phpUserAuth
phpUserAuth is a free PHP User authentication/management system which is secure, flexible, customizable and yet lightweight and easy to use. It offers all the goodies minus the complicated setup and bulk of other programs. Insipiration comes from a lot of existing scripts out there, so a big thanks to them!
Demo DownloadFeatures
- Secure with support for sessions based and/or cookie based authentication
- Tons of configuration option for those who know what they are doing. For others, its easy as a cake!
- Passwords are *always* hashed before they are sent over the network, with fallback to plain text if JavaScript is not supported in the browser
- Only salted, hashed passwords are saved in the database. Even if the DB is stolen, it is almost impossible to get the original password
- Support for multiple simultaneous sessions or a single active session
- Administrator can choose how users are activated after they signup. It can be automatic activation, manual activation by the admin, or an activation mail can be sent to the user
- Password is NEVER sent over the email. If the user forgets his password, he can request a password reset mail.
- User defined access control levels
- Flexible. If the administrator wants to add another field, simply updated the configuration file, and put the field in the signup form! The rest is taken care of by the script!
- Prevention from XSS attacks - all data sent to the server is cleaned using the excellent InputFilter class
- Support for template based HTML email notifications with changeable templates
- Emailing done through the excellent PHPMailer with support for SMTP+SSL
- Custom redirection after login/logout
- Pre-designed forms
- Snap in install - Simply drop the folder into your existing application, configure a few site options and database settings, and you are done!
Requirements
- PHP 5+ as the core classes are OO
- MySQLi support
- MySQL 5+ database server
Is that too much to ask? That being said, if you run a fairly recent server, all these should be there by default. For testing, you can check out XAMPP which is available for Windows, Mac and Linux!
License
I'm planning to release it under some open source license. If that doesn't work out, it will still be FREE
Download
It is not completely done yet. The admin area needs some work. So it will be released, when its done
Notes
1) As always, it isn't perfect! If you find any bugs, errors, or know a way where things can be done better, please leave a comment!
2) The application hasn't been profiled yet. There WILL be places where I might have complicated things. Will be taken care of after its been released
June 12th, 2010 - 09:31
Please let me know when this is available. I am very interested in this project. If you’d like, I can help with debugging.
Best regards,
June 17th, 2010 - 22:17
Hi,
Great start on PHPAuth! The demo looks great!
Any idea when you’ll be releasing any code?
I’ll be happy to help in any way. I can help with the code, or with writing the documentation.
If you think it will be a while before any release, then maybe you could suggest another project I could use?
Thanks!
Melissa
June 18th, 2010 - 10:17
@Ben, thanks for your interest. I hope to release it by next weekend. Really busy with work, so will have to find some time during the weekend to finish it up.
@Melissa, thanks for your feedback. Much appreciated! I will be releasing it in another 10 days or so. If you can improve it in any way, or write a quick start user guide, it would be really nice
June 20th, 2010 - 17:14
Looking forward to your script; the features look very nice! Definately wanting to try this out!
July 7th, 2010 - 15:09
Hey there!
Any idea when you will release this module?
July 26th, 2010 - 01:38
Thanks a lot, I’ll be downloading this and try to get it working this week!
August 3rd, 2010 - 13:24
Looks pretty great.
Question, will you add some kinda of option to protect whole folders?
I have photos and simillar that I want to “protect”, but I do not want to make a page for each/all to protect it. I might have missunderstood something (english is not my 1st language), but I get the impression I can “only” can protect pages?
August 3rd, 2010 - 09:58
This script is for PHP scripts that you would invoke through your browser. If you want to password protect a directory as such, you can try using .htpasswd as shown here – http://www.javascriptkit.com/howto/htaccess3.shtml
It should be possible to use this script as the backend for user authentication as well. You will need to send out the corresponding http auth headers and get the username/password. But I don’ think session control, timeout, cookies can be done that way
August 20th, 2010 - 22:26
Hey ! this script looks awesome but I’m not sure I understand what it really does anymore.. (after last comment).
