authentication


After a backend application is created, you run the risk of letting everybody into the application and letting them manipulate the database. So authentication is essential to keep unwanted users out of the application. For authentication, we'll create a basic login form that appears when someone tries to access the dashboard. Users with an authorized username and password get past it, while everyone else is redirected to another page as defined. It's good practice to name the file index.php, since it will be loaded automatically when the backend application's URL is requested.

BASIC PHP USER LOGIN FORM

Let's create a basic login form, along with a div on top to display the login error message.

<?php
session_start(); // start the session so $_SESSION is available on this page
include_once('connect.php');
?>
<?php if(isset($_SESSION['error_message'])) : ?>
	<div class="alert alert-danger">
		<?= htmlspecialchars($_SESSION['error_message']) ?>
		<?php unset($_SESSION['error_message']); ?>
	</div>
<?php endif; ?>
<form method="POST">
	Username: <input type="text" name="user" />
	Password: <input type="password" name="password" />
	<input type="submit" name="submit" value="Log In" />
</form>

BASIC PHP USER LOGIN VERIFICATION AND SESSION UPDATE CODE

Now, the processing part. Since no action is defined in the form tag, the data is processed by the same page. Let's add a block of PHP code there to make the login form work. Place it before any HTML output, because header() cannot send a redirect once output has already started.

<?php
	// start the session before touching $_SESSION
	session_start();
	include_once('connect.php');

	// check for data
	if(isset($_POST['submit'])){

	// store posted data in some variables
	$user = $_POST['user'];
	$password = md5($_POST['password']);
	// using md5 to hash the password so it matches the one stored in the database

	// check for matching username and password in the database using a prepared
	// statement, so the submitted values are bound as parameters rather than
	// interpolated into the SQL string
	$stmt = mysqli_prepare($connect, "SELECT * FROM tbl_user WHERE username=? AND password=?");
	mysqli_stmt_bind_param($stmt, 'ss', $user, $password);

	// execute query and buffer the result so the row count is available
	mysqli_stmt_execute($stmt);
	mysqli_stmt_store_result($stmt);

	// authentication condition
	$count = mysqli_stmt_num_rows($stmt);
	mysqli_stmt_close($stmt);
	if($count == 1){
		// store username and password in session
		$_SESSION['username'] = $_POST['user'];
		$_SESSION['password'] = $_POST['password'];
		header('Location: display-post.php');
		exit; // stop the script so nothing after the redirect runs
	}else{
		$_SESSION['error_message'] = 'Login Attempt Failed!! Unauthorized Username and Password';
		header('Location: backend/index.php');
		exit;
	}
}
?>

REDIRECTING UNAUTHORIZED USERS ACCESS ATTEMPTS

Once the session has been set up, you can redirect the request to any other URL if the submitted data does not match a row in the database's user table. If the credentials match a username and password in the database, the user is redirected to one of the backend pages; here I opted to send the user to display-post.php. If the posted data doesn't match the existing data, you can redirect to any page; here I keep the user on the same page with the login error message displayed.
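As an added example (not the tutorial's own code), here is the same verification step written against a password stored with PHP's password_hash() instead of md5(). It assumes the same $connect handle from connect.php and the same tbl_user table with username and password columns, but with the password column holding a password_hash() string; the create_user() helper is hypothetical and only shows how that stored value is produced. The login file is assumed to be index.php in the backend directory, so the failure redirect points at index.php.

```php
<?php
// Added example: login verification with password_hash()/password_verify()
// and a prepared statement. Assumes $connect (mysqli) from connect.php and a
// tbl_user table whose password column holds a password_hash() string.
session_start();
include_once('connect.php');

// Hypothetical helper used when a user is created: stores a salted bcrypt
// hash, so the database never holds the password or a fast unsalted digest.
function create_user(mysqli $connect, string $user, string $plain): bool
{
    $hash = password_hash($plain, PASSWORD_DEFAULT);
    $stmt = mysqli_prepare($connect, 'INSERT INTO tbl_user (username, password) VALUES (?, ?)');
    mysqli_stmt_bind_param($stmt, 'ss', $user, $hash);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Looks up the stored hash for the username and checks the submitted
// password against it. Only the username is bound into the query; the
// password comparison happens in PHP via password_verify().
function verify_login(mysqli $connect, string $user, string $plain): bool
{
    $stmt = mysqli_prepare($connect, 'SELECT password FROM tbl_user WHERE username = ?');
    mysqli_stmt_bind_param($stmt, 's', $user);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $hash);
    $found = mysqli_stmt_fetch($stmt);   // true on a row, null when none
    mysqli_stmt_close($stmt);

    if ($found !== true) {
        return false;
    }
    return password_verify($plain, $hash);
}

if (isset($_POST['submit'])) {
    $user  = $_POST['user'] ?? '';
    $plain = $_POST['password'] ?? '';

    if (verify_login($connect, $user, $plain)) {
        // Issue a fresh session id on login so a pre-login id cannot be reused
        session_regenerate_id(true);
        $_SESSION['username'] = $user;   // the password itself is never stored
        header('Location: display-post.php');
        exit;
    }

    // Same message whether the username or the password was wrong
    $_SESSION['error_message'] = 'Login Attempt Failed!! Unauthorized Username and Password';
    header('Location: index.php');
    exit;
}
?>
```

password_hash() chooses the salt and cost for you and password_verify() re-hashes the submitted value with the stored parameters, so the stored column can be moved to a stronger algorithm later without changing this login code.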

For authentication to work on the protected pages, you need to verify that the username session variable set at login exists, using an if statement as shown below.

<?php
// start session if not started earlier
session_start();
if(!isset($_SESSION['username'])){
	header('Location: backend/index.php');
	exit; // stop rendering the protected page after the redirect header
}
?>

So, main.php checks for the username in the session. If it isn't set, the user is sent to the login page.

DESTROY SESSION ON USER LOGOUT

Once you have created a login page, you'll need a logout page too, in order to destroy the session and make the user log in again. Add a link to the logout page in main.php so the session is destroyed with a single click. This logout.php file is quite simple: the session is started and then destroyed.

<?php
session_start();
if(isset($_SESSION['username'])){
	$_SESSION = array(); // clear the session data held in memory
	session_destroy();   // remove the server-side session record
	header('Location: backend/index.php');
	exit;
}
?>
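The session check and the logout above are repeated on every backend page, so an added example (not part of the tutorial) collects them into two helpers in a hypothetical auth.php that main.php, logout.php and the other backend pages can include. It assumes PHP 7.3 or later for the array form of session_set_cookie_params() and setcookie(), and that the login form is index.php in the same directory.

```php
<?php
// Added example: shared session helpers for the backend pages.
// Assumed to live in auth.php next to index.php; requires PHP >= 7.3.

// Starts the session once, with cookie flags that keep the session id out
// of JavaScript and, when the page is served over HTTPS, off plain HTTP.
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,
            'secure'   => isset($_SERVER['HTTPS']),
            'samesite' => 'Lax',
        ]);
        session_start();
    }
}

// Gate for every protected page: redirect to the login form unless a
// username was stored at login. exit keeps the rest of the page from
// rendering after the redirect header has been sent.
function require_login(string $login_url = 'index.php'): void
{
    start_secure_session();
    if (empty($_SESSION['username'])) {
        header('Location: ' . $login_url);
        exit;
    }
}

// Full logout: clear the session data, expire the session cookie in the
// browser and destroy the server-side record, then send the user back to
// the login form.
function logout(string $login_url = 'index.php'): void
{
    start_secure_session();
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();
    header('Location: ' . $login_url);
    exit;
}
?>
```

With this file in place, main.php and the other protected pages begin with require_once 'auth.php'; require_login(); and logout.php reduces to require_once 'auth.php'; logout();. Expiring the cookie matters because session_destroy() alone removes only the server-side data and leaves the old id in the browser.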