tags:

views:

970

answers:

6
+11  Q: 

PHP best practices for user authentication and password security.

What are the best current libraries/methods to authenticate users without the use of a CMS or heavy framework?

Responses should include suggestions for anything you think should be considered the standard for new PHP development involving user authentication.

+4  A: 

PHPass is a lightweight, variable cost password hashing library using bcrypt.

Variable cost means that you can later turn up the 'cost' of hashing passwords to seamlessly increase security without having to invalidate your previously hashed user passwords.

The field size used for hash storage is constant even when increasing 'cost' due to increasing not the size of the hash, but the number of iterations required to produce it.

Daren Schwenke  2009-10-26 13:46:18
I hope that's supposed to be pronounced PHP *pass*. :)
Doug T.  2009-10-26 13:49:56
+22  A: 

OpenID is a method to authenticate users based on their existing accounts on common web services such as Yahoo, Google and Flickr.

Logins to your site are based on a successful login to the remote site.

You do not need to store sensitive user information or use SSL to secure user logins.

A current PHP version of the library can be found here.

Daren Schwenke  2009-10-26 13:49:30
definately the way to go, completely nixes the need to store any password, so you won't ever be responsible for losing it either.
Kris  2009-11-09 14:38:35
**OpenID** is *definitely* gaining traction as individuals are realizing the difficulty of maintaining a plethora of user accounts across many domains. It is up to us as developers to *herd the sheep* (typical web users) and provide them easier means for connecting to our websites and improve user productivity. Gone will be the days of forgotten passwords.
cballou  2009-11-09 18:41:49
As downfalls of open ID is that not many people know what is OpenID, and might have doubts on entering their mailbox account details as they might asume that your website is tupical fishing website.So as solution I would advise to use OpenID together with internal registration system.
Nazariy  2009-11-09 21:25:23
+4  A: 

Login using HTTP AUTH

  1. Using Apache: http://httpd.apache.org/docs/2.2/howto/auth.html
  2. It is also possible with IIS and other web servers.

Once authenticated, for PHP, you just have to use $_SERVER['PHP_AUTH_USER'] to retrieve the username used during authentication.

This can be a faster and, sometimes, more flexible solution than handling the solution at scripting level provided that limited information is needed regarding the user as all that is made available to you is the username used to login.

However, forget about integrating your authentication in an HTML form unless you implement a full HTTP AUTH scheme from within your scripting language (as described below).

Rolling your own HTTP AUTH within your scripting language

You can actually extend HTTP Basic Auth by emulating it in your scripting language. The only requirement for this is that your scripting language must be able to send HTTP headers to the HTTP client. A detailed explaination on how to accomplish this using PHP can be found here: (see more on PHP and HTTP AUTH).

You can expand on the article above using a typical authentication schema, file store, even PHP sessions or cookies (if information isn't needed to be persistent), giving you much more flexibility when using HTTP AUTH, yet still maintaining some simplicity.

Downsides to HTTP AUTH

  1. The main downside to HTTP auth is the complications that logging out can have. The main way to clear the user's session is to close the browser, or pass off a header with 403 Authentication Required. Unfortunately, this means the HTTP AUTH popup comes back on the page and then requires users to either log back in or hit cancel. This may not work well when taking usability into consideration, but can be worked around with some interesting results (ie. using a combination of cookies and HTTP AUTH to store state).

  2. HTTP AUTH popups, session, and HTTP header handling is determined by browser implementation of the standard. This means that you will be stuck with that implementation (including any bugs) without the possibility of workaround (unlike other alternatives).

  3. Basic auth also means auth_user and password show up in server logs, and then you have to use https for everything because otherwise username and password also go over the network on every query in plain text.