I have a “clients” subdomain with a different directory for each client. I would like to password protect each directory (and their content) with a different user (client). Would this script be able to accomplish that ?
If not, did you hear of any script (other than .htaccss/.htpasswd – I want to be able to style the login page – so not a popup..) ?
Many thanks,
Nicolas
August 21st, 2010 - 10:09
Password protecting directories is a different thing. This is for PHP scripts (like a webapp) where you need to give authentication/authorization for users to access a particular page. For example, if only registered users must be able to access purchase.php in your application, this will help you do that.
Technically, you should be able to achieve what you want using this script. As far as I know, you cannot style HTTP Authorization cause it is sent out with the header and you need to provide it with the username/password before the body of your page is sent out. So I don’t think you can style it.
Now what you can do for each directory is have a .htaccess file that redirects it to the login page. There you can make sure the user logs in. Then display the directory/files you want to show the user from within a PHP script. This can be effective since you will have all the session timeout/userlevel checks also. This way, even if the user directly tries to access his/her folder, it will be redirected to the login page.
I can try to cook up some code to show this, but no guarantees
August 23rd, 2010 - 20:02
Hey! thanks alot, yeah .htpasswd is not a viable solutions for us.. But I will try and see if I can tweak your code so it would accomplish what I am looking for (I tried the .htaccess redirect to login page thing but got stuck in a never ending loop – I am not really experiented with apache code). Anyway, if you get to have the time to cook up some code it would be really appreciated, and if I find a solution, either from your script or whatever, I’ll post it here too.
Thanks again,
Nicolas
September 19th, 2010 - 08:03
Doesn’t work. Full of errors and is not compatible with PHP5.3 and MySQL 5
September 19th, 2010 - 08:27
Well, I develop and test it on PHP 5.3.1 and MySQL 5.1. It works fine. I could probably check if you give me specific error messages.
October 13th, 2010 - 22:48
Hey m8,
first of all, the script looks great!
but i got some problems with installing. i work with php version 5.2.9 and the screen is full of errors like:
Notice: Use of undefined constant DB_USER – assumed ‘DB_USER’ in D:\****\htdocs\www.*****.com\2010\application\user\lib\userauth.class.php on line 49
Some mysql erros and some Session errrors
thanks
October 15th, 2010 - 18:52
Please make sure the config.php file is in the correct path. Also, if you use any other config files for you application, the DB setting constants shouldn’t clash with these constants: DB_USER, DB_PASS, DB_NAME
October 16th, 2010 - 15:41
Getting this error when re-sending the activation email.
SMTP Error: Could not connect to SMTP host. There was an error sending the mail. Please try again later
Thanks
October 17th, 2010 - 14:08
You will need to change SMTP settings in config.php to meet your server settings. For example, if you are using a gmail account, you can use that:
define(“USE_SMTP”, TRUE);
define(“SMTP_HOST”, “smtp.gmail.com”);
define(“SMTP_PORT”, “465″);
define(“SMTP_USER”, “you@gmail.com”);
define(“SMTP_PASS”, “yourpassword”);
define(“USE_SSL”, TRUE);
October 26th, 2010 - 08:00
I’m having the same smtp problems. I tried it in my gmail account as well as network solutions (hosting service) and neither works.
Also, any progress to report on further development?
October 26th, 2010 - 10:03
I’m not sure what’s wrong as it works for me. I may need to check if I uploaded an older build than the one I’m using. Will do that in a couple of days and update the post. Also, if there is any particular feature that you need, let me know. Since I haven’t gotten much feedback from the very few people that are interested in it, I’m not sure what further development is needed.
November 8th, 2010 - 00:26
I have done set up which working fine. When I clink url below
http://www.nictmbd.com/quizmember/user/login.php
I enter user : admin
Password as per your readme file.
