What should I use to authenticate users in PHP?

I was thinking of writing my own authentication script, but I don't know much about security.

From the articles I'm reading, it seems that this is usually related to hashing the password with salt and storing it in the database. Then, when the user requests login, the password is hashed and compared with the database. If it matches, then the user data is stored in `$_SESSION`.

However, I do not know if it is safe or not. I read something about storing session keys in a database, but I'm not sure how this works or how to implement it.

Can someone explain how to implement secure authentication?

Also, are there any suggestions for PHP authentication libraries that I can enable that are easy to learn and not write my own?

+6

3 answers

Mark this answer here.

Although the answer is 3 years old, the recommended phpass library has been updated.

Also +1 for Aron Cederholm. Password security is an extensive subject, and you should first take a look at the related issues that have already been discussed here on StackOverflow so that you are more familiar with the subject and best practices for security.

Although I like frameworks (Symfony, Zend, etc.), because they usually implement these good practices, just using them doesn't make you a good programmer. You must study their inner workings. I always encourage programmers to write their own secure authentication mechanism (as long as they don't deploy it on a live site that really needs reliable security), because this is the best way to learn and understand the issues involved. Always start with an existing implementation, and THEN use it as an example to create your own codebase.

+5

What you need to remember:

  • Authentication: verifying that a user is who they say they are.
  • Authorization: giving the user the ability to do what they are trying to do.
  • Accounting: recording and checking what they do.

For authentication, you will need to keep track of the "users" who connect to and (often) use the system. This requires knowing an identifier (username, email address or other unique token) and a password. Store the username and passphrase somewhere, but never store the passphrase without protecting it first: do not use a message digest algorithm (for example, MD5 or SHA1) with salt. Use bcrypt instead. Although it is not a bad idea to use a framework here, do not blindly rely on the framework to do the right thing.

For authorization, you will need to keep track of what actions the user takes and perform permission checks to see if they are allowed to perform those actions. This can be achieved in several different ways, and all of them are domain-specific: you will not often find a cut-and-paste example, although you can find many frameworks that will help you.

For accounting, you need to record what actions the user performs. This is the most often ignored part of any application, but when bad things happen it is extremely important knowledge to have, and recovering it from web server access logs is a nightmare. Again, this is domain-specific, but a good framework should make it easy to implement.

Finally, what ties all three of them together is the user session. When you call `session_start()` in PHP, it sends the session identifier as a cookie to the client and saves a file on the server's hard drive containing the contents of `$_SESSION` for that user. You can also configure PHP to override the default functionality and save session data using `session_set_save_handler`. Then you can store this information in the database.

TL;DR: use a framework such as CodeIgniter, Drupal, Yii or some other actively developed solution. The vast majority of frameworks out there will do everything you need, and if they do not, they can be easily modified. Do not create your own framework for this; use one that is already available.

+5
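The flow the question describes (salted hash stored in the database, compared at login, user data kept in `$_SESSION`) and the answer above (bcrypt instead of a salted digest, sessions stored in a database via `session_set_save_handler`) can be put together in one working script. This is an added example, not code from the thread, from phpass, or from any framework named above. It assumes PHP 8.0+ with the PDO SQLite driver, uses an in-memory SQLite database so it runs stand-alone, and the table and function names (`users`, `sessions`, `registerUser`, `authenticate`, `DbSessionHandler`, `loginSession`) are illustrative choices.

```php
<?php
// Added example, not from the original thread. Assumes PHP 8.0+ and PDO
// with the SQLite driver; the in-memory database stands in for a real one.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, password_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE sessions (id TEXT PRIMARY KEY, data TEXT NOT NULL, updated_at INTEGER NOT NULL)');

// Registration: the passphrase itself is never stored. password_hash() with
// PASSWORD_BCRYPT generates a random salt and embeds salt + cost in the output,
// so there is no separate salt column to manage.
function registerUser(PDO $pdo, string $username, string $password): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    $stmt->execute([$username, $hash]);
}

// Login: password_verify() reads salt and cost back out of the stored hash and
// compares in constant time. Returns the user id on success, null otherwise.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash when the username is unknown, so the
    // response time does not reveal which usernames exist.
    $hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_BCRYPT, ['cost' => 12]);
    if (!password_verify($password, $hash) || !$row) {
        return null;
    }
    // Transparently upgrade hashes stored with a weaker cost than current policy.
    if (password_needs_rehash($hash, PASSWORD_BCRYPT, ['cost' => 12])) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]), $row['id']]);
    }
    return (int) $row['id'];
}

// Database-backed session store, plugged in with session_set_save_handler().
// PHP calls read()/write() around each request instead of touching the
// filesystem; gc() removes sessions idle longer than session.gc_maxlifetime.
final class DbSessionHandler implements SessionHandlerInterface
{
    public function __construct(private PDO $pdo) {}

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $stmt = $this->pdo->prepare('SELECT data FROM sessions WHERE id = ?');
        $stmt->execute([$id]);
        $data = $stmt->fetchColumn();
        return $data === false ? '' : (string) $data;   // '' means "new session"
    }

    public function write(string $id, string $data): bool
    {
        $stmt = $this->pdo->prepare('REPLACE INTO sessions (id, data, updated_at) VALUES (?, ?, ?)');
        return $stmt->execute([$id, $data, time()]);
    }

    public function destroy(string $id): bool
    {
        return $this->pdo->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $stmt = $this->pdo->prepare('DELETE FROM sessions WHERE updated_at < ?');
        $stmt->execute([time() - $max_lifetime]);
        return $stmt->rowCount();
    }
}

// Cookie hardening: HttpOnly keeps scripts from reading the id, Secure limits it
// to HTTPS, strict mode rejects ids the server did not issue.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.use_strict_mode', '1');
session_set_save_handler(new DbSessionHandler($pdo), true);
session_start();

// After a successful login, issue a fresh session id before storing identity,
// so an id obtained before authentication is never promoted to a logged-in one.
function loginSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// Demonstration with constructed data.
registerUser($pdo, 'alice', 'correct horse battery staple');
if (authenticate($pdo, 'alice', 'wrong password') === null) {
    echo "wrong password rejected\n";
}
$userId = authenticate($pdo, 'alice', 'correct horse battery staple');
if ($userId !== null) {
    loginSession($userId);
    echo "logged in as user {$userId}, session row written on shutdown\n";
}
```

The session row is written when the script ends (or on `session_write_close()`), which is when PHP calls `write()`; the `updated_at` column is what `gc()` uses to expire idle sessions, which is the part a file-based store gets for free and a database store has to provide itself.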

I am using tank_auth (a CodeIgniter plugin), which is pretty good. The source code is a good reference for implementing a secure login.

+1

Source: https://habr.com/ru/post/909804/