Question:
How do you create a website with passwords?
2010-07-14 18:41:29 UTC
Hello. I have been setting up a website for use by the public. For me setting up this website has been more of a learning experience than anything else, I do not plan for much to come of the site. Long story short, the site is basically a forum, where people can post their thoughts (I'll leave it at that). I realize that this doesn't sound very original, but remember this website is mainly a learning experience.

On this website, I want the visitors to be able to signup and login using a password and a username. I want users to only be able to post on the website when they are logged in and I want their posts to bear their username. I believe that I know enough CSS, PHP, and HTML to set up the forms that the users would enter their posts into and the framework of the website, but I am clueless as to how I would set up a safe username and password system.

What I would like to know is:
1) What would I need to learn in order to set up a safe username and password system?

2) Do you know of any online tutorials that could teach me the fundamental skills that I will need to set up such a system?

Please understand that I do not by any means believe that this will be an easy task and I am willing to learn the skills required to complete it.
I am sorry if this seems like a stupid question to some, I am just interested.

Thank you in advance!
Four answers:
2010-07-14 18:45:00 UTC
The best way to learn, at least for me, is to see how it's done. Download phpBB (it's free) http://www.phpbb.com/downloads/ and study the code. It's well-written, clean and, if you understand PHP, you should be able to follow it.

The only stupid questions are the one that was just answered (and you weren't paying attention) and one you don't want the answer to. This wasn't one.
TSSA!
2010-07-14 19:14:50 UTC
1) PHP and MySQL

2) http://pajhome.org.uk/crypt/md5/

For non-SSL web authentication, you basically need to be able to (1) log in while keeping passwords secure and (2) validate sessions.

Logging In:

You should create a login form with two text fields, user-name and password, and two hidden fields, server_salt and server_challenge. The user fills out user-name and password and then a script is run on the form submission (onSubmit). This script will use an hmac hash function (md5 or sha-1 usually) like so: hmac(hmac(password,server_salt),server_challenge). This hashed value replaces the password and then the form goes POST.

At the server side, when you're determining if this is a valid login, you use an SQL query to find the password value associated with the username. NOTE!!! The values associated with the username should be hmac(password,server_salt). Your server_salt can be kept public, but you need to make sure to use it to prevent rainbow table attacks. The value you pulled from SQL is then hashed with the server challenge in POST. If the new hash matches the password hash in POST, then this is a valid login.

server_challenge can be a timestamp or a random number. Timestamps tend to not be very secure, as a cracker could just replay the login credentials. You can prevent these attacks by keeping track of server challenges and rejecting repeats.

Session Validation:

So once a user has passed login, we drop them a Session ID cookie. The Session ID should be randomly created (you can use PHP $_SESSION[] if you want, but it might be accessible to others on shared hosting, breaking your system). The Session ID is then stored in an SQL table along with the user it's associated with. For additional security, you should consider storing the User-Agent and the time of the last action.

Whenever the user lands on a secure page, a PHP validation script will check to see if the Session ID exists. If it does, you then check to see if the current User-Agent matches the stored User-Agent. You also check to make sure that the session has not expired (i.e. if the last action was 3 hours ago, invalidate the session). Once they've cleared these barriers, you give them access.

If they fail to clear the barriers, make them log in again and generate a new session ID.

Hope that helps
2010-07-14 18:51:05 UTC
I literally just set up a sign up/sign in system for my website using PHP and MySQL (MySQL is what you need for a database with the usernames, passwords, and emails. It comes with most web hosts). I didn't even know anything about PHP when I started this so it took me a while to grasp what I needed to do, but I'll try to explain what you need and then give you the website that has all the PHP codes and stuff. You need a sign up form, a sign in form, a code to put at the top of members only pages that will forward them to a sign in form, a sign out link, and a little code that will display the username of the person signed in. This is the website I used after a lot of searching: http://www.swish-db.com/tutorials/view.php/tid/601. I'm not sure that it has everything I mentioned. You may have to look up whatever is missing on Google. There is no perfect sign up/sign in system, so you basically have to piece it together yourself. The good news is that you will feel very comfortable with PHP after setting this thing up. Good luck, and if you have any other questions or want a PHP code that you can't find, let me know and I'll email it to you.
Frxstrem
2010-07-15 05:47:29 UTC
You will need to know:

* HTML
* PHP
* MySQL syntax, and how to use the MySQLi extension with PHP [ http://php.net/mysqli ]
* Using cryptographic hashes [ http://phpsec.org/articles/2005/password-hashing.html | http://php.net/hash ]
* Using sessions (or, optionally, cookies) [ http://no.php.net/manual/en/book.session.php ]

It is actually quite simple to set up a basic user system - it's probably a bit more advanced when you start taking security measures, such as using cryptographic hashes, but still not very advanced.

I also came across this basic tutorial that might be helpful:

http://net.tutsplus.com/tutorials/php/user-membership-with-php/


This content was originally posted on Y! Answers, a Q&A website that shut down in 2021.