A PHP implementation of password login


I needed simple login code for individual PHP pages. For obvious security reasons I could not accept code that POSTs the password in cleartext. I could not accept code that POSTs a hashed password either, as a rogue can get access just by reusing the hashed password as is.

One popular type of robust authentication is the challenge/response scheme: the server generates a random string (the challenge), the client sends back a one-way hash of the challenge combined with the password (the response), and the server computes its own copy of the response and compares it with the client's. If they match, the authentication is successful. To implement this scheme the server must keep track of the various login requests and of the corresponding challenges issued, while client identification is done with cookies. Given the stateless nature of the World Wide Web, the only way of doing this is by keeping a register of all requests and of all sessions. This is typically done in a database table that PHP writes to. However, I didn't want to rely on a database: I was looking for some light code I could insert in as many individual pages as needed without messing with a database at every new situation. One can also use a flat file on the server as an alternative to a database table, but I still wanted to refrain from letting such "service" files proliferate.

So it looks like a hopeless set of requirements, but I found a way out that works for me, a sort of compromise between security and constraints. One compromise is that the password is written (or generated) in the PHP page; however, it never travels over the network, nor does it show in the HTML source code in the client's browser. This was OK with me, because in order to read the PHP source code one would need to have my FTP login credentials (or be the server's administrator), but at that point he has power over my whole site, not just one page. The other compromise is that the challenge is not random; however, it is not easy to spoof, as it is based on information the server has about the client, the most difficult to spoof being its IP address. Please be aware of these weaknesses if you intend to use this software. It is important to set a limited lifetime for a session, because if someone can spoof a valid cookie, he will be able to reuse it until the end of its life, and this is true even if the legitimate user has "logged out".
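The scheme described above, with the challenge derived from client information instead of a random string, can be sketched as follows. This is an added example, not PHPAuthentication's own code: the function names, the SESSION_LIFETIME value, the time-slot construction and the use of HMAC-SHA256 (the package itself ships an MD5 JavaScript implementation) are assumptions made for illustration.

```php
<?php
// Added illustration, not PHPAuthentication's code. Every name here is hypothetical.
const SESSION_LIFETIME = 600; // seconds (constructed value)

// Stateless challenge: derived from what the server knows about the client
// plus a coarse time slot, so no database table or flat file is needed.
function make_challenge(string $ip, string $userAgent, int $now): string
{
    $slot = intdiv($now, SESSION_LIFETIME);
    return hash('sha256', $ip . '|' . $userAgent . '|' . $slot);
}

// One-way keyed hash of the challenge; the client-side script would compute
// the same value, so the password itself is never sent.
function make_response(string $challenge, string $password): string
{
    return hash_hmac('sha256', $challenge, $password);
}

// Server side: rebuild the expected response and compare in constant time.
// The previous slot is also accepted so a login made just before a slot
// boundary survives; a response is therefore valid for at most two slots.
function verify_response(string $response, string $password,
                         string $ip, string $userAgent, int $now): bool
{
    foreach ([0, SESSION_LIFETIME] as $age) {
        $challenge = make_challenge($ip, $userAgent, $now - $age);
        if (hash_equals(make_response($challenge, $password), $response)) {
            return true;
        }
    }
    return false;
}

// Constructed sample data: documentation IP ranges, made-up user agent and clock.
$pw = 'my_secret_password';
$ua = 'ExampleBrowser/1.0';
$t0 = 1235700000;
$cookie = make_response(make_challenge('203.0.113.7', $ua, $t0), $pw);

$cases = [
    'same client, one minute later' => ['203.0.113.7', $t0 + 60],
    'same cookie, different IP'     => ['198.51.100.9', $t0 + 60],
    'same client, after expiry'     => ['203.0.113.7', $t0 + 3 * SESSION_LIFETIME],
];
foreach ($cases as $label => [$ip, $now]) {
    $ok = verify_response($cookie, $pw, $ip, $ua, $now);
    printf("%-32s %s\n", $label, $ok ? 'accepted' : 'rejected');
}
```

Within its lifetime the cookie value remains a bearer token for that IP address, which is the weakness the paragraph above warns about; only the expiry bounds it.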




A complete example

<?php
require "PHPAuthentication.php";
$auth = new PHPAuthentication('my_secret_password');
$priv = $auth->check_privileges();
?>
<title>PHPAuthentication proof-of-concept</title>
<?php $auth->javascript_login_function() ?>
<p><?php $auth->login_logout_link($priv) ?></p>
<?php
// Assumed here: check_privileges() returns a true value while the session is valid
if ($priv)
  print "<p style='color:#c00'>session active</p>";
else
  print "<p style='color:#00c'>session inactive ($auth->failure_reason)</p>";
?>
Try it now. The password is my_secret_password.


Current version is v1.0 released on 27 Feb 2009.

This software is free under the terms of the GNU General Public License: use it, share it and have fun! If you use this software and are happy with it, please consider donating.


This is PHPAuthentication v1.0, a PHP implementation of password login.

Copyright © 2009 Alberto Longhi

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

For more information on the GNU General Public License please see

This program includes the MD5 JavaScript implementation by Paul Johnston. Thank you Paul.
