Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Develop a Login Form and Implement Session Management #4

Open
andrew21-mch opened this issue Aug 16, 2024 · 0 comments
Open

Develop a Login Form and Implement Session Management #4

andrew21-mch opened this issue Aug 16, 2024 · 0 comments
Labels

Comments

@andrew21-mch
Copy link
Contributor

Issue 4: Develop a Login Form and Implement Session Management

Description:

The objective of this task is to create a login feature that allows users to authenticate themselves and access their personal dashboard or profile. This includes building a login form, validating user credentials, implementing secure session management, and redirecting authenticated users to their respective pages.

Steps to Complete:

  1. Design the Login Form:

    • Create a PHP file (e.g., login.php) within the public/ directory to serve as the login page.
    • The form should capture the following user credentials:
      • Username or Email
      • Password
  2. Implement Client-Side Validation:

    • Use HTML5 attributes and JavaScript to perform basic client-side validation:
      • Ensure the username/email and password fields are not empty.
      • Provide feedback if fields are left empty before submission.
  3. Handle Form Submission:

    • Upon form submission, process the form data in the same login.php file or another PHP script included via a POST request.
    • Sanitize the input data using PHP’s built-in functions to prevent SQL injection and cross-site scripting (XSS).
    • Example:
      $usernameOrEmail = filter_input(INPUT_POST, 'username_or_email', FILTER_SANITIZE_STRING);
      $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);
  4. Validate User Credentials:

    • Query the users table to find a user with the provided username or email.
    • Verify the provided password against the stored hashed password using PHP’s password_verify() function.
    • Example:
      $user == getUser();
      if ($user && password_verify($password, $user['password'])) {
          // Password is correct
      } else {
          // Invalid credentials
      }
  5. Implement Session Management:

    • Start a session if the credentials are valid using session_start().
    • Store relevant user information in session variables (e.g., $_SESSION['user_id'], $_SESSION['username']).
    • Example:
      session_start();
      $_SESSION['user_id'] = $user['id'];
      $_SESSION['username'] = $user['username'];
    • Set session timeout if needed and implement session regeneration to prevent session fixation attacks.
  6. Redirect Authenticated Users:

    • After successful authentication, redirect the user to their dashboard or profile page (e.g., dashboard.php).
    • If authentication fails, return the user to the login page with an appropriate error message.
  7. Secure the Session:

    • Ensure that session data is stored securely:
      • Use session_regenerate_id() after successful login to prevent session fixation.
      • Implement secure cookie settings such as HttpOnly and Secure flags.
    • Implement logout functionality by destroying the session when the user logs out.
  8. Provide Feedback and Error Handling:

    • Display user-friendly error messages for incorrect login credentials.
    • Provide a link for password recovery if the user forgets their credentials (implementation of password recovery may be a separate task).
  9. Test the Login Process:

    • Test the login process with various scenarios:
      • Correct username/email and password.
      • Incorrect username/email.
      • Incorrect password.
      • Sessions persisting across pages after login.
    • Ensure that unauthenticated users cannot access protected pages by implementing access control checks.

Acceptance Criteria:

  • The login form is fully functional, with both client-side and server-side validation.
  • User credentials are verified securely, and successful logins initiate a session.
  • Authenticated users are redirected to their dashboard or profile page.
  • Appropriate feedback is provided for incorrect login attempts.
  • Sessions are managed securely, with prevention measures against session fixation and hijacking.
  • Unauthenticated users are prevented from accessing protected pages.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
Status: No status
Development

No branches or pull requests

1 participant