Introduction and project setup
  • Introduction
  • Install a PHP web server and a database server on your computer
  • Install the PHP MVC framework
  • Configure the web server to use the framework
  • Create a new database and configure the framework to use it
New user signup: create the registration form and save the data in the database
  • Uniquely identify users: username or email address?
  • Store passwords as securely as possible in the database
  • Generate secure salted password hashes
  • Create a database table to store user accounts
  • Create and display the signup page
  • Add the form to the signup page
  • Create the signup action in the controller
  • Understand the danger from SQL injection attacks
  • Avoid SQL injection attacks using PDO
  • Add a user model with a save method
  • New user signup
Validate the signup data on the server
  • Validate the data before saving the new user record
  • Validate the email address is unique in the user table
  • Display validation error messages in the signup form
  • Prevent duplicate form submissions using the Post / Redirect / Get pattern
  • Redirecting to another page using PHP: how, why and best practices
  • Redirect to the success page after a successful signup
  • Validate the signup data on the server
Validate the signup data in the browser
  • Why you should validate data on the server as well as the client
  • Validate the signup page in the browser using HTML5 validation
  • Add a JavaScript validation library
  • Validate the signup page in the browser using JavaScript
  • Validate the format of the password with a custom validation method
  • Validate the email address is unique using an Ajax request
  • The password confirmation field: why it's a problem and how to fix it
  • Remove the password confirmation field and add a show password button
  • Validate the signup data in the browser
Login: authenticate the user using their email address and password
  • Create and display the login page
  • Create the login action in the controller
  • Find the user object using the email address
  • Authenticate the user by verifying their password is correct
  • Redisplay the email address in the login form when authentication fails
  • Add a redirect method to the core controller
  • Sessions in PHP: make the web browser remember you
  • Use the session to remember the login and view the logged-in status
  • Sessions in PHP: completely destroy a session, even without closing the browser
  • Destroy the session to log the user out
  • Sessions in PHP: prevent session fixation attacks
  • Login
Restrict access to authenticated users only
  • Add a class to organise the authentication code in one place
  • Restrict a page to logged-in users only
  • Redirect back to the originally requested page after login
  • Add a method to the core controller for requiring login
  • Require login for all action methods in a controller
  • Add a base controller that requires login for all action methods
  • Get the current authenticated user in controllers and views
  • Simplify the code: remove the isLoggedIn method
Flash messages: display status messages to users
  • Flash notification messages: display status messages to users
  • Add a flash message when requiring login
  • Display the flash messages to the user
  • Add flash messages when logging in
  • Add a flash message when logging out
  • Add a CSS style sheet and style the flash messages
  • Add flash message types and give them different styles
Remember me: give users the option of remembering the login
  • How to remember the login after closing the browser
  • Generate unique, random tokens and secure hashes
  • Add a class to generate and create hashes of random tokens
  • Create a database table to store remembered logins
  • Add a remember me checkbox to the login form
  • Remember the login in the database
  • Cookies in PHP: the basics
  • Remember the login in a cookie
  • Log in automatically using the token in the cookie
  • Prevent automatic login if the remember token has expired in the database
  • Forget the remembered login when logging out
  • Remember me
Password reset part 1: securely request reset of a forgotten password
  • Allow users to securely reset their passwords when they forget them
  • Get access to an email service
  • Add a class to send emails
  • Create and display the forgotten password page
  • Process the forgotten password form in the controller
  • Add password reset fields to the user table in the database
  • Save a new password reset token and expiry with the user record
  • Send the password reset email to the user
  • Get the email content from a view template
Password reset part 2: securely reset a forgotten password
  • Add an action to process the link and get the token from the URL
  • Get the user based on the token and check the expiry
  • Create and display the password reset form
  • Extract repeated JavaScript code out into a separate file
  • Process the password reset form in the controller
  • Remove duplicated code and add an expired token view
  • Validate the password reset form on the server
  • Reset the user's password and clear the token and expiry
  • Password reset
Account activation: confirm the user's email address before allowing login