diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..48b8bf9
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+vendor/
diff --git a/app/config/config.php b/app/config/config.php
new file mode 100644
index 0000000..22c03f3
--- /dev/null
+++ b/app/config/config.php
@@ -0,0 +1,20 @@
+<?php
+
+/* Configuration for Project */
+class Config {
+    const server_name = 'localhost';
+    const secret_key = 'dfJdHtKsNiMrr0JV6ebvD9CbTiHugBiDwCRkAJxu9KtXU+ig/fZlWNHr6xnZaeYFrempQFIjvxiYf3NTWOJq0w==';
+
+    const my_netid = 'jwb11006';
+    const db_host = 'localhost';
+
+    const db_name = 'db_jwb11006';
+    const db_user = 'db_jwb11006';
+    const db_pass = 'luckycharms';
+
+    const cookie_path = "/security_prj1";
+    const cookie_domain = "";
+    const cookie_name = 'csp1_jwb11006';
+}
+
+?>
diff --git a/app/controller/UserController.php b/app/controller/UserController.php
new file mode 100644
index 0000000..3e537aa
--- /dev/null
+++ b/app/controller/UserController.php
@@ -0,0 +1,36 @@
+<?php
+include(APP_DIR . 'model/User.php');
+
+class UserController {
+
+    public static function authenticate($request) {
+        $username = htmlspecialchars($request['username']);
+        $password = htmlspecialchars($request['password']);
+
+        $user = User::get($username);
+
+        if (!$user) {
+            return null;
+        }
+        
+        if (password_verify($password, $user->password)) {
+            $user->login_attempts = 0;
+            $user->save();
+            return $user;
+        } else {
+            $user->login_attempts++;
+            $user->save();
+            return null;
+        }
+    }
+
+    public static function create($request) {
+        $username = htmlspecialchars($request['username']);
+        $password = htmlspecialchars($request['password']);
+        $user = new User;
+        $user->username = $username;
+        $user->password = password_hash($password, PASSWORD_DEFAULT);
+        $user->save();
+    }
+}
+?>
diff --git a/app/database/Database.php b/app/database/Database.php
new file mode 100644
index 0000000..e04e87e
--- /dev/null
+++ b/app/database/Database.php
@@ -0,0 +1,10 @@
+<?php
+include_once(APP_DIR . 'config/config.php');
+
+class Database {
+    public static function connect() {
+        $db_str = 'mysql:host=' . Config::db_host . ';dbname=' . Config::db_name;
+        return new PDO($db_str, Config::db_user, Config::db_pass);
+    }
+}
+?>
diff --git a/app/database/init.php b/app/database/init.php
new file mode 100644
index 0000000..f523308
--- /dev/null
+++ b/app/database/init.php
@@ -0,0 +1,38 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', 'app/');
+include_once('app/config/config.php');
+include_once('app/database/Database.php');
+include_once('app/model/User.php');
+
+$dbh = new PDO('mysql:host=' . Config::db_host, Config::db_user, Config::db_pass);
+
+/* Create database if it doesn't exist */
+$dbh->exec('CREATE DATABASE IF NOT EXISTS ' . Config::db_name);
+
+/* Connect to database */
+$dbh = Database::connect();
+
+/* Create users table if it doesn't exist */
+$stmt = 'CREATE TABLE IF NOT EXISTS users (
+            id INT(6) UNSIGNED AUTO_INCREMENT PRIMARY KEY,
+            username VARCHAR(32) NOT NULL,
+            password VARCHAR(64) NOT NULL,
+            access VARCHAR(8) NOT NULL,
+            login_attempts INT(6) UNSIGNED NOT NULL
+)';
+$dbh->exec($stmt);
+
+/* Create user and admin if they don't exist */
+$user = new User;
+$user->username = 'user';
+$user->password = password_hash('userpass', PASSWORD_DEFAULT);
+$user->access = 'user';
+$user->save();
+
+$user = new User;
+$user->username = 'admin';
+$user->password = password_hash('adminpass', PASSWORD_DEFAULT);
+$user->access = 'admin';
+$user->save();
+
+?>
diff --git a/app/forms/change_password.php b/app/forms/change_password.php
new file mode 100644
index 0000000..aa1190d
--- /dev/null
+++ b/app/forms/change_password.php
@@ -0,0 +1,41 @@
+<?php
+if (isset($_GET['error'])) {
+    $error_message = "Incorrect password";
+} else {
+    $error_message = '&nbsp;';
+}
+?>
+
+<div class="row login-container valign-wrapper">
+  <div class="col l6 m8 s 10 offset-l3 offset-m2 offset-l1 valign">
+    <div id="login-form" class="row scale-transition scale-out">
+      <div class="col s12 card-panel">
+        <div class="row login-header"> <h5> Need to change your password? </h5> </div>
+        <div class="row">
+          <form class="col s12" action="change_password.php" method="post">
+            <div class="row">
+              <div class="input-field col s12 valign-wrapper">
+                <i class="material-icons prefix valign">lock</i>
+                <input id="password" name="password" type="password" class="validate">
+                <label for="password">Current password</label>
+              </div>
+              <div class="input-field col s12 valign-wrapper">
+                <i class="material-icons prefix valign">lock</i>
+                <input id="new_password" name="new_password" type="password" class="validate">
+                <label for="new_password">New password</label>
+              </div>
+              <button
+                class="btn col s4 offset-s4 waves-effect waves-light"
+                type="submit" name="action"
+              >
+                Change
+                <i class="material-icons right">send</i>
+              </button>
+              <span class="error-message col s12 center-align"> <?php echo $error_message ?> </span>
+            </div>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/app/forms/create.php b/app/forms/create.php
new file mode 100644
index 0000000..2acc73d
--- /dev/null
+++ b/app/forms/create.php
@@ -0,0 +1,39 @@
+
+<!-- Modal Structure -->
+<form id="create-modal" class="modal" action="create.php" method="post">
+  <div class="modal-content">
+    <h4 class="row">Create a new user</h4>
+    <div class="row">
+      <div class="col s12">
+        <div class="row">
+          <div class="input-field col s12 valign-wrapper">
+            <i class="material-icons prefix valign">account_circle</i>
+            <input id="username" name="username" type="text" class="validate">
+            <label for="username">Username</label>
+          </div>
+          <div class="input-field col s12 valign-wrapper">
+            <i class="material-icons prefix valign">lock</i>
+            <input id="password" name="password" type="password" class="validate" />
+            <label for="password">Password</label>
+          </div>
+          <div class="input-field col s12">
+            <h6> Access level: </h6>
+            <input class="with-gap" name="access" type="radio" id="access1" value="admin" checked="checked" />
+            <label for="access1">Admin</label> <br />
+            <input class="with-gap" name="access" type="radio" id="access2" value="user" />
+            <label for="access2">User</label>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+  <div class="modal-footer input-field">
+    <button
+      class="waves-effect waves-green btn-flat"
+      type="submit" name="action"
+      onclick="Materialize.toast('User created', 4000)"
+    >
+        Create
+    </button>
+  </div>
+</form>
diff --git a/app/forms/edit.php b/app/forms/edit.php
new file mode 100644
index 0000000..0b50ace
--- /dev/null
+++ b/app/forms/edit.php
@@ -0,0 +1,40 @@
+<!-- Modal Structure -->
+<form id="edit-modal-<?php echo $user->id ?>" class="modal" action="create.php" method="post">
+  <div class="modal-content">
+    <h4 class="row">Edit account for <?php echo $user->username ?></h4>
+    <div class="row">
+      <div class="col s12">
+        <div class="row">
+          <input name="username" type="hidden" value="<?php echo $user->username ?>" />
+          <div class="input-field col s12 valign-wrapper">
+            <i class="material-icons prefix valign">lock</i>
+            <input id="password" name="password" type="password" class="validate" />
+            <label for="password">New password</label>
+          </div>
