PHP-Security - PHP and session/security management

Hello all,

I am new in this forum.
I am developing a web portal and I need to develop a login/user management system.
Could someone tell me which is the best method to manage a login/user management system in my web portal?
Using MySQLi, password encryption, session or something else.
I would like also to know if you could post me some reference, tutorial, example or other materials on web where I could retrieve some examples or ideas.

Thank you at all in advance

Bye bye

Zipgem

Hi,

there are many things to consider, so this isn't really something you could explain in a few sentences.

I think the most important things are:

• Always escape data before inserting it into an "executable" context. For databases, use prepared statements with the MySQLi library or the PDO interfaces. For HTML, use htmlentities() and make sure the user cannot inject JavaScript code
• Use phpass for the password hashes. Do not use plain hashes (like MD5), encrypted passwords or even plaintext passwords. And don't store the hashes anywhere outside of the particular database field (not in the session, a cookie etc.)

Some attacks like CSRF and things like resetting the password require special security measurements.

And there's common sense, of course. For example, storing the user ID in a cookie obviously isn't a good idea.

A good reference is the OWASP, especially the OWASP Top 10.

Hi Jacques1,

thank you for the useful informations that you provide: I will take a look both phpass and OWASP.
I don't want to use cookie but only session.
Do you know some books that explain security and user management?

Thanks again.

br

zipgem

There's a login system tutorial in the FAQ subforum

Well, there's nothing wrong with cookies. You just shouldn't use them for critical data.

In fact, the session ID is usually stored in a cookie.





I don't know a book about that, but there are plenty of resources on the Internet.