PHP Authentication Flow
When creating websites that will allow users to create accounts, the developer always needs to consider the proper authentication flow for their app. For example, some developers will utilize an API for authentication, some will use OAuth, and some may just use their own simple database.
For those using pre-built libraries, authentication may simply be a problem of copying and pasting the code from their library's documentation. For example, here's the code I use to authenticate users with the Tumblr OAuth API for my Tumblr client, Vox Populi:
However, developers building an authentication flow from scratch need to think carefully about when each page must verify that the user is actually authenticated.
In this article, we're going to look at a simple authentication flow using a MySQL database and PHP.
Creating User Accounts
The beginning to any type of user authentication is to create a user account. This process can take many formats, but the simplest is to accept user input from a form (e.g. username and password) and send it over to your database. For example, here's a snippet that shows how to get username and password parameters that would come when a user submits a form to your PHP script.
Note: Ensure that your password column is large enough to hold the hashed value (at least 60 characters or longer).
Validate Returning Users
Verifying that a returning user has a valid username and password is as simple as having them fill out a form and comparing what they submit with the record stored in your database.
Storing Authentication State
Once the user's account exists, you're ready to initialize the user's session. You will need to do this on every page that loads while the user is logged in. To do so, simply enter the following code snippet:
Once you've initialized the session, the next step is to store the session in a cookie so that you can access it later.
Now that the session name has been stored, you'll be able to check if there's an active session whenever you load a page.
Removing User Authentication
The next logical step is to give your users the option to log out once they are done using your application. This can be tricky in PHP since a few of the standard ways do not always work.
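As an added, end-to-end example that is not the article's own code, the following ties the steps above together (hashed account creation, login check, per-page session check, and logout). It assumes an already-open PDO connection in `$pdo` and a `users` table with `id`, `username` and `password_hash` columns; the redirect path is a placeholder:

```php
<?php
// Added example, not the article's code. Assumes a MySQL table
// users(id INT AUTO_INCREMENT PRIMARY KEY, username VARCHAR(64) UNIQUE, password_hash VARCHAR(255))
// and an existing PDO connection in $pdo (created elsewhere).
declare(strict_types=1);

// Start the session with hardened cookie flags before any output and before the functions below.
session_start(['cookie_httponly' => true, 'cookie_samesite' => 'Lax', 'use_strict_mode' => true]);

// Account creation: store only the hash, never the plaintext password.
function registerUser(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: the prepared statement keeps user input out of the SQL text, and
// password_verify() compares against the stored hash in constant time.
function loginUser(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same result for an unknown user and a wrong password
    }
    session_regenerate_id(true); // fresh session ID after login (session fixation defence)
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

// Call this at the top of every protected page.
function requireLogin(): void {
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php'); // placeholder path
        exit;
    }
}

// Logout: clear session data, expire the session cookie, then destroy server-side state.
function logoutUser(): void {
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 3600, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}
```

Expiring the cookie and destroying the server-side session together is what makes the logout reliable; doing only one of the two is why a logout can appear not to work.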
Now you should be ready to begin your authentication programming with PHP. You can create user accounts, create sessions for users across different pages of your site, and then destroy the user data when they're ready to leave.
For more information on this subject, I recommend reading the PHP Documentation. Specifically, you may want to look at HTTP authentication with PHP, session handling, and hash.