+          <div class="input-field col s12">
+            <h6> Access level: </h6>
+            <input
+                class="with-gap" name="access" type="radio"
+                id="access-edit1-<?php echo $user->id ?>" value="admin" checked="checked"
+            />
+            <label for="access-edit1-<?php echo $user->id ?>">Admin</label> <br />
+            <input
+                class="with-gap" name="access" type="radio"
+                id="access-edit2-<?php echo $user->id ?>" value="user"
+            />
+            <label for="access-edit2-<?php echo $user->id ?>">User</label>
+          </div>
+        </div>
+      </div>
+    </div>
+  </div>
+  <div class="modal-footer input-field">
+    <button
+      class="waves-effect waves-green btn-flat"
+      type="submit" name="action"
+      onclick="Materialize.toast('User updated', 4000)"
+    >
+        Change
+    </button>
+  </div>
+</form>
diff --git a/app/forms/login.php b/app/forms/login.php
new file mode 100644
index 0000000..80be14f
--- /dev/null
+++ b/app/forms/login.php
@@ -0,0 +1,43 @@
+<?php
+if (isset($_GET['error']) && $_GET['error'] == '1') {
+    $error_message = "Incorrect username or password";
+} else if (isset($_GET['error']) && $_GET['error'] == '2') {
+    $error_message = "Too many login attempts. Contact the system administrator.";
+} else {
+    $error_message = '&nbsp;';
+}
+?>
+
+<div class="row login-container valign-wrapper">
+  <div class="col l6 m8 s 10 offset-l3 offset-m2 offset-l1 valign">
+    <div id="login-form" class="row scale-transition scale-out">
+      <div class="col s12 card-panel">
+        <div class="row login-header"> <h5> Please enter your credentials </h5> </div>
+        <div class="row">
+          <form class="col s12" action="login.php" method="post">
+            <div class="row">
+              <div class="input-field col s12 valign-wrapper">
+                <i class="material-icons prefix valign">account_circle</i>
+                <input id="username" name="username" type="text" class="validate">
+                <label for="username">Username</label>
+              </div>
+              <div class="input-field col s12 valign-wrapper">
+                <i class="material-icons prefix valign">lock</i>
+                <input id="password" name="password" type="password" class="validate">
+                <label for="password">Password</label>
+              </div>
+              <button
+                class="btn col s4 offset-s4 waves-effect waves-light"
+                type="submit" name="action"
+              >
+                SIGN IN
+                <i class="material-icons right">send</i>
+              </button>
+              <span class="error-message col s12 center-align"> <?php echo $error_message ?> </span>
+            </div>
+          </form>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
diff --git a/app/include/http.php b/app/include/http.php
new file mode 100644
index 0000000..e3696e2
--- /dev/null
+++ b/app/include/http.php
@@ -0,0 +1,24 @@
+<?php
+
+class Http {
+
+    public static function redirect($url, $params = []) {
+        $query = empty($params) ? '' : '?' . http_build_query($params);
+        header('Location: ' . $url . $query);
+        exit();
+    }
+
+    public static function cookie($name) {
+        return isset($_COOKIE[$name]) ? $_COOKIE[$name] : null;
+    }
+
+    public static function remove_cookie($name) {
+        setcookie($name, "", time() - 3600);
+    }
+
+    public static function post_params() {
+        return $_POST;
+    }
+
+}
+?>
diff --git a/app/model/User.php b/app/model/User.php
new file mode 100644
index 0000000..606b228
--- /dev/null
+++ b/app/model/User.php
@@ -0,0 +1,106 @@
+<?php
+use \Firebase\JWT\JWT;
+require_once(APP_DIR . '../vendor/autoload.php');
+include_once(APP_DIR . 'database/Database.php');
+include_once(APP_DIR . 'include/http.php');
+
+class User {
+    protected static $table = 'users';
+
+    /* Properties of a user */
+    public $id;
+    public $username;
