Registration system with login and reset option
Here is a complete registration system with a registration form, user login and a password reset option, written in PHP and MySQL. The login system concept was taken from this post, but the code was modified to accommodate the system and also for transparency reasons. The MySQL tables needed for the system to run are included in the package. Additionally, a shell script is included that logs and then deletes login attempts and ban records. It also logs and then deletes non-activated users and their activation keys after the expiry date (3 days), and deletes expired password reset tokens (12 hours). Concept code explained here and here.
Package summary:
- activate.php
- captcha.php
- con_functions.php
- db_config.php
- index.php
- login.php
- logout.php
- registration.php
- reset.php
- sql_clean
- tables.sql
- LICENCE
Note that you will have to configure the captcha file manually. It needs the background image, the chosen font and the paths to them in order to work properly.
Download:
File: registration_system.zip
Licence: MIT
Last update: 23.12.2017
Checksum (SHA256):
d12660df61400984d7a58da7cd981822e719401449a20b619e3716adbe2fe53f
Security aspect to consider
The system is safe against SQL injection because every input that reaches a query is escaped. However, the inputs are NOT encoded with htmlentities() or htmlspecialchars() when information is saved to the database. That in itself is not a problem, but to prevent XSS you need to make sure that values fetched from the database are encoded when they are echoed.
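To make that caveat concrete, here is an added example (not code from the registration_system package) that renders a database-fetched row once without and once with output encoding; the `$user` row is a constructed sample standing in for a record read from the MySQL tables, and `e()` and `render_profile()` are helper names chosen for this example.

```php
<?php
// Added example, not part of the package: SQL escaping done before a query
// does nothing for HTML output, so values read back from the database must
// be encoded at the point where they are echoed into a page.

// Encoder for values placed in HTML element text or quoted attributes.
// ENT_QUOTES encodes both ' and ", so a value cannot close an attribute;
// ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample row standing in for a fetched user record. The values
// contain markup and a stray quote, exactly what an unencoded database may hold.
$user = [
    'username' => 'bob<script>alert(1)</script>',
    'email'    => 'bob@example.com" autofocus onfocus="alert(2)',
];

// Vulnerable pattern: raw database values are written straight into HTML,
// so stored markup becomes live script in every visitor's browser.
function render_profile_unsafe(array $user): string
{
    return '<p>Welcome ' . $user['username'] . '</p>' . PHP_EOL
         . '<input type="text" name="email" value="' . $user['email'] . '">' . PHP_EOL;
}

// Hardened pattern: every value passes through e() on output. The database
// content is unchanged; only its representation in the page is encoded.
function render_profile(array $user): string
{
    return '<p>Welcome ' . e($user['username']) . '</p>' . PHP_EOL
         . '<input type="text" name="email" value="' . e($user['email']) . '">' . PHP_EOL;
}

// The unsafe output shows the <script> tag intact; the hardened output shows
// &lt;script&gt; and &quot;, which the browser displays as text.
echo "--- unsafe ---" . PHP_EOL . render_profile_unsafe($user);
echo "--- encoded ---" . PHP_EOL . render_profile($user);
```

Apply the same encoding wherever con_functions.php, login.php or reset.php echo a stored value; a value placed inside a JavaScript block or a URL needs a context-specific encoder rather than htmlspecialchars().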
Implement TLS/SSL encryption
Someone listening to unencrypted HTTP traffic, for example on a coffee shop's free Wi-Fi network, could obtain the login credentials or the session cookie in plain text and use them to gain unauthorized access to the admin system. The solution is to use TLS/SSL, which guarantees that all traffic between the server and the user is encrypted.
Secure sensitive files
Consider saving the database config file outside the project's root folder so that it cannot be accessed via a URL. In that case you will need to modify the path to the config file in several files. The cleanup shell script should also not remain anywhere inside the project's folder.