Storing Passwords
Before we can begin coding with PHP, we need to first take a brief look at passwords. There are many different ways to manage and store a user's login ID and passwords, but one common method is to store them in a database.

For security purposes, the passwords themselves should not be stored in the database in a plain text manner. Instead, the password can be processed by a one-way, irreversible encryption or hashing function and then the jumbled result is what is actually stored. That means the password supplied later will need to be encrypted/hashed before we compare it with the stored value. If they both match then we know the password is good.

PHP's sha1 function should suffice for our purposes. It accepts a string and returns a 40 character hexadecimal hash representation. This hash cannot be converted back to the original string. The following is an example of sha1 in action:

<?php
$password = "secret";

echo $password;
/* displays secret */

$password = sha1($password);

echo $password;
/* displays e5e9fa1ba31ecd1ae84f75caaa474f3a663f05f4 */
?>  


We'll assume for this tutorial that a database table named Users exists which stores the username and passwords hashed with the sha1 function.

It's common mistake to not make the password column large enough to store the entire hash. Using sha1, the column should be 40 characters.

Source: http://codewalkers.com/tutorials/82/2.html

Getting the User Login
An HTML form is used to obtain the user's login credentials. The form displays 2 input fields--one to obtain the login ID and another to obtain the password.


<form action="validate.php" method="post">
  <label for="userid">ID</label>
  <input type="text" name="userid" id="userid" />
  <br />
  <label for="password">Password</label>
  <input type="password" name="password" id="password" />
  <br />
  <input type="submit" name="submit" value="Submit" />
</form>  


The userid input field accepts the user's login id while the password field will accept the user's password. The password field might show asterisks or dots as the value is entered, but remember that the form will send it's data in clear text. A secure connection should be made using HTTPS. For more information on that subject see my tutorial Generating Your Own Security Certificates For Use With Apache/HTTPS.

The form here submits its information to a script named validate.php as specified by the form's action attribute. It's that script that will be responsible for checking the user's login ID and password in the database and allowing the user to continue.

Source: http://codewalkers.com/tutorials/82/3.html

Processing the Login
The actual authentication can take place once we have the user's login ID and password. We need to encrypt or hash the password the same way it was initially done.

$user = $_POST["userid"];
$pass = sha1($_POST["password"]);  


With the ID and password value, we can query the database for any matching records. The following SQL statement is designed to return records where the login ID and password hash match.

SELECT * FROM  Users WHERE User = '$user' AND Password = '$pass'  


If the query returns a record set then the login credentials are valid and the user may have access to the protected information. If the query fails to return a record then the credentials are invalid and access is denied.

The validate.php script that would accomplish all of that might resemble the following:

<?php
/* get the incoming ID and password hash */
$user = $_POST["userid"];
$pass = sha1($_POST["password"]);

/* establish a connection with the database */
$server = mysql_connect("localhost", "mysql_user",
          "mysql_password");
if (!$server) die(mysql_error());
mysql_select_db("myDatabase");
  
/* SQL statement to query the database */
$query = "SELECT * FROM Users WHERE User = '$user'
         AND Password = '$pass'";

/* query the database */
$result = mysql_query($query);

/* Allow access if a matching record was found, else deny access. */
if (mysql_fetch_row($result))
  echo "Access Granted: Welcome, $user!";
else
  echo "Access Denied: Invalid Credentials.";

mysql_close($server);  
?>  


Instead of simply echoing "Access Granted" or "Access Denied" as shown here, your script can set cookies or start sessions, redirect the user to the login form or perform whatever else is needed.

Source: http://codewalkers.com/tutorials/82/4.html

Persisting the Authentication
Once access to a resource has been granted to a user, it's typical for the access privileges to persist for a period of time. PHP sessions offer a nice way to carry information such as authentication throughout a series of pages. This way, a user won't have to provide a user ID and password each time a resource is accessed.

The validate.php script would initiate a session, set an access token and then redirect the user to the secured document.

<?php
if (mysql_fetch_row($result)) {
  /* access granted */
  session_start();
  header("Cache-control: private");
  $_SESSION["access"] = "granted";
  header("Location: ./secure.php");
} else
  /* access denied – redirect back to login */
  header("Location: ./login.html");
?>  


After which each secured resource would continue the session and check for the access token.

<?php
session_start();
header("Cache-control: private");
if ($_SESSION["access"] == "granted")
  header("Location: ./secure.php");
else
  header("Location: ./login.html");
?>  

Source: http://codewalkers.com/tutorials/82/5.html