Discussion on Secure Registration & Login User Management System with PHP & MySql

escomnet

escomnet supports this item

Supported

This author's response time can be up to 1 business day.

18 comments found.

good job, very nice work ! wish you lots of sales ;)

thanks Eric

Good luck with selling! :)

thanks!

Is it developed in core PHP or in a framework?

No, it does not use any framework or external js libraries. It is classic PHP and plain-old vanilla js. No jQuery, no frameworks.

Thank you for the reply. Did you use mysqli_* or PDO?

PDO

Can we have an extended license?

Yes, I’ll check with Envato about how to provide you with this. UPDATE: have added the possibility to purchase with an extended license. Thanks for your interest.

Thank you for the extended license. I will proceed with purchase very soon!

Hi, does this require TLS? or will it operate on just a standard http also?

I provide information in the comments of the script for how to use it without TLS, but obviously you don’t have the same heightened security as you would with TLS. Better to use it with TLS (and I can help you with the certificate installation if you need), but, yes, it can be used without TLS – but note, you lose some of the security.

Understood, but not every client is willing to spend on an SSL certificate, despite it being good for them. Can you outline what is specifically dropped by the lack of TLS, please?

As you probably know already, TLS (SSL) is the standard technology for keeping an internet connection secure and safeguarding any sensitive data that is being sent between two systems. It prevents criminals from reading and modifying any information transferred; in this case: the password, email and any other personal information you might add to the login form.

TLS makes sure that any data transferred between users and site remains impossible to read. It uses encryption algorithms to scramble data in transit, preventing hackers from reading it as it is sent over the connection. So, if you don’t install the TLS, someone else might be able to read or intercept the information transmitted between user and server during the login/registration process.

This script also uses SECURE javascript cookies, which only work on servers where a TLS is installed. The Secure option tells the browser (or other http clients) to only send the cookie over SSL connections. This means the cookie will not be available to any part of the site that is not secure; any part of the site not under SSL will not have access to the cookie. It also makes it much less likely that you’ll accidentally send the cookie across as cleartext.

The secure cookie also helps protect against XSS Exploits by telling the browser that it should not allow javascript to access the contents of the cookie. This is primarily a defense against cross site scripting, as it will prevent hackers from being able to retrieve and use the session through such an attack. The secure cookie is simply a fourth parameter passed to the cookie, so you can easily remove this if you don’t want to use secure cookies. You’ll still have the other three parameters that can be sent along when creating a cookie that, when used properly, will keep the cookie limited to only your application and help in part to reduce security vulnerabilities.
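As an added illustration of the cookie attributes discussed in the reply above (this is example code, not part of the escomnet script): the array form of PHP's setcookie(), available from PHP 7.3, names each attribute, so the Secure, HttpOnly and SameSite flags can be set and reviewed independently. The browser only returns a Secure cookie over HTTPS, so the example also shows what a site running without TLS is left with. request_is_https() and session_cookie_options() are hypothetical helper names, and the cookie name and lifetime are constructed values.

```php
<?php
// Added example, not part of the product. Assumes PHP 7.3+ for the
// array-style setcookie() options.

// Decide whether this request arrived over TLS (hypothetical helper).
// $server is passed in rather than read globally so it can be unit-tested.
function request_is_https(array $server): bool
{
    $httpsFlag = !empty($server['HTTPS']) && $server['HTTPS'] !== 'off';
    $tlsPort   = isset($server['SERVER_PORT']) && (int) $server['SERVER_PORT'] === 443;
    return $httpsFlag || $tlsPort;
}

// Build the attribute set for the session cookie (hypothetical helper).
function session_cookie_options(bool $https, int $lifetimeSeconds = 3600): array
{
    return [
        'expires'  => time() + $lifetimeSeconds,
        'path'     => '/',      // limit the cookie to this application
        'domain'   => '',       // current host only, no subdomains
        'secure'   => $https,   // browser sends it only over TLS when true
        'httponly' => true,     // document.cookie cannot read it (XSS defence)
        'samesite' => 'Strict', // not attached to cross-site requests
    ];
}

// Cookie name: the __Host- prefix is only honoured by browsers when the
// cookie is Secure, has path=/ and no Domain, so it is used only over TLS.
function session_cookie_name(bool $https): string
{
    return $https ? '__Host-session' : 'session';
}

$https = request_is_https($_SERVER);
$opts  = session_cookie_options($https);

if (!$https) {
    // Without TLS the Secure flag would make the browser drop the cookie,
    // so the remaining protections are HttpOnly, path and SameSite only,
    // and the token itself travels in cleartext.
    error_log('warning: session cookie is being issued over plain HTTP');
}

// Constructed token: 32 random bytes, hex-encoded.
$token = bin2hex(random_bytes(32));
setcookie(session_cookie_name($https), $token, $opts);
```

The `error_log()` line is the check a practitioner would want in place: if it ever appears in the server log on a site that is supposed to be HTTPS-only, a proxy or virtual-host configuration is terminating TLS somewhere it should not.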

Amazing =D

How much will it cost if you were to install it.

I think I have a few things missing from the download. The SSL shows up in Edge but not in Chrome. I don’t know why. But I would like you to install the program.

just a minute. I am trying to do this once again.

Yes, I tried to upload it but it said I can't, so I'd like for you to install it. No problem with the cost.

Got it, sorry for ALL the replies... Thank you.

Hi,

I am still not clear on how it is to work on my website itself. I successfully import to SQL but still unclear how to place it on the website.

We would like a customization service and also the installation service.

We would rather have it executed correctly.

Contact administartor@safetyintact.com

Hi,

This is Tammy Alo. I have been in contact with Shira, just making my due diligence to confirm she works with you.

I am about to send funds to the account she specified; she is supposed to do some customization work for our company.

Please get back to me,

Regards,

T. Alo Member Safety Intact

jkj977 (Purchased)

Hi! Can you send me an example with a password so I can load it up into MySQL?

I can't log in on this system when I set up my user in phpmysql.

The password is wrong... and I think something is wrong in my DB.

sure, can you send me your email address? Mine is s.crane@escomnet.com

Hi,

I got this working, installed on the database, and able to do confirmations via email.

This looks great.

However, I have a project to execute, and I want to pre-load 100 users. Any tips for how I could achieve this? I have a unique piece of info I can use for the password, but I'm at a bit of a loss on how the salt works; otherwise I would plaintext the email address and password in and be on my way.

Hi Michael – can you send me your email address and I’ll send you some additional information about the salt? Thanks! s.crane@escomnet.com

For quick reference, take a look at lines 199–211 and 313–316 in auth.php. You can see how the salt is formed and used during the insert query during the registration process.

If you have a list of users & plaintext passwords, you could use the lines above to write a mini-script. Cycle through your list of users applying this salt and using this query to insert into the database.

I will try to write a mini-script as you have advised to generate the salted passwords. It would be a cool feature for you to include a script that can import a CSV of email addresses plus passwords for people in this situation in the future.

Hi Shira,

We decided to utilize your script. I'll send you a comment if I run into anything.

The submit button doesn’t work? I tried to register and it doesn’t work.

Hi, I would like to see your preview, but where can I find the demo user and password?

Hi, I am trying to preload some users.

I have made the following php script which cycles through an array inserting the users in the array into the database. While this script appears to work, and I do see encrypted information in the password fields afterwards, the passwords are incorrect.

I must be doing something wrong with the salting.

Do you have any insight into why this would not work? I mostly reused your code with only the addition of the array creation and the foreach loop.

<?php
// Users to preload: email => plaintext password.
$LOGIN_INFORMATION = array(
    'fakeemail1@fake.com' => '11111', // add as many people as you want to preload into this array
    'fakeemail2@fake.com' => '22222'  // no comma on last line
);

// db section
$host = 'localhost';
$db = 'dbname';
$user = 'dbusername';
$pass = 'dbusernamepassword';
$charset = 'utf8';

// insert your site parameters
$siteURL = 'https://www.yoursite.com'; // use https!!! without trailing /
$siteEmail = 'admin@yoursite.com';
$siteName = 'yoursitename';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$opt = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES => false,
];
// Preventing SQL injection with prepared statements https://phpdelusions.net/pdo
$pdo = new PDO($dsn, $user, $pass, $opt);

// IP address (falls back to localhost when the script is run from the command line)
$ipAddress = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
    // array_pop() needs a variable, not the direct result of explode()
    $forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $ipAddress = trim(array_pop($forwarded));
}

foreach ($LOGIN_INFORMATION as $key => $val) {
    // This section cycles through the array of users you need to preload created above
    $email = $key;
    $password = $val;

    // Salted key
    $saltedKey = openssl_digest('y&gdtreIJ64355rJNmhgd%ew£(g£', 'sha512');
    // Salted password
    $password = openssl_digest($password . $saltedKey, 'sha512');
    // Crypt password
    $password = encrypt_decrypt("encrypt", $password);

    $sql = "INSERT INTO users (email, password, confirmed_account, created, created_ip, confirmation_token)
            VALUES (?, ?, ?, ?, ?, ?)";
    $confirmation_token = openssl_digest(uniqid(mt_rand(), true), 'sha512');
    $created = date('Y-m-d H:i:s', time());
    // Set confirmation to 'S': these users are already confirmed.
    $pdo->prepare($sql)->execute([$email, $password, 'S', $created, $ipAddress, $confirmation_token]);
}

function encrypt_decrypt($action, $string)
{
    $output = false;
    $encrypt_method = "AES-256-CBC";
    $secret_key = '6fgrt$sed£syhdRhgd6Rfd4Ed%$3e';
    $secret_iv = 'ds67tfgh£$ERDFdksjy3876df£dgSW';
    // hash
    $key = hash('sha256', $secret_key);
    // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
    $iv = substr(hash('sha256', $secret_iv), 0, 16);
    if ($action == 'encrypt') {
        $output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
        $output = base64_encode($output);
    } else if ($action == 'decrypt') {
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
    }
    return $output;
}
?>

I found the problem. I was not doing the sha512 that loginregistration.js was doing before submitting.

When I included that, everything worked great.

So here is my preload script to push an array of users into the database.

<?php
// Users to preload: email => plaintext password.
$LOGIN_INFORMATION = array(
    'fakeemail1@fake.com' => '11111', // add as many people as you want to preload into this array
    'fakeemail2@fake.com' => '22222'  // no comma on last line
);

// db section
$host = 'localhost';
$db = 'dbname';
$user = 'dbusername';
$pass = 'dbusernamepassword';
$charset = 'utf8';

// insert your site parameters
$siteURL = 'https://www.yoursite.com'; // use https!!! without trailing /
$siteEmail = 'admin@yoursite.com';
$siteName = 'yoursitename';

$dsn = "mysql:host=$host;dbname=$db;charset=$charset";
$opt = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    PDO::ATTR_EMULATE_PREPARES => false,
];
// Preventing SQL injection with prepared statements https://phpdelusions.net/pdo
$pdo = new PDO($dsn, $user, $pass, $opt);

// IP address (falls back to localhost when the script is run from the command line)
$ipAddress = $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1';
if (array_key_exists('HTTP_X_FORWARDED_FOR', $_SERVER)) {
    // array_pop() needs a variable, not the direct result of explode()
    $forwarded = explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']);
    $ipAddress = trim(array_pop($forwarded));
}

foreach ($LOGIN_INFORMATION as $key => $val) {
    // This section cycles through the array of users you need to preload created above
    $email = $key;
    $password = $val;

    // Same SHA-512 pre-hash that loginregistration.js applies before submitting the form
    $password = hash('sha512', $password);

    // Salted key
    $saltedKey = openssl_digest('y&gdtreIJ64355rJNmhgd%ew£(g£', 'sha512');
    // Salted password
    $password = openssl_digest($password . $saltedKey, 'sha512');
    // Crypt password
    $password = encrypt_decrypt("encrypt", $password);

    $sql = "INSERT INTO users (email, password, confirmed_account, created, created_ip, confirmation_token)
            VALUES (?, ?, ?, ?, ?, ?)";
    $confirmation_token = openssl_digest(uniqid(mt_rand(), true), 'sha512');
    $created = date('Y-m-d H:i:s', time());
    // Set confirmation to 'S': these users are already confirmed.
    $pdo->prepare($sql)->execute([$email, $password, 'S', $created, $ipAddress, $confirmation_token]);
}

function encrypt_decrypt($action, $string)
{
    $output = false;
    $encrypt_method = "AES-256-CBC";
    $secret_key = '6fgrt$sed£syhdRhgd6Rfd4Ed%$3e';
    $secret_iv = 'ds67tfgh£$ERDFdksjy3876df£dgSW';
    // hash
    $key = hash('sha256', $secret_key);
    // iv - encrypt method AES-256-CBC expects 16 bytes - else you will get a warning
    $iv = substr(hash('sha256', $secret_iv), 0, 16);
    if ($action == 'encrypt') {
        $output = openssl_encrypt($string, $encrypt_method, $key, 0, $iv);
        $output = base64_encode($output);
    } else if ($action == 'decrypt') {
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
    }
    return $output;
}
?>
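The failure described in the two posts above (a preloaded row that looks encrypted but never matches at login) can be reproduced and checked offline before touching the database. The following is an added example, not the product's auth.php: it rebuilds the storage pipeline visible in the preload script (client-side SHA-512, a static "salted key", then AES-256-CBC through encrypt_decrypt) and adds a verify function so a row can be tested against the value a browser would actually submit. The secret strings are placeholders (use the values from your own auth.php), the helper names client_prehash(), stored_password() and password_matches() are hypothetical, and the assumption that the login side decrypts the stored value before comparing is mine; the product's own comparison may differ.

```php
<?php
// Added example; reproduces the pipeline of the posted preload script so a
// preloaded row can be checked before anyone tries to log in with it.
// Placeholder secrets: substitute the values from your own auth.php.
const SALT_SECRET = 'placeholder-salt-secret';
const AES_KEY     = 'placeholder-aes-key';
const AES_IV_SEED = 'placeholder-iv-seed';

// Same shape as the encrypt_decrypt() in the posted script, with the
// placeholder secrets above.
function encrypt_decrypt(string $action, string $string)
{
    $output = false;
    $encrypt_method = 'AES-256-CBC';
    $key = hash('sha256', AES_KEY);
    $iv  = substr(hash('sha256', AES_IV_SEED), 0, 16); // CBC needs a 16-byte IV
    if ($action === 'encrypt') {
        $output = base64_encode(openssl_encrypt($string, $encrypt_method, $key, 0, $iv));
    } elseif ($action === 'decrypt') {
        $output = openssl_decrypt(base64_decode($string), $encrypt_method, $key, 0, $iv);
    }
    return $output;
}

// What loginregistration.js does to the password before the form is submitted.
function client_prehash(string $plaintext): string
{
    return hash('sha512', $plaintext);
}

// What the server stores for a submitted value: digest with the static key, then encrypt.
function stored_password(string $submitted): string
{
    $saltedKey = openssl_digest(SALT_SECRET, 'sha512');
    $digest = openssl_digest($submitted . $saltedKey, 'sha512');
    return encrypt_decrypt('encrypt', $digest);
}

// Server-side check of a submitted value against a stored row (assumed
// decrypt-then-compare; hash_equals() keeps the comparison constant-time).
function password_matches(string $submitted, string $stored): bool
{
    $saltedKey = openssl_digest(SALT_SECRET, 'sha512');
    $expected = openssl_digest($submitted . $saltedKey, 'sha512');
    $actual = encrypt_decrypt('decrypt', $stored);
    return $actual !== false && hash_equals($expected, $actual);
}

// Constructed demo: the password '11111' from the posted array.
$plaintext = '11111';
$submitted = client_prehash($plaintext);   // what the browser really sends

$rowWithoutPrehash = stored_password($plaintext); // the first (failing) preload script
$rowWithPrehash    = stored_password($submitted); // the corrected preload script

foreach (['without pre-hash' => $rowWithoutPrehash, 'with pre-hash' => $rowWithPrehash] as $label => $row) {
    $ok = password_matches($submitted, $row) ? 'matches' : 'does NOT match';
    echo "row stored $label: $ok the browser-submitted value\n";
}
```

Run with `php preload_check.php`: only the row built from the pre-hashed value matches what the browser submits, which is exactly the symptom reported above. Because the IV is derived from a fixed string, encryption is deterministic, so the stored ciphertexts could also be compared directly; decrypting first means the check still holds if the IV handling is ever changed.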

Hello, I had a question before buying this. Would it be hard to implement a different login screen than the one you have? I was planning on using one from here: http://www.premiumpixels.com/freebies/elegant-login-form-design-psd/

No, it wouldn’t be hard to use a different style for the login screen. You can refer to the style you like, changing the colors quite easily in the css.

Thanks for the reply. I plan to use this login to be able to direct each individual user to be able to download files that are associated with their account (each user has different download options). Would your other application be able to accommodate this?

Yes, after logging in, the user is redirected to a page that only he, as an authenticated user, has access to. On this page you could add links to the files the user has access to, filtering the query by his user id/email, etc.

Hello, I have a few questions about the install.

Where do I need to put the auth.php file information in MySQL? I have input the database name, username, etc. into auth.php already.

Also, what SQL file do you refer to, and where is it created/located?

I was able to answer my own previous questions :-)

Though I am not sure how to link the login screen on the website. What should the button link to?

The only item I don't put into the web file would be the SQL file, correct?

Sorry for all the messages. I was able to find the HTML for the login file; I just need clarification about not uploading the SQL file. Also, when I try to register a new user and click "register" it states "Error: Response returned with non-OK status". What could be causing this error?

Happy 4th of July btw :-)