+    public $password;
+    public $access;
+    public $login_attempts = 0;
+
+    /**
+     * Stores this information pertaining to this User in the DB
+     */
+    public function save() {
+        $dbh = Database::connect();
+        if (User::exists($this->username)) {
+            $stmt = $dbh->prepare("UPDATE users SET password=:password, access=:access, login_attempts=:attempts WHERE username=:username");
+        } else {
+            $stmt = $dbh->prepare("INSERT INTO users (username, password, access, login_attempts) VALUES (:username, :password, :access, :attempts)");
+        }
+        $stmt->bindParam(':username', $this->username);
+        $stmt->bindParam(':password', $this->password);
+        $stmt->bindParam(':access', $this->access);
+        $stmt->bindParam(':attempts', $this->login_attempts);
+        $stmt->execute();
+        $this->id = $dbh->lastInsertId();
+    }
+
+    public function delete() {
+        $dbh = Database::connect();
+        $stmt = $dbh->prepare("DELETE FROM users WHERE id=:id");
+        $stmt->bindParam(':id', $this->id);
+        $stmt->execute();
+    }
+
+    public static function exists($username) {
+        $dbh = Database::connect();
+        $stmt = $dbh->prepare("SELECT count(*) FROM users WHERE username = :username");
+        $stmt->bindParam(':username', $username);
+        $stmt->execute();
+        return $stmt->fetchColumn() > 0;
+    }
+
+    public static function get($username) {
+        $users = User::all();
+        foreach ($users as $user) {
+            if ($user->username == $username) {
+                return $user;
+            }
+        }
+        return null;
+    }
+
+    public static function all() {
+        $dbh = Database::connect();
+        $stmt = $dbh->prepare("SELECT * from users");
+        $stmt->execute();
+        return array_map(function ($row) {
+            $user = new User;
+            $user->id = $row['id'];
+            $user->username = $row['username'];
+            $user->password = $row['password'];
+            $user->access = $row['access'];
+            $user->login_attempts = $row['login_attempts'];
+            return $user;
+        }, $stmt->fetchAll());
+    }
+
+    public static function authenticated() {
+        try {
+            $jwt = Http::cookie(Config::cookie_name);
+            if (!$jwt) return null;
+            $token = JWT::decode($jwt, base64_encode(Config::secret_key), ['HS512']);
+            return $token->data;
+        } catch (Exception $e) {
+            Http::remove_cookie(Config::cookie_name);
+            return null;
+        }
+    }
+
+    public function token() {
+        $data = [
+            'iat' => time(),
+            'jti' => base64_encode(random_bytes(32)),
+            'iss' => Config::server_name,
+            'nbf' => time(),
+            'exp' => time() + (7 * 24 * 60 * 60),
+            'data' => [
+                'userid' => $this->id,
+                'username' => $this->username,
+                'access' => $this->access,
+            ],
+        ];
+
+        $key = base64_encode(Config::secret_key);
+
+        return JWT::encode($data, $key, 'HS512');
+    }
+}
+?>
diff --git a/composer.json b/composer.json
new file mode 100644
index 0000000..9af63b0
--- /dev/null
+++ b/composer.json
@@ -0,0 +1,5 @@
+{
+    "require": {
+        "firebase/php-jwt": "^4.0"
+    }
+}
diff --git a/composer.lock b/composer.lock
new file mode 100644
index 0000000..3dc6e22
--- /dev/null
+++ b/composer.lock
@@ -0,0 +1,61 @@
+{
+    "_readme": [
+        "This file locks the dependencies of your project to a known state",
+        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#composer-lock-the-lock-file",
+        "This file is @generated automatically"
+    ],
+    "content-hash": "97857c969035c5b9de48fb918b6ceca2",
+    "packages": [
+        {
+            "name": "firebase/php-jwt",
+            "version": "v4.0.0",
+            "source": {
+                "type": "git",
