This is a GPT-5 generated client/server sodium example that uses a KDF‑derived per‑message subkey with timestamp replay protection.
It uses a local PHP instance to encrypt user credentials into the data payload so they can't be recorded in server transaction logs. 
This method ensures credentials are never sent unencrypted, each message has its own unique subkey, and replayed messages are rejected once they fall outside the timestamp acceptance window.

Client (client.php)
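<?php
declare(strict_types=1);

// Master key (32 bytes, securely provisioned once).
// The hex constant is a placeholder for the example: a real deployment loads the key
// from a secret store and never commits it to source.
$masterKey = hex2bin('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef');
if ($masterKey === false || strlen($masterKey) !== SODIUM_CRYPTO_SECRETBOX_KEYBYTES) {
    throw new RuntimeException('Master key must be exactly 32 bytes.');
}

// User-supplied variables
$user   = "demoUser";
$pass   = "demoPass123";
$name   = "John Doe";
$rank   = "Captain";
$serial = "12345";

// Timestamp for replay protection (Unix seconds; the server accepts a +/-60 s window)
$timestamp = time();

// Pack data
$payload = [
    'User'      => $user,
    'Password'  => $pass,
    'Name'      => $name,
    'Rank'      => $rank,
    'Serial'    => $serial,
    'Timestamp' => $timestamp,
];

// Random per-message salt (public, sent with the ciphertext)
$salt = random_bytes(16);

// Derive the per-message subkey: HMAC-SHA256(masterKey, salt) is exactly
// SODIUM_CRYPTO_SECRETBOX_KEYBYTES (32) bytes. The server re-derives the same value
// from the transmitted salt, so this derivation must stay byte-for-byte identical.
$subkey = hash_hmac('sha256', $salt, $masterKey, true);

// Serialize, then encrypt. JSON_THROW_ON_ERROR fails loudly instead of silently
// encrypting the literal "false" when encoding fails.
$plain  = json_encode($payload, JSON_THROW_ON_ERROR);
$nonce  = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
$cipher = sodium_crypto_secretbox($plain, $nonce, $subkey);

// The subkey is single-use; wipe it as soon as the ciphertext exists.
sodium_memzero($subkey);

// Transport: base64(salt || nonce || cipher)
$wire = base64_encode($salt . $nonce . $cipher);

// POST to server over TLS. Peer/host verification is curl's default; it is set
// explicitly so a later edit cannot disable it unnoticed.
$ch = curl_init("https://yourserver/server.php");
if ($ch === false) {
    throw new RuntimeException('Unable to initialise cURL.');
}
curl_setopt_array($ch, [
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => ['payload' => $wire],
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_SSL_VERIFYPEER => true,
    CURLOPT_SSL_VERIFYHOST => 2,
    CURLOPT_TIMEOUT        => 10,
]);
$response = curl_exec($ch);
if ($response === false) {
    // Transport failure (DNS, TLS, timeout): report it instead of printing "Server response: ".
    $error = curl_error($ch);
    curl_close($ch);
    echo "Request failed: $error\n";
    exit(1);
}
curl_close($ch);

echo "Server response: $response\n";
?>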

Server (server.php)
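<?php
declare(strict_types=1);

header('Content-Type: application/json');

try {
    $pdo = new PDO("mysql:host=localhost;dbname=your_database;charset=utf8mb4",
                   "your_username","your_password",
                   [PDO::ATTR_ERRMODE=>PDO::ERRMODE_EXCEPTION,
                    PDO::ATTR_DEFAULT_FETCH_MODE=>PDO::FETCH_ASSOC,
                    PDO::ATTR_EMULATE_PREPARES=>false]);

    // Master key (same as client). Placeholder for the example; a real deployment
    // loads it from a secret store, never from source.
    $masterKey = hex2bin('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef');
    if ($masterKey === false) throw new Exception("Server key misconfigured.");

    // Transport decoding. $_POST values may be arrays (payload[]=...), so the type is
    // checked before use; strict base64 rejects bytes outside the alphabet instead of
    // silently dropping them.
    $payloadB64 = $_POST['payload'] ?? '';
    if (!is_string($payloadB64) || $payloadB64 === '') throw new Exception("Missing payload.");
    $bin = base64_decode($payloadB64, true);
    if ($bin === false) throw new Exception("Malformed payload.");

    // Wire layout: salt(16) || nonce(NONCEBYTES) || cipher(>= MACBYTES).
    // Checking the length up front makes a truncated message fail here rather than
    // inside the sodium call.
    $saltLen  = 16;
    $nonceLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES;
    if (strlen($bin) < $saltLen + $nonceLen + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        throw new Exception("Malformed payload.");
    }
    $salt   = substr($bin, 0, $saltLen);
    $nonce  = substr($bin, $saltLen, $nonceLen);
    $cipher = substr($bin, $saltLen + $nonceLen);

    // Re-derive the per-message subkey exactly as the client did.
    $subkey = hash_hmac('sha256', $salt, $masterKey, true);

    // Decrypt. secretbox is authenticated, so a forged or tampered message fails here.
    $json = sodium_crypto_secretbox_open($cipher, $nonce, $subkey);
    sodium_memzero($subkey);
    if ($json === false) throw new Exception("Decryption failed.");

    $vars = json_decode($json, true);
    if (!is_array($vars)) throw new Exception("Invalid JSON.");

    // Replay protection: timestamp must be an integer within 60 seconds of now.
    // NOTE: this only bounds the replay window; an identical message re-sent inside the
    // window is still accepted. Rejecting exact replays needs a store of recently seen
    // nonces (or salts) checked at this point.
    $ts = $vars['Timestamp'] ?? null;
    if (!is_int($ts) || abs(time() - $ts) > 60) {
        throw new Exception("Request expired.");
    }

    // Extract variables. Only JSON strings are accepted; any other type is treated as
    // missing so trim() is never handed a non-string.
    $field = static function (array $src, string $key): string {
        $value = $src[$key] ?? null;
        return is_string($value) ? trim($value) : '';
    };
    $user   = $field($vars, 'User');
    $pass   = $field($vars, 'Password');
    $name   = $field($vars, 'Name');
    $rank   = $field($vars, 'Rank');
    $serial = $field($vars, 'Serial');

    // Validation
    if ($user==='' || $pass==='' || $name==='' || $rank==='' || $serial==='') {
        throw new Exception("Missing required parameters.");
    }
    if (!preg_match("/^[a-zA-Z\s'-]+$/",$name)) throw new Exception("Invalid name.");
    if (!preg_match("/^[a-zA-Z0-9\s\/-]+$/",$rank)) throw new Exception("Invalid rank.");
    if (!preg_match("/^[0-9-]+$/",$serial)) throw new Exception("Serial must be numeric or hyphenated.");

    // Authenticate user
    // NOTE(review): when no row matches, password_verify is skipped, so response timing
    // can reveal whether a username exists; verify against a fixed dummy hash if that matters.
    $stmt = $pdo->prepare("SELECT password_hash FROM users WHERE username=:u LIMIT 1");
    $stmt->bindValue(':u',$user,PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch();
    if(!$row || !password_verify($pass,$row['password_hash'])) throw new Exception("Authentication failed.");

    // Insert record
    $stmt = $pdo->prepare("INSERT INTO personnel (Name,Rank,Serial) VALUES (:n,:r,:s)");
    $stmt->bindValue(':n',$name,PDO::PARAM_STR);
    $stmt->bindValue(':r',$rank,PDO::PARAM_STR);
    $stmt->bindValue(':s',$serial,PDO::PARAM_STR);
    $stmt->execute();

    echo json_encode(["status"=>"success","id"=>$pdo->lastInsertId()]);

} catch(PDOException $e) {
    // Database errors stay server-side: the message can carry DSN, table names or SQL
    // fragments and must not be echoed to the client.
    error_log('server.php database error: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(["status"=>"error","message"=>"Internal error."]);
} catch(Exception $e) {
    http_response_code(400);
    echo json_encode(["status"=>"error","message"=>$e->getMessage()]);
}
?>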