
MySQL login system with attempts and ban auditing

A lightweight MySQL-driven login system that uses the PBKDF2 hashing algorithm to authenticate users, appropriate for immediate use on small to medium projects. The database login table setup is not optimized for large amounts of data; in that case it would be better to store the information as binary data, and the code would have to be modified accordingly. However, for immediate use, I suppose you wouldn't have to worry about rapid data growth. Just in case, the .zip file includes a shell script that handles data from the login_attempts and login_banned tables. The code itself is explained here.

Download:

File: mysql_login.zip
Licence: MIT
Last update: 24.11.2017

Checksum (SHA256):

c8c36e0c3b7eb92881784c7bf5910c31d6dca119d1050905b0f49f24f24a9952

Security aspects to consider

The script, as is, is safe to use under certain conditions. Without TLS/SSL encryption, there is still a possibility of a man-in-the-middle (MITM) attack to steal credentials or hijack a session. Another potential danger is someone accessing the db_config file and/or the sql_clean shell script to get the MySQL database credentials. To tighten things up a bit, here are some things to consider:

Implement TLS/SSL encryption

Someone listening to unencrypted HTTP traffic, especially on a coffee shop's free Wi-Fi network, could get the login credentials or session ID in plain text and use them to gain unauthorized access to the admin system. A solution is to use Secure Sockets Layer (SSL), which would guarantee that all traffic between the server and the user is encrypted.

Secure sensitive files

One way to secure the config file that holds the database information is to move it outside the web root folder and then reference it by its full path in PHP. The same can be done with the shell script, which cron can run from anywhere you want. This prevents the files from being accessed by URL.
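
A deployment check for the two files named above, as an added example that is not part of mysql_login.zip: it reports whether a file still resolves to a location under the web root and whether local users outside its owner and group can access it. The function name, return codes, file extensions and directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of mysql_login.zip. Function name, return codes and
# every path/file extension below are assumptions made for illustration.

# check_sensitive_file DOCROOT FILE
#   0 = FILE is outside DOCROOT and has no permission bits set for "other"
#   1 = FILE is missing or DOCROOT cannot be entered
#   2 = FILE's directory resolves to a location inside DOCROOT (reachable by URL)
#   3 = FILE is readable, writable or executable by "other" local users
check_sensitive_file() {
    # pwd -P resolves symlinked directories so aliases cannot hide the location.
    docroot=$(CDPATH= cd "$1" 2>/dev/null && pwd -P) || return 1
    docroot=${docroot%/}
    [ -f "$2" ] || return 1
    dir=$(CDPATH= cd "$(dirname "$2")" 2>/dev/null && pwd -P) || return 1
    case "$dir/" in
        "$docroot"/*) return 2 ;;
    esac
    # -H follows a symlink given on the command line, so the target's mode is tested.
    if [ -n "$(find -H "$2" \( -perm -004 -o -perm -002 -o -perm -001 \))" ]; then
        return 3
    fi
    return 0
}

# Constructed demo layout: one config copy left under the web root, one moved out,
# plus a cron-run cleanup script with permissive mode 755.
demo=$(mktemp -d)
mkdir -p "$demo/public_html" "$demo/private"
: > "$demo/public_html/db_config.php"
: > "$demo/private/db_config.php"
: > "$demo/private/sql_clean.sh"
chmod 640 "$demo/public_html/db_config.php" "$demo/private/db_config.php"
chmod 755 "$demo/private/sql_clean.sh"
for f in public_html/db_config.php private/db_config.php private/sql_clean.sh; do
    rc=0
    check_sensitive_file "$demo/public_html" "$demo/$f" || rc=$?
    echo "$f -> $rc"
done
rm -rf "$demo"
```

The check resolves directory symlinks only on the path it is given; a symlink placed inside the web root that points at the private directory would still expose the file if the web server follows symlinks.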