+                "url": "https://github.com/firebase/php-jwt.git",
+                "reference": "dccf163dc8ed7ed6a00afc06c51ee5186a428d35"
+            },
+            "dist": {
+                "type": "zip",
+                "url": "https://api.github.com/repos/firebase/php-jwt/zipball/dccf163dc8ed7ed6a00afc06c51ee5186a428d35",
+                "reference": "dccf163dc8ed7ed6a00afc06c51ee5186a428d35",
+                "shasum": ""
+            },
+            "require": {
+                "php": ">=5.3.0"
+            },
+            "type": "library",
+            "autoload": {
+                "psr-4": {
+                    "Firebase\\JWT\\": "src"
+                }
+            },
+            "notification-url": "https://packagist.org/downloads/",
+            "license": [
+                "BSD-3-Clause"
+            ],
+            "authors": [
+                {
+                    "name": "Neuman Vong",
+                    "email": "neuman+pear@twilio.com",
+                    "role": "Developer"
+                },
+                {
+                    "name": "Anant Narayanan",
+                    "email": "anant@php.net",
+                    "role": "Developer"
+                }
+            ],
+            "description": "A simple library to encode and decode JSON Web Tokens (JWT) in PHP. Should conform to the current spec.",
+            "homepage": "https://github.com/firebase/php-jwt",
+            "time": "2016-07-18T04:51:16+00:00"
+        }
+    ],
+    "packages-dev": [],
+    "aliases": [],
+    "minimum-stability": "stable",
+    "stability-flags": [],
+    "prefer-stable": false,
+    "prefer-lowest": false,
+    "platform": [],
+    "platform-dev": []
+}
diff --git a/public/account.php b/public/account.php
new file mode 100644
index 0000000..5da3ac2
--- /dev/null
+++ b/public/account.php
@@ -0,0 +1,14 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+
+if (!User::authenticated()) {
+    Http::redirect('index.html');
+}
+
+include 'template/header.html';
+include 'template/user_menu_button.php';
+include(APP_DIR . 'forms/change_password.php');
+include 'template/footer.html';
+
+?>
diff --git a/public/admin.php b/public/admin.php
new file mode 100644
index 0000000..23229dd
--- /dev/null
+++ b/public/admin.php
@@ -0,0 +1,73 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if (!$data || $data->access != 'admin') {
+    Http::redirect('index.php');
+}
+
+$users = User::all();
+
+include 'template/header.html';
+include 'template/user_menu_button.php';
+?>
+
+<div class="row admin-container">
+    <div class="col l8 m10 s12 offset-l2 offset-m1">
+        <div class="row">
+            <div class="col s12">
+                <h1> Users </h1>
+            </div>
+        </div>
+        <?php foreach ($users as $user) { ?>
+            <div class="row card-panel scale-transition scale-out user-tile">
+                <div class="col s3 blue-text valign-wrapper">
+                    <i class="small material-icons">perm_identity</i>
+                    <span class="valign username"> <?php echo $user->username ?> </span>
+                </div>
+                <div class="col s5 red-text valign-wrapper">
+                    <i class="small material-icons">verified_user</i>
+                    <span class="valign access_level">Access level: <?php echo $user->access ?> </span>
+                </div>
+                <div class="col s2">
+                    <a
+                        class="modal-trigger btn tooltipped waves-effect waves-light"
+                        data-position="bottom" data-delay="50" data-tooltip="Edit"
+                        href="#edit-modal-<?php echo $user->id ?>"
+                    >
+                        <i class="small material-icons">mode_edit</i>
+                    </a>
+                </div>
+                <div class="col s2">
+                    <form action="delete.php" method="post">
+                        <button
+                            type="submit" class="btn tooltipped waves-effect waves-light"
