Thread: Signup Script

ok, just about to start doing a website ive been thinking about for well over a year.. its rather complex compared to anything I have ever done before, and its my first foray into MySQL databases.

I have gone through a number of websites looking for php signup scripts (no need to create the wheel right) and found the following 2 which are good:

PHP Login script tutorial
http://www.evolt.org/PHP-Login-Syste...Admin-Features

The later is pretty good, but its from 2004, and with PHP5 being out now I dont think it would be wise to use it.

Anyone got any suggestions on a script to use?

hehe well hack and slashing code together.. ive got together a login section, signup section and lost password section.. all with encrypted passwords... so I think I may not actually need much else at the moment

As you say, why reinvent the wheel ;o)

PHP5 Login Script » Products » Crisp Webdesign

Thanks welshstew, have you used it?

£2.50 cant complain and may give it a whirl.

I am having a bit of a whirl creating my own script, always good to spend some time learning.

Totally agree with you.

I haven't used it myself, as everything I have built has used either a cms or not required a login function.

Hehe well getting there now

When signing up will check if user already exists, if it is banned and if the passwords match, if not it will fail. get new password, login and signup done..

\o/

...
http://www.evolt.org/PHP-Login-Syste...Admin-Features
...

Originally Posted by Tom

This script is one of the best I have seen online, but by briefly reviewing it, I believe it could benefit from at least a couple of enhancements. Session IDs being regenerated often seems to be the norm when considering a session fixation attack, and this script never regenerates IDs. This is an easy fix. Also, the script doesn't count unsuccessful login attempts, or try to block logins after X amount of unsuccessful logins. If a person/bot was trying to guess usernames and/or passwords, the login system would ideally place either the login name or their IP address on hold for X amount of minutes. Another problem, unless I just missed it, was that there is no protection against session hijacking. The norm is to use some sort of token, and I don't see any. Perhaps I should take a closer look at the code?

I think the script is a great starting point, and is worth a lot compared to most login systems/classes I've seen. Familiarizing yourself with the script, and building upon it would certainly produce a solid authentication system that you could count on.

I've sort of been advertising that I would like to combine forces with other developers to create a rock solid login system, with any and all common features, and release it as open source. I've got a code foundation done already, and if anyone is qualified, and interesed in such a project, feel free to contact me through my website. (link in sig). I'd be interested in hearing from ethical hacker types too. My code is procedural, and I'm not necessarily interested in making it object oriented, but if you are an OOP master, perhaps you would like to do a conversion. I'm not opposed to OOP, but I just prefer procedural.

how do skunkbad, i would like to help but i know little about php so my coding skills would do little to help.

That script is really good, but I dont like to use peoples code blindly, much prefer to follow a tut and then chop and change things where needed, helps me learn.

Ill be working on my script again next once, once ive got most of it settled ill be turning as much as I can into functions (my first ever) and then ill be adding some ajax into the form to do validation etc.

Just came across this rather good tutorial on creating ACL (Access Control List) which is pretty interesting:

A Better Login System - Nettuts+

Will hopefully get some time to work on my script some more, ill show you all once its done.

Cool, thanks for that, good reading.