Finish log-in system

Author: kudosscience

data/data.sqlite

@@ -1,6 +1,8 @@
 <?php
 require_once 'lib/common.php';
 
+session_start();
+
 // Connect to the database, run a query, handle errors
 $pdo = getPDO();
 $stmt = $pdo->query(

index.php

@@ -131,4 +131,55 @@ function getCommentsForPost($postId)
         array('post_id' => $postId, )
     );
     return $stmt->fetchAll(PDO::FETCH_ASSOC);
+}
+
+function tryLogin(PDO $pdo, $username, $password)
+{
+    $sql = "
+        SELECT
+            password
+        FROM
+            user
+        WHERE
+            username = :username
+    ";
+    $stmt = $pdo->prepare($sql);
+    $stmt->execute(
+        array('username' => $username, )
+    );
+    // Get the hash from this row, and use the third-party hashing library to check it
+    $hash = $stmt->fetchColumn();
+    $success = password_verify($password, $hash);
+    return $success;
+}
+/**
+ * Logs the user in
+ *
+ * For safety, we ask PHP to regenerate the cookie, so if a user logs onto a site that a cracker
+ * has prepared for him/her (e.g. on a public computer) the cracker's copy of the cookie ID will be
+ * useless.
+ *
+ * @param string $username
+ */
+function login($username)
+{
+    session_regenerate_id();
+    $_SESSION['logged_in_username'] = $username;
+}
+
+/**
+ * Logs the user out
+ */
+function logout()
+{
+    unset($_SESSION['logged_in_username']);
+}
+function getAuthUser()
+{
+    return isLoggedIn() ? $_SESSION['logged_in_username'] : null;
+}
+
+function isLoggedIn()
+{
+    return isset($_SESSION['logged_in_username']);
 }

lib/common.php

@@ -1,3 +1,31 @@
+<?php
+require_once 'lib/common.php';
+// We need to test for a minimum version of PHP, because earlier versions have bugs that affect security
+if (version_compare(PHP_VERSION, '5.3.7') < 0)
+{
+    throw new Exception(
+        'This system needs PHP 5.3.7 or later'
+    );
+}
+
+session_start();
+
+// Handle the form posting
+$username = '';
+if ($_POST)
+{
+    // Init the database
+    $pdo = getPDO();
+    // We redirect only if the password is correct
+    $username = $_POST['username'];
+    $ok = tryLogin($pdo, $username, $_POST['password']);
+    if ($ok)
+    {
+        login($username);
+        redirectAndExit('index.php');
+    }
+}
+?>
 <!DOCTYPE html>
 <html>
     <head>
@@ -8,13 +36,25 @@
     </head>
     <body>
         <?php require 'templates/title.php' ?>
+
+        <?php // If we have a username, then the user got something wrong, so let's have an error ?>
+        <?php if ($username): ?>
+            <div style="border: 1px solid #ff6666; padding: 6px;">
+                The username or password is incorrect, try again
+            </div>
+        <?php endif ?>
+
         <p>Login here:</p>
         <form
             method="post"
         >
             <p>
                 Username:
-                <input type="text" name="username" />
+                <input
+                    type="text"
+                    name="username"
+                    value="<?php echo htmlEscape($username) ?>"
+                />
             </p>
             <p>
                 Password:

login.php

@@ -0,0 +1,5 @@
+<?php
+require_once 'lib/common.php';
+session_start();
+logout();
+redirectAndExit('index.php');

logout.php

@@ -1,5 +1,10 @@
 <div style="float: right;">
-    <a href="login.php">Log in</a>
+    <?php if (isLoggedIn()): ?>
+    Hello <?php echo htmlEscape(getAuthUser()) ?>.
+        <a href="logout.php">Log out</a>
+    <?php else: ?>
+        <a href="login.php">Log in</a>
+    <?php endif ?>
 </div>
 
 <a href="index.php">

templates/title.php

@@ -2,6 +2,8 @@
 require_once 'lib/common.php';
 require_once 'lib/view-post.php';
 
+session_start();
+
 // Get the post ID
 if (isset($_GET['post_id']))
 {
@@ -91,5 +93,7 @@
                 </div>
             </div>
         <?php endforeach ?>
+
+        <?php require 'templates/comment-form.php' ?>
     </body>
 </html>