PHP Classes
elePHPant
Icontem

PHP Auth Class: Register and login users stored in a database

Recommend this page to a friend!
  Info   View files Documentation   View files View files (23)   DownloadInstall with Composer Download .zip   Reputation   Support forum   Blog    
Last Updated Ratings Unique User Downloads Download Rankings
2016-07-27 (2 years ago) RSS 2.0 feedStarStarStarStar 62%Total: 355 All time: 6,749 This week: 355Up
Version License PHP version Categories
php-auth 1.0.0MIT/X Consortium ...5PHP 5, Databases, User Management
Description Author

This class can register and login users stored in a database.

It can perform several actions to manage records of users in a database accessed using PDO. Currently it can:

- Create the records of a new registered user and mail the user a URL with a gkey
- Activate account with a given key
- Authenticate a user with a password and optional CAPTCHA verification and create a login session
- Logout from a user session
- Request to reset the user password
- Change the user password
- Delete user records

The class uses bcrypt to store hashed passwords,

It can also verify and block attackers by IP for a defined time after a given number of failed login attempts.

The class can as well prevent registration of users with known disposable email addresses.

  Performance   Level  
Name: Con vertor <contact>
Classes: 2 packages by
Country: Portugal Portugal
Age: ???
All time rank: 278238 in Portugal Portugal
Week rank: 323 Up5 in Portugal Portugal Up
Innovation award
Innovation award
Nominee: 1x

Details

Build Status ghit.me

PHPAuth

What is it

PHPAuth is a secure user authentication class for PHP websites, using a powerful password hashing system and attack blocking to keep your website and users secure.

Features

  • Authentication by email and password combination
  • Uses bcrypt to hash passwords, a secure algorithm that uses an expensive key setup phase
  • Uses an individual 128 bit salt for each user, pulled from /dev/urandom, making rainbow tables useless
  • Uses PHP's PDO database interface and uses prepared statements meaning an efficient system, resilient against SQL injection
  • Blocks (or verifies) attackers by IP for any defined time after any amount of failed actions on the portal
  • No plain text passwords are sent or stored by the system
  • Integrates easily into most existing websites, and can be a great starting point for new projects
  • Easy configuration of multiple system parameters
  • Allows sending emails via SMTP or sendmail
  • Blocks disposable email addresses from registration

User actions

  • Login
  • Register
  • Activate account
  • Resend activation email
  • Reset password
  • Change password
  • Change email address
  • Delete account
  • Logout

Requirements

  • PHP 5.4
  • MySQL / MariaDB database or PostGreSQL database

Composer Support

PHPAuth can now be installed with the following command:

composer require phpauth/phpauth

Then: require 'vendor/autoload.php';

Configuration

The database table config contains multiple parameters allowing you to configure certain functions of the class.

  • site_name : the name of the website to display in the activation and password reset emails
  • site_url : the URL of the Auth root, where you installed the system, without the trailing slash, used for emails.
  • site_email : the email address from which to send activation and password reset emails
  • site_key : a random string that you should modify used to validate cookies to ensure they are not tampered with
  • site_timezone : the timezone for correct datetime values
  • site_activation_page : the activation page name appended to the site_url in the activation email
  • site_password_reset_page : the password reset page name appended to the site_url in the password reset email
  • cookie_name : the name of the cookie that contains session information, do not change unless necessary
  • cookie_path : the path of the session cookie, do not change unless necessary
  • cookie_domain : the domain of the session cookie, do not change unless necessary
  • cookie_secure : the HTTPS only setting of the session cookie, do not change unless necessary
  • cookie_http : the HTTP only protocol setting of the session cookie, do not change unless necessary
  • cookie_remember : the time that a user will remain logged in for when ticking "remember me" on login. Must respect PHP's strtotime format.
  • cookie_forget : the time a user will remain logged in when not ticking "remember me" on login. Must respect PHP's strtotime format.
  • bcrypt_cost : the algorithmic cost of the bcrypt hashing function, can be changed based on hardware capabilities
  • smtp : 0 to use sendmail for emails, 1 to use SMTP
  • smtp_host : hostname of the SMTP server
  • smtp_auth : 0 if the SMTP server doesn't require authentication, 1 if authentication is required
  • smtp_username : the username for the SMTP server
  • smtp_password : the password for the SMTP server
  • smtp_port : the port for the SMTP server
  • smtp_security : NULL for no encryption, tls for TLS encryption, ssl for SSL encryption
  • verify_password_min_length : minimum password length, default is 3
  • verify_password_max_length : maximum password length, default is 150
  • verify_password_strong_requirements : use strong password requirments (at least one uppercase and lowercase character, and at least one digit), default is 1 (true)
  • verify_email_min_length : minimum EMail length, default is 5
  • verify_email_max_length : maximum EMail length, default is 100
  • verify_email_use_banlist : use banlist while checking allowed EMails (see /files/domains.json), default is 1 (true)
  • attack_mitigation_time : time used for rolling attempts timeout, default is +30 minutes. Must respect PHP's strtotime format.
  • attempts_before_verify : maximum amount of attempts to be made within attack_mitigation_time before requiring captcha. Default is 5
  • attempt_before_block : maximum amount of attempts to be made within attack_mitigation_time before temporally blocking the IP address. Default is 30
  • password_min_score : the minimum score given by zxcvbn that is allowed. Default is 3

The rest of the parameters generally do not need changing.

