views:

232

answers:

4

This has been asked many times, but none of the answers are satisfying. I looked online for secure tutorials, but I have not found something good enough that you would want to use on an important website. It just seems like there are so many ways to get around security.

Does anyone know of a GOOD one? What do you guys do when you build a website that needs something like this?

A: 

Download open source frameworks or CMSs, dive in the code and see how it is done :) Example: Drupal !

redben
Not many open source frameworks or CMSs are written with security as a primary focus.
Jacco
Plus they are open source, so anyone can look in there to see how things work! They are good for very basic sites where a logged-in user can't really do too much damage, though.
Murtez
No sir. Drupal, for instance, has a whole team that's only concerned with security in the project: http://drupal.org/security On the other hand, because it is open source and anyone can look at the source (not only black hats), vulnerabilities are easier to spot and correct :)
redben
@Murtez - obscurity is the poorest form of security: http://en.wikipedia.org/wiki/Kerckhoffs%27_principle
LeguRi
A: 

I use a permission-based system where every user belongs to a group and every group has a set of permissions. In every form I use a nonce field to prevent 'accidental' submitting, and if it's really important I check user passwords with crypt and don't allow weak ones.

EDIT: you could also use email verification for really important commands.

Javier Parra
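The three pieces this answer describes (group permissions, a single-use form nonce, and password hashing with a weak-password check) fit together as shown in the following added example. It is illustrative code written for this page, not Javier Parra's own implementation and not tied to any framework. Since the thread names no language, it is in Python; PBKDF2-HMAC-SHA256 from the standard library stands in for the answer's `crypt`, the group table and the common-password list are constructed sample data, and a real site would keep the nonce store in the server-side session and the hashes in a database.

```python
import hashlib
import hmac
import os
import secrets

# Constructed sample group -> permission table (assumption: a real site loads this from a DB).
GROUP_PERMISSIONS = {
    "admin": {"post.create", "post.delete", "user.ban"},
    "editor": {"post.create", "post.edit"},
    "member": {"post.create"},
}


def has_permission(user_group, permission):
    """Deny by default: unknown groups and unknown permissions both return False."""
    return permission in GROUP_PERMISSIONS.get(user_group, set())


class FormNonces:
    """Per-session, single-use form tokens (the 'nonce field' in the answer).

    A token is issued when the form is rendered and stored server-side; the form
    embeds it as a hidden field. On submit the token must match and is then
    discarded, so a double submit, a replay, or a forged cross-site POST that
    lacks the token is rejected.
    """

    def __init__(self):
        self.tokens = {}  # form_name -> token; assumption: lives in the server session

    def issue(self, form_name):
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self.tokens[form_name] = token
        return token

    def consume(self, form_name, submitted):
        expected = self.tokens.pop(form_name, None)  # pop: one use only
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)  # constant-time compare


# Constructed sample of a common-password list; a real deployment uses a large breach list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "hunter2"}
MIN_PASSWORD_LENGTH = 12
PBKDF2_ITERATIONS = 600_000  # slow on purpose; tune for your hardware


def is_weak_password(password):
    """Reject short passwords and anything on the common-password list."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return True
    return password.lower() in COMMON_PASSWORDS


def hash_password(password):
    """Salted, iterated PBKDF2-HMAC-SHA256, stored with its parameters so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def register_user(users, username, password):
    """Create an account only if the password passes the weak-password check.

    `users` is a constructed dict standing in for the user table.
    Returns True on success, False if the password was rejected.
    """
    if is_weak_password(password):
        return False
    users[username] = {"group": "member", "password_hash": hash_password(password)}
    return True


if __name__ == "__main__":
    users = {}
    print("weak rejected:", not register_user(users, "alice", "hunter2"))
    print("strong accepted:", register_user(users, "alice", "correct horse battery staple"))
    print("login ok:", verify_password("correct horse battery staple", users["alice"]["password_hash"]))
    nonces = FormNonces()
    tok = nonces.issue("delete_post")
    print("first submit:", nonces.consume("delete_post", tok), "replay:", nonces.consume("delete_post", tok))
```

The nonce check and the password check both use `hmac.compare_digest` so that a mismatch takes the same time regardless of where the first differing byte is; the stored hash string carries its own salt and iteration count so existing accounts keep working when the cost is raised.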
+1  A: 

With security, the best plan is to not do it yourself; leave it to the experts... and I'm someone with a severe case of "Not Built Here" syndrome.

If you want to learn security, write it yourself, but don't use it in a prod environment.

If you need to learn security, I suggest at least reading You're Probably Storing Passwords Incorrectly on Coding Horror and reading Essential PHP Security.

If you need security in a prod environment, get a library from a trustworthy professional source, and use it. I suggest OpenID.

LeguRi
Yes, I need to learn security. I've been looking around at tutorials, different attack types, how to prevent them, etc., but I'm not sure where to go from here.
Murtez
+1  A: 

You can get general but useful info here: The Definitive Guide To Website Authentication (beta).

Bakhtiyor