
Create a login application to practice user authentication and input validation.

ID: 3826984 • Letter: C

Question

Create a login application to practice user authentication and input validation.

The login application will support:

1. Login with different roles

The user can log in with their username or email address (both should be unique) and the correct password. The login should support at least three different roles: normal user, super user, and admin user. Different users have different privileges. Your application should prevent a user from manipulating their privileges.

2. Log out with a button or a hyper link

3. User registration

The user needs to provide a username, email address, and password during enrollment. You should require the password to be a strong password. For example, require that the password be longer than a certain length and have a combination of alphanumeric and special characters. When the user first registers, he can only be a normal user. The admin user will have the power to upgrade a specific user to super user or admin user.

Requirements:

All the user information should be saved to a database or a file on the back end. If you are using a database in the backend, you have to make sure that the database connection is secured and is not prone to SQL injection attacks. If you are using a file, you should make sure that an attacker can’t get access to your application by viewing or changing the files. You may consider having all the information saved to the file encrypted or hashed.

All the passwords should be saved as salted hashes using sha256 or a more secure hash.

It will be an open assignment. You can implement it with a web or GUI-based interface. You can use any language or framework you prefer.

Explanation / Answer

Sample Code:

Have done this in PHP

3. User registration
-Create database and user table

CREATE DATABASE user_management;
USE user_management;

CREATE TABLE IF NOT EXISTS users (
id int(8) NOT NULL AUTO_INCREMENT,
user_name varchar(30) NOT NULL,
email varchar(60) NOT NULL,
password varchar(255) NOT NULL, -- holds the salted hash string produced by password_hash()
user_type int NOT NULL,
PRIMARY KEY (id),
UNIQUE KEY user_name (user_name),
UNIQUE KEY email (email)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=1 ;

Consider user type as follows: 1 - normal user, 2 - super user and 3 - admin user.

registration_form.php

<?php
session_start();
//return-value error handling is used below, so switch off mysqli exceptions
mysqli_report(MYSQLI_REPORT_OFF);
//connect to mysql database
$con = mysqli_connect("localhost", "username", "password", "user_management") or die("Error " . mysqli_connect_error());
$error = false;
if (isset($_POST['register'])) {
    //raw input; the INSERT below binds parameters, so no manual escaping is needed
    $user_name = trim($_POST['username'] ?? '');
    $email = trim($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';

    //name can contain only alpha characters and space
    if (!preg_match("/^[a-zA-Z ]+$/",$user_name)) {
        $error = true;
        $user_name_error = "Name must contain only alphabets and space";
    }
    if(!filter_var($email,FILTER_VALIDATE_EMAIL)) {
        $error = true;
        $email_error = "Please Enter Valid Email ID";
    }
    if(strlen($password) < 6) {
        $error = true;
        $password_error = "Password must be minimum of 6 characters";
    }

    if (!$error) {
        //-- by default user type is 1 - normal user; the role is never read from the request.
        //password_hash() generates a random salt and stores it inside the hash string
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $stmt = mysqli_prepare($con, "INSERT INTO users(user_name,email,password, user_type) VALUES(?, ?, ?, 1)");
        mysqli_stmt_bind_param($stmt, "sss", $user_name, $email, $hash);
        if(mysqli_stmt_execute($stmt)) {
            $successmsg = 'Successfully Registered! <a href="login.php">Click here to Login</a>';
        } else {
            $errormsg = "Error in registering...Please try again later!";
        }
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>User Registration</title>
    <meta charset="UTF-8">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script>
</head>
<body>
<div class="container">
    <form class="form-signin" method="POST" >
        <h2 class="form-signin-heading">User Registration:</h2>
        <span><?php if (isset($successmsg)) echo $successmsg; if (isset($errormsg)) echo $errormsg; ?></span>
        <div class="input-group">
            <span class="input-group-addon">User Name</span>
            <input type="text" name="username" class="form-control" placeholder="Username" required>
            <br/>
            <span><?php if (isset($user_name_error)) echo $user_name_error; ?></span>
        </div><br/>
       <div>
           <span class="input-group-addon">Email address</span>
           <input type="email" name="email" id="inputEmail" class="form-control" placeholder="Email address" required autofocus>
           <br/>
           <span><?php if (isset($email_error)) echo $email_error; ?></span>
       </div><br/>
        <div>
            <span class="input-group-addon">Password</span>
            <input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
            <br/>
            <span><?php if (isset($password_error)) echo $password_error; ?></span>
        </div><br/>
        <div>
            <input type="submit" name="register" id="register" value="Register">
        </div>
    </form>
</div>
</body>
</html>

1. Login page:
<?php
session_start();
//return-value error handling is used below, so switch off mysqli exceptions
mysqli_report(MYSQLI_REPORT_OFF);
//connect to mysql database
$con = mysqli_connect("localhost", "username", "password", "user_management") or die("Error " . mysqli_connect_error());
$error = false;
//check if form is submitted (the submit button on the form below is named "login")
if (isset($_POST['login'], $_POST['usr_nme_eml'], $_POST['password']) && $_POST['usr_nme_eml'] != '' && $_POST['password'] != '') {
    $user_input = $_POST['usr_nme_eml'];
    //the column name is one of two fixed strings; the user's value is bound as a parameter
    if(strpos($user_input, '@') !== false && strpos($user_input, '.') !== false){
        $column = "email";
    }else{
        $column = "user_name";
    }
    $stmt = mysqli_prepare($con, "SELECT id, user_name, email, password, user_type FROM users WHERE " . $column . " = ?");
    mysqli_stmt_bind_param($stmt, "s", $user_input);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

    //compare the submitted password against the stored salted hash
    if ($row && password_verify($_POST['password'], $row['password'])) {
        session_regenerate_id(true); //issue a fresh session id after login
        $_SESSION['usr_id'] = $row['id'];
        $_SESSION['usr_name'] = $row['user_name'];
        $_SESSION['usr_email'] = $row['email'];
        $_SESSION['usr_type'] = $row['user_type'];
        header("Location: index.php");
        exit;
    } else {
        $errormsg = "Incorrect Email or Password!!!";
    }
}
?>
<!DOCTYPE html>
<html>
<head>
    <title>User Login</title>
    <meta charset="UTF-8">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.0/jquery.min.js"></script>
</head>
<body>
<div class="container">
    <form class="form-signin" method="POST" >
        <h2 class="form-signin-heading">User Login:</h2>
        <span><?php if (isset($errormsg)) echo $errormsg; ?></span>
        <div class="input-group">
            <span class="input-group-addon">User Name or Email</span>
            <input type="text" name="usr_nme_eml" class="form-control" placeholder="User name or Email" required>
        </div><br/>
        <div>
            <span class="input-group-addon">Password</span>
            <input type="password" name="password" id="inputPassword" class="form-control" placeholder="Password" required>
        </div><br/>
        <div>
            <input type="submit" name="login" id="login" value="Login">
        </div>
    </form>
</div>

</body>
</html>

2. Log out with a button or a hyper link

The logout link should be displayed when the user is logged in. So you must check the logged-in session first, like $_SESSION['signed_in'], if you named the login session signed_in.

<?php if(isset($_SESSION['signed_in']) && $_SESSION['signed_in'] != '') { ?>
   <a href="logout.php">Click here to log out</a>
<?php } ?>

When the user clicks on this link, it will redirect to the logout page. In the logout page,

logout.php
<?php
session_start();
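$_SESSION = array(); //-- clear the session data held in this request
session_destroy();
header('Location: /index.php'); //-- once the session is cleared or destroyed then redirect to home page or default page.
exit; //-- stop the script so nothing else runs after the redirect header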
?>
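
The role rules in the question (new accounts start as normal users, only an admin can upgrade a user, and a user must not be able to change their own privileges) are not covered by the sample code above. The following is an added example of enforcing them on the server, not part of the original answer; it assumes an in-memory SQLite database through PDO in place of the MySQL users table so that it runs stand-alone, and registerUser() and changeRole() are hypothetical helper names.

```php
<?php
// Added example, not the answerer's code. Role numbers follow the answer: 1 normal, 2 super, 3 admin.
const ROLE_NORMAL = 1;
const ROLE_SUPER  = 2;
const ROLE_ADMIN  = 3;

// Assumption: in-memory SQLite stands in for the MySQL users table so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, user_name TEXT UNIQUE,
           email TEXT UNIQUE, password TEXT NOT NULL, user_type INTEGER NOT NULL)');

// Registration never reads a role from the request: every new account is ROLE_NORMAL.
function registerUser(PDO $db, string $name, string $email, string $password): int {
    $stmt = $db->prepare('INSERT INTO users (user_name, email, password, user_type)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([$name, $email, password_hash($password, PASSWORD_DEFAULT), ROLE_NORMAL]);
    return (int) $db->lastInsertId();
}

// Hypothetical helper: the acting user's role is re-read from the database on every
// call, so a stale or tampered session value cannot grant the right to promote.
function changeRole(PDO $db, int $actorId, int $targetId, int $newType): bool {
    if (!in_array($newType, [ROLE_NORMAL, ROLE_SUPER, ROLE_ADMIN], true)) {
        return false;                       // reject role values outside the known set
    }
    $stmt = $db->prepare('SELECT user_type FROM users WHERE id = ?');
    $stmt->execute([$actorId]);
    if ((int) $stmt->fetchColumn() !== ROLE_ADMIN) {
        return false;                       // only an admin may change roles
    }
    $stmt = $db->prepare('UPDATE users SET user_type = ? WHERE id = ?');
    $stmt->execute([$newType, $targetId]);
    return $stmt->rowCount() === 1;         // false when the target id does not exist
}

// Constructed sample accounts. The first admin is seeded directly in the database.
$alice = registerUser($db, 'alice', 'alice@example.test', 'Constructed-Pass1!');
$bob   = registerUser($db, 'bob',   'bob@example.test',   'Constructed-Pass2!');
$db->prepare('UPDATE users SET user_type = ? WHERE id = ?')->execute([ROLE_ADMIN, $alice]);

var_dump(changeRole($db, $bob, $bob, ROLE_ADMIN));    // normal user trying to promote themselves
var_dump(changeRole($db, $alice, $bob, ROLE_SUPER));  // admin upgrading bob to super user
var_dump(changeRole($db, $alice, $bob, 7));           // role value outside the known set
```

In the page's own application, $actorId would come from $_SESSION['usr_id'] and the target and new role from the admin's form.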
