Hi, I'm planning on making some dynamic PHP websites and I need a free authentication system that allows me to create a control panel for these sites' admins. It should contain:

  • Remember password
  • Lost password
  • Maximum login attempts per specific interval
  • User management

Thanks.

A: 

As a beginner, I suggest googling for tutorials, and considering using a PHP framework like Zend Framework.

Authentication is one of those things that seemingly 90% of beginner developers want to use a prepackaged solution for, yet none of them are sufficient.

Writing your own will improve you as a developer and teach you about a lot of core web development terms and technologies, such as:

  • XSS
  • Cryptographically secure hashing
  • HTTPS/SSL
  • CSRF
hobodave
It looks like you just suggested that "beginner developers" should be entrusted with properly implementing secure crypto and protecting against XSS and CSRF for admin accounts. I'd *much* rather that the code protecting the admin account on any service I used was written by someone experienced and, more importantly, had some review and field-testing.
keturn
@keturn: You should never rely on something prepackaged just because you're lazy. You should _learn_ the technology first to the point that it becomes _annoying_ to have to rewrite it every time. Only then should you seek a library, or preferably, write your own.
hobodave
I have a lot more respect for a developer that presents a question of the form: "Do you see any problems with my authentication scheme?" as opposed to "How do I do teh best logins??!"
hobodave
I don't see a reason to reinvent the wheel each time you want to do something. I don't suggest using the first authentication package you run across - do some research first to make sure you are using a good one.
Zachary
Unsolicited career advice: If you're ever asked in an interview: "How would you develop a user authentication scheme in the language of your choice?" and you answer "I'd download and install superLoginPlus.php", don't expect a job.
hobodave
@Zachary, @keturn: http://www.joelonsoftware.com/articles/LeakyAbstractions.html
hobodave
I agree that it's important to learn about the tools you use. If you don't know anything about the hazards of web security, it's all too likely you'll install superLoginPlus and go off happy with your shiny secure front door, only to have someone point out that you've left the key in the lock. On the other hand, if you write your myOwnLogin, you're probably going to make some of the same mistakes the authors of superLoginPlus made years ago that have already been caught and fixed. http://chargen.matasano.com/chargen/2009/7/22/if-youre-typing-the-letters-a-e-s-into-your-code-youre-doing.html
keturn
+1  A: 

There are plenty of scripts out there that do this; if you're serious about PHP, you should be able to write your own authentication script.

There are plenty of resources available to help you start, check out or simply google 'php authentication' (or something along those lines).

http://net.tutsplus.com/videos/screencasts/how-to-build-a-login-system-for-a-simple-website/
http://www.devarticles.com/c/a/MySQL/PHP-MySQL-and-Authentication-101/

However, you should always take online resources with a grain of salt; many won't touch on the security aspects of user management such as XSS etc.

You may also want to check out some PHP frameworks which have authentication libraries built in, such as CakePHP or Zend Framework.

Stoosh
+1  A: 

There is no best one, and there is no serious solution that can be a script. Authentication is a global policy and therefore must be integrated with the entire Web site. Either code your own or use a framework that implements it.

If you start to code your own implementation, remember that your first attempts can be used only for non-sensitive data, as they will be weak (but sufficient for a casual web site).

Stoosh has some good leads you may want to follow.

Just remember this is not as trivial as it seems, and obvious solutions are likely the least secure. But again, you probably don't need CIA-style security, so don't stress and enjoy learning programming.

e-satis
+1  A: 

Some security notes: In order to avoid many of the problems that fall into the authentication and authorisation groups of the OWASP webapp attack classification list, use the user authentication subsystems already implemented in your web framework of choice. They are likely to have already written secure code that covers a lot of the problems related to authentication and sessions and will likely be far more secure than anything you roll yourself.

If you absolutely, positively, must roll your own auth, or if you wish to assess another one, then you/they must follow these rules.

  • Implement a suitably random and unguessable session id for use in the session cookie.
  • Do not allow the session id to be forced.
  • When permissions or credentials are changed (e.g. the user has been upgraded to a higher security level, the user has changed their password), then immediately invalidate the session and start a fresh one.
  • Provide a logout feature, and invalidate the session upon logout.
  • Set the cookie to HttpOnly.
  • Always expire sessions after non-use, and do not implement "keep me logged in" by reconnecting the user to their old HTTP session.
  • Ensure two sessions can't have the same session id at the same time.
  • Ensure that all session data is destroyed when a session is invalidated. A new user coming along may just happen to get assigned a session id that has been used previously. This new session must not have any access to session data that has been set previously against that session id.
Cheekysoft
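Cheekysoft's rules mapped onto PHP's built-in session engine, as an added example that is not from any answer on this page. It assumes PHP 7.3 or later (array form of session_set_cookie_params and the samesite option), that the site is served over HTTPS, and an idle timeout of 30 minutes (IDLE_TIMEOUT is an assumed value).

```php
<?php
declare(strict_types=1);

// Assumed value: seconds of inactivity after which the session is discarded.
const IDLE_TIMEOUT = 1800;

function secure_session_start(): void
{
    // Reject ids the server did not generate: a forced (fixated) id in the
    // cookie is ignored and a fresh, random id is issued instead.
    ini_set('session.use_strict_mode', '1');
    // Only accept the id from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');

    session_set_cookie_params([
        'lifetime' => 0,      // browser-session cookie, no persistent "keep me logged in"
        'path'     => '/',
        'secure'   => true,   // sent over HTTPS only
        'httponly' => true,   // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();

    // Expire after non-use: wipe the data and rotate the id if idle too long.
    $last = $_SESSION['last_activity'] ?? time();
    if (time() - $last > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_regenerate_id(true);
    }
    $_SESSION['last_activity'] = time();
}

// Call after a successful login or whenever credentials/permissions change.
// The old id is deleted on the server, so whoever knew the pre-login id
// cannot ride the authenticated session, and no pre-login data carries over.
function elevate_session(int $userId, string $role): void
{
    session_regenerate_id(true);
    $_SESSION = ['user_id' => $userId, 'role' => $role, 'last_activity' => time()];
}

// Logout: clear server-side data, expire the cookie and delete the session,
// so a later user who happens to receive this id finds nothing behind it.
function destroy_session(): void
{
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', ['expires' => time() - 42000, 'path' => $p['path'],
        'domain' => $p['domain'], 'secure' => $p['secure'],
        'httponly' => $p['httponly'], 'samesite' => $p['samesite']]);
    session_destroy();
}
```

Call secure_session_start() at the top of every page, elevate_session() right after the password check succeeds, and destroy_session() from the logout handler.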