Simple Login System in PHP Without Database

This is a tutorial on how to create a simple login system using PHP without any database. This system can be use to protect multiple files and allow only logged in users access.

The Login Form

It is a simple form with 2 inputs – email and password.

<div>
  <h2>LOGIN</h2>
</div>	
<form action="login.php" method="post">
<div>
  <label>Email</label>
  <input type="text" name="email">
</div>

<div>
  <label>Password</label>
  <input type="password" name="password">
</div>
	
<div>
  <input type='submit' value="Login">
</div>

<!-- check for this value when form is submitted -->
<input type="hidden" name="submitted" value="1">

</form>


Since we are not using any database – we need to store these input values somewhere. The best place to store them is the login processing script that we will create shortly.

the login processing script

When the login form is submitted it is processed by a script which checks for valid Email and Password credentials and then logs in the user if valid.

<?php 
if ( ! isset( $_POST['submitted'] ) ) 
header('Location: ' . $_SERVER['HTTP_REFERER']); 

// Sample Email and password for demo 
// Email: 'test@example.com' 
// Password: labrador19 

$credentials = [ 
  'email' => 'test@example.com', 
  'password' => 'labrador19' 
]; 

if ( $credentials['email'] !== $_POST['email'] OR $credentials['password'] !== $_POST['password'] ) { 
   header('Location: ' . $_SERVER['HTTP_REFERER']); 
    exit(); 
} 

session_start(); 

// Storing session data 
$_SESSION["isLogged"] = "1"; 

// login successful - redirect user to any page you want // replace 'home.php' with your landing page url 

header('Location:' . '../home.php'); 

exit();

On submit the script checks for $_POST[‘submitted’] value and if that is not present user is redirected back to the login page.

if ( ! isset( $_POST['submitted'] ) )
header('Location: ' . $_SERVER['HTTP_REFERER']);

Next the $_POST[’email’] and $_POST[‘password’] values are matched up against the values stored in $credentials array. For this tutorial, these values are hard coded but can also be fetched from a flat file or a database.

$credentials = [
   'email' => 'test@example.com',
   'password' => 'labrador19'
];

if ( $credentials['email'] !== $_POST['email'] 
      and $credentials['password'] = $_POST['password'] )
{    
    header('Location: ' . $_SERVER['HTTP_REFERER']);
    exit();
}

If the input values match up the stored values then a PHP Session is started. Else the user is redirected back to the login page.

What is a php session – in simple terms a php session is a way to store information in variables to be accessed across various pages on a website.

After starting the session we store an arbitrary value on a variable called $_SESSION[‘isLogged’] and redirect the user to the intended landing page.

Here ‘isLogged‘ can be any arbitrary name and the entire value $_SESSION[‘isLogged’] can also be arbitrary. This value will be later used to check the logged in status of the user when the user accesses other pages.

session_start();
// Storing session data
$_SESSION["isLogged"] = "1";
// login successful - redirect user to any page you want
// replace 'home.php' with your landing page url
header('Location:' . '../home.php');
exit();

header(‘Location…’) is the php function used to redirect a page.

Protecting the pages

The landing page and any other page that we want to make protected, should have a bit of code at the top to check for session variables.

// Place this code at the top of all pages which you want to protect
session_start();
if ( ! isset( $_SESSION['isLogged'] ) or "1" != $_SESSION['isLogged'] )
header('Location: ' . '../1/index.php');

Here we are starting a PHP session so that the page can access session data from the login script. It is checking for a variable $_SESSION[‘isLogged’] which is set when the user logged in. We have already set the value of this variable to “1” in login script. If the value is not available the user is not logged in and the script will redirect the user back to index.php (which is the login page in this case).

the logout page

Lastly, we need a way to log out users.

<?php 
session_start(); 
if ( isset( $_SESSION['isLogged'] ) ) unset( $_SESSION['isLogged'] ); session_destroy(); 
header('Location:' . '../index.php'); 
?>

Again, we start a session with session_start(), then remove the session variable $_SESSION[‘isLogged’] with “unset” and then destroy the session to log out the user. Finally the user is redirected back to the login page, but can be redirected to any other page of our choice.

Download the full script here: