simple authorisation / login capability in php

I'm looking to implement user login onto my site for the first time. I'm happy to either build my own solution, or implement something open source, however no package has been an obvious choice in my search so far. Equally, I'm fully aware that as an intermediate php programmer at best, I am highly likely to miss something obvious if I roll my own solution, and leave the doors well and truly open.

Any suggestions? We're not talking super sensitive or payment data here, but equally, I'm keen not to have people mess up my site!

Requirements are:

  • php based
  • simple as possible, no need for fancy bells and whistles
  • not Zend framework, since I've now rolled my own very basic framework thanks to this post

Thanks for your input.

Rob Y asked Jan 14 '09 17:01

2 Answers

A few good security gotchas are:

  • never store an unencrypted user's password in the database
  • never store the user's password, or even a hash of the password, in session or cookie data.
  • If you need to ensure that the login is secure, you have to use https.

I found these articles very helpful in building login systems with cookies:

  • blog post on the fishbowl.
  • Improved Persistent Login Cookie Best Practice
Brian Fisher answered Oct 19 '22 17:10

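The three gotchas in the answer above, plus the selector/validator scheme from the linked "Improved Persistent Login Cookie Best Practice" article, as an added PHP example (not code from either answer or from any library). It assumes PHP 7.2 or later and uses in-memory arrays in place of the database; the user name and password are constructed sample data.

```php
<?php
// Added example: hashed password storage plus a "remember me" cookie that
// stores only a hash of its secret part. Arrays stand in for database tables.
declare(strict_types=1);

// --- Registration: store only a salted hash, never the plaintext password ---
function registerUser(array &$users, string $username, string $password): void
{
    // password_hash() picks a random salt and a current algorithm (bcrypt by default).
    $users[$username] = ['password_hash' => password_hash($password, PASSWORD_DEFAULT)];
}

// --- Login: verify against the stored hash ---
function checkLogin(array $users, string $username, string $password): bool
{
    // Hash of a throwaway value, computed once, so an unknown user name costs
    // the same time as a wrong password and does not reveal which accounts exist.
    static $dummyHash = null;
    $dummyHash = $dummyHash ?? password_hash('dummy', PASSWORD_DEFAULT);

    if (!isset($users[$username])) {
        password_verify($password, $dummyHash);
        return false;
    }
    return password_verify($password, $users[$username]['password_hash']);
}

// --- Persistent login: selector (lookup key) + validator (secret) ---
// Only the hash of the validator is stored, so a leaked token table cannot be
// replayed as cookies; the user's password never touches the cookie.
function issueRememberToken(array &$tokens, string $username, int $lifetimeSeconds = 30 * 86400): string
{
    $selector  = bin2hex(random_bytes(9));    // public part, safe to store in clear
    $validator = bin2hex(random_bytes(32));   // secret part, stored only as a hash
    $tokens[$selector] = [
        'username'       => $username,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + $lifetimeSeconds,
    ];
    // In a real app this value goes out via setcookie() with the
    // 'secure', 'httponly' and 'samesite' options set.
    return $selector . ':' . $validator;
}

// Returns the user name the cookie belongs to, or null if it is invalid or expired.
function checkRememberToken(array &$tokens, string $cookieValue): ?string
{
    $parts = explode(':', $cookieValue, 2);
    if (count($parts) !== 2 || !isset($tokens[$parts[0]])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $row = $tokens[$selector];

    if ($row['expires'] < time()) {
        unset($tokens[$selector]);
        return null;
    }
    // Constant-time comparison; a correct selector with a wrong validator is
    // the signature of a stolen or tampered cookie, so revoke that token.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($tokens[$selector]);
        return null;
    }
    return $row['username'];
}

// --- Demo with constructed data ---
$users  = [];
$tokens = [];
registerUser($users, 'alice', 'correct horse battery staple');
var_dump(checkLogin($users, 'alice', 'correct horse battery staple'));
var_dump(checkLogin($users, 'alice', 'wrong password'));
var_dump(checkLogin($users, 'nobody', 'anything'));

$cookie = issueRememberToken($tokens, 'alice');
var_dump(checkRememberToken($tokens, $cookie));
var_dump(checkRememberToken($tokens, 'bogus:bogus'));
var_dump(checkRememberToken($tokens, substr($cookie, 0, 19) . 'ffff'));
```

After a successful checkLogin() or checkRememberToken(), put only the user name (or user id) in `$_SESSION` and call `session_regenerate_id(true)`, which keeps the second gotcha (no password or password hash in session data) and stops an attacker from fixing the session id before login. The cookie itself should only ever be set over https, which is the third gotcha.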


"You'll put your eye out kid."

Security is hard. I hate to say this, but the odds of you making a simple authorization scheme that is secure are quite slim. There is no easy mode here. So you might want to start by reading through a bunch of authentication code in the various frameworks/cmses, and other places where you can see how others have done it, and begin researching.

Here are some links:

  • http://www.topmost.se/personal/articles/casual-cryptography-for-web-developers.htm
  • http://pear.php.net/packages.php?catpid=1

jacobangel answered Oct 19 '22 19:10
