Geek Answers Handbook

Secure PHP login system?

I am developing a PHP-based CMS for use on my robotics team site. Of course, there are many other platforms, but what fun is it?

Despite all the seriousness, we get extra points for saying that we did more than create a template for Drupal or WP. It's a bit unrelated, but I would like to be able to release CMS as FOSS one day, but it definitely needs to mature and be safer. But I'm distracted.

I came to the conclusion of the development of this system, where I need a login system. This caused more frustration than I expected. I can be meticulous when it comes to security, and this is no exception. The problem is that I know how to take care of database security (trust without user input, store passwords as a hash with a random salt, etc.), but I do not have enough knowledge to create a good client-server system. A few questions in this regard: how safe is it to use session variables? How to properly implement session variables in this regard? Should a session cookie be restored every time a page is viewed? You give up more security when using cookies so that the user logs in for a while, but what are the best methods for implementing such a system?

A good tutorial on this will also help a lot.

Thank you for your time.

+7
database php login session
source share
4 answers

If you want to know more about the problem / solution, rather than copying / pasting any elses code, check out this article.

http://jaspan.com/improved_persistent_login_cookie_best_practice

A great resource for constantly managing cookies, although it does not give you code, it gives you a good rationale / concept for creating a more secure login system.

Of course, the safest PHP login system is one that does not have permanent login functions, since user credentials are never stored anywhere separately from the server.

+3
source share

erm, explaining that all questions will fill a good-sized book are futile solutions for them.

A recitative version of an abridged summary of the manual for idiots:

  • use SSL
  • make sure security flags and httponly are set for session cookies (go read on session capture, MITM attacks).
  • restore the session identifier at login (go to session fixation) and exit
  • implement the level of abstraction over the authentication and authorization system
  • Implement a deferred abstraction layer over each of these two components.
  • perform authorization check on the page
  • in advance if you need to break your data in terms of visiblity / access
+1
source share

Use some existing libraries, such as http://freakauth.4webby.com/
Why reinvent the wheel!

0
source share

Well, a lot of information can be found here:

Ultimate Forms-Based Authentication Guide

By clicking on some links on this page, you will improve your knowledge of security and login issues / problems / problems / solutions / ...

0
source share

More articles:


All Articles