On signup you get the password from the user input and generate its has using password_hash()
:
$hash = password_hash($_POST['password'], PASSWORD_BCRYPT);
You can provide it a custom salt to use, in a third parameter, but the documentation recommends to not do this:
Caution It is strongly recommended that you do not generate your own salt for this function. It will create a secure salt automatically for you if you do not specify one.
You save this hash in the database. Make sure you put it in a CHAR
/VARCHAR
field of 60 characters or longer.
When the user wants to log in you check the password they input against the hash previously saved using password_verify()
:
$auth = password_verify($_POST['password'], $hash);
Of course, you get the correct value of $hash
from the database, searching by the provided username.
If $auth
is TRUE
then the provided password matches its hash computed on the registration and the user is authenticated.