CAPTCHA Implementation

If isBlocked() returns verify, then a CAPTCHA code should be displayed. The method checkCaptcha($captcha) is called to verify a CAPTCHA code. By default this method returns true, but should be overridden to verify a CAPTCHA.

For example, if you are using Google's ReCaptcha NoCaptcha, use the following code:

    private function checkCaptcha($captcha)
    {
 try {

        $url = 'https://www.google.com/recaptcha/api/siteverify';
        $data = ['secret'   => 'your_secret_here',
            'response' => $captcha,
            'remoteip' => $_SERVER['REMOTE_ADDR']];

        $options = [
            'http' => [
                'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
                'method'  => 'POST',
                'content' => http_build_query($data)
            ]
        ];

        $context  = stream_context_create($options);
        $result = file_get_contents($url, false, $context);
        return json_decode($result)->success;
    }
    catch (\Exception $e) {
        return false;
    }
}

If a CAPTCHA is not to be used, please ensure to set attempt_before_block to the same value as attempts_before_verify.

How to secure a page

Making a page accessible only to authenticated users is quick and easy, requiring only a few lines of code at the top of the page:

<?php

include("Config.php");
include("Auth.php");

$dbh = new PDO("mysql:host=localhost;dbname=phpauth", "username", "password");

$config = new PHPAuth\Config($dbh);
$auth   = new PHPAuth\Auth($dbh, $config);

if (!$auth->isLogged()) {
    header('HTTP/1.0 403 Forbidden');
    echo "Forbidden";

    exit();
}

?>

Message languages

The language for error and success messages returned by PHPAuth can be configured by passing in one of the available languages as the third parameter to the Auth constructor. If no language parameter is provided then the default en_GBlanguage is used.

Example: $auth = new PHPAuth\Auth($dbh, $config, "fr_FR");

Available languages:

  • en_GB (Default)
  • da_DK
  • de_DE
  • fa_IR
  • fr_FR
  • gr_GR
  • it_IT
  • nl_BE
  • nl_NL
  • no_NB
  • pt_BR
  • ru_RU
  • se_SE
  • vi_VN Documentation ---------------

All class methods are documented in the Wiki System error codes are listed and explained here

Contributing

Anyone can contribute to improve or fix PHPAuth, to do so you can either report an issue (a bug, an idea...) or fork the repository, perform modifications to your fork then request a merge.

Credits

  Files folder image Files  
File Role Description
Files folder imagefiles (2 files)
Files folder imagelanguages (15 files)
Plain text file Auth.php Class Class source
Plain text file Config.php Class Class source
Accessible without login Plain text file database_mysql.sql Data Auxiliary data
Accessible without login Plain text file database_pgsql.sql Data Auxiliary data
Accessible without login Plain text file LICENSE Lic. License text
Accessible without login Plain text file README.md Doc. Documentation

  Files folder image Files  /  files  
File Role Description
  Accessible without login Plain text file domains.json Data Auxiliary data
  Accessible without login Plain text file password.php Aux. Auxiliary script

  Files folder image Files  /  languages  
File Role Description
  Accessible without login Plain text file cs_CZ.php Aux. Language
  Accessible without login Plain text file da_DK.php Aux. Language
  Accessible without login Plain text file de_DE.php Aux. Language
  Accessible without login Plain text file en_GB.php Aux. Language
  Accessible without login Plain text file fa_IR.php Aux. Language
  Accessible without login Plain text file fr_FR.php Aux. Language
  Accessible without login Plain text file gr_GR.php Aux. Language
  Accessible without login Plain text file it_IT.php Aux. Language
  Accessible without login Plain text file nl_BE.php Aux. Language
  Accessible without login Plain text file nl_NL.php Aux. Language
  Accessible without login Plain text file no_NB.php Aux. Language
  Accessible without login Plain text file pt_BR.php Aux. Language
  Accessible without login Plain text file ru_RU.php Aux. Language
  Accessible without login Plain text file se_SE.php Aux. Language
  Accessible without login Plain text file vi_VN.php Aux. Language

 Version Control Unique User Downloads Download Rankings  
 100%
Total:355
This week:0
All time:6,749
This week:355Up
 User Ratings  
 
 All time
Utility:91%StarStarStarStarStar
Consistency:91%StarStarStarStarStar
Documentation:75%StarStarStarStar
Examples:-
Tests:-
Videos:-
Overall:62%StarStarStarStar
Rank:1115