A complete, secure user login system

Source: Internet
Author: User
Tags: functions, hash, md5, setcookie, variable

When programming in PHP, I have a habit of avoiding ready-made library files such as PHPLib and similar packages. For this system I again intend to write my own library file; it needs to handle authentication, email confirmation, account updates (password, email) and so on.
At the same time, keeping the system secure must not add to the load on my existing database. So the new system relies on cookies. This is a genuine dilemma: a cookie holding only the user name is very unsafe, so that does not work, but because of the database load I also cannot simply store a random code in my database and verify against it on every request.

The solution is to set two cookies at the same time: one holding the user name and one holding a hash. This hash is generated by running the user name together with a super password (known only to the program's designer) through the md5() function. Since md5() is a one-way hash, the hash cannot be reversed to recover the super password. When the user changes their email, I can likewise combine the new email with the super password to produce a hash that the user must present to confirm the change. This is in effect a system of the public-key/private-key kind. Don't follow? No matter, we will go through it slowly.

Interestingly, the system scales without limit, because its main task is computing md5() values, which is done by the web server; when load increases, more servers can be added to share it, since the authentication system never touches the database. Done this way, the only remaining bottleneck is the database itself.

Here are two functions from the library: the token-generation function and the token-authentication function.

<?php

$hidden_hash_var = 'your_secret_password_here';

$LOGGED_IN = false;
unset($LOGGED_IN);

function user_isloggedin() {
    global $user_name, $id_hash, $hidden_hash_var, $LOGGED_IN;

    // Has the hash already been checked? If so, return the cached result
    if (isset($LOGGED_IN)) {
        return $LOGGED_IN;
    }

    // Are both cookies present?
    if ($user_name && $id_hash) {
        /*
          Generate an authentication hash from the user name taken from the cookie
          and the system super password. If it matches the hash in the cookie, the
          cookie contents are trustworthy and the user is logged in.
        */
        $hash = md5($user_name . $hidden_hash_var);

        if ($hash == $id_hash) {
            // Hashes match: set a global so that later calls to this function
            // do not need to run md5() again
            $LOGGED_IN = true;
            return true;
        } else {
            // Hashes do not match: not logged in
            $LOGGED_IN = false;
            return false;
        }
    } else {
        $LOGGED_IN = false;
        return false;
    }
}

function user_set_tokens($user_name_in) {
    /*
      Called once the user name and password have been authenticated
    */
    global $feedback, $hidden_hash_var, $user_name, $id_hash;

    if (!$user_name_in) {
        $feedback .= ' ERROR - User Name Missing When Setting Tokens ';
        return false;
    }

    $user_name = strtolower($user_name_in);

    // Create the hash from the user name and the super password; it is
    // what later decides whether the user is logged in
    $id_hash = md5($user_name . $hidden_hash_var);

    // Cookies are set to be valid for one month; any lifetime can be used
    setcookie('user_name', $user_name, (time() + 2592000), '/', '', 0);
    setcookie('id_hash', $id_hash, (time() + 2592000), '/', '', 0);

    return true;
}

?>

Here is another interesting piece of code: how can users safely change their email address? They can change the address at any time, but it has to be done securely.

<?php

function user_change_email($password1, $new_email, $user_name) {
    global $feedback, $hidden_hash_var;

    if (validate_email($new_email)) {
        $hash = md5($new_email . $hidden_hash_var);

        // Store the confirmation hash in the database, but do not change the
        // email yet; send a confirmation email carrying the new authentication hash
        $user_name = strtolower($user_name);
        $password1 = strtolower($password1);

        // Note: values are interpolated straight into the SQL string; a real
        // deployment must escape them or use prepared statements
        $sql = "UPDATE user SET confirm_hash='$hash' WHERE user_name='$user_name' AND password='" . md5($password1) . "'";
        $result = db_query($sql);

        if (!$result || db_affected_rows($result) < 1) {
            $feedback .= ' ERROR - Incorrect User Name Or Password ';
            return false;
        } else {
            $feedback .= ' Confirmation Sent ';
            user_send_confirm_email($new_email, $hash);
            return true;
        }
    } else {
        $feedback .= ' New Email Address Appears Invalid ';
        return false;
    }
}

function user_confirm($hash, $email) {
    /*
      When the user clicks the link in the confirmation email, the confirmation
      page calls this function
    */
    global $feedback, $hidden_hash_var;

    // Verify that the email address in the link was not tampered with
    $new_hash = md5($email . $hidden_hash_var);

    if ($new_hash && ($new_hash == $hash)) {
        // Look up the record in the database
        $sql = "SELECT * FROM user WHERE confirm_hash='$hash'";
        $result = db_query($sql);

        if (!$result || db_numrows($result) < 1) {
            $feedback .= ' ERROR - Hash Not Found ';
            return false;
        } else {
            // Confirm the email and mark the account as activated
            $feedback .= ' User Account Updated - You Are Now Logged In ';
            user_set_tokens(db_result($result, 0, 'user_name'));

            $sql = "UPDATE user SET email='$email', is_confirmed='1' WHERE confirm_hash='$hash'";
            $result = db_query($sql);
            return true;
        }
    } else {
        $feedback .= ' HASH INVALID - UPDATE FAILED ';
        return false;
    }
}

function user_send_confirm_email($email, $hash) {
    /*
      Used when registering for the first time or when changing an email address
    */
    $message = "Thank you for registering at company.com" .
        "\nSimply follow this link to confirm your registration:" .
        "\n\nhttp://www.company.com/account/confirm.php?hash=$hash&email=" . urlencode($email) .
        "\n\nOnce you confirm, you can use the services on PHPBuilder.";

    mail($email, 'Registration Confirmation', $message, 'From: noreply@company.com');
}

?>
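Both listings build their tokens the same way, as md5(value . secret) checked with a plain == comparison, and neither token ever expires. The following is an added example, not code from the article or from PHPBuilder, that keeps the article's property of needing no database lookup per request but hardens the construction: an HMAC instead of a bare MD5 concatenation, an embedded expiry, a purpose label so a confirmation code cannot be replayed as a login cookie, and a constant-time comparison. The names make_token, verify_token and user_set_tokens_hardened, the constructed secret, and the PHP 7.3+ array form of setcookie() are assumptions of this example.

```php
<?php
// Added example (not from the original article). The secret is assumed to be
// loaded from configuration rather than written into the source file.

const TOKEN_TTL = 2592000; // one month, the same lifetime the article uses

function make_token(string $purpose, string $subject, string $secret, int $expires): string {
    // Bind the token to its purpose ("login" or "confirm"), to the subject
    // (user name or email address) and to an expiry time, all covered by the MAC
    $payload = $purpose . '|' . strtolower($subject) . '|' . $expires;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $expires . '.' . $mac;
}

function verify_token(string $purpose, string $subject, string $secret, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    $expires = (int) $parts[0];
    if ($expires < $now) {
        return false; // expired token
    }
    // Recompute and compare in constant time; a plain == comparison leaks
    // timing information about how many leading characters matched
    $expected = make_token($purpose, $subject, $secret, $expires);
    return hash_equals($expected, $token);
}

function user_set_tokens_hardened(string $user_name, string $secret): void {
    $expires = time() + TOKEN_TTL;
    // Secure + HttpOnly + SameSite keep the cookie off plaintext HTTP, away
    // from scripts, and out of cross-site requests
    $opts = ['expires' => $expires, 'path' => '/', 'secure' => true,
             'httponly' => true, 'samesite' => 'Lax'];
    setcookie('user_name', strtolower($user_name), $opts);
    setcookie('id_hash', make_token('login', $user_name, $secret, $expires), $opts);
}

// Worked check with a constructed secret and a fixed clock value
$secret = 'constructed-secret-for-illustration-only';
$issued = 1700000000;
$login = make_token('login', 'Alice', $secret, $issued + TOKEN_TTL);
var_dump(verify_token('login', 'alice', $secret, $login, $issued));                 // same user, in lifetime
var_dump(verify_token('confirm', 'alice', $secret, $login, $issued));               // login token used as confirmation code
var_dump(verify_token('login', 'alice', $secret, $login, $issued + TOKEN_TTL + 1)); // one second past expiry
// A confirmation link would carry make_token('confirm', $new_email, $secret, $expires)
// and be checked with verify_token('confirm', $email, ...) before the email is updated.
```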

Comment: Perhaps we would no longer use this method for user authentication, relying on sessions and the like instead, but the way this article handles hashing and confirmation is still instructive.


