PHP to develop a complete, secure user login system

When you are programming with PHP, I have a habit of not liking to use ready-made library files, such as Phplib or other similar libraries, in this system, I also intend to write a library file, it needs to process authentication, confirm email, update the account (password, email) and so on.

In order to ensure the security of the system at the same time, will not aggravate my existing database burden. So the new system relies on cookies. This is really a dilemma choice, because if just set a user name of the cookie is very unsafe, this does not work, but from the burden of the database, I also can not add a simple unordered code to my database to verify.

The solution is to set two cookies at the same time, one for the username and one for the unordered code cookie. This unordered code is actually generated by a combination of user name and a super password (known only by the program designer) through the MD5 () function operation. Since MD5 () is a one-way unordered code, it cannot be cracked. When the user changes the email, I can also use the email and the super password to generate an unordered code to allow the user to confirm the modification. This is actually a public key/private key class system. Don't understand? It doesn't matter, let's explain it slowly.

Interestingly, the system's scalability is limitless, because the system's main task is to compute the value of the MD5 () function, which is done by the Web server and can be added to other servers to share the load when the load is increased, although the authentication system does not drag across a database. But in doing so, the final bottleneck can only be found on the database.

Here are two functions in the library--notation generation and token authentication functions.

<?php
$hidden _hash_var= ' Your_secret_password_here ';
$LOGGED _in=false;
unset ($LOGGED _in);
function User_isloggedin () {
Global $user _name, $id _hash, $hidden _hash_var, $LOGGED _in;
Has the file://been tested for unordered code?
file://if it is, return the variable
if (Isset ($LOGGED _in)) {
return $LOGGED _in;
}
File://are both cookies present?
if ($user _name && $id _hash) {
/*
The user name and system Super Password obtained from cookies produce an authenticated unordered code if the unordered code is the same as the unordered code in the cookie, the variable in the cookies is trustworthy and the user has logged in
*/
$hash =md5 ($user _name. $hidden _hash_var);
if ($hash = = $id _hash) {
file://unordered code fits, set a global variable so that when we call the function again,
file://do not need to perform MD5 () operations again
$LOGGED _in=true;
return true;
} else {
file://two unordered codes do not match, no login
$LOGGED _in=false;
return false;
}
} else {
$LOGGED _in=false;
return false;
}
}
function User_set_tokens ($user _name_in) {
/*
This function is called once the username and password are authenticated
*/
Global $hidden _hash_var, $user _name, $id _hash;
if (! $user _name_in) {
$feedback. = ' Error-user Name Missing when Setting tokens ';
return false;
}
$user _name=strtolower ($user _name_in);
FILE://uses username and super password to create an unordered code to determine whether it has been advertised
$id _hash= MD5 ($user _name. $hidden _hash_var);
file://set cookies are valid for one months and can be set to any value
Setcookie (' user_name ', $user _name, (Time () +2592000), '/', ', 0 ';
Setcookie (' Id_hash ', $id _hash, (Time () +2592000), '/', ', 0 ';
}
? >

Looking at another interesting piece of code, how can users safely change their email address? They can change the email address at any time, but make sure.