

What is it

PHPAuth is a secure user authentication class for PHP websites, using a powerful password hashing system and attack blocking to keep your website and users secure.

PHPAuth is a work in progress and is not meant for people who don't know how to program; it is meant for people who know what they are doing. We cannot help everyone who doesn't understand this class.



User actions


Composer Support

PHPAuth can now be installed with the following command:

composer require phpauth/phpauth:dev-master

Then: require 'vendor/autoload.php';


The database table config contains multiple parameters allowing you to configure certain functions of the class.

The rest of the parameters generally do not need changing.

CAPTCHA Implementation

If isBlocked() returns verify, then a CAPTCHA code should be displayed. The method checkCaptcha($captcha) is called to verify a CAPTCHA code. By default this method returns true, but should be overridden to verify a CAPTCHA.

For example, if you are using Google’s ReCaptcha NoCaptcha, use the following code:

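    private function checkCaptcha($captcha)
    {
        try {
            // Google reCAPTCHA server-side verification endpoint
            $url = 'https://www.google.com/recaptcha/api/siteverify';
            $data = [
                'secret'   => 'your_secret_here',
                'response' => $captcha,
                'remoteip' => $this->getIp(),
            ];

            $options = [
                'http' => [
                    'header'  => "Content-type: application/x-www-form-urlencoded\r\n",
                    'method'  => 'POST',
                    'content' => http_build_query($data),
                ],
            ];

            $context = stream_context_create($options);
            $result  = file_get_contents($url, false, $context);
            if ($result === false) {
                return false; // request failed: treat the CAPTCHA as not verified
            }

            $response = json_decode($result);
            // Accept only an explicit boolean true from the API
            return isset($response->success) && $response->success === true;
        } catch (\Exception $e) {
            return false;
        }
    }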

If a CAPTCHA is not to be used, make sure to set attempt_before_block to the same value as attempts_before_verify.

Alternatively, the Auth::checkReCaptcha() method can be called.
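An added example (not PHPAuth's own code): a fail-closed check of the JSON body returned by Google's reCAPTCHA verification call, which a checkCaptcha() override could use instead of reading ->success directly. The function name captchaResponseIsValid, the host example.com and the sample bodies are constructed for illustration.

```php
<?php
// Added example, not part of PHPAuth. Names and sample bodies are constructed.

/**
 * Decide whether a verification response body proves the CAPTCHA was solved.
 * Fails closed: anything other than a well-formed success for our host is false.
 */
function captchaResponseIsValid($body, string $expectedHost): bool
{
    if (!is_string($body) || $body === '') {
        return false;                 // request failed or empty reply
    }
    $json = json_decode($body, true);
    if (!is_array($json)) {
        return false;                 // not JSON (proxy error page, truncated reply)
    }
    if (($json['success'] ?? null) !== true) {
        return false;                 // strict: "true" or 1 is not accepted
    }
    // The widget must have been solved on our own hostname.
    return isset($json['hostname']) && is_string($json['hostname'])
        && strcasecmp($json['hostname'], $expectedHost) === 0;
}

// Constructed sample bodies covering the cases a login form will meet.
$samples = [
    'solved'          => '{"success": true, "challenge_ts": "2024-01-01T00:00:00Z", "hostname": "example.com"}',
    'rejected'        => '{"success": false, "error-codes": ["invalid-input-response"]}',
    'wrong host'      => '{"success": true, "hostname": "other.example"}',
    'string success'  => '{"success": "true", "hostname": "example.com"}',
    'html error'      => '<html>502 Bad Gateway</html>',
    'network failure' => false,       // what file_get_contents() returns on error
];

foreach ($samples as $label => $body) {
    $verdict = captchaResponseIsValid($body, 'example.com') ? 'accept' : 'reject';
    printf("%-16s %s\n", $label, $verdict);
}
```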

How to secure a page

Making a page accessible only to authenticated users is quick and easy, requiring only a few lines of code at the top of the page:



require 'vendor/autoload.php';

$dbh = new PDO("mysql:host=localhost;dbname=phpauth", "username", "password");

$config = new PHPAuth\Config($dbh);
$auth   = new PHPAuth\Auth($dbh, $config);

if (!$auth->isLogged()) {
    header('HTTP/1.0 403 Forbidden');
    echo "Forbidden";
    exit(); // stop here so the protected page body is never sent
}





require_once 'vendor/autoload.php';

use PHPAuth\Config as PHPAuthConfig;
use PHPAuth\Auth as PHPAuth;

$dbh = new PDO("mysql:host=localhost;dbname=phpauth", "username", "password");

$config = new PHPAuthConfig($dbh);
$auth = new PHPAuth($dbh, $config);

if (!$auth->isLogged()) {
    header('HTTP/1.0 403 Forbidden');
    echo "Forbidden";
    exit(); // stop here so the protected page body is never sent
}



NB: this requires the package to be installed via Composer: composer require phpauth/phpauth:dev-master

Custom config sources

By default, the configuration is read from the phpauth_config database table.

It is also possible to load a custom configuration from other sources: an INI file, another SQL table, or a PHP array:

Config($dbh, $config_type, $config_source, $config_language)


new Config($dbh); // load config from SQL table 'phpauth_config', language is 'en_GB'

new Config($dbh, '', 'my_config'); // load config from SQL table 'my_config', language is 'en_GB'

new Config($dbh, 'ini', '$/config/phpauth.ini'); // configuration will be loaded from INI file, '$' means Application basedir

new Config($dbh, 'array', $CONFIG_ARRAY); // configuration must be defined in $CONFIG_ARRAY value

new Config($dbh, '', '', 'ru_RU'); // load configuration from default SQL table and use ru_RU locale

Message languages

The language for error and success messages returned by PHPAuth can be configured by passing in one of the available languages as the third parameter to the Auth constructor. If no language parameter is provided, the default en_GB language is used.

Example: $auth = new PHPAuth\Auth($dbh, $config, "fr_FR");

Available languages:


All class methods are documented in the Wiki
System error codes are listed and explained here


Anyone can contribute to improve or fix PHPAuth. To do so, you can either report an issue (a bug, an idea…) or fork the repository, make modifications in your fork, then request a merge.