+                            data-position="bottom" data-delay="50" data-tooltip="Delete"
+                            onclick="Materialize.toast('User deleted', 4000)"
+                        >
+                            <i class="small material-icons">delete</i>
+                            <input name="username" value="<?php echo $user->username ?>" />
+                        </button>
+                    </form>
+                </div>
+            </div>
+        <?php } ?>
+    </div>
+</div>
+
+<div class="fixed-action-btn">
+  <a class="modal-trigger btn-floating btn-large red" href="#create-modal">
+    <i class="large material-icons waves-effect waves-light">add</i>
+  </a>
+</div>
+
+<?php
+
+foreach ($users as $user) {
+    include(APP_DIR . 'forms/edit.php');
+}
+include(APP_DIR . 'forms/create.php');
+include 'template/footer.html';
+?>
diff --git a/public/change_password.php b/public/change_password.php
new file mode 100644
index 0000000..5df27b2
--- /dev/null
+++ b/public/change_password.php
@@ -0,0 +1,21 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'controller/UserController.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if (!$data) {
+    Http::redirect('index.html');
+}
+
+$info = ['username' => $data->username, 'password' => $_POST['password']];
+$user = UserController::authenticate($info);
+
+if (!$user) {
+    Http::redirect('account.php', ['error' => '1']);
+}
+
+$user->password = password_hash($_POST['new_password'], PASSWORD_DEFAULT);
+$user->save();
+
+Http::redirect('index.php');
diff --git a/public/create.php b/public/create.php
new file mode 100644
index 0000000..bf30f96
--- /dev/null
+++ b/public/create.php
@@ -0,0 +1,20 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if (!$data || $data->access != 'admin') {
+    Http::redirect('index.php');
+}
+
+/* TODO: Validate input */
+$params = Http::post_params();
+$user = new User;
+$user->username = $params['username'];
+$user->password = password_hash($params['password'], PASSWORD_DEFAULT);
+$user->access = $params['access'];
+$user->save();
+
+Http::redirect('admin.php');
+?>
diff --git a/public/css/admin.css b/public/css/admin.css
new file mode 100644
index 0000000..3b7ee42
--- /dev/null
+++ b/public/css/admin.css
@@ -0,0 +1,15 @@
+#create-modal {
+  background: white;
+}
+
+span.username {
+  padding-left: 10px;
+}
+
+.admin-container {
+  padding-top: 50px;
+}
+
+.edit-modal {
+  position: absolute;
+}
diff --git a/public/css/app.css b/public/css/app.css
new file mode 100644
index 0000000..6bc964c
--- /dev/null
+++ b/public/css/app.css
@@ -0,0 +1,17 @@
+@import url("login.css");
+@import url("admin.css");
+@import url("user.css");
+
+
+body {
+  background-color: #fcfcfc !important;
+}
+
+main {
+  height: 100vh;
+  width: 100% !important;
+}
+
+input:-webkit-autofill {
+    -webkit-box-shadow: 0 0 0 1000px white inset !important;
+}
diff --git a/public/css/login.css b/public/css/login.css
new file mode 100644
index 0000000..193d8b4
--- /dev/null
+++ b/public/css/login.css
@@ -0,0 +1,13 @@
+.login-header {
+  padding: 20px;
+}
+
+.login-container {
+  height: 100%;
+  margin: 0 !important;
+}
+
+.error-message {
+  color: red;
+  margin: 15px 0 0;
+}
diff --git a/public/css/user.css b/public/css/user.css
new file mode 100644
index 0000000..b738705
--- /dev/null
+++ b/public/css/user.css
@@ -0,0 +1,9 @@
+.user-button {
+  position: absolute;
+  top: 5px !important;
+  right: 10px !important;
+}
+
+.user-container {
+  padding-top: 50px;
+}
diff --git a/public/delete.php b/public/delete.php
new file mode 100644
index 0000000..bf67e8c
--- /dev/null
+++ b/public/delete.php
@@ -0,0 +1,19 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if (!$data || $data->access != 'admin') {
+    Http::redirect('index.php');
+}
+
+$username = Http::post_params()['username'];
+$user = User::get($username);
+
+if ($user) {
+    $user->delete();
+}
+
+Http::redirect('admin.php');
+?>
diff --git a/public/edit.php b/public/edit.php
new file mode 100644
index 0000000..bf30f96
