Miraat·dweb developer journey, reflected

Authentication: sessions and bcrypt

Email + password login done right: hashing, sessions, logout, brute-force protection.

Core · 30 minutes · Prerequisites: Routing and MVC

Password hashing

<?php
// Registration: bcrypt generates a per-password salt; cost 12 is the minimum recommended below.
$hash = password_hash($passwordInput, PASSWORD_BCRYPT, ["cost" => 12]);
// Login: password_verify() reads algorithm, cost and salt from the stored hash
// and compares in a timing-safe way, so no manual string comparison is needed.
if (password_verify($passwordInput, $userHash)) { /* ok */ }

Sessions

After login, you store user_id in the server-side session. The client gets a cookie with the session id, not the data.
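The session lifecycle around that user_id, as an added example that is not code from the original page. It assumes PHP 7.3 or later (array form of session_set_cookie_params() and setcookie()); the function names and the 30-minute idle limit are choices made for this example.

```php
<?php
// Added example (not from the original page): session lifecycle around login.
// Assumes PHP >= 7.3 for the array form of session_set_cookie_params().

declare(strict_types=1);

const SESSION_IDLE_LIMIT = 30 * 60; // seconds; a session that never expires is the anti-pattern

function startSecureSession(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Only the session id travels to the browser; the data stays server-side.
    session_set_cookie_params([
        'lifetime' => 0,      // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,   // sent only over HTTPS
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',  // not sent on cross-site POSTs
    ]);
    ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
    session_start();
}

// Call this only after password_verify() succeeded.
function loginUser(int $userId): void
{
    startSecureSession();
    // Fresh id on privilege change so a pre-login id cannot be reused (session fixation).
    session_regenerate_id(true);
    $_SESSION['user_id']       = $userId;
    $_SESSION['last_activity'] = time();
}

// Returns the logged-in user's id, or null when there is no valid session.
function currentUserId(): ?int
{
    startSecureSession();
    if (!isset($_SESSION['user_id'])) {
        return null;
    }
    if (time() - ($_SESSION['last_activity'] ?? 0) > SESSION_IDLE_LIMIT) {
        logoutUser();
        return null;
    }
    $_SESSION['last_activity'] = time();
    return (int) $_SESSION['user_id'];
}

function logoutUser(): void
{
    startSecureSession();
    $_SESSION = [];
    // Expire the cookie on the client and destroy the data on the server.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => $p['path'],
        'domain'   => $p['domain'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}
```

Every request that needs a user goes through currentUserId(), which enforces the idle limit; the controller calls loginUser() once after a successful password check and logoutUser() from the logout route.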

What NOT to do

  • Store passwords in cleartext or hashed with MD5/SHA1.
  • Keep sessions alive forever.
  • Show messages like "email not found" (they reveal which accounts exist).

What to do

  • Bcrypt or Argon2id, cost ≥ 12.
  • Session cookies with httponly, secure and samesite=lax.
  • Rate limit login attempts.
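A login check that combines the last two lists: one generic failure message for every cause, a dummy hash so an unknown email takes as long to reject as a wrong password, a per-email-and-IP attempt counter, and a transparent rehash when the cost changes. This is an added example, not code from the original page; the in-memory arrays, the constants, and the function names are constructed for the demo, and the null-coalescing assignment needs PHP 7.4 or later.

```php
<?php
// Added example (not from the original page): rate-limited login with a uniform
// error message. Storage is an in-memory array for the demo; a real app keeps the
// counter in a database or cache and calls authenticate() from the controller.

declare(strict_types=1);

const MAX_ATTEMPTS    = 5;
const LOCKOUT_SECONDS = 15 * 60;
const BCRYPT_OPTIONS  = ['cost' => 12];

// Constructed demo user table: email => ['id' => int, 'hash' => string].
$users = [
    'alice@example.com' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_BCRYPT, BCRYPT_OPTIONS)],
];

// Constructed attempt store: key => ['count' => int, 'first' => unix timestamp].
$attempts = [];

function tooManyAttempts(array &$attempts, string $key, int $now): bool
{
    $entry = $attempts[$key] ?? ['count' => 0, 'first' => $now];
    if ($now - $entry['first'] > LOCKOUT_SECONDS) {
        unset($attempts[$key]); // window expired, start fresh
        return false;
    }
    return $entry['count'] >= MAX_ATTEMPTS;
}

function recordFailure(array &$attempts, string $key, int $now): void
{
    $entry = $attempts[$key] ?? ['count' => 0, 'first' => $now];
    $entry['count']++;
    $attempts[$key] = $entry;
}

// Returns ['ok' => true, 'user_id' => int] or ['ok' => false, 'error' => string].
// The error text is identical for unknown email, wrong password and locked key,
// so the response does not tell an attacker which one happened.
function authenticate(array &$users, array &$attempts, string $email, string $password, string $ip, int $now): array
{
    $generic = ['ok' => false, 'error' => 'Invalid email or password.'];
    $email   = strtolower($email);
    $key     = $email . '|' . $ip;

    if (tooManyAttempts($attempts, $key, $now)) {
        return $generic;
    }

    $user = $users[$email] ?? null;
    // Verify against a dummy hash when the user does not exist, so the time
    // spent is the same as for a real account (no enumeration by timing).
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    $hash = $user['hash'] ?? $dummyHash;

    if ($user === null || !password_verify($password, $hash)) {
        recordFailure($attempts, $key, $now);
        return $generic;
    }

    // Upgrade stored hashes in place when the cost or algorithm changes.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, BCRYPT_OPTIONS)) {
        $users[$email]['hash'] = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTIONS);
    }

    unset($attempts[$key]); // success clears the counter
    return ['ok' => true, 'user_id' => $user['id']];
}

// Demo run: MAX_ATTEMPTS wrong passwords lock the key, then the right password
// is refused until the window has passed.
$now = time();
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    authenticate($users, $attempts, 'alice@example.com', 'wrong', '203.0.113.5', $now);
}
$locked = authenticate($users, $attempts, 'alice@example.com', 'correct horse', '203.0.113.5', $now);
echo 'during lockout: ', $locked['ok'] ? 'accepted' : 'refused', PHP_EOL;
$later = authenticate($users, $attempts, 'alice@example.com', 'correct horse', '203.0.113.5', $now + LOCKOUT_SECONDS + 1);
echo 'after window:   ', $later['ok'] ? 'accepted' : 'refused', PHP_EOL;
```

The counter is keyed on email and client IP together so that a burst of failures from one address does not lock the real user out from elsewhere; a stricter deployment can add a second, per-email counter with a higher threshold.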

Recommended resources