15

I'm building a site that requires user authentication and authorization. My initial idea was to write the application using the Flask framework. However, I learned that Flask doesn't have a built in authentication system. It does have an extension flask-login, but I haven't gotten any confirmation as to whether this extension is well-written. I've read that it's very easy to get authentication wrong.

  1. Might it be a good idea to switch to something like Django or web2py, which do have built in authentication systems?

  2. Do good web programmers typically choose to use tried and true authentication systems as opposed to trying to roll out their own?

  3. Is there a good guide that demonstrates best practices with respect building an authentication/authorization system?

Thanks guys!

Community
  • 1
  • 1
Michael
  • 2,031
  • 6
  • 21
  • 27
  • 5
    Never, never, never try to roll your own authentication scheme. +1 for asking the question. – Adam Liss Apr 10 '12 at 20:36
  • Do you have any special requirements (such as single sign-on) or do you just want a basic username/password authentication over an HTTPS page? – André Caron Apr 10 '12 at 20:37
  • 2
    @AdamLiss Unless you know you have to, and you understand how to make it really robust and someone else is paying you. – Marcin Apr 10 '12 at 20:38
  • Would you be willing to live with a separate auth management system, or do you want it to be part of the app? – Ignacio Vazquez-Abrams Apr 10 '12 at 20:41
  • @Marcin: If you haven't spent your career working with cryptography (and possibly even if you have), you don't know how to make it really robust. There's _no_ excuse for rolling your own web auth scheme. – Adam Liss Apr 10 '12 at 20:45
  • 1
    It looks like I'll be using a pre-built authentication system. Thanks for the great answers so far. André and Ignacio, thanks for your concern, but no need to pursue these options further. – Michael Apr 10 '12 at 20:45
  • 1
    Thing is, I know a *great* pre-built auth system... – Ignacio Vazquez-Abrams Apr 10 '12 at 20:47
  • What is it? I'll definitely check it out at the very least – Michael Apr 10 '12 at 20:48
  • 1
    @AdamLiss I think you're both under-and-over estimating the challenge. You probably shouldn't be using anything that requires a whole career of crypto experience for all but the most specialised usages; but there are a whole bunch of security issues that aren't crypto related at all (buffer overrruns, for example, or injection issues). – Marcin Apr 10 '12 at 20:54
  • @IgnacioVazquez-Abrams It's not obvious what you're referring to. – Marcin Apr 10 '12 at 20:55
  • 2
    @Mike: [FAS](https://fedorahosted.org/fas/) does everything you need, most things you could ever want, and a few you didn't know you wanted in the first place. [python-fedora](https://fedorahosted.org/python-fedora/) is the client for it. – Ignacio Vazquez-Abrams Apr 10 '12 at 21:02

1 Answers1

6

If you want to add user login capability to your website (that is, authentication and authorization) use an existing framework. Unless you're an expert in security, the probability of writing secure a system is close to 0. This applies regardless of the language you program in and regardless of the framework you are using.

Unfortunately, I have seen people answer this question as follows: "This is not that hard, and fun to code, as a beginner. You need a place to store your data (let's say a mysql database). You should store ENCRYPTED versions of the passwords, etc. etc." This answer is COMPLETELY INCORRECT.

There are free authentication frameworks available, USE THEM. For example, Django and web2py have built-in authentication systems. Many frameworks do not come with built-in authentication (e.g. Flask, webpy); this does not mean you should roll out your own framework. It just means you should find 3rd party authentication software. For Flask, there is Flask-login.

So, the answer to my original questions are:

1.) Yes, or integrate a verified 3rd-party software system.

2.) Yes, the best practices says DO NOT WRITE YOUR OWN AUTHENTICATION SYSTEM. Use one that's already been built.

3.) You shouldn't need a guide to building an authentication system, because you shouldn't be building one. However, OWASP is a great security resource.

Here's a brief summary: Do not write your own authentication system. Use a pre-built authentication system that is trusted. If anyone has any recommendations for authentication systems that can be used with Python, feel free to post them.

Michael
  • 2,031
  • 6
  • 21
  • 27