Building Block

Auth & Members

Session-based login, role-based access control, and Stripe subscription gating — Claude deploys a complete PHP authentication system in a single conversation. No auth plugin, no third-party identity service.

Authentication & membership patterns

Three auth system patterns — from simple login/register to full Stripe membership gating. Pure PHP PDO, bcrypt passwords, and MySQL. No Auth0, no Firebase, no WordPress user tables.

Pattern 1 — Session-Based Login & Registration

A complete login, registration, and logout system in PHP. Passwords hashed with password_hash() (bcrypt), sessions managed server-side, and a password reset flow via SMTP link. Drop auth_check.php at the top of any page to protect it.

PHP PDO, Bcrypt, Sessions, MySQL, SMTP
  • MySQL users table: id, email, password_hash, name, created_at, email_verified
  • register.php: email + password form, server-side validation, password_hash() bcrypt, duplicate email check, SMTP verification email
  • login.php: password_verify() check, session start on success, configurable redirect-after-login URL, brute-force delay on failure (500ms usleep)
  • logout.php: destroys session, clears cookie, redirects to login
  • reset.php: generates a time-limited token (1 hour), stores hash in MySQL, sends SMTP reset link; reset-confirm.php validates token and accepts new password
  • auth_check.php: one-line include at the top of any PHP page to redirect unauthenticated users to /login
Prompt to use with Claude

Build a PHP login and registration system for my site. Create register.php, login.php, logout.php, and reset.php (password reset via SMTP link). Store users in a MySQL users table with bcrypt password hashing. Create auth_check.php that I can include at the top of any page to redirect unauthenticated users to /login. After login, redirect to /[members-page]. Send a verification email on registration via SMTP. CSS in theme.css, no inline styles.
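The reset.php / reset-confirm.php token handling described above, as an added example (not code generated by the product). The `password_resets` table, the function names, and the one-token-per-user rule are assumptions; in-memory SQLite stands in for MySQL so the block runs offline.

```php
<?php
declare(strict_types=1);

// Hypothetical table, not from the page:
//   password_resets(user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)
const RESET_TTL = 3600; // the page's 1-hour lifetime

/** Issue a token: the raw value goes in the emailed link, only its SHA-256 is stored. */
function create_reset_token(PDO $db, int $userId, ?int $now = null): string
{
    $now ??= time();
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    // One outstanding token per user: a new request invalidates the old link.
    $db->prepare('DELETE FROM password_resets WHERE user_id = ?')->execute([$userId]);
    $db->prepare('INSERT INTO password_resets (user_id, token_hash, expires_at) VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), $now + RESET_TTL]);
    return $token;
}

/** Validate a token from the link; returns the user id once, then the token is gone. */
function consume_reset_token(PDO $db, string $token, ?int $now = null): ?int
{
    $now ??= time();
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM password_resets WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null; // unknown or expired
    }
    // Delete by hash and check the row count, so two concurrent submissions cannot both win.
    $del = $db->prepare('DELETE FROM password_resets WHERE token_hash = ?');
    $del->execute([$hash]);
    return $del->rowCount() === 1 ? (int) $row['user_id'] : null;
}

// Constructed demo on in-memory SQLite (the page's system uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE password_resets (user_id INTEGER PRIMARY KEY, token_hash TEXT, expires_at INTEGER)');
$token = create_reset_token($db, 42, 1000);
var_dump(consume_reset_token($db, $token, 1000 + RESET_TTL + 1)); // attempt after expiry
var_dump(consume_reset_token($db, $token, 1500));                  // attempt within the hour
var_dump(consume_reset_token($db, $token, 1500));                  // replay of a used link
```

Storing only the hash means a leaked or backed-up `password_resets` table does not contain usable reset links.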

Pattern 2 — Role-Based Access Control

Extends the session login with user roles — admin, member, and guest tiers. A single require_role() function gates any page or section to the required role. Role-gated content blocks can also be shown or hidden within a single page without a redirect.

PHP, MySQL, Role Middleware, Sessions
  • MySQL users table: adds role column with values admin / member / guest (default: guest)
  • auth.php helper: require_role('admin') function — sends 403 or redirects to /login if role not met
  • Role stored in session on login — refreshed from DB on each request to pick up role changes without re-login
  • Inline gating: <?php if (has_role('member')): ?> blocks inside page templates for partial-page role gating
  • admin/users.php: admin-only page listing all users with a role dropdown per row — role update saves to MySQL on change
  • Easily extended: add new roles (e.g. editor, premium) by adding a row to a roles reference table
Prompt to use with Claude

Extend my PHP login system with role-based access control. Add a role column (admin/member/guest) to the users table. Create auth.php with a require_role() function and a has_role() helper. Gate /admin/* pages to admin role. Gate /members/* pages to member and admin roles. Create admin/users.php where admins can view all users and change their roles. Store the role in the session on login and refresh it from the DB on each request. CSS in theme.css.
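One way the auth.php helpers described above could look, as an added example (not code generated by the product). The role ranking and the `refresh_role()` name are assumptions; in-memory SQLite stands in for MySQL and `$_SESSION` is populated by hand so the block runs from the command line.

```php
<?php
declare(strict_types=1);

// Ranking is inferred from the page's prompt (/members/* is open to member and admin).
const ROLE_RANK = ['guest' => 0, 'member' => 1, 'admin' => 2];

/** Re-read the role on every request so a demotion applies without re-login. */
function refresh_role(PDO $db): void
{
    if (empty($_SESSION['user_id'])) { return; }
    $stmt = $db->prepare('SELECT role FROM users WHERE id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $role = $stmt->fetchColumn();
    if ($role === false) { // account no longer exists: drop the identity
        unset($_SESSION['user_id'], $_SESSION['role']);
        return;
    }
    $_SESSION['role'] = (string) $role;
}

/** True when the session role ranks at or above $required; unknown names fail closed. */
function has_role(string $required): bool
{
    $have = ROLE_RANK[$_SESSION['role'] ?? ''] ?? -1;
    $need = ROLE_RANK[$required] ?? PHP_INT_MAX;
    return !empty($_SESSION['user_id']) && $have >= $need;
}

/** Page gate: anonymous users go to /login, signed-in users without the role get 403. */
function require_role(string $required): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login');
        exit;
    }
    if (!has_role($required)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed demo: in-memory SQLite stands in for MySQL; $_SESSION is set by hand.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, role TEXT DEFAULT 'guest')");
$db->exec("INSERT INTO users (id, role) VALUES (7, 'admin')");
$_SESSION = ['user_id' => 7, 'role' => 'admin'];
$db->exec("UPDATE users SET role = 'guest' WHERE id = 7"); // demoted in admin/users.php
refresh_role($db);
var_dump(has_role('admin'), has_role('guest'));
```

Without the per-request refresh, the demoted account would keep its admin session role until logout.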

Pattern 3 — Stripe Subscription Membership Gating

Gate member-only content to active Stripe subscribers. The Stripe webhook keeps MySQL in sync with subscription status — no polling the Stripe API on every page load. A PHP include checks the local DB record, not a remote API call, so gating is fast and reliable even under load.

PHP, Stripe Subscriptions, Webhook, MySQL, Session Auth, Customer Portal
  • MySQL members table: user_id, stripe_customer_id, stripe_subscription_id, plan, status (active / past_due / cancelled), current_period_end
  • Stripe Checkout in subscription mode — client_reference_id set to user_id to link session to account
  • Webhook events handled: customer.subscription.created, customer.subscription.updated, customer.subscription.deleted, invoice.payment_failed — all update the members table
  • member_check.php: reads members.status from MySQL (not Stripe API), redirects to /pricing if not active
  • Grace period option: allow access for past_due members for up to 7 days while payment retries
  • Customer Portal link: portal.php creates a Stripe Billing Portal session and redirects the logged-in member for self-service billing management
  • SMTP welcome email on customer.subscription.created; payment failure warning on invoice.payment_failed
Prompt to use with Claude

Build Stripe subscription gating for my site. Users log in with the existing PHP session system. On subscribe, create a Stripe Checkout Session in subscription mode with the logged-in user_id as client_reference_id. Create webhook.php handling subscription.created, subscription.updated, subscription.deleted, invoice.payment_failed — update a MySQL members table with status and period_end. Create member_check.php to include at the top of gated pages — check members.status from MySQL (not Stripe API), redirect to /pricing if not active. Create portal.php to redirect members to the Stripe Customer Portal. CSS in theme.css.
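Because member_check.php trusts whatever the webhook wrote to the members table, webhook.php has to authenticate each delivery before it updates a row. The added example below (not code generated by the product) checks Stripe's documented `Stripe-Signature` header by hand; the function name, the placeholder secret, and the sample body are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Verify a Stripe-Signature header of the form "t=<unix>,v1=<hex>[,v1=<hex>]".
 * Stripe signs "<t>.<raw body>" with HMAC-SHA256 under the endpoint's signing secret.
 */
function stripe_signature_valid(string $rawBody, string $header, string $secret,
                                int $tolerance = 300, ?int $now = null): bool
{
    $now ??= time();
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $header) as $part) {
        [$key, $value] = array_pad(explode('=', trim($part), 2), 2, '');
        if ($key === 't' && ctype_digit($value)) {
            $timestamp = $value;
        } elseif ($key === 'v1') {
            $signatures[] = $value;
        }
    }
    // A missing or stale timestamp is rejected so captured requests cannot be replayed later.
    if ($timestamp === null || abs($now - (int) $timestamp) > $tolerance) {
        return false;
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
    foreach ($signatures as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

// Constructed demo values; in webhook.php the inputs would be
// file_get_contents('php://input') and $_SERVER['HTTP_STRIPE_SIGNATURE'].
$secret = 'whsec_PLACEHOLDER';
$body   = '{"type":"customer.subscription.updated","data":{"object":{"status":"past_due"}}}';
$t      = 1700000000;
$header = "t=$t,v1=" . hash_hmac('sha256', "$t.$body", $secret);

var_dump(stripe_signature_valid($body, $header, $secret, 300, $t + 10));   // genuine delivery
var_dump(stripe_signature_valid(str_replace('past_due', 'active', $body),
                                $header, $secret, 300, $t + 10));          // altered body
var_dump(stripe_signature_valid($body, $header, $secret, 300, $t + 3600)); // old delivery
```

The signature covers the raw request body, so verify before `json_decode()` and never against a re-encoded copy. The stripe-php library's `\Stripe\Webhook::constructEvent()` performs the same check.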

Every auth pattern includes

Your data, your server

No Auth0 user database, no Firebase account, no third-party identity service. User records live in your MySQL database on your own hosting — fully portable.

Secure by default

Bcrypt password hashing, time-limited reset tokens, CSRF protection on all forms, brute-force delays, and prepared statements throughout. Claude writes security-first PHP.

One include to protect a page

Drop <?php require 'auth_check.php'; ?> at the top of any PHP file and it’s protected. Unauthenticated requests redirect to login. No middleware config, no route guard setup.

Iterable in seconds

Add a new role, a new user field, or an admin panel. Describe the change to Claude and it updates your live authentication system — no separate deployment pipeline.

Pair auth with

Combine authentication with these building blocks for a complete membership or SaaS site.

Payment & Checkout

Gate member content using Stripe subscription status — webhooks keep your MySQL in sync automatically.

Pricing Tables

Show your membership plans with a pricing table and link each tier to its Stripe Checkout Session.

Booking & Scheduling

Gate your appointment booking form to logged-in members only — combine auth_check.php with the booking form.

Deploy your first members area today

From £6.99/month. First month free — no credit card required.