Nick DeMayo

Reputation: 1086

PHP Username Password Solution

I am working on my first PHP based website, and I was wondering what solutions were out there for a username/password system? I have tried using a .htaccess file for basic security, and while it works, I want something a little easier for a layman to administer. Are there any other solutions out there that I could try? I don't have a database server available, so it would have to support flat file databases...thanks!

Edit I have determined that I do have SQLite support, so I do have a database option available. Also, I feel I should mention a little further some requirements that I have. I originally looked to using .htaccess to protect my website, since I need security over the entire directory. Most of the files I am trying to protect are .pdf and .doc...any solution would have to allow me to secure those files as well as any web pages in the directory.

If I could find a good solution to more or less "skin" the .htaccess method of locking a directory, so that I could do things like have an actual login/register page, etc. then I would just stick to the .htaccess method. I would however like something that is more manageable, I just need the directory security.

Upvotes: 4

Views: 1865

Answers (6)

Joe

Reputation: 5639

According to this page from the Apache website:

In general, you should never use .htaccess files unless you don't have access to the main server configuration file. There is, for example, a prevailing misconception that user authentication should always be done in .htaccess files. This is simply not the case. You can put user authentication configurations in the main server configuration, and this is, in fact, the preferred way to do things.

It's easy to see why this is so, too. It's far preferable to have centralized control, rather than digging through EVERY SINGLE DIRECTORY when debugging a faulty configuration.

I urge you to transfer your .htaccess file config to your main configuration file ASAP, for your own good!

Upvotes: -3

karim79

Reputation: 342635

Have a look at Zend_Auth. It's open source, so you can sniff around to get a feel for how an authentication module should (or could) be implemented. From the doc:

Zend_Auth is concerned only with authentication and not with authorization. Authentication is loosely defined as determining whether an entity actually is what it purports to be (i.e., identification), based on some set of credentials.

Upvotes: 2

MitMaro

Reputation: 5927

Check if you have support for sqlite, it doesn't require a server so it might work for you.

And don't forget to hash your passwords. ;)

To check, create a file (e.g. php_info.php) and add:

<?php
     phpinfo();

Then upload the file to your host, load it in your browser (example.com/php_info.php) and do a search for sqlite.

You should see several references to sqlite in the page that shows if you have support. The line with "SQLite Library" will tell you the version of sqlite you have (if you have it).

Also, once you are done, you should delete the php_info.php file from your site, since it does give some information on your setup which can be helpful to crackers.

Upvotes: 1
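Rather than reading phpinfo() by eye, the same check can be done from PHP itself, and once SQLite is confirmed the user table can live there instead of a text file. The following is an added example, not code from MitMaro's answer; it assumes PHP 5.5 or later (for password_hash()) with the pdo_sqlite extension, and the file name users.sqlite is an arbitrary choice.

```php
<?php
// Added example: detect SQLite support at runtime, then keep users in a small
// SQLite table with one randomly salted hash per user (password_hash/password_verify).

function sqliteAvailable()
{
    // PDO's sqlite driver is what we use below; both checks must pass.
    return extension_loaded('pdo_sqlite')
        && in_array('sqlite', PDO::getAvailableDrivers(), true);
}

function openUserDb($path)
{
    $db = new PDO('sqlite:' . $path);
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // PRIMARY KEY on username makes a duplicate registration fail loudly
    // instead of silently adding a second row.
    $db->exec('CREATE TABLE IF NOT EXISTS users (
                   username      TEXT PRIMARY KEY,
                   password_hash TEXT NOT NULL
               )');
    return $db;
}

function registerUser(PDO $db, $username, $password)
{
    // password_hash() picks a random salt for every user and stores it inside the
    // hash string, so there is no shared secret salt to hard-code in the source.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    try {
        $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
    } catch (PDOException $e) {
        return false; // username already taken (primary key violation)
    }
    return true;
}

function checkLogin(PDO $db, $username, $password)
{
    // Prepared statement: the username is bound as data, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();
    // password_verify() compares in constant time; an unknown user and a wrong
    // password both simply return false.
    return $hash !== false && password_verify($password, $hash);
}

// Usage:
if (!sqliteAvailable()) {
    exit("No SQLite (pdo_sqlite) support in this PHP build\n");
}
$db = openUserDb(__DIR__ . '/users.sqlite');
registerUser($db, 'alice', 'correct horse battery staple');
var_dump(checkLogin($db, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($db, 'alice', 'wrong password'));
```

The database file should sit outside the web root (or be denied by the web server), since SQLite is just a file and would otherwise be downloadable like any .pdf in the directory.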

UnkwnTech

Reputation: 90871

I wrote up this code quickly; it is syntactically correct but I have not tested it.
There are two things I did not do here: first, I did not provide a function to remove a user, and second, I did not provide a function to change a user's password; these you'll have to write yourself.
However, this should provide a good place to start.

These functions will store your usernames/passwords in a file called passwords in the following format:

username0:password0
username1:password1
username2:password2
...


<?php
function authenticate($username, $password)
{
    //ALWAYS use a salt to secure the hashing of your passwords, this can be any value of any
    //length, the longer and the more characters the better
    //I like to use a "perfect password" from Steve Gibson's https://www.grc.com/passwords.htm
    //This must be exactly the same as the salt in the addUser() function
    $salt = 'voDeaFWckErOPPGwiapYBwEoc4O2d1M60m2QsYc7A15PUshrLamoVioG1wUmEgF';

    //First we need to get the contents of the file that has the usernames/passwords in it.
    //we don't want to use fopen() or we may end up with a locked file error if another access is
    //attempted before we've closed it.

    //this line will get the contents of the file named passwords and store it in the $fh variable
    $fh = file_get_contents('passwords');
    if ($fh === false)
    {
        //No password file yet, so nobody can log in
        return false;
    }

    //Now lets take the file and split it into an array where each line is a new element in the array.
    //(explode() is used here: the old split() function was deprecated in PHP 5.3 and removed in PHP 7)
    $fh = explode("\n", $fh);

    //Now lets loop over the entire array splitting each row into its username/password pair
    foreach($fh as $r)
    {
        //Every time this loop runs $r will be populated with a new row

        //Skip blank lines, e.g. the one produced by the trailing newline at the end of the file
        $r = rtrim($r, "\r");
        if ($r === '')
        {
            continue;
        }

        //Lets split the line into its username/password pair
        $p = explode(':', $r, 2);
        if (count($p) !== 2)
        {
            continue;
        }

        //Since we don't need all the usernames/password to be in memory lets stop when we find the one we need
        //(strict comparison for the username and hash_equals() for the hash, so PHP's loose
        //string-to-number comparison can never make two different hashes compare equal)
        if($p[0] === $username && hash_equals($p[1], sha1($salt . $password)))
        {
            //We've found the correct user so lets stop looping and return true
            return true;
        }
    }
    //If we've reached this point in the code then we did not find the user with the correct password in the 'database'
    //so we'll just return false
    return false;
}
function addUser($username, $password)
{
    //ALWAYS use a salt to secure the hashing of your passwords, this can be any value of any
    //length, the longer and the more characters the better
    //I like to use a "perfect password" from Steve Gibson's https://www.grc.com/passwords.htm
    //This must be exactly the same as the salt in the authenticate() function
    $salt = 'voDeaFWckErOPPGwiapYBwEoc4O2d1M60m2QsYc7A15PUshrLamoVioG1wUmEgF';

    //We need to parse out some particularly bad characters from the user name such as : which is used to separate the username and password
    //and \r and \n which are the new line characters which separate our lines
    $username = preg_replace('/\r|\n|\:/', '', $username);

    //Now lets hash our password with the salt added
    $password = sha1($salt . $password);

    //Lets build the new line that is going to be added
    $line = $username . ':' . $password . "\n";

    //Lets open the file in append mode so that the pointer will be placed at the end of the file
    $fh = fopen('passwords', 'a');
    if ($fh === false)
    {
        return false;
    }

    //Write the new entry to the file
    $written = fwrite($fh, $line);

    //Close the file
    fclose($fh);

    //Typically one would write a bunch of error handling code on the above statements and if something
    //goes wrong then return false but if you make it this far in the code then return true
    return $written !== false;
}

Upvotes: 2
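The answer above shares one hard-coded salt between every user, strips dangerous characters from the username instead of rejecting them, and appends without a lock, so two simultaneous registrations can interleave. The block below is an added example, not UnkwnTech's code, that keeps the same passwords flat file (one username:hash record per line) but uses password_hash() for a random per-user salt and flock()-based locking; it assumes PHP 5.5 or later and a file the web server can write, and the PASSWORD_FILE path is an arbitrary choice.

```php
<?php
// Added example: flat-file user store with per-user salted hashes and file locking.

define('PASSWORD_FILE', __DIR__ . '/passwords');

// Usernames must not contain the ':' separator or line breaks, otherwise a crafted
// name could forge or corrupt another record. Reject such names instead of stripping.
function validUsername($username)
{
    return is_string($username) && preg_match('/^[A-Za-z0-9_.@-]{1,64}$/', $username) === 1;
}

function addUser($username, $password)
{
    if (!validUsername($username)) {
        return false;
    }
    // password_hash() generates a random salt per user and embeds it in the result,
    // so nothing secret has to be shared between addUser() and authenticate().
    $line = $username . ':' . password_hash($password, PASSWORD_DEFAULT) . "\n";
    // FILE_APPEND | LOCK_EX: concurrent registrations cannot interleave their writes.
    return file_put_contents(PASSWORD_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

function authenticate($username, $password)
{
    if (!validUsername($username) || !is_file(PASSWORD_FILE)) {
        return false;
    }
    $fp = fopen(PASSWORD_FILE, 'r');
    if ($fp === false) {
        return false;
    }
    // Shared lock: readers do not block each other, but wait for an in-progress append.
    flock($fp, LOCK_SH);
    $result = false;
    while (($row = fgets($fp)) !== false) {
        $row = rtrim($row, "\r\n");
        if ($row === '') {
            continue;
        }
        // Split into at most 2 parts so a ':' inside the stored hash could never break parsing.
        $parts = explode(':', $row, 2);
        if (count($parts) === 2 && $parts[0] === $username) {
            // password_verify() reads salt and cost out of the stored hash and compares in constant time.
            $result = password_verify($password, $parts[1]);
            break; // first record for a username wins; later duplicates are ignored
        }
    }
    flock($fp, LOCK_UN);
    fclose($fp);
    return $result;
}

// Usage:
addUser('alice', 'correct horse battery staple');
var_dump(authenticate('alice', 'correct horse battery staple'));
var_dump(authenticate('alice', 'wrong password'));
var_dump(authenticate("alice\nbob", 'anything'));   // rejected by validUsername()
```

Like the original, this leaves out user removal and password changes, and it does not stop a second registration of an existing name (the first record is the one that authenticates). The passwords file must not be reachable over HTTP, or the hashes become downloadable along with the documents the directory is meant to protect.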

Marc Towler

Reputation: 705

Have you seen if you have SQLite available? It is PHP's built-in database. If not, you could just use read/write to a file. Hope this helps a bit.

Upvotes: 0

James Skidmore

Reputation: 50298

Sure, there are plenty of flat file database PHP security systems available. Doing a quick Google search will pull up many results. Here is a tutorial:

http://www.devshed.com/c/a/PHP/Private-Pages-with-PHP-and-Text-Files/

Upvotes: 1
