Skip to content

MisaghMomeniB/user-auth-system-php

Folders and files

NameName
Last commit message
Last commit date

Latest commit

Β 

History

44 Commits
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 
Β 

Repository files navigation

πŸ›‘οΈ User Auth System β€” PHP

A clean, secure, framework-free authentication system built in pure PHP.

PHP MySQL CSS License Stars

"Security isn't a feature β€” it's a foundation. Build it right from day one."


🧭 Table of Contents


πŸ“– About

User Auth System (PHP) is a clean, modular authentication system built from scratch in native PHP β€” no Laravel, no Symfony, no magic. It covers the entire authentication lifecycle: register, login, session management, and logout, with security best practices baked in from the ground up.

Perfect for developers who want to:

  • πŸŽ“ Learn how PHP auth actually works under the hood
  • πŸ—οΈ Use it as a base for larger PHP applications
  • πŸ” Understand password hashing, sessions, and PDO in practice

✨ Features

Feature Details
πŸ“ Registration Create a new account with username, email & password
πŸ”‘ Login Authenticate with email/username + password
πŸšͺ Logout Cleanly destroy session and redirect to login
πŸ”’ Password Hashing password_hash() with PASSWORD_BCRYPT β€” never plain-text
βœ… Password Verify password_verify() for secure comparison
🎫 Session Management PHP $_SESSION with session ID regeneration on login
πŸ›‘οΈ SQL Injection Safe PDO prepared statements throughout
🧹 Input Sanitization Server-side validation on all form inputs
πŸ’… Custom CSS UI Clean, hand-crafted stylesheet β€” no framework dependency
πŸ” Protected Pages Session guard pattern to restrict access to auth-only pages

πŸ›  Tech Stack

Layer Technology
Backend PHP 7.4+ (native, OOP)
Database MySQL / MariaDB via PDO
Frontend HTML5 + Custom CSS (20.7% of the codebase)
Session PHP $_SESSION (server-side)
Password PHP password_hash() / password_verify()
Server Apache / Nginx / PHP built-in server

πŸ“ Project Structure

user-auth-system-php/
β”‚
β”œβ”€β”€ πŸ“‚ public/              # Web-accessible entry points
β”‚   β”œβ”€β”€ index.php           # 🏠 Home / landing page (protected)
β”‚   β”œβ”€β”€ login.php           # πŸ”‘ Login form & handler
β”‚   β”œβ”€β”€ register.php        # πŸ“ Registration form & handler
β”‚   β”œβ”€β”€ dashboard.php       # πŸ“Š Protected dashboard (session-guarded)
β”‚   └── logout.php          # πŸšͺ Session destroy & redirect
β”‚
β”œβ”€β”€ πŸ“‚ includes/            # Core reusable PHP logic
β”‚   β”œβ”€β”€ db.php              # πŸ—„οΈ PDO database connection
β”‚   β”œβ”€β”€ auth.php            # πŸ›‘οΈ Session guard / requireLogin()
β”‚   └── functions.php       # πŸ”§ Helper utilities (validate, sanitize)
β”‚
β”œβ”€β”€ πŸ“‚ css/                 # Custom stylesheets
β”‚   └── style.css           # 🎨 Auth UI styles (login, register forms)
β”‚
β”œβ”€β”€ .gitignore
β”œβ”€β”€ LICENSE
└── README.md

πŸ”„ Auth Flow

 β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
 β”‚                   User visits site                   β”‚
 β””β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                             β”‚
              β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
              β”‚    Session already active?   β”‚
              β””β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”˜
                    YES              NO
                     β”‚               β”‚
                     β–Ό               β–Ό
             β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”   β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
             β”‚ Dashboard  β”‚   β”‚  Login / Reg.  β”‚
             β””β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”˜   β””β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                   β”‚                  β”‚
                   β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”
                   β”‚         β”‚ Validate Input  β”‚
                   β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                   β”‚                  β”‚
                   β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                   β”‚         β”‚ PDO Query (prepared stm) β”‚
                   β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                   β”‚                  β”‚
                   β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                   β”‚         β”‚ password_verify() check β”‚
                   β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                   β”‚                  β”‚
                   β”‚         β”Œβ”€β”€β”€β”€β”€β”€β”€β”€β–Όβ”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”
                   β”‚         β”‚ session_regenerate_id(true) β”‚
                   β”‚         β”‚  + $_SESSION['user'] = ...  β”‚
                   β”‚         β””β”€β”€β”€β”€β”€β”€β”€β”€β”¬β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”€β”˜
                   β”‚                  β”‚
                   └──────────────────▼
                           Dashboard βœ…
                                β”‚
                         [Logout clicked]
                                β”‚
                   session_unset() + session_destroy()
                                β”‚
                          Login page πŸ”„