I see the following error.
User not found
Could u help me . what could be the problem ?
November 8th, 2010 - 10:29
If you created the tables in your database using the userauth.sql script, it should work properly. To verify, use a tool like phpMyAdmin and check if there if the table has been created properly, and if a row exists with username admin
November 10th, 2010 - 23:19
Thanks a lot ! It’s working fine now. great script. I will need yr help if i find some problem.
November 12th, 2010 - 20:25
http://www.nictmbd.com/quizmember/user/login.php
I have set up everything now. How can I password protect my quiz.html page ? Is there any faq available? Is it possible to create password protect page for each individual member?
thanks
November 13th, 2010 - 10:44
Please read the Readme.txt file. It contains all the instructions. You will need to create a php page instead of a HTML.
November 9th, 2010 - 23:04
Thanks. But I think I am not doing it correctly ! I would like to send u my Cpanel & FTP password & my database password etc . Could you give me your e-mail ID , please. Please e-mail me : ebicain@yahoo.com U can help me this way …I shall be thankful.
December 22nd, 2010 - 19:47
I followed the instructions and get this error message: Parse error: syntax error, unexpected T_STRING, expecting T_OLD_FUNCTION or T_FUNCTION or T_VAR or ‘}’ in /srv/disk2/toble89/www/hemligheten.awardspace.info/members/lib/userauth.class.php on line 20
December 23rd, 2010 - 14:07
Which version of PHP are you using? I’ve never encountered an error on that line.
December 29th, 2010 - 23:38
Nice script !!! Thanks!!
January 6th, 2011 - 16:20
good script, works fine, but when i change this entry
define(“SESSION_TIMEOUT”, 60*3);
to: define(“SESSION_TIMEOUT”, 60*10);
nothing happend.
how i must change the entry to get 10 min for time_out?
January 7th, 2011 - 07:48
Yes, what you did is right. I just checked the timeout and it works fine. Note that it doesn’t automatically signout the user after the defined time. If the user performs some action, then it will show an error saying “Session Timeout”
January 11th, 2011 - 22:14
Am receiving this error message please help.
Fatal error: Class ‘mysqli’ not found in D:\inetpub\vhosts\smngh.com\httpdocs\login\lib\userauth.class.php on line 49
January 12th, 2011 - 07:06
Seems like you don’t have MySQLi support. You will need that as all DB calls are made through it. Check with your hosting provider if they support MySQLi
January 15th, 2011 - 14:16
Hi Srinath,
thanks for this awesome package, I think it’s really great and a good example for good coding.
I followed the instructions given in Readme and I have changed configuration file so everything is working but the email sending feature, when I am trying to send emails it gives this error (activation email):
“SMTP Error: Could not authenticate. There was an error sending the activation mail. Please try again later”
I have to mention that is how email settings look:
/* MAIL SETTINGS */
define(“USE_SMTP”, TRUE);
define(“SMTP_HOST”, “smtp.gmail.com”);
define(“SMTP_PORT”, “465″);
define(“SMTP_USER”, “myEmail@gmail.com”);
define(“SMTP_PASS”, “myEmailPassword”);
define(“USE_SSL”, TRUE);
and may I ask how may I set “From”,”Subject” and “Body” params.
btw I am running PHP 5.3.3 on Ubuntu 10.10
your help is highly appreciated..
January 15th, 2011 - 15:03
I just solved the problem, I had forgotten to change the admin email!
thank you very much for this wonderful script again
January 16th, 2011 - 05:32
Hello there,
i have installed your script, but after installation i get theses
errors “Warning: mysqli::mysqli() [mysqli.mysqli]: (28000/1045): Access denied for user ‘webdev47_conad ‘@’10.33.248.79′ (using password: YES) in /home/webdev47/public_html/lib/userauth.class.php on line 49
Error: DB Connection Error: Access denied for user ‘webdev47_conad ‘@’10.33.248.79′ (using password: YES)”
and YES my db details are correct, how can i fix this please?
