PHP What information need to be store/maintained to ensure website quality and keep it safe?

MY PLATFORM: PHP & mySQL

MY SITUATION:

I am building an app. where users can sign up for an account for the services that I provide. I want to restrict a user from signing up for multiple accounts and users from all over the world can create an account of their own. That being said:

1. What can I do to prevent multiple accounts and ensure that I can track a user in case they resort to some mischief concerning the security of my website?

2. What details do I need to log about the user for administration purposes? IP? Browser info? What else? (Bonus: If you can list out why, that would be helpful too)

3. How many past logins of the user should be recorded and maintained? How would so many (your recommended number of past logins) help?

4. Please list out what you think should not be missed at any cost and others that can be helpful.

Thank y开发者_如何转开发ou in advance.

Well, first off:

IP Address are not unique ways of identifying a user, as multiple computers can be located on a single IP address, as seen in work enviorments, schools, and other institutional access points.

Furthermore

There is no absolute way to be sure about someone's identity. You can simply go off what the person tells you. You can limit accounts 1 account per email address, but there are easy ways to work around that. Same with about any other method you try.

So, we can conclude that:

There really isn't a way to ensure that a user only makes 1 account. You really shouldn't bother attempting to implement a system that does, as there will always be ways to work around the blocker you have installed.

The only real thing you can do is ensure 1 account per email address, and that is a stretch as gmail allows me to use all of these email addresses:

myemail@gmail.com
myemail+1@gmail.com
// I can put anything after the '+' sign. Gmail ignores it.

m.yemail@gmail.com
m.y.email@gmail.com
// Gmail doesn't care about dots in email addresses, they all go to me.

As you can see, I can make a LOT of email addresses that are all unique, but they all go directly to my email inbox.

And that isn't counting my personal email @chacha102.com. With a catch-all email, I can put anything infront of @chacha102.com and it will go directly to me. I could even make a script to create a random hash and append the @chacha102.com to it. I would have almost an infinite amount of email addresses.

So, my advice? Worry about something else.

To answer the rest of your questions:

You should probably keep an administrative log of important events. Such as StackOverflow has a log of all the rep I earn, when I got a badge, and most likely when I logged in. Find the 'checkpoints' in your site and log them.

You should probably keep these logs for 30 days or longer if required by law, or forever if required by your system. (StackOverflow probably has ALL my reputation ups and downs as it ensures that a rep recalc can go from the beginning on).

You should probably check out this StackOverflow question:
https://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

First and foremost, there is no way your website can be 100% safe.

(evil piano music)

As long as you know that, we can move on.

What can I do to prevent multiple accounts and ensure that I can track a user in case they resort to some mischief concerning the security of my website?

There really is no definitive way to prevent multiple accounts, users can get around that. It would be difficult to track if a user is performing acts of mischief, you are better off focusing on validating and escaping user's input to avoid any harmful activities.

What details do I need to log about the user for administration purposes? IP? Browser info? What else? (Bonus: If you can list out why, that would be helpful too)

I cannot tell what you would get out of logging the user's IP address, but in a website like StackOverflow, it is used to inform the user who's been on their account, which is something useful to display to the user. Browser information is not necessarily needed for administrative purposes.

Please list out what you think should not be missed at any cost and others that can be helpful

I am no security-guru, but all I can emphasize is focus on escaping and validating input, especially when working with databases you do not want your website to have any injections. Look into using parameterized queries.

Good luck.