diff --git a/public/login.php b/public/login.php
new file mode 100644
index 0000000..48f9080
--- /dev/null
+++ b/public/login.php
@@ -0,0 +1,71 @@
+setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
+$pdoAttempt->exec('CREATE TABLE IF NOT EXISTS attempts (ip TEXT PRIMARY KEY, count INTEGER, last INTEGER)');
+$st = $pdoAttempt->prepare('SELECT count, last FROM attempts WHERE ip = :ip');
+$st->execute(['ip' => $ip]);
+$row = $st->fetch(PDO::FETCH_ASSOC);
+$count = $row ? (int)$row['count'] : 0;
+$last = $row ? (int)$row['last'] : 0;
+$blocked = ($count >= $maxAttempts) && (time() - $last < $blockMinutes * 60);
+if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+ if ($blocked) {
+ $errors[] = 'Trop de tentatives. Réessayez plus tard.';
+ } else {
+ $login = $_POST['login'] ?? '';
+ $password = $_POST['password'] ?? '';
+ if (!$login || !$password) {
+ $errors[] = 'Veuillez renseigner le login et le mot de passe.';
+ } else {
+ $stmt = $pdo->prepare('SELECT id, password FROM utilisateur WHERE login = :login LIMIT 1');
+ $stmt->execute(['login' => $login]);
+ $user = $stmt->fetch();
+ if ($user && password_verify($password, $user['password'])) {
+ $pdoAttempt->prepare('DELETE FROM attempts WHERE ip = :ip')->execute(['ip'=>$ip]);
+ $_SESSION['user_id'] = $user['id'];
+ session_regenerate_id(true);
+ header('Location: /admin/dashboard.php');
+ exit;
+ } else {
+ $errors[] = 'Identifiants incorrects.';
+ if ($row) {
+ $pdoAttempt->prepare('UPDATE attempts SET count = count + 1, last = :last WHERE ip = :ip')->execute(['ip'=>$ip, 'last'=>time()]);
+ } else {
+ $pdoAttempt->prepare('INSERT INTO attempts (ip,count,last) VALUES (:ip,1,:last)')->execute(['ip'=>$ip, 'last'=>time()]);
+ }
+ }
+ }
+ }
+}
+?>
+
+Connexion Admin
+
+
+

Connexion administrateur

+ + + +
+
+
+ +
+ +
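Review bot: The limiter reads the `attempts` row, computes `$blocked`, and only writes the counter in the failure branch after `password_verify()`, so requests handled concurrently for one address all pass the check against the same stale row and can exceed `$maxAttempts`; two first failures also collide on the `INSERT` (primary key on `ip`, `ERRMODE_EXCEPTION`) and surface as an uncaught exception. Count the attempt before verifying, in a single statement that inserts or increments the row, and decide on the value that statement leaves behind rather than on the earlier `SELECT`. The key is `$ip` alone (its derivation is not visible on this page), so guesses against one `login` from several addresses are never added up; a second counter keyed on the submitted login would cover that. `$_POST['login']` and `$_POST['password']` also reach `execute()` and `password_verify()` without a type check; `if (!is_string($login) || !is_string($password)) { $login = $password = ''; }` right after the two `??` lines routes a non-string value into the existing empty-field error.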