πŸš€ Getting Started

Prerequisites

  • βœ… PHP 7.4+ with PDO & PDO_MySQL extensions enabled
  • βœ… MySQL 5.7+ or MariaDB
  • βœ… Apache (with mod_rewrite) or Nginx
  • βœ… XAMPP / WAMP / LAMP or any local PHP stack

Installation

# 1. Clone the repository
git clone https://github.com/MisaghMomeniB/user-auth-system-php.git

# 2. Navigate into the project
cd user-auth-system-php

# 3. Run with the PHP built-in server (quickest way)
php -S localhost:8000 -t public/

# OR place in your web server root
# e.g. XAMPP: C:/xampp/htdocs/user-auth-system-php/

Then open: http://localhost:8000


πŸ—„ Database Setup

-- 1. Create the database
CREATE DATABASE user_auth_db;
USE user_auth_db;

-- 2. Create the users table
CREATE TABLE users (
    id            INT AUTO_INCREMENT PRIMARY KEY,
    username      VARCHAR(50)  NOT NULL UNIQUE,
    email         VARCHAR(150) NOT NULL UNIQUE,
    password_hash VARCHAR(255) NOT NULL,
    created_at    TIMESTAMP DEFAULT CURRENT_TIMESTAMP
);

Then configure your connection in includes/db.php:

$host   = 'localhost';
$dbname = 'user_auth_db';
$user   = 'your_db_user';
$pass   = 'your_db_password';

$pdo = new PDO("mysql:host=$host;dbname=$dbname;charset=utf8", $user, $pass);
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

πŸ’» Usage

πŸ“ Register a New Account

Visit /register.php β†’ fill in username, email, and password β†’ submit.

The password is immediately hashed with password_hash() before being stored β€” raw passwords never touch the database.

πŸ”‘ Login

Visit /login.php β†’ enter your credentials β†’ on success, session is started and you're redirected to the dashboard.

πŸ“Š Dashboard (Protected)

/dashboard.php is protected by a session guard. Any unauthenticated visitor is automatically redirected back to /login.php.

// Session guard pattern used on protected pages
require_once '../includes/auth.php';
requireLogin(); // Redirects to login.php if not authenticated

πŸšͺ Logout

Click the Logout button β€” this calls /logout.php, which destroys all session data and redirects to the login page.


πŸ” Security

This project implements multiple layers of security:

Threat Protection Used
SQL Injection PDO prepared statements β€” zero raw SQL string building
Password Exposure password_hash(PASSWORD_BCRYPT) β€” one-way hashing
Password Comparison password_verify() β€” timing-safe comparison
Session Hijacking session_regenerate_id(true) on every successful login
XSS htmlspecialchars() on all output variables
Unauthorized Access Session guard (requireLogin()) on all protected pages

⚠️ For production use, also consider: HTTPS enforcement, CSRF token protection, login rate limiting, account lockout after failed attempts, and secure cookie flags (HttpOnly, Secure, SameSite).


πŸ›£οΈ Roadmap

  • User registration with hashed password
  • Secure login & session management
  • Session guard for protected pages
  • Logout with full session destruction
  • PDO prepared statements
  • Custom CSS UI
  • πŸ” Password reset via email link
  • πŸ“§ Email verification on registration
  • 🚫 Login throttling / account lockout
  • πŸ”‘ "Remember Me" persistent login (secure cookie)
  • πŸ›‘οΈ CSRF token protection
  • πŸ‘€ User profile page & avatar upload
  • πŸ” Two-Factor Authentication (2FA)
  • 🐳 Docker + docker-compose support
  • πŸ§ͺ Unit tests for Auth & DB layers

🀝 Contributing

Contributions are always welcome β€” especially security improvements!

  1. Fork the repository
  2. Create your branch: git checkout -b feature/your-feature
  3. Commit with clear messages: git commit -m "Add: feature description"
  4. Push: git push origin feature/your-feature
  5. Open a Pull Request with a clear description of what you changed and why

Please keep security in mind with every change β€” this is an auth system after all. πŸ”


πŸ“„ License

Distributed under the MIT License β€” free to use, learn from, and build upon. See LICENSE for full details.


πŸ‘¨β€πŸ’» Author

Misagh Momeni Bashusqeh Software Developer

GitHub


Built with 🐘 PHP and a deep respect for user security. If this helped you learn or ship faster, leave a ⭐ β€” it means the world!

About

Visit My Profile to Access More Repositories and Projects.

Topics

Resources

License

Stars

4 stars

Watchers

1 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors