A PHP class giving you the basics: Login, Logout, Register, Forgot Password, and Change Password
Switch branches/tags
Nothing to show
Pull request Compare This branch is even with kostas123:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.


This whole module is in PUBLIC DOMAIN, so you can do whatever you want with it as there are no license restrictions.


A PHP class giving you all the necessary functions for authenticating and managing users.

API Summary:

  • create_user($email, $password, $confirm_password)
  • login($email, $password)
  • change_password($email, $password, $new_password, $confirm_new_password)
  • reset_password($email)
  • logout()
  • check_hash($hash)
  • account_activated($hash)
  • set_password($email, $password)


  • Database settings, table structure, and email/SMTP settings are independant from the code. Just set once in Configuration file.
  • Passwords are hashed with Bcrypt using the PHPass framework.
  • The class can generate emails using the PHPMailer library, and sends an email for account activation and forgotten passwords.
  • Users login with their email address.
  • MySQL Prepared Statements are used to protect from injection.


The create_user() function inserts the user into the database, and sends an email with a confirmation link.

  • $auth -> create_user($email, $password, $confirm_password);

IMPORTANT: The return value of login MUST be checked. If it's TRUE, login() was successful, FALSE means wrong password, and integer 2 means the user still needs to click the registration confirmation link.

  • $auth -> login($email, $password);

The existing email/password confirmation is checked before a new password is set, so an error is returned if the user gets their old password, or the email address is not valid.

  • $auth -> change_password($email, $password, $new_password, $confirm_new_password);

Ask the user where they want the reset link emailed to. The link will contain a unique hash which corresponds to their email address in the database. The email they type in MUST be the same as the one they used when registering. Important note: when the reset_password() function is called, the existing password IS STILL VALID. I allowed this because sometimes a user asks for a password reset, but then suddenly remembers their old password, and tries to login with that.

  • $auth -> reset_password($email);

When the account activation link OR password reset link has been sent, the URL will contain a variable called 'hash.' You should check the contents of $_GET['hash'] on the same page that you linked to the user (check the Configuration file). The check_hash() function compares the hash in the URL with the database, and if the hash exists, it returns the type of hash i.e email validation OR a password reset. We check the type of hash to decide what we do next, either show a form for the user to type in a new password after a reset, OR call the account_activated() function.

$auth = new Authenticate();
if(strlen($_GET['hash']) == 42)
    $hash_type = $auth->check_hash($_GET['hash']);
    if($hash_type == 'unverified')
            echo 'Error: The hash does not exist. <br> REDIRECT TO LOGIN PAGE.';
            echo 'Your account has been activated. REDIRECT TO LOGIN PAGE';
    elseif($hash_type == 'reset')
        echo 'Link to "Set New Password" page.';

The account_activated() function changes the value of a boolean database column to 1, meaning the account has been activated. It also deletes the emailed_hash, so the emailed link is now dead.

Call set_password when the user has clicked on the link, and sees a form to type in a new password (one that they will remember this time!). This will return FALSE if the $email is not in the database.

  • $auth -> set_password($email, $password);

To destroy all session variables.

  • $auth -> logout();