Wed Mar 13 2019
How to keep your PHP authentication secure?
Today, secure authentication is the most important requirement for online activities. A common task in web development is implementing user authentication and access controls, typically through signup and login forms. It matters because it enables organizations to keep their networks secure by permitting only authenticated users (or processes) to access their protected resources, which may include computer systems, networks, databases, websites, and other network-based applications or services.
Authentication is the process of determining whether someone or something is, in fact, who or what it declares itself to be. Authentication technology provides access control for systems by checking to see if a user's credentials match the credentials in a database of authorized users or in a data authentication server.
Usually, authentication by a server entails the use of a username and password. Other ways to authenticate can be through cards, retina scans, voice recognition, and fingerprints.
Authentication should be used whenever you want to know exactly who is using or viewing your site. Web login is Boston University’s primary method of authentication. Other commercial websites such as Amazon.com require people to log in before buying products so they know exactly who their purchasers are.
Secure authentication in PHP
uLogin
uLogin is a PHP library for adding secure login and authentication capability to web applications. uLogin provides tools for secured user sessions, password storage, and logins. It uses various measures to counter different kinds of online and offline attacks, as well as to limit damage in case of a breach. Advanced capabilities like remember-me, two-factor authentication support, recognition of brute force attempts, and support for multiple user databases, in addition to a load of security features, make it a feature-rich, secure and flexible authentication system. Tools to easily integrate XSS/CSRF/replay prevention into any other part of your website are provided in the form of a compact but versatile nonce library.
OpenID
OpenID is a method to authenticate users based on their existing accounts on common web services such as Yahoo, Google, and Flickr. Logins to your site are based on a successful login to the remote site. You do not need to store sensitive user information or use SSL to secure user logins. You don't need to be a security expert. Users trust the big sites with their info. You can request things like a nickname, but the user has to opt in.
PHPass
PHPass is a lightweight, variable-cost password hashing library using bcrypt. Variable cost means that you can later turn up the 'cost' of hashing passwords to seamlessly increase security without having to invalidate your previously hashed user passwords. The field size used for hash storage stays constant even when the 'cost' increases, because what grows is not the size of the hash but the number of iterations required to produce it.
PHPAuth
PHPAuth is a secure user authentication class for PHP websites, using a powerful password hashing system and attack blocking to keep your website and users secure. PHPAuth is a work in progress and is not meant for people who don't know how to program; it's meant for people who know what they are doing.
How to secure authentication in PHP?
- Create a Database Table
- Creating HTML User Login Form
- Adding styles to Login Form
- Connect to Database
- PHP Logic for User Login
- Then Logout.php
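The table, database connection and login logic from the steps above, combined with the variable-cost hashing described under PHPass, as an added example that is not part of the original article. It uses PHP's built-in password_hash(), password_verify() and password_needs_rehash() rather than the PHPass library, and an in-memory SQLite database; the table, column and function names and the sample credentials are assumptions.

```php
<?php
declare(strict_types=1);
// Constructed demo: in-memory SQLite stands in for the real users database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');

function register(PDO $pdo, string $user, string $password, int $cost): void
{
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)')
        ->execute([$user, $hash]);
}
// Returns the user id on success, null on failure; $cost is the current policy.
function login(PDO $pdo, string $user, string $password, int $cost): ?int
{
    static $dummy = null; // verified for unknown users so both paths do bcrypt work
    $dummy ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT, ['cost' => $cost]);
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $ok = password_verify($password, $row ? $row['password_hash'] : $dummy);
    if (!$row || !$ok) {
        return null;
    }
    // The policy cost was raised after this hash was stored: upgrade it now,
    // while the plaintext is available, without invalidating the password.
    if (password_needs_rehash($row['password_hash'], PASSWORD_BCRYPT, ['cost' => $cost])) {
        $new = password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
        $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?')
            ->execute([$new, $row['id']]);
    }
    // A web handler would call session_regenerate_id(true) before storing the id.
    return (int) $row['id'];
}
// Reports the cost embedded in the stored hash and the hash length.
function storedHashInfo(PDO $pdo, string $user): array
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $h = (string) $stmt->fetchColumn();
    return ['cost' => password_get_info($h)['options']['cost'], 'length' => strlen($h)];
}

register($pdo, 'alice', 'correct horse battery staple', 10); // stored at the old cost
print_r(storedHashInfo($pdo, 'alice'));
var_dump(login($pdo, 'alice', 'wrong password', 12));               // failed login
var_dump(login($pdo, 'alice', 'correct horse battery staple', 12)); // upgrades the hash
print_r(storedHashInfo($pdo, 'alice'));
```

Run it with the PHP CLI (7.4 or later, with pdo_sqlite enabled) and compare the two storedHashInfo() results: the cost changes after the successful login while the hash length does not.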
How does it work?
- Authentication is used by a server when the server needs to know exactly who is accessing their information or site.
- It's used by a client when the client needs to know that the server is the system it claims to be.
- In authentication, the user or computer has to prove its identity to the server or client.
- Authentication by a client usually involves the server giving a certificate to the client in which a trusted third party such as Verisign or Thawte states that the server belongs to the entity (such as a bank) that the client expects it to.
- Authentication does not determine what tasks the individual can do or what files the individual can see. Authentication merely identifies and verifies who the person or system is.