Site is here http://idev.x10.mx/
Thanks
January 16th, 2011 - 10:12
Well it definitely is related to DB access. This error is thrown when the script cannot connect to the DB server using the username/password supplied. Try cross checking it.
January 16th, 2011 - 11:00
Thanks for the great script. It is very useful.
February 9th, 2011 - 19:22
hey,
I can’t login to the username admin with the pass that is givin in the readme…
i tells me this:
Notice: Trying to get property of non-object in C:\wamp\www\Login_folder\phpuserauth\user\lib\userauth.class.php on line 130
what do I do wrong?
February 23rd, 2011 - 20:22
Hey,
Is there any update on the update mentioned above your page?
Update: Oct 29th 2010: Many users are facing problems with the script. I digged into the code and realized that I’ve used php short tags instead of the standard tags in a few files. I apologize for the error and will fix the errors and upload it this weekend.
If i download the package i get errors.
Kind regards,
Oliver Bril.
February 25th, 2011 - 14:26
Sorry, Never mind forgot to enable some modules. Running fine now.
Kind regards,
Oliver Bril.
February 28th, 2011 - 05:02
I’m getting this error on registration…Error inserting user into database. Please contact the site administrator…and it seems as if there are other issues…should globals be turned “ON” for this script?
March 4th, 2011 - 18:01
Hi,
I love your script.
Thank you so much.
But I have one question…
I added some custom level groups.I want to customize the areas on the page that are visible to specific group. Maybe this is not clear enough so I’ll give you an example:
When guest – “Hello Guest – register or login here”(seen only for guests)
When logged in – Hello User – and user now sees the page.
But when users has rights for editing the page – Hello User – and user sees the ‘edit’ button and can access this function in the file (such as case – function edit($nid,$user)).
Simple questions is: how can I make ‘else’ clauses ?
e.g. if ($user->is(‘MOD’)) { Change } else { echo “” }.
Because now it just returns true of error state and I cannot close the cycle.
April 17th, 2011 - 13:12
Right now you cannot use a if else block to show different parts of the same page to a user. This is because if the first if($user->is(“MOD”)) fails, then the script will not continue and an error message will be shown. So you will need to put the logic for the different parts in different php files and load the one appropriate to the logged in user level.
May 5th, 2011 - 07:59
This is not entirely correct. You can use the $user-is() to secure the page, then use if($user->getProperty(‘level’)==MOD) to display (or not) the sections that you want within the same php file.
March 4th, 2011 - 18:18
Hello, phpUserAuth woks perfect, but I’m getting this error when I am trying to send emails:
SMTP Error: Could not connect to SMTP host. There was an error sending the mail. Please try again later
My mail settings:
/* MAIL SETTINGS */
define(“USE_SMTP”,TRUE);
define(“SMTP_HOST”,”smtp.gmail.com”);
define(“SMTP_PORT”,”465″);
define(“SMTP_USER”,”***@gmail.com”);
define(“SMTP_PASS”,”***”);
define(“USE_SSL”,TRUE);
I´ve changed SMTP settings, ADMIN_NAME , ADMIN_EMAIL , …. what do I do wrong?
