A user login system is essential for ensuring that only registered users can sign in to the application.
Key principles of a secure login:

Prepared statements – prevent SQL injection.

Password hashing – store passwords securely.

Session management – keep track of who the user is.

HTTPS – make sure data is not sent in the clear over the network.

⚙️ 2. Database Connection File (config.php)
<?php
$dsn = "mysql:host=localhost;dbname=user_system;charset=utf8mb4";
$username = "root";
$password = "";

try {
    $pdo = new PDO($dsn, $username, $password);
    // Throw exceptions on errors instead of failing silently
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
} catch (PDOException $e) {
    die("❌ Connection failed: " . $e->getMessage());
}
?>

🧩 3. Login Form (login.php)
<?php
include 'config.php';
session_start();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Missing fields become empty strings instead of raising warnings
    $email = trim($_POST['email'] ?? '');
    $password = $_POST['password'] ?? '';

    // Use a prepared statement to look up the user
    $stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
    $stmt->execute(['email' => $email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check the password against the stored hash
    if ($user && password_verify($password, $user['password'])) {
        // Correct password - start the session
        session_regenerate_id(true); // prevents session fixation
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['username'] = $user['username'];

        echo "✅ Login successful! Welcome, " . htmlspecialchars($user['username']);
        // redirect example: header("Location: dashboard.php");
    } else {
        // Same message for an unknown email and a wrong password
        echo "<p style='color:red;'>❌ Invalid email or password!</p>";
    }
}
?>

<h2>🔑 User Login</h2>
<form method="POST">
<input type="email" name="email" placeholder="Enter email" required><br><br>
<input type="password" name="password" placeholder="Enter password" required><br><br>
<button type="submit">Login</button>
</form>
<p>Don't have an account? <a href="register.php">Register here</a></p>

🔒 4. Security Tips

Prepared Statements:

$stmt = $pdo->prepare("SELECT * FROM users WHERE email = :email");
$stmt->execute(['email' => $email]);

Prevents SQL injection.

Password Hashing:

Store passwords with password_hash() at registration time.

Use password_verify() at login time.

Session Security:

session_regenerate_id(true);

Prevents session fixation attacks.

HTTPS:

Make sure forms are submitted over HTTPS.

Rate Limiting / Lockouts:

Add attempt limits to prevent brute-force attacks.
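One way to implement the attempt limit described above, as an added example that is not part of the original tutorial: it assumes a constructed login_attempts table (schema in the comment) next to the users table, and the helper names isLockedOut, recordFailure and clearFailures are hypothetical.

```php
<?php
// Added example: per-account lockout for login.php (assumed, not from the tutorial).
// Assumed table:
//   CREATE TABLE login_attempts (
//     email VARCHAR(255) PRIMARY KEY,
//     failures INT NOT NULL DEFAULT 0,
//     last_failure DATETIME NOT NULL
//   );
const MAX_FAILURES = 5;       // failures allowed before lockout
const LOCKOUT_SECONDS = 900;  // lockout window: 15 minutes

// True if this email has hit MAX_FAILURES within the lockout window.
function isLockedOut(PDO $pdo, string $email): bool {
    $stmt = $pdo->prepare(
        "SELECT failures, last_failure FROM login_attempts WHERE email = :email"
    );
    $stmt->execute(['email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['failures'] < MAX_FAILURES) {
        return false;
    }
    return (time() - strtotime($row['last_failure'])) < LOCKOUT_SECONDS;
}

// Record one failed attempt; the counter restarts at 1 once the window has passed.
function recordFailure(PDO $pdo, string $email): void {
    $window = LOCKOUT_SECONDS; // integer constant, safe to inline
    $stmt = $pdo->prepare(
        "INSERT INTO login_attempts (email, failures, last_failure)
         VALUES (:email, 1, NOW())
         ON DUPLICATE KEY UPDATE
           failures = IF(last_failure < NOW() - INTERVAL $window SECOND, 1, failures + 1),
           last_failure = NOW()"
    );
    $stmt->execute(['email' => $email]);
}

// Reset the counter after a successful login.
function clearFailures(PDO $pdo, string $email): void {
    $stmt = $pdo->prepare("DELETE FROM login_attempts WHERE email = :email");
    $stmt->execute(['email' => $email]);
}

// Usage in the POST branch of login.php, before the password check:
//   if (isLockedOut($pdo, $email)) { echo "Too many attempts, try again later."; exit; }
//   on password_verify() failure: recordFailure($pdo, $email);
//   on success:                   clearFailures($pdo, $email);
```

A per-account counter alone lets anyone who knows an email lock that account out, so in practice pair it with a per-IP limit and log lockouts for monitoring.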

🔑 5. Session Check (Protect Dashboard)

dashboard.php

<?php
session_start();
// No user_id in the session means the visitor has not logged in
if (!isset($_SESSION['user_id'])) {
    header("Location: login.php");
    exit;
}
?>

<h2>Welcome, <?= htmlspecialchars($_SESSION['username']) ?></h2>
<p>This is a protected page.</p>
<a href="logout.php">Logout</a>

❌ 6. Logout Script (logout.php)
<?php
session_start();
$_SESSION = [];

// Also expire the session cookie in the browser, not only the server-side data
if (ini_get("session.use_cookies")) {
    $params = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000,
        $params["path"], $params["domain"], $params["secure"], $params["httponly"]);
}

session_destroy();
header("Location: login.php");
exit;
?>

✅ This ensures the session is removed completely after logout.

🧠 7. Flow Summary

Register User: hash the password and store it in the users table via PDO.

Login: validate input, check the password, start the session.

Session Check: stop users from reaching pages without logging in.

Logout: destroy the session.

✅ 8. Conclusion

A secure login system needs prepared statements, password hashing, and session management.

It is the foundation of user authentication and helps you build secure PHP applications.

🔗 Visit:

👉 https://www.faulink.com/

For more tutorials on PHP, MySQL, PDO, and security best practices.