
I'm trying to think out my user authentication system for a site in development and have read many of the posts on stack overflow and elsewhere to get my head around this. I found a couple of options I was wondering if this one looks like a decent starting point:

http://php.about.com/od/finishedphp1/ss/php_login_code_6.htm

It appears to encrypt the passwords and avoid some of the obvious pitfalls.

Also, perhaps a silly question, but I want to use the authentication for 2 reasons:

1. To provide the user with some extra functionality on an otherwise public page. (Think "Hello [username]" at the top of the page).
2. Provide user access to private pages also.

These 2 types of applications (login = added stuff on public page versus login=access to private page) are reliant on the same authentication, right?

In other words, whether I wanted to do one or the other or both shouldn't impact how I think about authentication, correct?

Please let me know if I'm asking for trouble by using an about.com tutorial for this...

Thanks in advance.

FOLLOW UP EDIT: Ok, so the about.com tutorial has some holes. I found a more complete system below that appears to use SHA1 encryption instead. This also has an email verification for new users and some other nice functionality. At first glance, does this seem like a solid route to take?

http://www.unlimitedtree.com/topic/1503-tutadvanced-login-member-system-php-tutorial/

Kevin

1 Answer


Yes, you are asking for trouble. There are several reasons why I would avoid the about.com approach:

  • User name and password are stored on the client side. You'll never want to do that. First: if a malicious attacker gets access to the cookie, he can use the id and password hash to take over the account. Second: there are huge data sets out in the wild called rainbow tables which allow malicious attackers to find out which string (= password) results in the given hash. This means that if you don't have a long/complicated password, someone may use the rainbow tables to get your clear-text password and try it on this and other websites you are registered to.
  • The variable $username is used unchecked and unfiltered. Hello SQL Injection.
  • The password is encrypted using a simple md5() function. MD5 puts you at the risk of hash collisions. Nowadays you should use better hash functions like SHA-1 and use salt.

Security is a complex topic. I recommend you to use well tested authentication and authorization solutions as provided by established frameworks. Also think about OpenID.

A few PHP frameworks and their auth components:

Concerning your question:

In other words, whether I wanted to do one or the other or both shouldn't impact how I think about authentication, correct?

Yes. You have to differentiate between Authentication and Authorization. The former helps you to identify who the user is and the latter helps you to find out what the user is allowed to do. Read this short introduction to learn about the topic.

  • Matthias, thanks. Is there a solid template out there that you could recommend? – Kevin Dec 30 '11 at 06:33
  • Follow up question - how does this tutorial look? http://www.unlimitedtree.com/topic/1503-tutadvanced-login-member-system-php-tutorial/ – Kevin Dec 30 '11 at 07:23
  • This tutorial looks better. You may be vulnerable to [Session hijacking](http://en.wikipedia.org/wiki/Session_hijacking) though. If you want to work without a framework, this may be "good enough". Unfortunately I can't provide you a link to a good stand-alone tutorial since I have worked exclusively with frameworks in the last few years. The advantages simply outweigh the time and effort of building your own solutions with the same quality. I will list a few links to frameworks in my answer. – Matthias Zeis Dec 30 '11 at 10:01
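The three defects the answer lists (credentials kept in a client-side cookie, `$username` spliced unchecked into SQL, unsalted MD5) and the session-hijacking caveat from the comments, shown side by side with a corrected login handler. This is an added example, not code from either tutorial or from the answer; it assumes a `users(id, username, password_hash)` table, a PDO connection and placeholder database credentials.

```php
<?php
declare(strict_types=1);

// VULNERABLE pattern from the tutorial family the answer criticises (do not use):
//   $sql = "SELECT * FROM users WHERE username='$username' AND password='" . md5($pass) . "'";
//   setcookie('auth', "$username:" . md5($pass));   // credentials live in the browser
// Untrusted $username is interpolated into SQL, MD5 is unsalted, and the hash is handed to the client.

function db(): PDO {
    // Assumed DSN and credentials; replace with your own (placeholders only).
    $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'APP_DB_PASSWORD');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepared statements
    return $pdo;
}

// Registration: store only a salted, slow hash (bcrypt via PASSWORD_DEFAULT), never MD5/SHA-1.
function registerUser(PDO $pdo, string $username, string $password): void {
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Login: the username is a bound parameter, so it can never change the query structure.
function loginUser(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false; // same failure path for unknown user and wrong password
    }
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) { // upgrade old hashes
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    // State stays server-side: the browser only receives an opaque session id.
    session_regenerate_id(true); // fresh id after login blocks session fixation
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function currentUserId(): ?int {
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

// Request handling: harden the session cookie, then start the session before any output.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
session_start();
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $ok = loginUser(db(), $_POST['username'] ?? '', $_POST['password'] ?? '');
    echo $ok ? 'Hello, user #' . currentUserId() : 'Login failed';
}
```

The same `currentUserId()` check serves both of the asker's cases: a public page that greets a logged-in user and a private page that refuses anonymous requests differ only in what they do when it returns null.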