This is the development branch of php-login, currently under heavy action for the upcoming 2.1 version. 2.1 will be a much improved version of 2.0 with lots of architecture changes, refactorings, etc. "php-login" will also be renamed to HUGE (in combination with TINY, MINI and MINI2).
THIS MIGHT BE BROKEN, as it's just a snapshot of current development. Please keep that in mind. For a stable version use the 2.0 version.
This script is part of the PHP Login Project, a collection of four similar login scripts for different use-cases. This script here is the MVC framework version. Find the official portal page of the project here: php-login.net. Follow the project on Twitter and Facebook, and have a look at the official support blog Dev Metal. Ask questions in the Official Support Forum.
- Change the VirtualHost file from DocumentRoot /var/www/html to DocumentRoot /var/www/html/public and from <Directory "/var/www/html"> to <Directory "/var/www/html/public">. Don't forget to restart. https://www.dev-metal.com/enable-mod_rewrite-ubuntu-14-04-lts/
- built with the official PHP password hashing functions, fitting the most modern password hashing/salting web standards
- users can register, login, logout (with username, email, password)
- users can register and login via Facebook (official Facebook PHP SDK used)
- [planned: users can register/login via Twitter, Google+, etc.]
- password-forget/reset
- remember-me (login via cookie)
- account verification via mail
- captcha
- failed-login-throttling
- user profiles
- account upgrade/downgrade
- supports local avatars and remote Gravatars
- supports native mail and SMTP sending (via PHPMailer)
- comes with a super-sexy Model-View-Controller (MVC) barebone-application structure
- uses PDO for database access
- uses URL rewriting ("beautiful URLs")
- file- and folder protection via .htaccess
- uses Composer to load external dependencies (PHPMailer, Facebook SDK, Captcha-Generator, etc.)
- can be installed via Composer
- fits PSR-1/2 coding guidelines
- fully commented
- is actively developed, maintained and bug-fixed
- has detailed tutorials
- [planned: ready-to-go PuPHPet files and Vagrant boxes]
One File Version [https://github.com/panique/php-login-one-file]
Full login script in one file. Uses a one-file SQLite database (no MySQL needed) and PDO. Features: Register, login, logout.
Minimal Version [https://github.com/panique/php-login-minimal]
All the basic functions in a clean file structure, uses MySQL and mysqli. Register, login, logout.
Advanced Version [https://github.com/panique/php-login-advanced]
Same as minimal (uses MySQL and PDO), but with many more features: Register, login, logout, email verification, password reset, edit user data, gravatars, captchas, remember me / stay logged in cookies, "remember me" supports parallel login from multiple devices, login with email, i18n/internationalization, mail sending via PHPMailer (SMTP or PHP's mail() function/linux sendmail).
TODO
- professional file/folder structure
- Composer
- Facebook login/registration
- mostly implemented the "always return something" rule, with default return
- if/else nesting as flat as possible
- implemented dependency injected database connection (we open just one connection, use it for all models)
- multiple models allowed per controller
- everything is "as manual as possible"
- massive refactoring
See a live demonstration or see the server's phpinfo().
Make sure you know the basics of object-oriented programming and MVC, are able to use the command line and have used Composer before. This script is not for beginners.
- PHP 5.5+
- MySQL 5 database (better use versions 5.5+ as very old versions have a PDO injection bug)
- installed PHP extensions: pdo, gd, openssl (the tutorial shows how)
- installed tools on your server: git, curl, composer (the tutorial shows how)
- for professional mail sending: an SMTP account (I use SMTP2GO)
- activated mod_rewrite on your server (the tutorial shows how)
Licensed under MIT. Totally free for private or commercial projects.
Please commit only in develop branch. The master branch will always contain the stable version.
If you think this script is useful and saves you a lot of work, then think about supporting the project:
- Rent your next server at DigitalOcean.
- Donate via PayPal or GitTip
- Contribute to this project.
Due to the possible consequences when publishing a bug on a public open-source project I'd kindly ask you to send really big bugs to my email address rather than posting them here. If the bug is not interesting for attackers: Feel free to create a normal GitHub issue.
See active issues and requested features here: https://github.com/panique/php-login/issues?state=open
See the milestone tracking of 2.0 and the upcoming 3.0 (early 2015) here: https://github.com/panique/php-login/issues/milestones
- How to install php-login on Ubuntu 12.04 LTS
- How to install php-login on Ubuntu 14.04 LTS
- How to install php-login on Windows 7 / 8 (for development)
This installation guideline uses Ubuntu 12.04 LTS, as it is the standard and by far the most long-term supported mainstream server OS (supported until 2017). For more, see the Wikipedia page of Ubuntu versions.
When developing in a Vagrant box: please note that it's quite difficult to identify a Vagrant box to Facebook's App API, so currently there's no guideline on how to use the Facebook login-feature when using a LOCAL Vagrant box. For more, see this StackOverflow question.
- install Apache, MySQL, PHP and eventually PHPMyAdmin: How to setup a LAMP stack on Ubuntu 12.04
- install mod_rewrite and activate it: How to enable mod_rewrite in Ubuntu 12.04 LTS
- install Composer: How to install Composer on Ubuntu
- install GD (for the Captcha), then restart Apache:
  sudo apt-get install php5-gd
  sudo service apache2 restart
- install OpenSSL (to send mails), then restart Apache:
  sudo apt-get install openssl
  sudo service apache2 restart
- remove all files from /var/www (should only be Apache's index.html and your phpinfo()-containing .php right now), otherwise things will get messy and git won't download the repo into a non-empty folder:
  rm -r /var/www/*
- copy the contents of the extracted php-login repository into /var/www! In this tutorial we don't use a sub-folder, so your index.php should go into /var/www! The best way to do this is cloning via git:
  git clone https://github.com/panique/php-login.git /var/www
  or by creating the project via Composer:
  composer create-project panique/php-login /var/www dev-master
- Make the repo's folder public/avatars writable and check its rights:
  chmod 775 /var/www/public/avatars
  stat /var/www/public/avatars
- Run the three SQL statements in the application/_installation/sql_statements folder (the installation folder has an underscore in front of its name, but GitHub doesn't show this due to a bug in its README-parser), via PHPMyAdmin (look at the files directly on https://github.com/panique/php-login/) or do it via mysql command-line
In application/config/config.php:
- enter your database credentials in DB_USER, DB_PASS etc.
- enter your project URL into URL, don't forget the trailing slash!
- edit COOKIE_DOMAIN to the above URL
- in the SMTP block, set EMAIL_USE_SMTP to true and put in your SMTP provider credentials (I use SMTP2GO). Please remember: You cannot simply send emails with PHP's mail() function, this does not really work due to a lot of reasons. For development it could make sense to set PHPMAILER_DEBUG_MODE to 2 as this will echo out errors and notices when sending mails.
- OPTIONAL for development (better leave it like it is!), but necessary for production environments: Change the text, reply-mail-address etc. of the EMAIL_PASSWORD_RESET_SUBJECT etc.
In .htaccess:
- Change the RewriteBase: when using the script within a sub-folder, put this path here, like /mysubfolder/ ! If your app is in the root of your web folder, then delete this line or comment it out.
- go into the base folder of your application (where composer.json is) and do composer install on the command line:
  cd /var/www
  composer install
Voila! Your app should now run fine.
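A post-install check for the steps above, added here as an example and not part of php-login: it verifies the mode of public/avatars, that composer install has been run, and that URL ends with a slash. It assumes GNU stat (as on Ubuntu) and that config.php sets its constants as define('NAME', 'value'); the function names check_install and config_value are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not part of php-login. Assumptions: GNU stat, and a
# config.php that sets constants in the form define('NAME', 'value');

# Print the value of a define()'d constant from a PHP config file.
config_value() {  # usage: config_value FILE NAME
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Return 0 when every check passes; print one line per failed check.
check_install() {  # usage: check_install APP_ROOT
    local root="$1" fail=0 mode url
    local cfg="$root/application/config/config.php"

    # Step "chmod 775 public/avatars": writable by owner and group only.
    if [ ! -d "$root/public/avatars" ]; then
        echo "FAIL: public/avatars is missing"; fail=1
    else
        mode=$(stat -c '%a' "$root/public/avatars")
        [ "$mode" = "775" ] || { echo "FAIL: public/avatars has mode $mode, expected 775"; fail=1; }
    fi

    # Step "composer install": Composer's default output directory is vendor/.
    [ -f "$root/composer.json" ] && [ -d "$root/vendor" ] \
        || { echo "FAIL: composer install has not been run in $root"; fail=1; }

    # Step "enter your project URL into URL, don't forget the trailing slash".
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg is missing"; fail=1
    else
        url=$(config_value "$cfg" URL)
        case $url in
            */) ;;
            *)  echo "FAIL: URL '$url' has no trailing slash"; fail=1 ;;
        esac
    fi
    return $fail
}
```

Source the file and run check_install /var/www after finishing the installation; it prints nothing and returns 0 when all three checks pass.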
Note: Facebook changes the look, the UI and the way the Facebook App pages work permanently. But you'll find out what's meant. Go to https://developers.facebook.com/apps/ and create a new app. Go to "preferences" or whatever it is called, enter your email address, leave "App Domain" empty, click on "Add platform" and put your URL in "Site URL" (completely with "https://www."), save. For local development "localhost" works. Things like "127.0.0.1" don't seem to work. In earlier versions of Facebook's App API you needed to set "sandbox mode" to "deactivated", now... well... I don't know, they have removed the button but the app still says "in development mode".
Set FACEBOOK_LOGIN in application/config/config.php to true and put your Facebook app id and the secret token in FACEBOOK_LOGIN_APP_ID and FACEBOOK_LOGIN_APP_SECRET.
You should see the Facebook login / register buttons on the login / register page of your php-login app now.
- How to use PDO
- A short guideline on how to use the PHP 5.5 password hashing functions and its PHP 5.3 & 5.4 implementations
- How to setup latest version of PHP 5.5 on Ubuntu 12.04 LTS
- How to setup latest version of PHP 5.5 on Debian Wheezy 7.0/7.1 (and how to fix the GPG key error)
- Notes on password & hashing salting in upcoming PHP versions (PHP 5.5.x & 5.6 etc.)
- Some basic "benchmarks" of all PHP hash/salt algorithms
- How to prevent PHP sessions being shared between different apache vhosts / different applications
You can find more in the project's github wiki.
Then have a look into the partner project PHP-MVC on https://www.php-mvc.net and https://github.com/panique/php-mvc. A super-reduced and naked bare-bone application.
https://github.com/facebook/facebook-php-sdk
https://developers.facebook.com/docs/php/gettingstarted/
PHPMailer https://packagist.org/packages/phpmailer/phpmailer
PHP password compatibility library https://packagist.org/packages/ircmaxell/password-compat
Facebook SDK https://packagist.org/packages/facebook/php-sdk
Gregwar's Captcha https://packagist.org/packages/gregwar/captcha
Kint (a better var_dump) https://packagist.org/packages/raveren/kint
This project is kindly powered by PHPStorm. A big "Thank You!" to IntelliJ for giving php-login free licenses of this wonderful IDE.
I'm available for freelance work, mainly PHP and frontend. Remote worldwide or locally around Central Europe. Please send a mail if you like, you can find out my email address easily.