#1 Registered User (Devshed Newbie, joined Sep 2009, 4 posts)

    Secure Login Authentication


    I've created a website where people register/login and have a profile which people can search, and there are different levels of security etc. However, the login process is very basic because I don't know enough about secure authentication etc.

    Therefore, I've decided it would be best to use an authentication library that's designed by experts and will get updates when holes are found etc.

    I've looked at uLogin but it seems a little bloated with 43 files totaling 141 KB. I've looked at other libraries but they're no longer being maintained.

    What do you guys use for authentication? Or do you create your own?
#2 Jacques1 (Devshed Expert, joined Jul 2012, 3,957 posts)
    Hi,

    probably one of the best security libraries out there is the Symfony Security Component. However, it's pretty advanced and big. If you find uLogin already too bloated, this is not for you.

    Unfortunately, those seem to be pretty much the only good libraries out there. I've looked for alternatives myself, but all I've found was garbage. The PHP community seems to be mostly ignorant about security.

    So I guess you'll have to do it yourself. For a start, check out the concept for a secure user authentication system I wrote down. It covers a lot of critical aspects and typical pitfalls. Note that PHP 5.5 has a new password API for highly secure password hashes. If you don't have PHP 5.5 yet, there's an "emulation" library for PHP >= 5.3.7. Also check The 6 worst sins of security to avoid major f*ckups.

    If you're interested, I can help you with your code and do a security review. Simply post your thoughts and code in this forum.
    Last edited by Jacques1; August 11th, 2013 at 08:41 AM.
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3 Registered User (Devshed Newbie, joined Sep 2009, 4 posts)
    Hi Jacques1, thanks for the reply. I was surprised that my initial googling didn't find anything useful, given the popularity of PHP.

    I'm not sure whether to use uLogin or create my own at the moment. I checked out your authentication concept a few weeks ago actually and I found it very interesting. I've just started reading your 6 worst sins and it's a very good post. Thanks for all the advice.
#4 Contributing User (Devshed Newbie, joined Jul 2013, 37 posts)
    Well, I had created my own login.
    Used jQuery (to make it difficult for bots, and more user-friendly), quite a lot of $_SESSION variables and a slow hashing algorithm (used PHPass)... And also, captcha protection after 2-3 unsuccessful attempts (to make it impossible for bots)...
    And of course, use PDO prepared statements or mysqli_* functions...
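    The following is an added example, not code posted by anyone in this thread, showing how the advice in posts #2 and #4 fits together: the PHP 5.5 password API (password_hash/password_verify/password_needs_rehash, which the password_compat library also provides on PHP >= 5.3.7), PDO prepared statements for every query, and a failed-attempt counter that demands a CAPTCHA after a threshold. The table and column names, the DSN and credentials, the threshold of 3 and the caller-supplied $captchaPassed flag are all assumptions made for the example.

```php
<?php
// Added example (not from the thread). Assumed schema:
//   users(id, username, password_hash, failed_logins)
// Requires PHP >= 5.5, or PHP >= 5.3.7 with password_compat included.

// Assumed threshold: after this many failures a CAPTCHA is required (post #4 says 2-3).
define('MAX_FAILED_BEFORE_CAPTCHA', 3);

function connect()
{
    // Assumed DSN and credentials. Exceptions on error, and real (server-side)
    // prepared statements rather than client-side emulation.
    return new PDO('mysql:host=localhost;dbname=app;charset=utf8', 'app', 'secret', array(
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ));
}

function registerUser(PDO $pdo, $username, $password)
{
    // bcrypt via PASSWORD_DEFAULT; the salt and cost are embedded in the hash string.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash, failed_logins) VALUES (:u, :h, 0)');
    $stmt->execute(array(':u' => $username, ':h' => $hash));
}

/**
 * Returns 'ok', 'bad_credentials' or 'captcha_required'.
 * $captchaPassed is the result of the site's own CAPTCHA check (assumed to exist).
 */
function attemptLogin(PDO $pdo, $username, $password, $captchaPassed = false)
{
    // Username is bound, never concatenated into the SQL.
    $stmt = $pdo->prepare('SELECT id, password_hash, failed_logins FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Too many failures for this account: refuse to even check the password
    // until the CAPTCHA has been solved, so a bot cannot keep guessing.
    if ($user !== false && (int) $user['failed_logins'] >= MAX_FAILED_BEFORE_CAPTCHA && !$captchaPassed) {
        return 'captcha_required';
    }

    if ($user === false) {
        // Unknown user: still run a bcrypt verification against a throwaway hash
        // so the response time does not reveal whether the username exists.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        return 'bad_credentials';
    }

    if (!password_verify($password, $user['password_hash'])) {
        $upd = $pdo->prepare('UPDATE users SET failed_logins = failed_logins + 1 WHERE id = :id');
        $upd->execute(array(':id' => $user['id']));
        return 'bad_credentials';
    }

    // Correct password: transparently upgrade the stored hash if the default
    // algorithm or cost has changed since it was created.
    if (password_needs_rehash($user['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute(array(':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $user['id']));
    }

    $upd = $pdo->prepare('UPDATE users SET failed_logins = 0 WHERE id = :id');
    $upd->execute(array(':id' => $user['id']));

    // Fresh session id on login so a pre-login id cannot be fixated.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $user['id'];
    return 'ok';
}

// Usage (assumes session_start() has already been called by the page):
// $pdo = connect();
// $result = attemptLogin($pdo, $_POST['username'], $_POST['password'], $captchaOk);
```

    The counter here is per account, which is what post #4 describes; it rate-limits guessing against one username but does not by itself stop an attacker spreading a few guesses across many accounts, so it is usually paired with per-IP limiting as well.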