--- /dev/null
+++ b/public/edit.php
@@ -0,0 +1,20 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if (!$data || $data->access != 'admin') {
+    Http::redirect('index.php');
+}
+
+/* TODO: Validate input */
+$params = Http::post_params();
+$user = new User;
+$user->username = $params['username'];
+$user->password = password_hash($params['password'], PASSWORD_DEFAULT);
+$user->access = $params['access'];
+$user->save();
+
+Http::redirect('admin.php');
+?>
diff --git a/public/img/background.png b/public/img/background.png
new file mode 100644
index 0000000..bc382e0
Binary files /dev/null and b/public/img/background.png differ
diff --git a/public/index.php b/public/index.php
new file mode 100644
index 0000000..ca75a68
--- /dev/null
+++ b/public/index.php
@@ -0,0 +1,18 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if ($data) {
+    if ($data->access == 'user') {
+        Http::redirect('user.php');
+    } else if ($data->access == 'admin') {
+        Http::redirect('admin.php');
+    }
+}
+
+include 'template/header.html';
+include(APP_DIR . 'forms/login.php');
+include 'template/footer.html';
+?>
diff --git a/public/js/app.js b/public/js/app.js
new file mode 100644
index 0000000..50f51c0
--- /dev/null
+++ b/public/js/app.js
@@ -0,0 +1,27 @@
+
+/* Scale login form on page load */
+$(() => $('#login-form').addClass('scale-in'));
+
+/* Scale user tiles on page load */
+$(() => $('.user-tile').addClass('scale-in'));
+
+$(document).ready(function(){
+  // the "href" attribute of .modal-trigger must specify the modal ID that wants to be triggered
+  $('.modal').modal();
+});
+
+$('.dropdown-button').dropdown({
+    inDuration: 300,
+    outDuration: 225,
+    constrainWidth: false, // Does not change width of dropdown to that of the activator
+    hover: true, // Activate on hover
+    gutter: 0, // Spacing from edge
+    belowOrigin: true, // Displays dropdown below the button
+    alignment: 'right', // Displays dropdown with edge aligned to the left of button
+    stopPropagation: false // Stops event propagation
+  }
+);
+
+$(document).ready(function(){
+   $('.collapsible').collapsible();
+ });
diff --git a/public/login.php b/public/login.php
new file mode 100644
index 0000000..d7e39f7
--- /dev/null
+++ b/public/login.php
@@ -0,0 +1,25 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'controller/UserController.php');
+include_once(APP_DIR . 'include/http.php');
+
+$attempts = User::get(Http::post_params()['username'])->login_attempts;
+
+if ($attempts >= 8) {
+    Http::redirect('index.php', ['error' => '2']);
+}
+
+$user = UserController::authenticate(Http::post_params());
+
+if (!$user) {
+    Http::redirect('index.php', ['error' => '1']);
+}
+
+setcookie(Config::cookie_name, $user->token());
+if ($user->access == 'user') {
+    Http::redirect('user.php');
+} else if ($user->access == 'admin') {
+    Http::redirect('admin.php');
+}
+
+?>
diff --git a/public/logout.php b/public/logout.php
new file mode 100644
index 0000000..35320c8
--- /dev/null
+++ b/public/logout.php
@@ -0,0 +1,8 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'include/http.php');
+include_once(APP_DIR . 'config/config.php');
+
+Http::remove_cookie(Config::cookie_name);
+Http::redirect('index.php');
+?>
diff --git a/public/template/footer.html b/public/template/footer.html
new file mode 100644
index 0000000..6924fd7
--- /dev/null
+++ b/public/template/footer.html
@@ -0,0 +1,9 @@
+  </main>
+  <script
+  src="https://code.jquery.com/jquery-3.1.1.min.js"
+  integrity="sha256-hVVnYaiADRTO2PzUGmuLJr8BLUSjGIZsDYGmIJLv2b8="
+  crossorigin="anonymous"></script>
+  <script src="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.98.0/js/materialize.min.js"></script>
+  <script src="js/app.js"></script>
+  </body>
+</html>
diff --git a/public/template/header.html b/public/template/header.html
new file mode 100644
index 0000000..3e4448c
--- /dev/null
+++ b/public/template/header.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+  <head>
+    <title>Compsec Project</title>
