Secure Login System
SLS is a web application that protects pages which should be hidden from visitors and visible only to registered members, and, in the extended package, doubles as a user management tool. It comes in two packages:
- Minimal Version – the login application only, for a single user or multiple users
- Extended Version – the login application plus, as an extension, a backend for admin users only, where you can manage members
The application has two parts: a PHP class that handles all server-side processing and data, and a jQuery plugin that renders the forms and drives every step over Ajax with smooth transitions, without page redirects.
jQuery Plugin
A jQuery plugin that generates the login, register, recover and reset password forms, with many options that are easy to edit if necessary.
Features:
- Generates a login form just by including the latest jQuery library and selecting the element the form should be applied to:
$('element').loginsys();
- Handles the login process and every other action with Ajax
- Instead of showing an error message when the credentials are wrong, the form shakes (a custom function written for this; it does not require jQuery UI)
- Smooth successful-login or lockdown message without redirects
- Toggle button for when the user has to register, forgot the password, or wants another way to log in (Twitter, Facebook, Google; coming in the next version)
- Register form generated smoothly without redirects when the user chooses to register
- Registration handled with Ajax; the register form fades out and the login form fades in if registration is successful
- Recover Password form generated without redirects when the user chooses to recover the password
- Recovery handled with Ajax; the recover form fades out and the Reset Password form fades in if the email is valid and found in the database
- Reset password process handled with Ajax
- The reset form fades out and the login form fades in if the reset is successful
- Debug option, if the user wants every message logged to the console
- Option to center the forms and objects; it can be disabled and done via CSS instead
- Autocomplete option for inputs, which can be turned on or off
- Action options for the Ajax handling of each form
- Shake options to control the number of shakes, the distance and the duration for the login and recover forms
- Option to link a different icon for the labels that have one and to choose a different placeholder / label name
PHP Class
A PHP class that takes care of the login process and its related features (registration, password recovery and password reset) as well as the admin backend processes.
Features:
- The class has an advanced login process and stores passwords and secret password recovery codes only as HMAC-SHA512 hashes, never in clear
- It first transforms the username and the password with its own encoding step; the result feeds the hashing process
- From the transformed username and password it derives a per-user salt key. The salt key is never stored in the database; it is recomputed from the submitted credentials whenever a hash is needed. A password hash cannot be decrypted in any case; the salt's job is to make precomputed hash tables useless against the stored values. Because the salt has to be recomputed by the application, its derivation is a function of data the server has at login time, not a secret the database protects
- The password hash is then computed with hash_hmac using sha512 over the typed password, keyed with the salt generated before. On registration or password reset the hash is stored in the database; on login it is compared against the stored value
- User registration with custom messages during the process and a confirmation email upon successful registration
- Email validation when registering, a captcha as a human check, and a check that the username / email is not already registered
- Password recovery process with custom messages during it
- Reset password process with custom messages during it, available only after the password recovery form has been completed
- Password recovery requires a valid, registered email (checked against the database); if successful, an authorization code is sent to the registered email address. This code does not log you in; it can be used only to reset the password, and the email address it was requested for must be supplied with it
- The reset password process also has custom messages and works as follows: it requires the authorization code from the email, the email address the code was requested for, and the new password; if all are valid, the password is changed
- It is important to know that this system uses sessions to check the login state as well as to log in and log out
- The check for a logged-in user is simple: a session value is created only when the user logs in, and if it is not found the script returns a JSON-encoded message for Ajax handling (this is how I have used it, but you can add a redirect at any time)
- The same principle applies on logout: the session is destroyed
- It is very important to know that each file in the “actions” folder contains a “sleep(2);” line, which slows brute force attacks by making every request cost at least two seconds. Note that a fixed delay only slows a sequential guesser: it does not limit requests sent in parallel, and every sleeping request holds a PHP worker, so it is meant to be combined with the lockdown below
- As a supplementary protection against brute force, the system has a lockdown mode that is activated when the number of login attempts set in “settings.php” is exceeded; from then on the login form does nothing. Bear in mind that a lockdown anyone can trigger by sending bad attempts also locks out the legitimate user, so choose the threshold and the procedure for clearing it with that in mind
- Finally, as an extension to the class, there is a backend for admins, a user management tool, with the following features:
- Admin User Password Change
- Create New Users
- Delete Users
- Assign Admin Role To Users
- Demote Admins To Simple Users
- Each of the above processes has custom messages set in the “settings.php” file
- Password changing follows the same principle as password resetting, but instead of the email you need your username (which is already printed out) and instead of the authorization code you need your old password; the rest is the same
- Creating a new user is as simple as it gets: you type a username, email and password and it is done, provided the email address and the username do not already exist (the email is validated as well)
- Deleting a user does not require any skill either: users are listed in rows and you simply hit “Delete” to remove the desired one; a custom message says whether it was deleted or not
- Assigning and demoting admins works the same way: the listed users are ready to be made admins or demoted
- Another note: each time a connection to the database is made, the table is optimized to avoid overhead. Optimizing a table rebuilds it and locks it while it runs, so doing this on every connection is expensive on a busy site; a scheduled job is the usual approach
- The class also has extensive settings: open the “settings.php” file located in the same folder as the class; each setting has a comment explaining what it does
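The following PHP class is an added example written for this page; it is not code from the Secure Login System script. It walks through the flow the bullets above describe: a salt derived at runtime rather than stored, HMAC-SHA512 over the typed secret keyed with that salt, the same hashing for recovery codes, a reset that needs the code plus the email it was requested for, and an attempt counter behind the lockdown. Everything named here is an assumption: deriveSalt() is a stand-in for the script's unspecified derivation, the $settings keys are invented and not the real settings.php names, and the $users array stands in for the users table. The counter is kept per account, whereas the page's lockdown switches the whole login off.

```php
<?php
// Editor's example, not the script's own code. Hypothetical names throughout:
// deriveSalt() stands in for the script's salt derivation, the $settings keys
// are invented, and $users is an in-memory stand-in for the users table.
final class LoginExample
{
    private array $settings;
    private array $users = [];

    public function __construct(array $settings)
    {
        $this->settings = $settings;
    }

    // Hypothetical salt derivation: deterministic from data the server has at
    // login time (the username and an application secret), so it never needs
    // to be stored and can be recomputed for every hash.
    private function deriveSalt(string $username): string
    {
        return hash_hmac('sha512', strtolower($username), $this->settings['app_secret'], true);
    }

    // HMAC-SHA512 of a secret (password or recovery code) keyed with the derived salt.
    public function hashSecret(string $username, string $secret): string
    {
        return hash_hmac('sha512', $secret, $this->deriveSalt($username));
    }

    // Registration: valid email, username and email not already taken.
    public function register(string $username, string $email, string $password): bool
    {
        if (isset($this->users[$username]) || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
            return false;
        }
        foreach ($this->users as $u) {
            if (strcasecmp($u['email'], $email) === 0) {
                return false;
            }
        }
        $this->users[$username] = [
            'email'    => $email,
            'hash'     => $this->hashSecret($username, $password),
            'attempts' => 0,
            'recovery' => null,   // hash of the outstanding recovery code, if any
        ];
        return true;
    }

    // Login: returns 'ok', 'invalid' or 'lockdown'. Constant-time comparison
    // of the stored hash against the recomputed one; bad attempts are counted.
    public function login(string $username, string $password): string
    {
        if (!isset($this->users[$username])) {
            return 'invalid';
        }
        $user = &$this->users[$username];
        if ($user['attempts'] >= $this->settings['max_attempts']) {
            return 'lockdown';
        }
        if (hash_equals($user['hash'], $this->hashSecret($username, $password))) {
            $user['attempts'] = 0;
            return 'ok';
        }
        $user['attempts']++;
        return $user['attempts'] >= $this->settings['max_attempts'] ? 'lockdown' : 'invalid';
    }

    // Recovery: only the hash of a random code is kept; the clear code is
    // returned so the caller can email it. Null if the email is not registered.
    public function requestRecovery(string $email): ?string
    {
        foreach ($this->users as $username => &$user) {
            if (strcasecmp($user['email'], $email) === 0) {
                $code = bin2hex(random_bytes(16));
                $user['recovery'] = $this->hashSecret($username, $code);
                return $code;
            }
        }
        return null;
    }

    // Reset: needs the code, the email it was requested for and the new
    // password. The code is single-use and the attempt counter is cleared.
    public function resetPassword(string $email, string $code, string $newPassword): bool
    {
        foreach ($this->users as $username => &$user) {
            if (strcasecmp($user['email'], $email) !== 0 || $user['recovery'] === null) {
                continue;
            }
            if (!hash_equals($user['recovery'], $this->hashSecret($username, $code))) {
                return false;
            }
            $user['hash']     = $this->hashSecret($username, $newPassword);
            $user['recovery'] = null;
            $user['attempts'] = 0;
            return true;
        }
        return false;
    }
}

// Usage (constructed sample data): php example.php
$sls = new LoginExample(['app_secret' => 'change-me', 'max_attempts' => 3]);
$sls->register('alice', 'alice@example.com', 'correct horse');
var_dump($sls->login('alice', 'wrong'), $sls->login('alice', 'correct horse'));
$code = $sls->requestRecovery('alice@example.com');
var_dump($sls->resetPassword('alice@example.com', $code, 'new pass'), $sls->login('alice', 'new pass'));
```

Two design consequences worth noting: because the salt is recomputed from the username, renaming an account would require re-hashing its password at the same time, and because the reset checks the code against a stored hash rather than the code itself, a database read does not disclose usable recovery codes.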
Future additions to this application will include Twitter / Facebook / Google / LinkedIn login (signup) and others as users request them. Also keep in mind that this application is very modular and well documented, so it is easy to use only the parts you need without a headache understanding the code. More importantly, you do not need to create forms for each feature: all of them are created with a single line of code.
Resources:
- Spin JS – used for the spinner on the login form during processing; it is open source and not part of this script, you can use anything you want instead of it
- jQuery Tools – also not part of the script; I used it only to demonstrate how the script works
- Icons – these are part of the login script; if you want to buy them separately you can do so
Changelog
- application v1.0 released 05.01.2012
- pending for sale on Envato Marketplaces 05.01.2012
- rejected because of over-saturation of similar scripts 06.01.2012
- application v1.1 released 20.01.2012
- pending for sale on Envato Marketplaces 20.01.2012
- approved for sale on Envato Marketplaces 21.01.2012