WebReference.com has posted the third part of their "user personalization" series today with a look at the gateway to your protected application - the login script.

This script does the very important job of authenticating a user and can make or break the application in the sense that if it is weak security wise, then any attacker can easily penetrate our application and cause damage. In this case, we will try to make it as difficult as possible for attackers to break our application.

Their script is a simple username/password form with some validation on the input - not empty, password is above a certain length and that the random number generated is the same as the one in the session. Only if it passes these is the user information checked via a database query. They also include a logout and user confirmation script that uses an md5 hash to validate the link.