+    <link rel="stylesheet" href="css/app.css">
+    <link href="https://fonts.googleapis.com/icon?family=Material+Icons" rel="stylesheet">
+    <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/materialize/0.98.0/css/materialize.min.css">
+    <link rel="icon" href="https://cdn0.iconfinder.com/data/icons/web-development-2/512/security_lock_password_protection_secure_locking_system_safe_privacy_private_safety_encryption_flat_design_icon-512.png">
+  </head>
+  <body>
+    <main class="container">
diff --git a/public/template/user_menu_button.php b/public/template/user_menu_button.php
new file mode 100644
index 0000000..5ab5ea8
--- /dev/null
+++ b/public/template/user_menu_button.php
@@ -0,0 +1,25 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+?>
+
+<div class="user-button-container">
+    <!-- Dropdown Trigger -->
+    <a class='dropdown-button btn user-button' href='#' data-activates='dropdown1'>
+        <?php echo $data->username ?>
+    </a>
+
+    <!-- Dropdown Structure -->
+    <ul id='dropdown1' class='dropdown-content'>
+        <li><a href="account.php">Account</a></li>
+        <li><a href ="user.php">User</a></li>
+        <?php if ($data->access == 'admin') { ?>
+            <li><a href ="admin.php">Admin</a></li>
+        <?php } ?>
+        <li class="divider"></li>
+        <li><a href="logout.php">Sign out</a></li>
+    </ul>
+</div>
diff --git a/public/user.php b/public/user.php
new file mode 100644
index 0000000..313b763
--- /dev/null
+++ b/public/user.php
@@ -0,0 +1,65 @@
+<?php
+defined('APP_DIR') or define('APP_DIR', __DIR__ . '/../app/');
+include_once(APP_DIR . 'model/User.php');
+include_once(APP_DIR . 'include/http.php');
+
+$data = User::authenticated();
+if (!$data) {
+    Http::redirect('index.php');
+}
+
+include 'template/header.html';
+include 'template/user_menu_button.php';
+?>
+
+<div class="row user-container">
+    <div class="col s8 offset-s2">
+        <h1> Welcome, <?php echo $data->username ?>! </h1> <br />
+        <h5> Here's a bit of interesting information about this site... </h5> <br />
+        <ul class="collapsible" data-collapsible="accordion">
+            <li>
+                <div class="collapsible-header">
+                    <i class="material-icons">lock_outline</i>
+                    User authentication
+                </div>
+                <div class="collapsible-body">
+                    <span>
+                        Users are authenticated with this website using <a href="https://jwt.io/">JWT</a>
+                        tokens which are generated server-side. Upon signing in, a user is given a unique
+                        token containing non-sensitive user information which is stored client-side as a
+                        browser cookie.
+                    </span>
+                </div>
+            </li>
+            <li>
+                <div class="collapsible-header">
+                    <i class="material-icons">vpn_key</i>
+                    Password hashing
+                </div>
+                <div class="collapsible-body">
+                    <span>
+                        Passwords are salted and hashed server-side and stored in the
+                        user database. Passwords are hashed using PHP's bcrypt algorithm.
+                    </span>
+                </div>
+            </li>
+            <li>
+                <div class="collapsible-header">
+                    <i class="material-icons">https</i>
+                    HTTPS support
+                </div>
+                <div class="collapsible-body">
+                    <span>
+                        This website uses HTTPS (HTTP over SSL) to communicate between client
+                        and server. All HTTP requests and responses are securely encrypted before
+                        being sent. HTTPS makes use of public-key cryptography.
+                    </span>
+                </div>
+            </li>
+        </ul>
+    </div>
+</div>
+
+<?php
+include 'template/footer.html';
+?>