What should I use for user authentication in PHP?

Question

I was thinking of writing my own authentication script but I don't know much about security.

From the articles I've reading, it looks like it usually involves hashing the password with a salt and storing it in the database. Then when user requests to log in, password is hashed and compared with the database. If it matches, then the user's data is stored in $_SESSION.

However, I don't know if this is secure or not. I read something about storing session keys in the database but I'm not sure about how that works, or how to implement that.

Can someone explain how to implement secure authentication?

Also, are there any suggestions for PHP authentication libraries I can incorporate that are easy to learn instead of writing my own?

Answer 1

Check this answer here.

Although the answer is 3 years old, the suggested phpass library is up to date.

Also, +1 to Aron Cederholm. Password security is an extensive subject and you should look first at the related questions already discussed here on StackOverflow so you will be more familiar with the subject and best practices in security.

Although I like frameworks (Symfony, Zend, etc) as they generally implement these good practices, just using them don't make you a good programmer. You have to learn its inner workings. I always salute a programmer dwelving into coding his own secure authentication mechanism (as long as they don't implement it in a live site that really needs strong security), because that's the best way to learn and understand the inners of the subject. Always start from an existing implementation, and THEN use that as an example for creating your own codebase.

Answer 2

Things to keep in mind:

1. Authentication; verifying the user is who they say they are.
2. Authorization; ensuring the user is allowed to do what they are trying to.
3. Accounting; recording and auditing what they do.

For authentication, you'll need to track "users" connected to and (often) authenticated with the system. This requires knowing an identifier (a username, email, or some other unique token) and a pass-phrase. Store the username and pass-phrase somewhere, but never store the pass-phrase without securing it first: don't use a message digest algorithm (like MD5 or SHA1) with a salt. Use bcrypt instead. Although it's not a bad idea to use a framework here, do not always rely on a framework to do the right thing.

For authorization, you'll need to track what actions the user is taking and perform permission checks to see if they are allowed to do the action they are attempting. This can be accomplished in a number of different ways and all of them are domain specific -- you won't often find a cut-n-dried example of it, though you can find lots of frameworks to help you.

For accounting, you need to record what actions the user does. This is the most often neglected part of any application, but when bad things happen, it's utterly crucial knowledge to have and reconstructing it from web server access logs is a nightmare. Again, this is domain specific but a good framework should ease the implementation of it.

Lastly, tying all three of these together is your user's session. When you call 'session_start()' in PHP, it sends a session identifier as a cookie to the client and stores a file to the server's hard drive containing the contents of $_SESSION for that user. You can also configure PHP to override the default functionality and save session data using session_set_save_handler. You can then store that information to the database.

TL;DR: Use a framework like CodeIgniter, Drupal, Yii or some other actively developed solution. The vast majority of frameworks out there will do just about anything you need them to, and if they don't, they can be modified very easily. Don't create your own framework for this; use one that is already available.