Secure authentication in PHP
https://stackoverflow.com/questions/1367065
-
21-09-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
Let me rephrase my last question, what PHP library or framework can I use for professional and secure authentication? Extra points if your idea helps implement account Control Panel features (change password, edit profile).
How do you pros do it? Have you ever done trustworthy authentication using PHP?
Solution
I personally really like the symfony framework and its sfGuard plugin. It provides very easy to configure authentication. It hashes and salts all the passwords and provides a backend interface to manage users, groups and permissions.
Symfonys routing and configuration makes it very simple to set a secure flag on every page or even "area" of your web site. I have had no need to look elsewhere when building a secure web site.
OTHER TIPS
An advanced authentication library I have developed is ulogin.sourceforge.net. It has support for remember-me, various brute force prevention methods and also secures your sessions against hijacking/fixation/replay. It also supports multiple user databases like sql/ldap etc. If you are not using a PHP framework like Cake/CI, I honestly recommend it.
Have you checked out Drupal? It provides authentication over ssl and it doesn't store passwords as plaintext in the database. And a it's "Control Panel" features are pretty good.
ESAPI has a general framework that you can use, it will take a little bit of rewiring but it is solid for what you are looking for. And of course, authenticate over SSL, don't store auth information on the client, etc