Patrick Allaert  2009-11-03 15:40:57
Can you explain when this would be more flexible than a php'n'database auth method?
DaNieL  2009-11-03 16:31:37
Basic auth also means auth_user and password show up in server logs, and then you have to use https for everything because otherwise username and password also go over the network on every query in plain text.
Daren Schwenke  2009-11-04 00:18:18
@Daniel: I don't know if I would say it is more flexible, but I would argue that its one less interface that needs to be developed, meaning faster implementation.
Kevin Peno  2009-11-04 07:02:28
Sure, but in many web-app the login (and users management) aren't just a 'interface that needs to be developed', used just to login in the app.Often the login and everything is user-relates is the core of the web-app, by it depends users permissions and roles (what he can or cant do), so, if the web-app is php-based, (imho) the more flexible auth method is a php-based one ;)
DaNieL  2009-11-04 08:52:49
@Daniel: Not if using option 2 (rolling your own) specified above. You can handle permbits, etc just like you do, and use the built in HTTP AUTH modal for handling login requests.
Kevin Peno  2009-11-04 20:30:11
I'd add that while it's totally ok to use http-auth for internal stuff, it feels very "cheesy"/cheap for the end user if your nice-cool-awesome website uses it.That kind of "perception" problem is hard to solve.
Carlos Lima  2009-11-09 04:41:39
Don't do this. This is a bad, no-longer-standard way of doing things that does NOT gel with current best practices. In particular, the lack of logout control and the plaintext passwords are a serious problem. It's far too clever for it's own good.
Paul McMillan  2009-11-10 01:49:18
Your passwords are transfered in plain text using any other type of form. What's the difference? If you have issues with plaintext passwords and think THIS is the only one that is a risk, you have other things to worry about. I would agree that it is cheesy and cheap for front facing stuff and also wouldn't advise it in that case.
Kevin Peno  2009-11-10 05:08:28
+8  A: 

I use OpenID .

But like stackoverflow I use the Google project openid-selector to do the heavy lifting.
Demo Page here.

The obvious advantages (of OpenID) are.

  • You don't need to be a security expert.
  • Users trust the big sites with their info.
  • You can request things like (nickname etc) but user has to opt in.
  • You don't need to worry about:
    • registration processes
    • lost/forgotten password
Martin York  2009-11-04 06:42:27
I like this selector project and have used it before as well. I would suggest that you merge this information with the highly voted answer regarding openid.
Kevin Peno  2009-11-04 07:04:19
+4  A: 

A lot of great answers here, but I feel like it's worth saying this--do NOT try to re-invent the wheel in this case! It is extremely easy to screw up user authentication in a wide variety of ways. Unless you really need a custom solution, and have a firm knowledge of security schemes and best practices, you will almost certainly have security flaws.

OpenID is great, or if you're going to roll your own, at least use an established library and follow the documentation!

DougW  2009-11-09 19:11:57
A: 

It's important to separate the security layer of your application from the rest of it. If there's no distance between your application logic and your communication system, you are free to communicate insecurely in one place and securely somewhere else. Maybe you'll make a mistake and send a password in an unencrypted cookie, or maybe you'll forget to verify the user's credentials for one step. Without a 'right way' to communicate with the user, you're sure to make a mistake.

For example, let's say this is how you verify users now:

user_cookie = getSecureCookie()
if (user_cookie.password == session_user.password) {
    do_secure_thing()
    ...
}

If a vulnerability is discovered in getSecureCookie(), and you use this code to verify users throughout your application, you might not find all the instances of getSecureCookie() that need to be fixed. If, however, you separate your logic from your security:

if (userVerified()) {
    do_secure_thing()
    ...
}

... you will be able to quickly and easily re-secure your application. Give yourself a 'right way' to do security, and you will be far less likely to make a major security blunder.

Evan Kroske  2009-11-09 21:43:44

related questions

IDE suggestions: Eclipse IDE vs. Zend Studio ( confused )
MySQL/Apache Error in PHP MySQL query
Lightweight IDE for Linux
What PHP framework would you choose for a new application and why?
Why is my ternary expression not working?
How can I get at the matches when using preg_replace in PHP?
Mechanisms for tracking DB schema changes
Wordpress theme development offline tools
Using object property as default for method property
How can I get the authenticated user name under Apache using plain HTTP authentication and PHP?
Make XAMPP/Apache serve file outside of htdocs
How do you debug PHP scripts?
PHP Variables passed by value or by reference?
Best way to implement unit testing in PHP
Connect PHP to an AS/400
Best way to access Exchange using PHP?
PHP Session Security
How do I access a remote form in php?
What's the best way to generate a tag cloud from an array? (using h1 through h6 for sizing)
Apache/PHP: error_log per Virtual Host?
How do I track file downloads with apache/PHP
How would you access Object properties from within an object method?
Flat File Databases in PHP
Best way to allow plugins for a PHP application
Latest information on PHP upcoming releases