Somewhat secure authentication using PHP

This TechByte contains a method of doing user authentication on a PHP site without simply passing and storing plain text passwords. It explains briefly some techniques you can use when building your login page.

First you need a login form so someone can enter their username and password. As you can see the following form passes the username and password to dologin.php.

<form method="POST" action="dologin.php">
<input type="input" name="txtUsername" value=""><br \>
<input type="password" name="txtPassword" value=""><br \>
<input type="submit" name="cmdLogin" value="Login"><br \>
</form>

Now, you could just put the plain text password in your script or your database, however, this isn't very secure as anyone who gets read access to your script or database can easily get all the passwords. The solution to this is to use a hashing algorithm. In this example we will use the MD5 hashing algorithm because it is easily implemented in PHP and MySQL.

The following script is an example of a php script which stores the password in the PHP script itself but as a MD5 hash. This is an example of the dologin.php script.

$UserAuthenticated = false;

if($_POST['txtUsername'] == "administrator") {
  $PasswordHash = md5($_POST['txtPassword']);
  if($PasswordHash == "098f6bcd4621d373cade4e832627b4f6") {
    $UserAuthenticated = true;
  }
}

As you can see, storing the password like this makes it much more difficult for someone who gets a glance at your script to know your password. The password can still be cracked from this password hash but depending on the complexity of the password, it is much more difficult.

In order to store the password like this you must first compute the MD5 hash for the password you want to use, you can do this by making your own PHP script, or by visiting a page which allows your to compute your own like this.

The above example stores the password in the script, but you can also use this with a MySQL database by first hashing the password and then checking it against the password hash which is stored in the database.

This method makes the storage of the password slightly more secure, however the password is still transmitted in plain text from the client to the dologin.php (This is assuming the data is being passed over a standard http and not https connection). In order to protect against passing the password plaintext, you must hash the password before it is sent to the dologin.php. This requires a client side script, like this javascript MD5 implementation.

That's all for this TechByte. The methods discussed in this article are by no means 100% secure and a HTTPS connection is definitely something that should be considered by anyone sending important information over the internet. If you're just looking for a way to make a simple authentication page a little more secure, then this will work great!

Author: DPAK
Created: Oct 1 2005 (last modified Oct 3 2005)
Categories: PHP
TechByte #40

Warning: By visiting this site and/or by using any information contained herein, you agree to the Techbytes.ca terms of use.