xisto Community
Kushika

How Do You Create A Secure Login? with PHP and mySQL

Recommended Posts

I've read a few articles, and looked up the code of certain files, and some of them seem to work differently. I'm trying to create a login script, which would require PHP and mySQL to run; however, I'm not quite sure how to approach it since I'm only just learning PHP. I'd like to know, what is the most secure and effective login? I've heard you can add a salt to encrypted passwords, etc., as well as using sessions (sid). I'd just like to know what methods are best for creating a secure login script. Thank you for reading this.


So what are you trying to do? Is it a membership login, securing pages, etc?

What usually happens is people build web applications which they believe are secure, someone comes along and breaks it and then they fix those problems. There's really no 100% safe way, it's always a trial and error experience. Large companies don't rely on just those technologies and sometimes have 3rd party software involved as well.

If you have code snippets that you think would be good, you should post those; that way I could help with sifting through what I would consider safe.

The basics is you've got a Username field, a Password field and a login button. All data entered by the user must be checked. Never match user with password, just grab the user's row and then compare the password from the results; if the user doesn't exist you'd know because the database couldn't return the results, and if the password doesn't match the results returned from the database, it will also be incorrect.

Make sure you use either crypt() or md5() (heard md5 has collision problems, which doesn't mean it's that insecure, it just means multiple passwords could equal the same hash) to encrypt the password, and if possible, you should have it connect over a Secure Connection.

Always have a counter to count the times someone attempts to connect to that login multiple times; after 3 or more, present them with another login form which requires the visual representation of letters/numbers to be inserted, as well as a means to reset their password if they have forgotten it.

Sessions should be given to every user who connects to your site, even if they have not signed in; this is to help you monitor them.

Do not give back too much information about what went wrong, e.g. if the username was incorrect, say either the username or password were incorrect (basically make it out that both were incorrect).

Using a salt for a password is basically for randomly generating a password; it's probably best to use this and send this type of password to the user's email before allowing them to create and change their password. This way, you also verify their email address and can also send them changes/updates etc. Also try to make sure they use strong passwords and not weak ones.

There's tonnes more that would need to be talked about, even the security of your database and files etc, basically trying to make sure there's no weak links, since you might have the most secure login page in the world, yet your database security let you down and exposed everything, etc.

Cheers,
MC

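An added example, not code posted in this thread, of the flow MC describes, written in PHP with PDO: it grabs the row by username only, compares the password in PHP, keeps the failed-attempt counter for the CAPTCHA/reset step, and returns one generic message whichever field was wrong. It swaps in PHP's password_hash()/password_verify() (built on crypt(), with a random salt embedded in the stored hash) for md5(); the users table columns, the connection details and the redirect path are assumptions.

```php
<?php
// Added example, not from the thread. Assumed table:
// users(id, username, password_hash, failed_attempts).
session_start();

// Pre-hashed dummy so a missing user costs the same time as a wrong password.
define('DUMMY_HASH', password_hash('not-a-real-password', PASSWORD_DEFAULT));

function registerUser(PDO $db, string $username, string $password): void
{
    // password_hash() generates the salt and stores it inside the hash string.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash, failed_attempts) VALUES (?, ?, 0)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Returns 'ok', 'fail', or 'locked' (3+ failures: show the CAPTCHA/reset form).
function attemptLogin(PDO $db, string $username, string $password): string
{
    // Fetch by username only; the password is compared in PHP, not in SQL.
    $stmt = $db->prepare('SELECT id, password_hash, failed_attempts FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row && $row['failed_attempts'] >= 3) {
        return 'locked';
    }
    // Always run the verify, even when no row came back.
    $ok = password_verify($password, $row ? $row['password_hash'] : DUMMY_HASH);
    if (!$row || !$ok) {
        if ($row) {
            $db->prepare('UPDATE users SET failed_attempts = failed_attempts + 1 WHERE id = ?')
               ->execute([$row['id']]);
        }
        return 'fail';
    }

    $db->prepare('UPDATE users SET failed_attempts = 0 WHERE id = ?')->execute([$row['id']]);
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['user_id'] = (int) $row['id'];
    return 'ok';
}

// Assumed connection details; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$result = attemptLogin($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($result === 'ok') {
    header('Location: /members.php');
} else {
    // Same wording whether the username or the password was wrong.
    echo $result === 'locked' ? 'Too many attempts; complete the CAPTCHA or reset your password.' : 'Username or password incorrect.';
}
```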

I won't repeat everything once more; just see my answer a bit below your topic.


I made a login script for my website that has a sha1 encrypted password stored in the database and cross-checks that with the password the user supplied. It stores the user's name, id, clearance and username in cookies for ease of use around my website instead of connecting to the database every time, and doesn't store information such as password and email in cookies, but I am just wondering how secure that is. I would have used sessions but they don't like me.

It isn't that much finished, but upon registration an email is sent to their email address requiring them to confirm their account before login, and the confirmation page requires username, password and email address before they are allowed to log in.

Half of my features aren't finished but I know how I am going to do them, such as the following:
- Resend confirmation email
- Forgot my password
- Change settings and profile
- Automatically delete any unconfirmed users that have been registered for 72 hours (ample time to confirm the account or to send out the confirmation email again)

If anybody would like a copy of the completed script or would like to help in any way, PM me.


Use the mcrypt function (not built into PHP as standard): MCrypt FTP Site
or mhash: MHash Download Site
You can encrypt and decrypt strings using both extensions to PHP.

If you can't install either, you can encrypt strings using the following code

<?php
$str = "Hello, I am going to be encrypted";
$enc_str = md5($str); // md5() returns the 32-character hex digest of the string
echo $str . "<br />" . $enc_str;
?>

