Chapter 12. User Authentication


  • Designing the MySQL database

  • Basic HTTP-based authentication

  • Digest HTTP-based authentication

  • Pure PHP authentication

  • Securing user information in cookies

  • Access Control Lists

PHP is particularly well suited for user authentication, and where PHP is used for authentication you will usually find a MySQL database behind it. It doesn't take long for an application to grow to the point where it needs an authentication system, which will most likely include:

  • User login and logout

  • User roles (administrator, guest, and so on)

  • User management

Similarly, it often isn't long before built-in Apache or IIS authentication becomes insufficient. In many cases, the authentication system is one of the first scripts that a PHP programmer attempts to write. Expert PHP programmers recognize that security — especially when it comes to sensitive user information — is paramount, and if the developer is not careful, it is easy to leave an application open to attacks such as session theft and replay attacks.

This chapter covers techniques and best practices for storing user account information, authenticating users, and maintaining sessions.

The chapter finishes off with a brief overview of Access Control List (ACL).


Two topics that are not covered in this chapter are OpenID and OAuth. Both are methods for authenticating users with third-party login credentials. Each method warrants discussion and is appropriate to use in many if not most applications. However, ...

Get Expert PHP and MySQL® now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.