I know this question has been asked more then once and more then twice but most answeres i've found here haven't helped me at all.
Since i started to code i've used three selfmade different authentication implementations based on cookies. I've never took much stand against injection or hijacking but this time i am trying to incorporate that in both my user authentiaction and submitting forms.
Since there are thousands of user authentication scripts to choose from i want to ask what frameworks or scripts you would recommend i use? I've tried a few but no one has really done the job? I'm not useing any php framework like Zend, Codeigniter or similar.
I plan on using SSL as well but on some sites my cms will be used on will not have SSL.
Try this one: http://ulogin.sourceforge.net/
If you need an authentication library that ...
isn't tied to a single framework and
works with multiple database systems (e.g. MySQL, PostgreSQL, SQLite, etc.)
... then https://github.com/delight-im/PHP-Auth might be for you.
It's modern (PHP 5.6+), secure and convenient.
Symfony2 provides a security component that is available as a standalone PHP library.
Documentation: Symfony2 - Security
Download it from GitHub
Related
Is it possible to use Laravel alongside another php application not built with a framework just for the login/authentication system?
Looking at other posts, I realize that's not the point of php frameworks, but my thought was for maximum security, using a framework would be best.
It's entirely feasible, yes. Especially if said application was properly classed and namespaced.
If it's not classed / namespaced, that rules out simply including it in Laravel. That'd likely be way more headache than it's worth.
In terms of security, there are a lot of routes you can go. In fact, there are authentication websites that take user information completely off of your hands. It may be worth looking into them.
The easiest solution would be to either find a class or library that is dedicated to authentication, and simply include it in your application (example here: http://ulogin.sourceforge.net/ or simply search for PHP Authentication Library). They're framework agnostic, and will be very simple to integrate into your project.
The bottom line is, you probably want something that's agnostic to frameworks / coding architectures. That'll be the easiest to integrate into a custom project.
I am currently exploring Zend_Auth, part of Zend Framework, but am dissapointed with the lack of more advanced features such as nonces, authentication tokens, lock-out, etc. In one of my recent projects, I implemented an authentication and ACL (Access Control List) scheme that has the following features:
Salted hashes
Automatic IP address lockout
Nonces (several types)
Authentication tokens (which persist for the entire session)
It would be great if I could abstract this functionality and make a reusable authentication class, but I was curious about whether a feature-rich authentication module already existed, so I could save myself the work. If not, I will most definitely do that.
I suppose my questions is this: What (database-based) authentication module/scheme are you currently using, and are you happy with its features? Specifically, is anyone using one that supports the features I listed above?
I look forward to your responses.
Funny thing, I was going to answer "Zend Framework!" when I saw this question. I guess that you are already using that.
I've done a lot of what you are doing using ZF as well. True that it is not all made for you, but the parts are there. Honestly, if it was already put together, it would not be flexible and not apply to many use cases. I'd rather make it suit the app I'm building, rather than build my app around it. You can make your code into library and include that with your other ZF apps.
I'd be interested in other options as well though.
I've been banging my head against the wall trying to add openid to my PHP webapp, but none of the libraries provided seem to do it in a clean and simple way.
Is there any way to implement openid SSO without being forced into more design choices than is necessary?
The janrain library - being the most popular - is also the most unwieldy, although it seems to be the only one getting significant maintenance. Aside from lacking a clear and simple tutorial, it also imposes some strange filesystem requirements and code dependencies.
Any and all suggestions are welcome. I realize I'm interacting with other servers and that redirects and callbacks are required. Please bear in mind, this isn't my main complaint, I understand the nature of what I'm working with.
I just wish it was easier and more clearly laid out!
If you're using PHP5, I suggest trying LightOpenID.
I use the Zend openid library (best of a bad bunch), but it doesn't support all the latest openid features - not found a perfect implementation yet tbh..
Tutorial describes how to implement Google login( yahoo,etc only just change the URLs, source code is same) in PHP using LightOpenID.
I know this question has been asked before, but I haven't found any answers that seem ideal.
I have a php app that needs a login system. I'm no crypto expert by any means, and I am wary of reinventing the wheel, which has doubtless been invented many times already, and very well.
I'm wondering if anyone is aware of a good authentication component which can easily be integrated into an existing script, which adheres to all best practices and which, when combined with an ssl login, will satisfy all reasonable requirements for being secure.
I would prefer a stand-alone component, as opposed to having to setup an entire framework of some sort. (The rest of the app does not use a framework, and I dislike the idea of having to use one, just for auth.)
Thanks for your help,
Why not use LDAP ?, it's standard, secured and fairly easy.
https://web.archive.org/web/1/http://articles.techrepublic%2ecom%2ecom/5100-10878_11-5032010.html
Zend Framework is designed so you can use individual components without using the MVC part of the framework. You can use the authentication module (zend_auth) which has only one hard dependency (zend_exception). You might want to use zend_acl, zend_session (requires zend_loader) and/or zend_db (requires zend_config, zend_registry, zend_loader) too depending on your scenario.
Check out this article. The system works great and it's amazingly well thought out.
http://www.devarticles.com/c/a/JavaScript/Building-a-CHAP-Login-System-An-ObjectOriented-Approach/
I'm working on the login system for a php web app. I'm aware of the dangers of rolling your own system, so I'm hoping to use a pre-built library of some kind.
I have seen zend_auth recommended in several places. I have also heard that zend_auth can be used independent of the rest of the Zend framework. This would be preferable, as my app does not rely on any frameworks, and I am reluctant to install an entire framework purely for auth.
I have no previous experience with Zend and I am finding the documentation in the manual a bit confusing. I am wondering: Does anyone know of any resources that would be helpful in explaining how to set up a simple authentication system based on zend_auth but that does not rely on the rest of the Zend framework?
Thanks for your help,
I'm aware of the dangers of rolling your own system
...
I am finding the documentation in the manual a bit confusing
Then it's not the right solution for exactly the reasons you've stated. If you don't understand how to use it properly it will never be secure and you can't provide any warranty that it is fit for purpose.
You might consider paying Zend for a support contact and asking for help.
There are other issues with using off the shelf code. If there is a defect in it, its difficult to identify, difficult to resolve, then difficult to merge back the vendors fixes. Also, while really this is really an argument for security by obscurity (and therefore not a well grounded one) the code you write is not visible to any potential attacker until you publish it (if ever) whereas using an off-the shelf product supplied as source, if there is a vulnerability then any script kiddy can run an attack against your site.
C.
the most important thing for a secure authentication/autorization is the concept where the whole application has only a sinlge entry point like an index.php everything is rewrited to. otherwise you have to care for each file beeing called to properly include and check the authorization etc.
zend_auth itsself won't really give you an extra security. it's more like an interface wich can be connected to anything. so what it does is mostly that your application(s) always use the same code for authentication/authorization but can rely on different data.