Logging In Users


Nick
2006.09.30, 09:16 PM
Anyone know where to start when making a website with user registration and login? I'm just getting into more detailed web working and don't know how to manage cookies and all the other stuff to make log-ins work. Thanks.

Steven
2006.09.30, 10:49 PM
It's fairly easy using PHP, although you should really mention what sort of tools you're using to make your website. That would help a lot with helping you :)

Nick
2006.09.30, 10:59 PM
I'm trying to use JavaScript and PHP with a MySQL database. Just a simple user login tool.

Taxxodium
2006.10.01, 03:35 AM
There are tons of tutorials out there. Do a Google search and you'll find a few.

For login access you only need PHP and a MySQL database to store the data.

Steven
2006.10.01, 01:50 PM
php.net is also an excellent API reference. You'll probably want to look up sessions, as that's a good way to keep them logged in. You can use something as simple as two text fields and a button (username/password/submit) and a database of users to do the logging in.

Nick
2006.10.02, 09:43 PM
I think I've got this figured out, but it's not quite working. Here are a few of my functions:

function logInUser($name, $password, $useCookie) {
    // Hash the submitted password so it can be compared with the stored MD5.
    $password = md5($password);

    if(!userExists($name)) {
        return 1;   // unknown user
    }
    else if(!confirmUserMD5($name, $password)) {
        return 2;   // wrong password
    }

    // Success: remember who is logged in for this session.
    // (Nothing is returned on success, so the caller gets NULL.)
    $_SESSION['username'] = $name;
    $_SESSION['password'] = $password;

    if($useCookie) {
        // "Remember me": both values are written to cookies that last a year.
        setcookie("cookname", $_SESSION['username'], time() + 60 * 60 * 24 * 365, "/");
        setcookie("cookpass", $_SESSION['password'], time() + 60 * 60 * 24 * 365, "/");
    }
}

function isLoggedIn() {
    // If the "remember me" cookies are present, copy them into the session.
    if(isset($_COOKIE['cookname']) && isset($_COOKIE['cookpass'])) {
        $_SESSION['username'] = $_COOKIE['cookname'];
        $_SESSION['password'] = $_COOKIE['cookpass'];
    }

    if(isset($_SESSION['username']) && isset($_SESSION['password'])) {
        // Note: this calls confirmUser(), whereas logInUser() calls confirmUserMD5().
        if(!confirmUser($_SESSION['username'], $_SESSION['password'])) {
            unset($_SESSION['username']);
            unset($_SESSION['password']);
            return false;
        }

        return true;
    }
    else {
        return false;
    }
}

I've tested userExists(), confirmUserMD5(), and isLoggedIn(), but after running the logInUser() method (and having it succeed), isLoggedIn() still returns false for me. Anything I'm doing wrong here?

Steven
2006.10.02, 11:50 PM
I don't see why you're using $_COOKIE. Once you set
$_SESSION['username'] = $name;
$_SESSION['password'] = $password;
any further reads from $_SESSION (even in a later script) should return what you set.

The basic idea for logging in is that you check the username/password against a stored hash of the password in your database. If it's correct, you store the username/uid/whatever in $_SESSION['user'].

Then, you can always refer to that variable to see who is logged in. Make sure you call session_start() or whatever the function is at the start of every invocation of your scripts to recall the stored variables.

Nick
2006.10.03, 06:07 AM
I'm using the cookie for those Remember Me buttons. Other than that, I'm doing what you said. I'm using session_start(), but it doesn't seem to be working. I'll work on it some more and maybe post more code later.

Steven
2006.10.04, 01:59 AM
Probably not a great idea to store the password in a cookie anyway. Just a thought.

unknown
2006.10.04, 08:55 AM
You should really never ever store passwords in plaintext because it's a major security flaw. Look up hashing functions like MD5 (http://uk.php.net/md5) or SHA1 (http://uk.php.net/manual/en/function.sha1.php) or something similar.

PowerMacX
2006.10.04, 10:15 AM
Don't reinvent the wheel:

http://pear.php.net/package/Auth

Nick
2006.10.04, 01:17 PM
You should really never ever store passwords in plaintext because it's a major security flaw. Look up hashing functions like MD5 (http://uk.php.net/md5) or SHA1 (http://uk.php.net/manual/en/function.sha1.php) or something similar.
I do use md5. It doesn't show in the code, but it's there somewhere. Now I actually do some string manipulation first and then use md5 for a little boost of security.

Steven
2006.10.05, 06:22 PM
Twiddling the string a bit first probably won't increase security at all - if you're really paranoid, you could use SHA-1...

(That is, unless you're salting it or something, in which case it could help)

The problem isn't whether you are hashing it or not, the problem is where you set the "cookpass" cookie to be the user's password in plaintext. Anyone dropping by and viewing the user's cookies will be able to grab their password in plaintext. You should change that.
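As an added example (not code from the thread), here is the login-plus-"remember me" flow Steven describes done without ever placing the password, or its hash, in a cookie: the session holds only the user id, and the cookie holds a random token whose hash is kept server-side. It uses modern PHP (password_hash, random_bytes, hash_equals) and an in-memory array in place of the MySQL tables; the user name, password and function names are constructed for the demo.

```php
<?php
// Added example, not from the thread. The "database" is an in-memory array so the
// script runs stand-alone; a real site would keep $users and $tokens in MySQL.
declare(strict_types=1);

// Constructed sample user; the password hash is produced at runtime for the demo.
$users  = ['nick' => ['id' => 1, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
$tokens = [];   // selector => ['user_id' => int, 'validator_hash' => string, 'expires' => int]

// Check the credentials against the stored hash. Returns the user id or null.
// The caller then does $_SESSION['user_id'] = $uid after session_start().
function logInUser(array $users, string $name, string $password): ?int {
    if (!isset($users[$name]) || !password_verify($password, $users[$name]['hash'])) {
        return null;           // same outcome for unknown user and wrong password
    }
    return $users[$name]['id'];
}

// Issue a "remember me" token: a random selector (database lookup key) and a random
// validator whose SHA-256 hash is stored server-side. Only the pair goes in the cookie.
function issueRememberToken(array &$tokens, int $userId): string {
    $selector  = bin2hex(random_bytes(8));
    $validator = bin2hex(random_bytes(32));
    $tokens[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + 30 * 24 * 60 * 60,   // 30 days
    ];
    return $selector . ':' . $validator;   // value to pass to setcookie()
}

// Resolve a "remember me" cookie back to a user id, or null if invalid or expired.
function userFromRememberCookie(array $tokens, string $cookie): ?int {
    [$selector, $validator] = array_pad(explode(':', $cookie, 2), 2, '');
    if (!isset($tokens[$selector]) || $tokens[$selector]['expires'] < time()) {
        return null;
    }
    // Constant-time comparison so response timing does not leak the stored hash.
    if (!hash_equals($tokens[$selector]['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $tokens[$selector]['user_id'];
}

// Demo: log in, issue the cookie, then recover the user from the cookie alone.
$uid    = logInUser($users, 'nick', 'correct horse');
$cookie = issueRememberToken($tokens, $uid);
echo userFromRememberCookie($tokens, $cookie) === $uid ? "remembered\n" : "rejected\n";
echo userFromRememberCookie($tokens, 'bogus:cookie') === null ? "bogus rejected\n" : "BUG\n";
```

When writing the cookie for real, pass it to setcookie() with the HttpOnly and Secure options set, and delete the token row on logout so a stolen cookie stops working.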