PHP Development - Laitkor
Making a secure PHP login system
1. You must use sessions and not raw cookies, as raw cookies can be spoofed and tampered with far more easily.
2. When storing passwords, the current reasonably safe way to go is a hash with a decent-sized random salt. Don't just hash the password, and never store it as plain text.
3. Protect against SQL injection.
4. Detect and prevent brute-force attacks. There are a couple of ways to do this, or at least to make it prohibitively expensive for people with CAPTCHA crackers, so long as you have decent password requirements.
5. You can use a framework like Laravel, which has register/login functionality out of the box, so you basically don't have to do anything. Use a well-tested project, not a random one.
6. If you want to create your own from scratch, here are the steps to be followed:
• Always sanitize input. Never trust your users.
• Don't use the good old mysql_* functions; use mysqli or PDO instead. When you feel comfortable, start using a MySQL wrapper class, or better, an ORM.
• Don't store user passwords in plain text in the database.
• Do not invent your own hashing algorithm for passwords. It is a bad idea, so use an existing, well-vetted one instead.
• Create an authentication throttling system. This will slow down script kiddies, though the same cannot be said for highly motivated attackers.
• Learn what CSRF stands for. This is seriously important.
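The steps above, put together as an added example (not code from the original post): a minimal PHP login handler that uses server-side sessions, password_hash() (which generates the random salt for you), PDO prepared statements, a simple failed-attempt throttle and a CSRF token. It assumes a PDO connection in $pdo and a users table with username and password_hash columns; those names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes $pdo (a PDO connection) and a
// `users` table with `username` and `password_hash` columns (both assumed names).
declare(strict_types=1);
session_start();
const MAX_FAILURES = 5;      // throttle after this many failed attempts ...
const LOCKOUT_SECONDS = 300; // ... for this many seconds

// Registration: password_hash() picks a random salt and embeds it in the stored hash.
function register(PDO $pdo, string $username, string $password): void {
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]); // bound parameters, no SQL injection
}

// Login: returns true on success; failures are counted in the session for throttling.
function login(PDO $pdo, string $username, string $password, string $csrfToken): bool {
    // CSRF: the token submitted with the form must match the one issued to this session.
    if (!isset($_SESSION['csrf']) || !hash_equals($_SESSION['csrf'], $csrfToken)) {
        return false;
    }
    // Throttling: refuse further attempts while locked out.
    if (($_SESSION['failures'] ?? 0) >= MAX_FAILURES
        && time() - ($_SESSION['last_failure'] ?? 0) < LOCKOUT_SECONDS) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a dummy hash when the user does not exist so timing stays similar.
    $storedHash = $row['password_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if ($row === false || !password_verify($password, $storedHash)) {
        $_SESSION['failures'] = ($_SESSION['failures'] ?? 0) + 1;
        $_SESSION['last_failure'] = time();
        return false;
    }
    // Success: reset the counter, rotate the session id, keep identity server-side.
    $_SESSION['failures'] = 0;
    session_regenerate_id(true);
    $_SESSION['user'] = $username;
    return true;
}

// Issue the CSRF token to embed as a hidden field in the login form.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
```

The per-session failure counter only illustrates the idea; a real throttle keys on the account and/or source address in server-side storage, since a client can simply discard its session cookie.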
You can build a secure PHP login system from scratch or use an out-of-the-box system. Eliminate raw cookies and use sessions instead. Secure your server against SQL injection. For password storage, use a hash with a salt rather than plain text. Rely on a well-trusted project rather than a random one.