email & password |
| π Login | Authenticate with email/username + password |
| πͺ Logout | Cleanly destroy session and redirect to login |
| π Password Hashing | password_hash() with PASSWORD_BCRYPT β never plain-text |
| β Password Verify | password_verify() for secure comparison |
| π« Session Management | PHP $_SESSION with session ID regeneration on login |
| π‘οΈ SQL Injection Safe | PDO prepared statements throughout |
| π§Ή Input Sanitization | Server-side validation on all form inputs |
| π Custom CSS UI | Clean, hand-crafted stylesheet β no framework dependency |
| π Protected Pages | Session guard pattern to restrict access to auth-only pages |
| Layer | Technology |
|---|---|
| Backend | PHP 7.4+ (native, OOP) |
| Database | MySQL / MariaDB via PDO |
| Frontend | HTML5 + Custom CSS (20.7% of the codebase) |
| Session | PHP $_SESSION (server-side) |
| Password | PHP password_hash() / password_verify() |
| Server | Apache / Nginx / PHP built-in server |
user-auth-system-php/
β
βββ π public/ # Web-accessible entry points
β βββ index.php # π Home / landing page (protected)
β βββ login.php # π Login form & handler
β βββ register.php # π Registration form & handler
β βββ dashboard.php # π Protected dashboard (session-guarded)
β βββ logout.php # πͺ Session destroy & redirect
β
βββ π includes/ # Core reusable PHP logic
β βββ db.php # ποΈ PDO database connection
β βββ auth.php # π‘οΈ Session guard / requireLogin()
β βββ functions.php # π§ Helper utilities (validate, sanitize)
β
βββ π css/ # Custom stylesheets
β βββ style.css # π¨ Auth UI styles (login, register forms)
β
βββ .gitignore
βββ LICENSE
βββ README.md
βββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β User visits site β
ββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββ
β
ββββββββββββββββΌβββββββββββββββ
β Session already active? β
ββββββββ¬ββββββββββββββββ¬ββββββββ
YES NO
β β
βΌ βΌ
ββββββββββββββ ββββββββββββββββββ
β Dashboard β β Login / Reg. β
βββββββ¬βββββββ βββββββββ¬βββββββββ
β β
β ββββββββββΌβββββββββ
β β Validate Input β
β ββββββββββ¬βββββββββ
β β
β ββββββββββΌβββββββββββββββββ
β β PDO Query (prepared stm) β
β ββββββββββ¬βββββββββββββββββ
β β
β ββββββββββΌβββββββββββββββββ
β β password_verify() check β
β ββββββββββ¬βββββββββββββββββ
β β
β ββββββββββΌββββββββββββββββββββ
β β session_regenerate_id(true) β
β β + $_SESSION['user'] = ... β
β ββββββββββ¬ββββββββββββββββββββ
β β
ββββββββββββββββββββΌ
Dashboard β
β
[Logout clicked]
β
session_unset() + session_destroy()
β
Login page π
- β PHP 7.4+ with PDO & PDO_MySQL extensions enabled
- β MySQL 5.7+ or MariaDB
- β
Apache (with
mod_rewrite) or Nginx - β XAMPP / WAMP / LAMP or any local PHP stack
# 1. Clone the repository
git clone https://github.com/MisaghMomeniB/user-auth-system-php.git
# 2. Navigate into the project
cd user-auth-system-php
# 3. Run with the PHP built-in server (quickest way)
php -S localhost:8000 -t public/
# OR place in your web server root
# e.g. XAMPP: C:/xampp/htdocs/user-auth-system-php/Then open: http://localhost:8000
-- 1. Create the database
CREATE DATABASE user_auth_db;
USE user_auth_db;
-- 2. Create the users table
CREATE TABLE users (
id INT AUTO_INCREMENT PRIMARY KEY,
username VARCHAR(50) NOT NULL UNIQUE,
email VARCHAR(150) NOT NULL UNIQUE,
password_hash VARCHAR(255) NOT NULL,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);Then configure your connection in includes/db.php:
$host = 'localhost';
$dbname = 'user_auth_db';
$user = 'your_db_user';
$pass = 'your_db_password';
$pdo = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8", $user, $pass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);Visit /register.php β fill in username, email, and password β submit.
The password is immediately hashed with password_hash() before being stored β raw passwords never touch the database.
Visit /login.php β enter your credentials β on success, session is started and you're redirected to the dashboard.
/dashboard.php is protected by a session guard. Any unauthenticated visitor is automatically redirected back to /login.php.
// Session guard pattern used on protected pages
require_once '../includes/auth.php';
requireLogin(); // Redirects to login.php if not authenticatedClick the Logout button β this calls /logout.php, which destroys all session data and redirects to the login page.
This project implements multiple layers of security:
| Threat | Protection Used |
|---|---|
| SQL Injection | PDO prepared statements β zero raw SQL string building |
| Password Exposure | password_hash(PASSWORD_BCRYPT) β one-way hashing |
| Password Comparison | password_verify() β timing-safe comparison |
| Session Hijacking | session_regenerate_id(true) on every successful login |
| XSS | htmlspecialchars() on all output variables |
| Unauthorized Access | Session guard (requireLogin()) on all protected pages |
β οΈ For production use, also consider: HTTPS enforcement, CSRF token protection, login rate limiting, account lockout after failed attempts, and secure cookie flags (HttpOnly,Secure,SameSite).
- User registration with hashed password
- Secure login & session management
- Session guard for protected pages
- Logout with full session destruction
- PDO prepared statements
- Custom CSS UI
- π Password reset via email link
- π§ Email verification on registration
- π« Login throttling / account lockout
- π "Remember Me" persistent login (secure cookie)
- π‘οΈ CSRF token protection
- π€ User profile page & avatar upload
- π Two-Factor Authentication (2FA)
- π³ Docker + docker-compose support
- π§ͺ Unit tests for Auth & DB layers
Contributions are always welcome β especially security improvements!
- Fork the repository
- Create your branch:
git checkout -b feature/your-feature - Commit with clear messages:
git commit -m "Add: feature description" - Push:
git push origin feature/your-feature - Open a Pull Request with a clear description of what you changed and why
Please keep security in mind with every change β this is an auth system after all. π
Distributed under the MIT License β free to use, learn from, and build upon.
See LICENSE for full details.