PHP-based login systems


Two years ago I lamented how shitty the options were for finding a drop-in login system that I could use in the DNA Lounge store, so that we could remember your shipping address and whatnot.

Has the world gotten any better since then, or is everything still terrible?

What is the simplest way to bolt a login system onto my existing pile of ancient, framework-less PHP code?

17 Responses:

  1. Jeff Warnica says:

    .htaccess redirecting to a ripped down framework/app-skeleton which you've hacked in .htpassword writing ability?

    But seriously, unless there is real magic in there, Symfony + a shopping cart add on & CSS, re-implementing any backend magic you really need may be the least effort.

    • jwz says:

      Just for the record, this comment is an example of "containing so little information or supporting evidence that I disregard it and continue to assume the answer to my question is no".

  2. sherm says:

    Still equally terrible.

    I've seen a couple of not-entirely-terrible implementations of Amazon's Cognito service. I don't know what your feelings on AWS are, but I can probably guess.

    • jwz says:

      Last time, several people suggested, "Stop talking to and your merchant account directly, and use some service in The Clown to run your store back-end for you."

      Maybe that is the right answer, but it costs more per transaction, and also would be a huge amount of work. It's no longer "bolt logins onto the side", now it's, "replace the beating heart of the store without killing the patient".

  3. I've had good experiences with Auth0, who seem to do a good job of designing client libs and of communicating with their customers. However, their default styling is kind of glaring, their pricing model is baroque, and the option of having more than two "social" logins is blocked behind that pricing model.

    If you're of the (reasonable) opinion that you shouldn't have to pay a third party to consume a handful of social login buttons, then they may not be a fit. Otherwise, have a look?

  4. Ryan says:

    I dug into this pretty deeply recently and came up frustrated and empty handed.

    The two best things I found are not exactly what you're looking for, but:


    This is basically drop-in and self-contained, and I trust it to be possibly even more secure than necessary. But it is a little heavy and complicated and modern, though stratospherically less so than most of what you likely found and are subsequently picturing when I say that....


    This is a fantastic service that you don't get to host, but they've actually solved all the annoying problems and exposed dead simple APIs. They have a 7000 user free plan, which is a far cry from actually free, but realistically should hold you for the foreseeable future (and deep condolences on the grim meathookedness of your foreseeable future per your latest backstage update). Also, they support open source, so given that you are who you are, an email to them might raise that limit considerably. Again, not exactly what you want, but almost certainly the actual simplest route, and it could be up and running in less than an afternoon, which is a blessing compared to the other much worse options...?

    Will keep refreshing this post to see if someone else has a more perfect solution.

    • Ryan says:

      (Apologies to Owen for the Auth0 repeat. I was very slow in posting this and didn't refresh before submitting.)

  5. John Adams says:

    I don't know how deep you want to integrate with this, but I'm hearing a lot of good things about Userfrosting --

    There are no framework dependencies there, it's mostly PHP classes. They do like XAMPP, but mostly the DNA server is already set up for that so that could work.

    Alternately you could try a framework, but I have a feeling you wouldn't be happy about that. Many, many plugins exist for CakePHP to do user logins, but these days most people are using Laravel for a PHP framework. A small user registration tutorial is here --

    You should probably post what you want the scope of 'registration' to be, and then I can suggest better options.

    I assume: login, logout, password recovery, and then simple registration of user details/settings, with possibly some sort of option for credit card reuse later on.

    • jwz says:

      Your assumption about requirements is correct.

      I'd only add to your list, "change email address", "verify email address with a mailed link", "Facebook login, plus prompting for what FB doesn't provide", and "throttle repeated login attempts". But one would assume those would go without saying with any modern login system.

  6. elvy says:

    Must refactor old pile.

    World evolved.

    CakePHP + HybridAuth.

    Easier / faster than you think.

    Ping if you need help.

    • winston says:

      cakephp + hybridauth? That is just so last five minutes. Surely the cool kids are refactoring in something else by now?

      • elvy says:

        Good point, it might be Laravel + socialite in that case. Worth checking both some frameworks (and symfony) and picking the flavour that resonates with you.

        In terms of complete "dropped in" thing, there are some Auth as a service APIs out there that will abstract all that for you too.

  7. Martin says:

    What is the simplest way to bolt a login system onto my existing pile of ancient, framework-less PHP code?

    You already know that most frameworks suck and that it's a pain in the ass to integrate them into your ancient system.
    As you take great pride in your "pile of shit" - as you call it, either bite the bullet and hack it yourself or ... maybe... pay someone to do it for you. That would be a simple solution.

    Or leave it as is (simple but secure) and spare your customers the hassle of one more account that holds their personal data forever.

    • jwz says:

      I take no pride in it. I just value working code more than just about anything.

      "Pay someone to do it for me" sounds great until I get to the part where I have to find someone who is all of: capable, available, affordable, and whom I trust, and then it sounds pretty hard indeed.

      The reason I'm thinking about this again should be obvious: it's hard to build a membership or rewards program without logins.

  8. Tom says:

    Just leave it to the facebooks and the twitters:

    And you could point it at the WordPress via openid or oauth2 if you really want to offer up the option to store passwords yourself.

  9. Jason W says:

    Hey Bro,

    Perhaps these may be of help.

    Symfony Security Component:

    Symfony is probably the way to go. Although it is a complete framework, its components layer is a reusable set of modules. However, that is surface level; it is somewhat opinionated software and I'm not sure how straightforward it would be to integrate something like this with a legacy PHP code base. However, if successful, this might be a good pathway to transition away from your old stack bit by bit.

    PHPClasses is just a bucket where people upload the shit they wrote too, I vouch for nothing in there! However occasionally I have found some useful gems in it, perhaps you can too.

    Hope these help!

    Cheers, Jason.