Creating A Secure Online Login Portal With PHP & MySQL

This requires an intermediate/advanced level of programming ability with PHP and MySQL. We will cover a basic solutions and then build layers of security that will help protect against potential attacks (nothing is 100% secure).

Security comes at the cost of development time, processing power and user experience. The level of security you decide upon should be proportional to the value of the information that you are protecting. However if you can avoid putting sensitive information on the internet in the first place then this should always be the prefered solution.

Disclaimer: XYZ Directories™ provides this tutorial on an as is basis, with no guarantees or warranties given for being fit for purpose. You may use the solutions and code detailed free of charge at your own risk, with the understanding that no solution provides 100% assurance of security and you must manage that risk against the sensitivity of information potentially being exposed.

First we will cover the basics required to create a secure platform:

  1. Authentication
  2. Session control
  3. log out

... And then everything else adds increased layers of security:

  1. Rewriting/customising PHP session handlers.
  2. Masking MySQL passwords within source code.
  3. SSL encryption.

Authentication: Essentially this checks if a valid username and password have been presented. The most basic method of doing this is to hard code the valid values into the page and simply compare against the input values. So the php code you might use to do this will look something like:


$username = 'mickeymouse';
$password = 'somethingrandom';

if( $_POST['username'] === $username && $_POST['password'] === $password ){
  // authentication successful
else {
  // authentication failed


Session Control: HTTP is a stateless language, which means that sessions are required to remember if a user has successfully logged in. A cookie is placed on the clients computer, which is a file containing a unique large random number called a session id that allows the web server to identify each client individually. The session id is remembered by the server and data can be stored on the server that relates to each clients session id. The session variable is where this data can be stored and accessed within PHP code.

Session Fixation: Is where an attacker creates a session id and tricks a legitamate user into using that session id. This is easily prevented by regenerating the session id when ever the user logs in or changes their security level.




Session Hijacking: Is where an attacker manages to obtain a valid session id and impersonates that user by presenting their session id. A valid session id can be obtained in a number of ways and the two most common methods are from sniffing internet data packets or taking the cookie session id from a victims computer when they visit the attackers website. SSL is the best way to prevent exposing packet information, but prevention of the second attack requires a bit more work and requires a random security id that is generated at login. The security id is stored in the session data on the server and is passed from one page to the next as a url variable. If the security id in the url does not match that in the session data then the user is prompted to login.


if ( $_SESSION['sid'] !== $_GET['sid'] ){
  // security check failed


27 Old Gloucester Street, London, WC1N 3AX - Tel: 020 7112 8799 - Fax: 020 7112 8558
Copyright © XYZ Directories - All Rights Reserved