I implemented a simple filesystem based user account system for my site which I'm pretty sure is bulletproof (provided none of your other scripts expose non-public parts of your filesystem...)
I'll dig it up and post relevant code here.
You can take care of the front end, though I could post my front end if you want it.
Also, in review, I realize that I don't check for parameter length on the PHP end. Oops. You may want to limit the username to 50 characters or something.
register.php
Code:
<?php
include_once "functions.php";   // provides cleanup(), get_time(), make_pass_hash()

// Read each field with a default so a missing POST key does not raise a notice.
$name  = cleanup( $_POST["name"] ?? "" );
$pass  = $_POST["password"] ?? "";
$passr = $_POST["passwordr"] ?? "";
$email = $_POST["email"] ?? "";

// The user file is named after the username, so it must be non-empty, bounded
// in length and free of path separators or "..": an allow-list of characters
// is the simplest way to guarantee that, whatever cleanup() strips.
if( !preg_match( '/^[A-Za-z0-9_]{1,50}$/', $name ) ){
    die( "Invalid user name" );
}
if( $pass === "" || $pass !== $passr ){
    die( "The passwords didn't match" );
}
if( file_exists( "../users/".$name ) ){
    die( "User with that name already exists" );
}
if( !filter_var( $email, FILTER_VALIDATE_EMAIL ) ){
    die( "That is an invalid E-Mail" );
}

// Mode "x" fails instead of truncating if the file appeared between the
// file_exists() check and here, so two concurrent registrations cannot race.
$fp = fopen( "../users/".$name, "x" );
if( $fp === false ){
    die( "Could not create user" );
}
$time = get_time();
fwrite( $fp,
    "name: ".$name."\n".
    "password: ".make_pass_hash( $name, $pass, $time )."\n".
    "email: ".$email."\n".
    "registered: ".$time."\n".
    "ip: ".$_SERVER['REMOTE_ADDR']."\n".
    "cancomment: true\n"
);
fclose( $fp );
echo "<p>Registration Successful</p>";
?>
login.php
Code:
<?php
include_once "functions.php";   // provides cleanup(), make_pass_hash(), getf()
// $_SESSION is written below, so the session has to be started first
// (skip if functions.php already does it).
if( session_status() !== PHP_SESSION_ACTIVE ) session_start();

if( count( $_POST ) == 0 ) die();
$name = cleanup( $_POST["name"] ?? "" );
$pass = $_POST["password"] ?? "";

// Same guard as register.php: the name selects a file, so keep it to safe characters.
// One generic message for "no such user" and "wrong password" avoids username enumeration.
if( !preg_match( '/^[A-Za-z0-9_]{1,50}$/', $name ) || !file_exists( "../users/".$name ) ){
    die( "Error logging in" );
}
$contents = file_get_contents( "../users/".$name );
if( $contents === false ) die( "Error logging in" );

$passhash = getf( $contents, "password" );
$time     = getf( $contents, "registered" );
$newhash  = make_pass_hash( $name, $pass, $time );
// hash_equals() compares as strings and in constant time; "!=" would compare two
// digests that both happen to look like "0e123..." as the number zero and call them equal.
if( !hash_equals( (string)$passhash, (string)$newhash ) ){
    die( "Error logging in" );
}

// Issue a fresh session id on login so an id fixated before login cannot be reused.
session_regenerate_id( true );
$_SESSION["loggedin"] = true;
$_SESSION["name"] = $name;
$_SESSION["showname"] = getf( $contents, "name" );
$_SESSION["postmain"] = getf( $contents, "canpost" ) == "true";
$_SESSION["postcomment"] = getf( $contents, "cancomment" ) == "true";
$_SESSION["postmaindelete"] = getf( $contents, "canpostdelete" ) == "true";
$_SESSION["postcommentdelete"] = getf( $contents, "cancommentdelete" ) == "true";
echo "<p>login successful</p>";
?>
logout.php
Code:
<?php
include_once "functions.php";   // provides get_index()
// The session must be open before it can be inspected or destroyed.
if( session_status() !== PHP_SESSION_ACTIVE ) session_start();

if( get_index( $_SESSION, "loggedin" ) === true ){
    $_SESSION = array();
    // Expire the session cookie as well, so the client drops the old id.
    if( ini_get( "session.use_cookies" ) ){
        $p = session_get_cookie_params();
        setcookie( session_name(), "", time() - 42000,
                   $p["path"], $p["domain"], $p["secure"], $p["httponly"] );
    }
    session_destroy();
    echo "Logged out";
}
else{
    echo "Error logging out";
}
?>
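The following is an added example, not the poster's code and not part of the original post: the same filesystem-backed account store rebuilt with PHP's built-in password hashing, an atomic file create, and a session id rotation on login. The function names (valid_username, user_path, register_user, login_user), the USERS_DIR location, the 50-character limit and the JSON record layout are all assumptions made for the example; it requires PHP 7.3 or later. The two var_dump() lines at the end show why a loose `!=` between two digests is unsafe.

```php
<?php
// Added example (not the original poster's code): hardened file-based accounts.
declare(strict_types=1);

const USERS_DIR    = __DIR__ . '/../users';   // assumed: a directory outside the web root
const MAX_NAME_LEN = 50;                       // assumed limit, as suggested in the post

// Allow-list the characters a username may contain. Anything that could escape
// USERS_DIR ("/", "\", "..", NUL) is rejected outright rather than "cleaned up".
function valid_username(string $name): bool
{
    return (bool) preg_match('/^[A-Za-z0-9_]{1,' . MAX_NAME_LEN . '}$/', $name);
}

function user_path(string $name): string
{
    if (!valid_username($name)) {
        throw new InvalidArgumentException('bad username');
    }
    return USERS_DIR . '/' . $name . '.json';
}

function register_user(string $name, string $pass, string $email): bool
{
    if (!valid_username($name) || $pass === ''
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Mode "x" creates the file and fails if it already exists, so the
    // existence check and the create are one atomic step (no TOCTOU race).
    $fp = @fopen(user_path($name), 'x');
    if ($fp === false) {
        return false;
    }
    $record = [
        'name'       => $name,
        // password_hash() picks a random salt and a slow algorithm (bcrypt by
        // default); no hand-rolled hash over name + password + timestamp.
        'password'   => password_hash($pass, PASSWORD_DEFAULT),
        'email'      => $email,
        'registered' => time(),
        'ip'         => $_SERVER['REMOTE_ADDR'] ?? '',
        'cancomment' => true,
    ];
    flock($fp, LOCK_EX);
    fwrite($fp, json_encode($record, JSON_THROW_ON_ERROR));
    flock($fp, LOCK_UN);
    fclose($fp);
    return true;
}

function login_user(string $name, string $pass): bool
{
    if (!valid_username($name)) {
        return false;
    }
    $raw = @file_get_contents(user_path($name));
    if ($raw === false) {
        // Unknown user and wrong password return the same result, so the
        // caller cannot enumerate usernames from the response.
        return false;
    }
    $record = json_decode($raw, true);
    if (!is_array($record) || !password_verify($pass, $record['password'] ?? '')) {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // A new session id at the moment privileges change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['loggedin']    = true;
    $_SESSION['name']        = $record['name'];
    $_SESSION['postcomment'] = ($record['cancomment'] ?? false) === true;
    return true;
}

// Why `$newhash != $passhash` is risky: PHP compares two numeric-looking strings
// as numbers, so digests of the form "0e<digits>" are all equal to 0.
var_dump('0e12345' != '0e67890');              // bool(false): treated as 0 == 0
var_dump(!hash_equals('0e12345', '0e67890'));  // bool(true): byte-wise, constant time
```

The hashed record no longer needs the registration time as a salt, and a change of hashing algorithm later only requires password_needs_rehash() on the next successful login rather than a new file format.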