1

I want to create multiple users to enter a site (without a database).

Let's say I've generated a user and password combination in PHP with password_hash. (Method found here.)

$userhash = password_hash('exampleusername', PASSWORD_BCRYPT, $useroptions);
$passhash = password_hash('examplepass', PASSWORD_BCRYPT, $pwoptions);

Then I saved the hashed files somewhere.

$hasheduser = file_get_contents("private/user"); 
$hashedpass = file_get_contents("private/pass"); 

Set the username and password combination against the hash for a $_POST from a form.

$userhash = password_hash($_POST['user'], PASSWORD_BCRYPT, $useroptions);
$passhash = password_hash($_POST['pass'], PASSWORD_BCRYPT, $pwoptions);

Now if the user/pass combo are correct, a session will be set and checked.

if (
    (password_verify($_POST['user'], $hasheduser)) 
    && (password_verify($_POST['pass'], $hashedpass))
) {
    session_start();    
    $_SESSION['validuser'] = $_POST['user'];
}

My question is, how can I create multiple usernames and passwords without constantly duplicating the same code?

Making multiple users...

$hasheduser = file_get_contents("private/user"); 
$hashedpass = file_get_contents("private/pass"); 
$hasheduser2 = file_get_contents("private/user2"); 
$hashedpass2 = file_get_contents("private/pass2"); 

Checking multiple users...

if (
    (password_verify($_POST['user'], $hasheduser)) 
    && (password_verify($_POST['pass'], $hashedpass))
) {
    // start session for the first user
} elseif (
    (password_verify($_POST['user'], $hasheduser2)) 
    && (password_verify($_POST['pass'], $hashedpass2))
) {
    // start session for the second user
}

Is there a way to loop through users to enter the login screen instead of multiple elseif statements?

Any help appreciated.

I'm thinking maybe I need to put the user/pass combos in an array...(my incorrect attempt).

$users = array(
   file_get_contents("private/user1") => file_get_contents("private/pass1"),
   file_get_contents("private/user2") => file_get_contents("private/pass2")
);

foreach ($users as $key => $value) {
    if ((password_verify($username, $key)) && (password_verify($pass,$value))) {}
}

But that would just endlessly duplicate the login form.

Thank you, any help is appreciated.

Tania Rascia
  • Sidenote: is there a specific reason as to why you're not using a database? – Funk Forty Niner Jan 18 '17 at 19:40
  • No specific reason, only that there will only be maybe three or four users. – Tania Rascia Jan 18 '17 at 19:41
  • a) why not a database? use a database. that's what databases are for. b) why are you hashing the username? c) unless you protect `private` with a htaccess, everybody can get the hashed data. that's not good. d) have you heard about *functions*? e) you could save yourself a lot of trouble if you serialize your data (for example with json_encode) and store it in *one* file. – Franz Gleichmann Jan 18 '17 at 19:42
  • c) Private is protected with htaccess/Deny from all. d) Go on... – Tania Rascia Jan 18 '17 at 19:43

2 Answers

1

You can have a single file with users and pass, like (you can have a JSON file or whatever):

$usersInfo = array(
   "userhash1" => "passwordhash1",
   "userhash2" => "passwordhash2",
);

Then

if(isset($usersInfo[$userhash]) && $usersInfo[$userhash] === $passhash)
{
    //Successful login
    session_start();    
    $_SESSION['validuser'] = $_POST['user'];
}
Pipe
  • Thank you, I made a JSON file, decoded it, put it in a foreach loop to test userhash against userpass, and used that if statement. – Tania Rascia Jan 18 '17 at 21:07
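
One way to do the lookup without a chain of elseif, as an added example that is not code from the question or from either answer: usernames are kept as plain keys in a single JSON file and only the passwords are hashed, so one array lookup plus one password_verify call covers any number of users. The function names, the temp-file path and the sample users are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Load the username => password-hash map from one JSON file.
function loadUsers(string $path): array
{
    $raw = @file_get_contents($path);
    $users = $raw === false ? null : json_decode($raw, true);
    return is_array($users) ? $users : [];
}

// True only when $user is a known key and $pass matches its stored hash.
function checkLogin(array $users, string $user, string $pass): bool
{
    // Unknown names are verified against a throwaway hash, so a miss
    // costs one bcrypt check just like a hit does.
    static $dummy = null;
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);

    $known = isset($users[$user]) && is_string($users[$user]);
    $ok = password_verify($pass, $known ? $users[$user] : $dummy);
    return $known && $ok;
}

// Constructed sample data; a real file would be written once by an admin script.
$file = sys_get_temp_dir() . '/users-example.json';
file_put_contents($file, json_encode([
    'alice' => password_hash('constructed-pass-1', PASSWORD_BCRYPT),
    'bob'   => password_hash('constructed-pass-2', PASSWORD_BCRYPT),
]));
$users = loadUsers($file);

var_dump(checkLogin($users, 'alice', 'constructed-pass-1'));
var_dump(checkLogin($users, 'bob', 'not-the-password'));
var_dump(checkLogin($users, 'mallory', 'constructed-pass-1'));

// Login handler, using the form fields 'user' and 'pass' from the question.
$u = $_POST['user'] ?? null;
$p = $_POST['pass'] ?? null;
if (is_string($u) && is_string($p) && checkLogin($users, $u, $p)) {
    session_start();
    session_regenerate_id(true); // fresh session id on login
    $_SESSION['validuser'] = $u;
}
```

The users file belongs somewhere the web server does not serve, such as the question's `private` directory with its Deny from all rule.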
0

Tania Rascia, just do one thing: store all usernames and passwords in a CSV file, and on every login you can check whether the entered username and password exist in the file or not. After successful authentication you can set the session. This method can resolve your problem.

Rashid Khan