Let Them Log In!
So now that we have a fully functional user registration system, we need a way for those users to authenticate themselves. We will now create a simple login script that takes the submitted form data, checks it against the users table and starts an authenticated session if a match is found.
File: login.php
<?php
require_once('common.inc.php');
// check if user is already authenticated
if (AUTH) {
    header('Location: account.php');
    exit; // stop the script once the redirect header is sent
}
// initialize containers
$post = array();
$errors = array();
// check for submission
if (isset($_POST['submit'])) {
    // get post data
    $post = $_POST;
    // sanitize post data
    foreach ($post as $k => $v) {
        $post[$k] = escape_data($v);
    }
    // check for blank fields (also covers a form posted without the field at all)
    if (!isset($post['username']) || strlen(trim($post['username'])) == 0) {
        $errors['username'] = 'Username Required';
    }
    if (!isset($post['password']) || strlen($post['password']) == 0) {
        $errors['password'] = 'Password Required';
    }
    // Other code
After including our common file we check whether the AUTH constant is set to true, which signifies that the user is already logged in, and if so redirect them away from the login page. We then initialize some containers, check whether the form has been submitted, sanitize the form values and check them for blank fields.
File: login.php (cont.)
    // Other code
    // check for errors
    if (count($errors) == 0) {
        // get redirect address from session if it exists
        if (isset($_SESSION['REQUESTED'])) {
            $uri = $_SESSION['REQUESTED'];
        } else {
            $uri = 'account.php'; // default authenticated user home
        }
        if (ValidUserCredentials($post)) {
            if ($user = loadUserData($post['username'])) {
                // issue a fresh session id so an id set before login is not carried over (session fixation)
                session_regenerate_id(true);
                // store all data except the password in the auth session
                foreach ($user as $k => $v) {
                    if ($k != 'password') {
                        $_SESSION['authenticated'][$k] = $v;
                    }
                }
                // store the user's current IP address in the session; can be used to detect hijacked sessions
                $_SESSION['authenticated']['ip_address'] = $_SERVER['REMOTE_ADDR'];
                updateUserLogin($post['username']);
                // redirect the user to the appropriate URI
                unset($_SESSION['REQUESTED']);
                header('Location: ' . $uri);
                exit;
            } else {
                $errors['debug'][] = "Error loading user data in authUtils.php function 'loadUserData'";
            }
        } else {
            // keep $errors an array so the count($errors) checks below keep working
            $errors['login'] = 'Invalid username or password';
        }
    }
} else { // not submitted
}
?>
Next we check whether we have encountered any errors. If not, we look for a previously requested URL that would have been stored by the restrict_auth() function in common.inc.php; if none is set, we use account.php. We then validate the submitted credentials against the database, load the user data and copy it into the session along with the user's IP address. Then we update the users table to reflect the successful login, unset the previously requested page and redirect the user to the URL determined earlier. Any errors encountered along the way are stored in our $errors array.
File: login.php (cont.)
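The following is an added example and not the tutorial's own code. It shows one way the credential check and session setup described above can be written with a prepared statement and password_verify(), and how the stored IP address can actually be checked on restricted pages. It assumes a PDO handle $pdo, a users table with columns id, username and password (a password_hash() digest), and that session_start() has already run; the function names are hypothetical stand-ins for the tutorial's helpers.

```php
<?php
// Added example (not the tutorial's own code). Assumes: a PDO handle $pdo, a
// `users` table with columns id, username, password (a password_hash() digest),
// and that session_start() has already been called (as common.inc.php does).
// Function names are hypothetical stand-ins for the tutorial's helpers.
declare(strict_types=1);

// Look up the user with a prepared statement and compare the password with
// password_verify(); no SQL escaping of the input is needed this way.
// Returns the user row without the hash on success, null on failure.
function validUserCredentials(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a constructed placeholder hash when the user is unknown, so the
    // unknown-user and wrong-password paths take comparable time.
    $hash = $user ? $user['password'] : password_hash('placeholder', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === false) {
        return null;
    }
    unset($user['password']); // never copy the hash into the session
    return $user;
}

// Establish the authenticated session. The id is regenerated first so a session
// id that existed before login (session fixation) is not carried over.
function startAuthenticatedSession(array $user, string $remoteAddr): void
{
    session_regenerate_id(true);
    $_SESSION['authenticated'] = $user;
    $_SESSION['authenticated']['ip_address'] = $remoteAddr;
    $_SESSION['authenticated']['login_time'] = time();
}

// Guard for restricted pages (the role restrict_auth() plays in common.inc.php).
// Returns true when the session is authenticated and still bound to the same IP;
// otherwise records the requested URI for the post-login redirect and returns false.
function isAuthenticatedRequest(string $remoteAddr, string $requestUri): bool
{
    if (!isset($_SESSION['authenticated']['ip_address'])) {
        $_SESSION['REQUESTED'] = $requestUri;
        return false;
    }
    if (!hash_equals($_SESSION['authenticated']['ip_address'], $remoteAddr)) {
        // IP changed mid-session: treat the session as possibly hijacked and drop it
        unset($_SESSION['authenticated']);
        $_SESSION['REQUESTED'] = $requestUri;
        return false;
    }
    return true;
}

// Usage inside login.php, in place of the ValidUserCredentials()/loadUserData() pair.
// The raw posted password is passed, not the escape_data() version, because
// password_verify() needs the exact bytes the user typed.
// if ($user = validUserCredentials($pdo, $post['username'], $_POST['password'])) {
//     startAuthenticatedSession($user, $_SERVER['REMOTE_ADDR']);
//     updateUserLogin($post['username']);
//     header('Location: ' . $uri);
//     exit;
// }
```

Binding the session to REMOTE_ADDR, as the tutorial suggests, does catch a cookie replayed from another host, but it also logs out legitimate users whose address changes mid-session (mobile networks, some proxies), so decide whether that trade-off fits your users before enabling the check.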
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>My Login Form</title>
<style type="text/css">
.error {
color : #f00;
font-weight : bold;
}
</style>
</head>
<body>
<h3 style="text-align:center;color:red;">Log in to <?php echo SITE_NAME; ?></h3>
<hr />
<?php // display debugging errors
if (DEBUG && isset($errors['debug']) && count($errors['debug']) > 0):
echo '<div class="error">Debug Errors<br />';
foreach($errors['debug'] as $error) {
echo $error . '<br />';
}
echo '</div>';
endif;
?>
<form action="login.php" method="post" >
<fieldset>
<legend>Log In to Your Account</legend>
<?php if (count($errors) > 0) {
echo '<div class="error">Invalid Login</div>';
}?>
<div class="form_row">
<label for="username">Username:</label>
<input type="text" name="username" value="<?php if (isset($post['username'])) { echo htmlspecialchars($post['username'], ENT_QUOTES, 'UTF-8'); } ?>" />
<?php if(isset($errors['username'])){
echo '<div class="error">' . $errors['username'] . '</div>';
}?>
</div>
<div class="form_row">
<label for="password">Password:</label>
<input type="password" name="password" value="" />
<?php if(isset($errors['password'])){
echo '<div class="error">' . $errors['password'] . '</div>';
}?>
</div>
<div class="submit">
<input type="submit" name="submit" value="Login" />
</div>
<div style="text-align:center;">
<a href="reset.php">Lost Password</a> | <a href="register.php">Sign Up</a>
</div>
</fieldset>
</form>
</body>
</html>
As you can see, we close out the script by displaying the form, with PHP placeholders that show any values or errors generated earlier. Next, let's look at how we can allow a user to reset their password if they need to.