August 11th, 2013, 06:15 AM
Secure Login Authentication
I've created a website where people register/login and have a profile which people can search and there's different levels of security etc. However, the login process is very basic because I don't know enough about secure authentication etc.
Therefore, I've decided it would be best to use an authentication library that's designed by experts and will get updates when holes are found etc.
I've looked at uLogin but it seems a little bloated with 43 files totaling 141 KB. I've looked at other libraries but they're no longer being maintained.
What do you guys use for authentication? Or do you create your own?
August 11th, 2013, 08:30 AM
Probably one of the best security libraries out there is the Symfony Security Component. However, it's pretty advanced and big. If you find uLogin already too bloated, this is not for you.
Unfortunately, those seem to be pretty much the only good libraries out there. I've looked for alternatives myself, but all I've found was garbage. The PHP community seems to be mostly ignorant about security.
So I guess you'll have to do it yourself. For a start, check out the concept for a secure user authentication system I wrote down. It covers a lot of critical aspects and typical pitfalls. Note that PHP 5.5 has a new password API for highly secure password hashes. If you don't have PHP 5.5 yet, there's an "emulation" library for PHP >= 5.3.7. Also check the The 6 worst sins of security to avoid major f*ckups.
If you're interested, I can help you with your code and do a security review. Simply post your thoughts and code in this forum.
Last edited by Jacques1; August 11th, 2013 at 08:41 AM.
August 17th, 2013, 04:09 PM
Hi Jacques1 thanks for the reply. I was surprised that my initial googling didn't find anything useful, given the popularity of PHP.
I'm not sure whether to use uLogin or create my own at the moment. I checked out your authentication concept a few weeks ago actually and I found it very interesting. I've just started reading your 6 worst sins, it's a very good post. Thanks for all the advice.
August 17th, 2013, 11:21 PM
Well, I had created my own login.
Used jQuery (to make it difficult for bots, and more user-friendly), quite a lot of $_SESSION variables and a slow hashing algorithm (used PHPass)... And also, captcha protection after 2-3 unsuccessful attempts (to make it impossible for bots)...
And of course, use PDO prepared statements or mysqli_* functions...
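The two pieces the thread keeps coming back to are a slow password hash (the PHP 5.5 password API mentioned in the second post, or PHPass before it) and prepared statements for the database lookup, plus a server-side failed-attempt counter before the CAPTCHA kicks in. The following is an added example written for this page, not code from any of the posters, uLogin or the Symfony component. It assumes a `users` table with `username` and `password_hash` columns, uses an in-memory SQLite database so it runs stand-alone (swap the DSN for your real connection), and the function names are my own. It needs PHP 5.5 or later for `password_hash()` / `password_verify()`.

```php
<?php
// Added example, not from the thread. Assumed schema: users(id, username, password_hash).
// In-memory SQLite so it runs anywhere; replace the DSN with your MySQL/PostgreSQL one.

function openDb()
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    return $db;
}

// Registration: never store the plaintext. password_hash() generates a random salt
// and uses a deliberately slow algorithm (bcrypt for PASSWORD_DEFAULT at the time of writing).
function registerUser(PDO $db, $username, $password)
{
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute(array(':u' => $username, ':h' => $hash));
}

// Login check: the prepared statement keeps user input out of the SQL text, and
// password_verify() compares against the stored hash in constant time.
function checkLogin(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute(array(':u' => $username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still run a hash verification against a throwaway hash so the
    // response time does not reveal whether the username exists.
    if ($row === false) {
        password_verify($password, password_hash('throwaway-constructed-value', PASSWORD_DEFAULT));
        return false;
    }

    $ok = password_verify($password, $row['password_hash']);

    // If the default cost/algorithm has moved on since the hash was created,
    // re-hash transparently after a successful login (we have the plaintext only now).
    if ($ok && password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $db->prepare('UPDATE users SET password_hash = :h WHERE username = :u');
        $upd->execute(array(':h' => password_hash($password, PASSWORD_DEFAULT), ':u' => $username));
    }
    return $ok;
}

// Failed-attempt counter kept server-side (the session array is passed in so the
// function is testable without a real session). After MAX_FREE_ATTEMPTS failures,
// a solved CAPTCHA is required before the password is even checked.
define('MAX_FREE_ATTEMPTS', 3);

function loginWithThrottle(PDO $db, array &$session, $username, $password, $captchaPassed = false)
{
    if (!isset($session['failed_logins'])) {
        $session['failed_logins'] = 0;
    }
    if ($session['failed_logins'] >= MAX_FREE_ATTEMPTS && !$captchaPassed) {
        return 'captcha_required';
    }
    if (checkLogin($db, $username, $password)) {
        $session['failed_logins'] = 0;
        // New session id on privilege change defeats session fixation.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $session['user'] = $username;
        return 'ok';
    }
    $session['failed_logins']++;
    return 'denied';
}

// Demo run with constructed data.
$db = openDb();
registerUser($db, 'alice', 'correct horse battery staple');
$session = array();
foreach (array('wrong1', 'wrong2', 'wrong3', 'correct horse battery staple') as $attempt) {
    echo $attempt, ' => ', loginWithThrottle($db, $session, 'alice', $attempt), PHP_EOL;
}
// The fourth attempt is blocked until a CAPTCHA is solved, then succeeds:
echo 'with captcha => ', loginWithThrottle($db, $session, 'alice', 'correct horse battery staple', true), PHP_EOL;
```

In a real request handler `$session` would be `$_SESSION` and the counter should also be tracked per account server-side (a session-only counter resets when the client drops its cookie, which is exactly what a bot does).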