
phpauth/phpauth
===============

A secure user authentication class for PHP websites, using a powerful password hashing system and attack blocking to keep your website and users secure.

Latest version: 1.6.1. License: MIT. Requires PHP >=7.2.0.

[![PHPAuth banner](https://github.com/PHPAUth/PHPAUth/raw/master/banner_small.png?raw=true)](https://github.com/PHPAUth/PHPAUth/blob/master/banner_small.png?raw=true)

PHPAuth
=======

Notice! (pr 1/10/2020)
----------------------

PHPAuth is undergoing a complete rewrite to bring the code up to date. The project has been on hold for way too long now, and I decided to work on it again, making sure EVERYONE can use it and not just advanced programmers. My goal is to make an Auth framework that is secure, extendable and usable for everyone. It will take some time, but we have a good amount of users already using this code who are happy to help out.

#### Goals:

- Bring the code up to the latest PHP version, with a min. of v7.1 to v7.4 (if a new version comes out while rewriting, the code will be pushed up to that version as well)
    - [PHP 7 improvements](https://github.com/PHPAuth/PHPAuth/pull/482)
- Making the code even more secure to use by adding things like one time keys (OTP, 2FA etc)
- Make sure that the code can be used by everyone, also beginners.
- Write much better documentation.
- Make database queries faster.
- Optimize the code.
- Bring down issue count.
- Respond faster to issues and PRs.
- And much more!

What is it
----------

PHPAuth is a secure user authentication class for PHP websites, using a powerful password hashing system (Thanks to [ZxcvbnPhp\\Zxcvbn](https://github.com/bjeavons/zxcvbn-php)) and attack blocking to keep your website and users secure.

PHPAuth is a work in progress and is not meant for people who don't know how to program; it's meant for people who know what they are doing. We cannot help everyone because they don't understand this class.

IT'S NOT ONLY FOR BEGINNERS!

Features
--------

- Authentication by email and password combination
- Uses [bcrypt](http://en.wikipedia.org/wiki/Bcrypt) to hash passwords, a secure algorithm that uses an expensive key setup phase
- Uses an individual 128 bit salt for each user, pulled from /dev/urandom, making rainbow tables useless
- Uses PHP's [PDO](http://php.net/manual/en/book.pdo.php) database interface and uses prepared statements meaning an efficient system, resilient against SQL injection
- Blocks (or verifies) attackers by IP for any defined time after any amount of failed actions on the portal
- No plain text passwords are sent or stored by the system
- Integrates easily into most existing websites, and can be a great starting point for new projects
- Easy configuration of multiple system parameters
- Allows sending emails via SMTP or sendmail
- Blocks disposable email addresses from registration

User actions
------------

- Login
- Register
- Activate account
- Resend activation email
- Reset password
- Change password
- Change email address
- Delete account
- Logout

Requirements
------------

- PHP 7.4+
- MySQL / MariaDB database or PostgreSQL database

Composer Support
----------------

PHPAuth can be installed with the following command:

`composer require phpauth/phpauth`

Then: `require '/path/to/vendor/autoload.php';`

Installing without Composer is not recommended.

Configuration
-------------

The database table `config` contains multiple parameters allowing you to configure certain functions of the class.

- `site_name` : the name of the website to display in the activation and password reset emails
- `site_url` : the URL of the Auth root, where you installed the system, without the trailing slash, used for emails.
- `site_email` : the email address from which to send activation and password reset emails
- `site_key` : a random string, which you should change from its default, used to validate cookies to ensure they are not tampered with
- `site_timezone` : the timezone for correct DateTime values
- `site_activation_page` : the activation page name appended to the `site_url` in the activation email
- `site_activation_page_append_code` : `1` to append /key to the `site_url` in the activation email for a simpler UX; a RESTful API should be implemented for this option
- `site_password_reset_page` : the password reset page name appended to the `site_url` in the password reset email
- `site_password_reset_page_append_code` : `1` to append /key to the `site_url` in the reset email for a simpler UX; a RESTful API should be implemented for this option
- `cookie_name` : the name of the cookie that contains session information, do not change unless necessary
- `cookie_path` : the path of the session cookie, do not change unless necessary
- `cookie_domain` : the domain of the session cookie, do not change unless necessary
- `cookie_samesite` : the [same-site setting](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite) of the cookie. It defaults to Strict, do not change unless necessary
- `cookie_secure` : the HTTPS-only setting of the session cookie, by default only allows calls over an HTTPS channel, do not change unless necessary
- `cookie_http` : the [HTTP only protocol](https://owasp.org/www-community/HttpOnly) setting of the session cookie, true by default, do not change unless necessary
- `cookie_remember` : the time that a user will remain logged in for when ticking "remember me" on login. Must respect PHP's [strtotime](http://php.net/manual/en/function.strtotime.php) format.
- `cookie_forget` : the time a user will remain logged in when not ticking "remember me" on login. Must respect PHP's [strtotime](http://php.net/manual/en/function.strtotime.php) format.
- `cookie_renew` : the maximum time difference between session expiration and last page load before allowing the session to be renewed. Must respect PHP's [strtotime](http://php.net/manual/en/function.strtotime.php) format.
- `allow_concurrent_sessions` : Allow a user to have multiple active sessions (boolean). If false (default), logging in will end any existing sessions.
- `bcrypt_cost` : the algorithmic cost of the bcrypt hashing function, can be changed based on hardware capabilities
- `smtp` : `0` to use sendmail for emails, `1` to use SMTP
- `smtp_debug` : `0` to disable SMTP debugging, `1` to enable SMTP debugging, useful when you are having email/SMTP issues
- `smtp_host` : hostname of the SMTP server
- `smtp_auth` : `0` if the SMTP server doesn't require authentication, `1` if authentication is required
- `smtp_username` : the username for the SMTP server
- `smtp_password` : the password for the SMTP server
- `smtp_port` : the port for the SMTP server
- `smtp_security` : `NULL` for no encryption, `tls` for TLS encryption, `ssl` for SSL encryption
- `verify_password_min_length` : minimum password length, default is `3`
- `verify_email_min_length` : minimum email length, default is `5`
- `verify_email_max_length` : maximum email length, default is `100`
- `verify_email_use_banlist` : use the banlist when checking allowed emails (see `/files/domains.json`), default is `1` (`true`)
- `attack_mitigation_time` : time used for rolling attempts timeout, default is `+30 minutes`. Must respect PHP's [strtotime](http://php.net/manual/en/function.strtotime.php) format.
- `attempts_before_verify` : maximum amount of attempts to be made within `attack_mitigation_time` before requiring captcha. Default is `5`
- `attempt_before_ban` : maximum amount of attempts to be made within `attack_mitigation_time` before temporarily blocking the IP address. Default is `30`
- `password_min_score` : the minimum score given by [zxcvbn](https://github.com/bjeavons/zxcvbn-php) that is allowed. Default is `3`
- `translation_source` : source of translations; possible values: `sql` (data from the table named in `table_translations` will be used), `php` (default, translations will be loaded from `languages/*.php`), `ini` (`languages/*.ini` files will be used)
- `table_translations` : name of the table with translations for all messages
- `table_attempts` : name of the table with all attempts (default is `phpauth_attempts`)
- `table_requests` : name of the table with all requests (default is `phpauth_requests`)
- `table_sessions` : name of the table with all sessions (default is `phpauth_sessions`)
- `table_users` : name of the table with all users (default is `phpauth_users`)
- `table_emails_banned` : name of the table with all banned email domains (default is `phpauth_emails_banned`)
- `recaptcha_enabled` : `1` to enable Google reCaptcha, `0` to disable it (default)
- `recaptcha_site_key` : string, contains the public reCaptcha key (for JavaScript)
- `recaptcha_secret_key` : string, contains the secret reCaptcha key
- `uses_session` : `1` to use sessions, `0` (default) to use cookies

The rest of the parameters generally do not need changing.
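
How `attack_mitigation_time`, `attempts_before_verify` and `attempt_before_ban` interact, shown as an added example that is not PHPAuth's own code. The function names, the model of storing each failed attempt as an expiry timestamp, and the choice that reaching a threshold triggers it are assumptions of this example; the sample attempts are constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not PHPAuth source. Keys and defaults are the ones
// listed in the configuration section; everything else is an assumption.
const CONFIG = [
    'attack_mitigation_time' => '+30 minutes',
    'attempts_before_verify' => 5,
    'attempt_before_ban'     => 30,
];

/** Store a failed attempt as its expiry time (assumed storage model). */
function recordFailure(array $expiries, int $now, array $config): array
{
    $expiry = strtotime($config['attack_mitigation_time'], $now);
    if ($expiry === false || $expiry <= $now) {
        // A typo such as "30 minuts" would otherwise disable mitigation silently.
        throw new InvalidArgumentException('attack_mitigation_time must be a future strtotime() offset');
    }
    $expiries[] = $expiry;
    return $expiries;
}

/** Count attempts still inside the rolling window and map the count to a state. */
function classifyIp(array $expiries, int $now, array $config): string
{
    $active = count(array_filter($expiries, fn (int $e): bool => $e > $now));
    if ($active >= (int) $config['attempt_before_ban']) {
        return 'block';   // temporarily refuse the IP
    }
    if ($active >= (int) $config['attempts_before_verify']) {
        return 'verify';  // require a captcha
    }
    return 'allow';
}

// Constructed sample: one failed login per minute from a single IP.
$start = strtotime('2024-01-01 12:00:00 UTC');
$expiries = [];
for ($i = 1; $i <= 35; $i++) {
    $now = $start + 60 * $i;
    $expiries = recordFailure($expiries, $now, CONFIG);
    if (in_array($i, [4, 5, 29, 30, 35], true)) {
        printf("failure %2d: %s\n", $i, classifyIp($expiries, $now, CONFIG));
    }
}
// 31 quiet minutes later every recorded attempt has expired.
printf("after quiet period: %s\n", classifyIp($expiries, $now + 31 * 60, CONFIG));
```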

How to secure a page
--------------------

Making a page accessible only to authenticated users is quick and easy, requiring only a few lines of code at the top of the page:

```