Thanks (and sorry for my english)
April 17th, 2011 - 13:14
Your settings seem correct. Double check if you got your user name/password correct. Else, try using some other server to check it that works
March 18th, 2011 - 13:00
Hello, phpUserAuth not woks error
Notice: Use of undefined constant TABLE_FIELDS – assumed ‘TABLE_FIELDS’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 41
Notice: unserialize() [function.unserialize]: Error at offset 0 of 12 bytes in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 41
Notice: Use of undefined constant SESSION_FIELDS – assumed ‘SESSION_FIELDS’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 42
Notice: Use of undefined constant SESSION_FIELDS – assumed ‘SESSION_FIELDS’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 43
Notice: Use of undefined constant DB_HOST – assumed ‘DB_HOST’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 49
Notice: Use of undefined constant DB_USER – assumed ‘DB_USER’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 49
Notice: Use of undefined constant DB_PASS – assumed ‘DB_PASS’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 49
Notice: Use of undefined constant DB_NAME – assumed ‘DB_NAME’ in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 49
Warning: mysqli::mysqli() [mysqli.mysqli]: (HY000/2005): Unknown MySQL server host ‘DB_HOST’ (11004) in F:\xampp\htdocs\phpuserauth\user\lib\userauth.class.php on line 49
Error: DB Connection Error: Unknown MySQL server host ‘DB_HOST’ (11004)
Notice: Use of undefined constant SESSION_VARIABLE – assumed ‘SESSION_VARIABLE’ in F:\xampp\htdocs\phpuserauth\user\login.php on line 33
Thanks!
April 17th, 2011 - 13:17
Seems like you have not set your mysql database settings in the config.php file. Also, change the setting DEV_MODE in config.php to false to disable the notices and warnings. Will look into this problem and check if it needs a fix.
April 15th, 2011 - 20:24
Hi,
I’m getting this error message on the after logging in. (http://www…….com/user/account.php)
Warning: date() [function.date]: It is not safe to rely on the system’s timezone settings. You are *required* to use the date.timezone setting or the date_default_timezone_set() function. In case you used any of those methods and you are still getting this warning, you most likely misspelled the timezone identifier. We selected ‘Europe/London’ for ’1.0/DST’ instead in C:\xampp\htdocs\insert_management\user\lib\userauth.class.php on line 210
Any ideas?
April 17th, 2011 - 13:10
Which version of PHP are you using? Try commenting this line in config.php and try again
ini_set("date.timezone","Asia/Calcutta");July 15th, 2011 - 17:32
Great script. Fast and clean. Have been working on a function that will recognize admin-level users at login, and then redirect them to a separate landing page. At the moment, all users (including admin) are directed to the same landing page, which is not suitable for my purposes. As I am not an accomplished coder (and therefore unlikely to find a solution to this matter), I do hope that you’ll include this feature in your next release. In the meantime, I’ll be sure to let you know if I manage to resolve this matter. Keep up the great work. Your PHP user management script – designed for PHP 5 – is the best I’ve seen.
July 18th, 2011 - 13:54
Thank you Paul. I have moved the code to github and will start working on the next version shortly. I cannot give a timeline (as always), but will keep your suggestions in mind when I work on it.
July 15th, 2011 - 18:52
Regarding the login redirect issue that I submitted earlier, I have since discovered that your PHP user management script does, in fact, recognize admin-level users who are promptly redirected to a separate landing page (the admin control panel page). This is accomplished by pointing your browser to the “admin” folder, or to the index.php page found in this same folder. Upon doing so, you are presented with a login page, and after successfully logging in as an admin-level user, you are then redirected to the admin control panel page (the same index.php page found in the admin folder). Conversely, and when attempting to login as a “non-admin” user, you are presented with the following Error Message: “Error: Insufficient Privilege,” and denied access to the Admin Control Panel page. It should be noted, however, that such users are still logged into the system, although not at the admin level. Further, and although logged in, they are not redirected to the users landing page (account.php). Perhaps this is their punishment for attempting to access the admin area.
July 29th, 2011 - 14:05
Thanks, it’s a great little package that works well.
I wanted to add a few extra commands to the admin page, in particular a ‘delete’ and ‘send invite’button for each row, and an ‘add user’ at the bottom of the page so the admin can create users by their email etc etc, but I couldn’t decipher the JS files you had used.
This isn’t JQuery, could you direct me to the JS library you used?
