Secure PHP authentication system [closed]
This has been asked many times, but none of the answers are satisfying, I looked online for secure tutorials but I have not found something good enough you would want to use in an important website. It just seems like there are so many ways to get around security.
Does anyone know of a GOOD one? What do you guys do when you build a website that needs something like this?
With security, the best plan is to not do it yourself; leave it to the experts... and I'm someone with a severe case of "Not Built Here" syndrome.
If you want to learn security, write it yourself, but don't use it in a prod environment.
If you need to learn security, I suggest at least reading You're Probably Storing Passwords Incorrectly on Coding Horror and reading Essential PHP Security.
If you need security in a prod environment, get a library from a trustworthy professional source, and use it. I suggest OpenID.
You can get general but useful info here - The Definitive Guide To Website Authentication (beta).
Download open source frameworks or CMSs, dive in the code and see how it is done :) Example: Drupal !
I use a permission based system where every user belongs to a group and every group has a set of permissions, in every form I use a nonce field to prevent 'accidental' submiting, if it's really important I check user passwords with crypt and not allow weak ones.
EDIT. you could also use Email verification for really important commands.
精彩评论