Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What should I use for user authentication in PHP?

I was thinking of writing my own authentication script but I don't know much about security.

From the articles I've reading, it looks like it usually involves hashing the password with a salt and storing it in the database. Then when user requests to log in, password is hashed and compared with the database. If it matches, then the user's data is stored in $_SESSION.

However, I don't know if this is secure or not. I read something about storing session keys in the database but I'm not sure about how that works, or how to implement that.

Can someone explain how to implement secure authentication?

Also, are there any suggestions for PHP authentication libraries I can incorporate that are easy to learn instead of writing my own?

like image 900
Rain Avatar asked Mar 02 '12 07:03

Rain


People also ask

Which method is used for user authentication in PHP?

PHP login with sessionPhp login script is used to provide the authentication for our web pages. the Script executes after submitting the user login button.

What uses to authenticate the user?

In authentication, the user or computer has to prove its identity to the server or client. Usually, authentication by a server entails the use of a user name and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.

Which of the following steps are used to create a user authentication system in PHP?

Steps to create a user login authentication system in PHPCreate a MySQL database with users table. Create a user login panel to submit login details to PHP. Generate query to compare user login details with the MySQL user database.


2 Answers

Check this answer here.

Although the answer is 3 years old, the suggested phpass library is up to date.

Also, +1 to Aron Cederholm. Password security is an extensive subject and you should look first at the related questions already discussed here on StackOverflow so you will be more familiar with the subject and best practices in security.

Although I like frameworks (Symfony, Zend, etc) as they generally implement these good practices, just using them don't make you a good programmer. You have to learn its inner workings. I always salute a programmer dwelving into coding his own secure authentication mechanism (as long as they don't implement it in a live site that really needs strong security), because that's the best way to learn and understand the inners of the subject. Always start from an existing implementation, and THEN use that as an example for creating your own codebase.

like image 158
binar Avatar answered Oct 21 '22 09:10

binar


Things to keep in mind:

  1. Authentication; verifying the user is who they say they are.
  2. Authorization; ensuring the user is allowed to do what they are trying to.
  3. Accounting; recording and auditing what they do.

For authentication, you'll need to track "users" connected to and (often) authenticated with the system. This requires knowing an identifier (a username, email, or some other unique token) and a pass-phrase. Store the username and pass-phrase somewhere, but never store the pass-phrase without securing it first: don't use a message digest algorithm (like MD5 or SHA1) with a salt. Use bcrypt instead. Although it's not a bad idea to use a framework here, do not always rely on a framework to do the right thing.

For authorization, you'll need to track what actions the user is taking and perform permission checks to see if they are allowed to do the action they are attempting. This can be accomplished in a number of different ways and all of them are domain specific -- you won't often find a cut-n-dried example of it, though you can find lots of frameworks to help you.

For accounting, you need to record what actions the user does. This is the most often neglected part of any application, but when bad things happen, it's utterly crucial knowledge to have and reconstructing it from web server access logs is a nightmare. Again, this is domain specific but a good framework should ease the implementation of it.

Lastly, tying all three of these together is your user's session. When you call 'session_start()' in PHP, it sends a session identifier as a cookie to the client and stores a file to the server's hard drive containing the contents of $_SESSION for that user. You can also configure PHP to override the default functionality and save session data using session_set_save_handler. You can then store that information to the database.

TL;DR: Use a framework like CodeIgniter, Drupal, Yii or some other actively developed solution. The vast majority of frameworks out there will do just about anything you need them to, and if they don't, they can be modified very easily. Don't create your own framework for this; use one that is already available.

like image 42
jmkeyes Avatar answered Oct 21 '22 08:10

jmkeyes