Develop a Login Form and Implement Session Management

[andrew21-mch]

Issue 4: Develop a Login Form and Implement Session Management

Description:

The objective of this task is to create a login feature that allows users to authenticate themselves and access their personal dashboard or profile. This includes building a login form, validating user credentials, implementing secure session management, and redirecting authenticated users to their respective pages.

Steps to Complete:

1. Design the Login Form:

   • Create a PHP file (e.g., login.php) within the public/ directory to serve as the login page.
   • The form should capture the following user credentials:
     • Username or Email
     • Password

2. Implement Client-Side Validation:

   • Use HTML5 attributes and JavaScript to perform basic client-side validation:
     • Ensure the username/email and password fields are not empty.
     • Provide feedback if fields are left empty before submission.

3. Handle Form Submission:

   • Upon form submission, process the form data in the same login.php file or another PHP script included via a POST request.
   • Sanitize the input data using PHP’s built-in functions to prevent SQL injection and cross-site scripting (XSS).
   • Example:

     $usernameOrEmail = filter_input(INPUT_POST, 'username_or_email', FILTER_SANITIZE_STRING);
     $password = filter_input(INPUT_POST, 'password', FILTER_SANITIZE_STRING);

4. Validate User Credentials:

   • Query the users table to find a user with the provided username or email.
   • Verify the provided password against the stored hashed password using PHP’s password_verify() function.
   • Example:

     $user == getUser();
     if ($user && password_verify($password, $user['password'])) {
      // Password is correct
     } else {
      // Invalid credentials
     }

5. Implement Session Management:

   • Start a session if the credentials are valid using session_start().
   • Store relevant user information in session variables (e.g., $_SESSION['user_id'], $_SESSION['username']).
   • Example:

     session_start();
     $_SESSION['user_id'] = $user['id'];
     $_SESSION['username'] = $user['username'];

   • Set session timeout if needed and implement session regeneration to prevent session fixation attacks.

6. Redirect Authenticated Users:

   • After successful authentication, redirect the user to their dashboard or profile page (e.g., dashboard.php).
   • If authentication fails, return the user to the login page with an appropriate error message.

7. Secure the Session:

   • Ensure that session data is stored securely:
     • Use session_regenerate_id() after successful login to prevent session fixation.
     • Implement secure cookie settings such as HttpOnly and Secure flags.
   • Implement logout functionality by destroying the session when the user logs out.

8. Provide Feedback and Error Handling:

   • Display user-friendly error messages for incorrect login credentials.
   • Provide a link for password recovery if the user forgets their credentials (implementation of password recovery may be a separate task).

9. Test the Login Process:

   • Test the login process with various scenarios:
     • Correct username/email and password.
     • Incorrect username/email.
     • Incorrect password.
     • Sessions persisting across pages after login.
   • Ensure that unauthenticated users cannot access protected pages by implementing access control checks.

Acceptance Criteria:

• The login form is fully functional, with both client-side and server-side validation.
• User credentials are verified securely, and successful logins initiate a session.
• Authenticated users are redirected to their dashboard or profile page.
• Appropriate feedback is provided for incorrect login attempts.
• Sessions are managed securely, with prevention measures against session fixation and hijacking.
• Unauthenticated users are prevented from accessing protected pages.