Thanks heaps
August 3rd, 2011 - 12:54
Thanks for your comments. I’ve used a custom js library for the table. It was something I wrote sometime back, and I’m not sure it can be extended. Unfortunately, the js files in the default package are minified and packed. I will locate the source files and upload them to the git repo here: https://github.com/Checksum/phpUserAuth
November 19th, 2011 - 17:25
Testing a bit with the software. Look promessing so far. But 1 thing I find a bit weird:
If a user requests a password reset, he gets a link (ok), clicks it (ok) and get’s a page the enter his current password and a new one twice… I tried with a new password in all three fields and that works fine, but it might be a bit confusing for the average user. Would it not be better to create a page with only the 2 change password fields?
Second question, I want to use the user activation AND a admin activation to verify the users email and additional checks by the admin. Can that be done somehow?
November 21st, 2011 - 12:03
You will be redirected to the account page only if you are already logged in. If the user requests reset (and he hasn’t logged in obviously), only the new password is requested.
If you want both user and admin activation, you can probably change the code which does the activation. I will look into the corresponding file and let you know how it can be done.
December 15th, 2011 - 02:09
Hi, it’s me again…
On the admin validation subject.
Would it be possible to send an CC or BCC from the user verification email to myself by somehow changing this $mailer->AddAddress($to); and then just leaving the user level empty after the user verifies his email? I can manually change the users level as a validation step without major changes to the appication…. but how would i go about adding the second email adress. I run a lamp and as i understand the email library does not like cc or bcc fields….
Michiel
December 15th, 2011 - 10:00
Although I would not suggest that, you can add a CC or BCC using the $mailer->AddCC or $mailer->AddBCC functions. If you are using an SMTP server to deliver your mail, it should work fine.
December 16th, 2011 - 03:29
If i’m starting to annoy you, just let me know…
Tested the AddCC… work great. Thanks….
Then I found a kind of error, hidden feature or ommision (whatever you want to call it) in the readme.
My lamp currently has to directories /user and /catalog. The /catalog/index.php is secured with $user->is(‘ADMIN,VALUSER’);. config.php contains define(“VALUSER”, 4);
first issue, admin index.php page needs to have {“name”:”Val user”,”value”:”4″}, and else if($list[$i]["userlevel"] == 4) {$list[$i]["userlevel"] = “Val user”;} added. Without it you are not able to user the admin page to correctly update.
Second issue, user gets stopped by account.php because it contains $user->is(). Replaced it with $user->is(‘ADMIN,USER,MOD,VALUSER’); and it works as designed…. (I love this software and the support
)
Maybe you can use this info to your advantage…
Michiel
December 16th, 2011 - 06:34
Yes, any new user level that you add must be added manually in the admin page. It isn’t much work and that allows flexibility. Secondly, the account.php file contains only $user->is() as it checks only for any logged in user by default. If you need a specific use case, you will have to edit it as required.
phpUserAuth is more of a general framework. No software can cover all the use cases, and that is why I made it as flexible as possible. I am currently working on some fixes now, so if you need a general feature, do let me know.
November 19th, 2011 - 17:31
O, and a third question, what would i have to change to add a field to the registration page (appart from adding it to the database….)
November 21st, 2011 - 12:03
You can add the corresponding HTML to the register.php file, add the field to the config.php field list and modify your database accordingly.
November 29th, 2011 - 19:26
Field added work like a charm. Thanx.
But as allways, one more question.. I’m validating the additional field using FILTER_SANITIZE_STRING, but do you think that is enough for a plain text field?
November 30th, 2011 - 06:55
Yes, that should be enough. If you are allowing some HTML tags, then you need to filter them accordingly.
December 20th, 2011 - 19:43
Just wanted to say I am starting using this for simple projects that need an authentication system. I tried coding my own from scratch but I needed something NOW (There was no way to make something of this quality from scratch in a few dayss with everything else going on) , and your fit the bill nicely. I love it as it is simple to find everything to make work. Obviously I haven’t found anything wrong yet, but when I do I will send you a copy of what I did to correct this / and any additions I make to it.
Great job!