Authentication
#46

(This post was last modified: 06-22-2017, 12:11 PM by ciadmin.)

(06-17-2017, 04:08 AM)Paradinight Wrote: Drat! Darn! Bejeebers!

Your code is garbage:
- saving pw in cookie
- no sql protection
- printing error message
- missing password_needs_rehash


Something has to be stored on the user's computer so the website can recognise whether the user is logged in or not. You can't authenticate a user using just sessions. And whatever is stored on the computer has to MATCH what is on the server that is assigned to the user. It doesn't matter if it's a password or a random string that's not a password, because it has to match up to what's on the server assigned to the user anyway.

You might want me to validate IP addresses in case cookies are stolen, but if someone has a dynamic IP address, they'll experience the bother of being repeatedly logged out. For extra security, when logging in, the user's IP address can be checked against other IP addresses that have logged in for that user in the past. It should be easy to add that feature into the code I shared.

I'll repeat: the SQL escaping functions that PHP provides programmers, such as mysqli_real_escape_string, have been broken and can be exploited very easily, as a quick search on Stack Overflow will show, so you should rely on a server firewall to protect against SQL injection. Relying on PHP's SQL escaping functions is like having a front door to your house made of paper.

The error message is printed because on all my websites there is an email form for the user to email the admin (me), so if for some rare and strange reason they cannot register on the website, they see not only a generic "signing up failed, you could not sign up because of an error" but also the exact error, so they can email me the error they saw.

If I used Sentry, all PHP errors would go to my email automatically, but it is good to print the error for that reason as well, just to be safe. There are some errors which Sentry cannot catch, as they are not exceptions, so it makes sense to print some errors in case something goes wrong, so the user can email you about it, rather than not print the error at all, have the user repeat themselves 2-5 times, get frustrated at the website not working, leave and never come back. Printing errors can improve user experience and increase retention.

Not every error is an exception, so if I used Sentry to automatically send all PHP errors to my email address, it would not catch all errors. It makes sense to print some errors.

The authentication code I provided uses bcrypt to encrypt the passwords. The password already is rehashed using bcrypt, as it is using a default strength of 3-5 (I forgot the number). The bcrypt algorithm has not yet been cracked like md5 or sha16. With bcrypt it takes an exponential amount of time to brute force, due to the fact that generating a password in bcrypt has a cost, unlike md5 or sha32, where someone can pay for hundreds of Amazon EC2 servers to crack passwords at a low price.

And by the way, rehashing passwords doesn't make them any less likely to be cracked; you can rehash an md5 hash millions of times with a salt and it will still be cracked in five minutes.
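An added example, not code from this thread or from the poster's shared authentication code, showing in plain PHP 7.3+ with PDO the three pieces this exchange keeps coming back to: a password login that calls password_needs_rehash, a remember-me cookie that stores a random token rather than the password while still matching a server-side record, and parameterised queries for the lookups. The table and column names (users, remember_tokens), the cookie name and the 30-day lifetime are assumptions made for the example.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Assumed schema (MySQL flavour):
//   users(id INT PK, username VARCHAR, password_hash VARCHAR(255))
//   remember_tokens(selector CHAR(24) PK, validator_hash CHAR(64),
//                   user_id INT, expires_at INT)

const REMEMBER_COOKIE = 'remember';       // assumed cookie name
const REMEMBER_TTL    = 30 * 24 * 3600;   // assumed lifetime: 30 days

// Password login. The stored hash is upgraded in place when PHP's default
// algorithm or cost changes, which is the job of password_needs_rehash.
function loginWithPassword(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a freshly made dummy hash when the user does not exist, so
    // the response time does not reveal which usernames are registered.
    $hash = $row !== false ? $row['password_hash'] : password_hash('dummy', PASSWORD_DEFAULT);
    $ok   = password_verify($password, $hash);
    if ($row === false || !$ok) {
        return null;
    }
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    return (int) $row['id'];
}

// Issue a remember-me cookie. Nothing derived from the password reaches the
// browser: the cookie holds a random selector and a random validator, and the
// database keeps only a hash of the validator, so a leaked token table cannot
// be replayed as cookies. Returns the cookie value for the caller's use.
function issueRememberToken(PDO $db, int $userId): string
{
    $selector  = bin2hex(random_bytes(12));
    $validator = bin2hex(random_bytes(32));
    $expires   = time() + REMEMBER_TTL;

    $stmt = $db->prepare(
        'INSERT INTO remember_tokens (selector, validator_hash, user_id, expires_at)
         VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$selector, hash('sha256', $validator), $userId, $expires]);

    $value = $selector . ':' . $validator;
    setcookie(REMEMBER_COOKIE, $value, [
        'expires'  => $expires,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    return $value;
}

// Map a remember-me cookie back to a user id, or null if it is not valid.
function userFromRememberCookie(PDO $db, string $cookieValue): ?int
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;

    $stmt = $db->prepare(
        'SELECT user_id, validator_hash FROM remember_tokens
         WHERE selector = ? AND expires_at > ?'
    );
    $stmt->execute([$selector, time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // The selector was matched by SQL equality; the secret half is compared in
    // constant time so a timing side channel cannot be used to guess it.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // Right selector, wrong validator: the cookie was tampered with or
        // guessed. Revoke the token rather than leave it usable.
        revokeRememberToken($db, $selector);
        return null;
    }
    return (int) $row['user_id'];
}

// Called on logout, or after a failed validator check above.
function revokeRememberToken(PDO $db, string $selector): void
{
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$selector]);
    setcookie(REMEMBER_COOKIE, '', ['expires' => 1, 'path' => '/']);
}
```

On each request, check the PHP session first and fall back to userFromRememberCookie only when no session exists; after a successful cookie login, start a session, revoke the token that was just used and issue a fresh one, so a copied cookie stops working after its first use and the legitimate browser keeps a working one.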