Q&A for How to Create a Secure Login Script in PHP and MySQL

You could add an extra value to each of your users in the database which contains their rank. Then, check their rank when they access the page and handle accordingly. However, if you only want a certain user to access a page you could also check for their username.

I recommend against reverse engineering the password -- too risky. Instead, try generating a random password, then update the user's password and send an email "with a link to a special registration page" to the email address on file (don't forget the temporary password). Add "old password" to the input fields and validate that against the database, then pass the new password as a post to registration. If you want to get fancy, you can create a separate "users" table in the database with code and a password with a challenge question. Successful login will update the real user password.

The Github code is different from the code in the tutorial above. In the functions.php you pulled from Github, replace the login function with the one from the tutorial above -- just copy and paste it. That fixed the same problem for me.

This has to do with their sec_session_start() function. If you replace that function call with the regular session_start() function, your code will work. I couldn't figure this out for the longest time. I don't know what is wrong with their custom function, but I can't make it work.

Check the file names and the database names as well -- it's quite possibly just a simple word mistake.

Set $secure = true only if you are using a secured server (SSL). Set it to false if you are using an unsecured server.

Go to the given Github project link and download the project. Then replace the functions.php code to the latest version.

You may be using the database members table without the updated $salt. This $salt is used in the login() function in the functions.php. If you add the $salt to your table it should work.

Yes, if you use href, you can make a link that redirects you to the page you want it to redirect to.

PHP 5 >= 5.6.0, PHP 7 There are functions available that replicate the behavior for older versions. Google it.

Check if you have placed the JS correctly. If you did, check the names of the files. Maybe see if you have added extra field in the DB or modified the pw field. Same to do with the email. Make sure these exist include_once 'db_connect.php'; include_once 'psl-config.php'; and also if you have added extra field add these at line 8 and the bottom of the page. Also check the path.

Try using a different browser. I have found issues with Internet Explorer on pages that worked fine with Chrome. If that fails, check for typos. Another option is to break the page in reverse. Set the Login check == False. This will display the protected page, and you can work through any additional bugs.

In your php.ini file, change the value of "session.gc_maxlifetime". It's the time in seconds before the session gets destroyed.

If you used the package from the Github project link, replace the login function in function.php with the one as shown above.

This is because this tutorial is incomplete, and there is no "password_verify" function. This will have to be built by the developer!

Check if session is set with var_dump($_SESSION). If not, check if you have start the session with sec_session_start().

Check the Process-login.php to make sure the variables are being passed properly. Change line header('Location: ../index.php?error=1'); to header('Location: ../index.php?error=1['.$email.', '.$password.']'); [ & ] are there just to highlight the information. It will print [] if variables are empty. It would be necessary to have additional information to be more helpful.