
php user management systems


I'm on my last steps to open my website, but the only thing that drove me crazy is the PHP user management. I found a lot of resources about building these systems and I believe that I can write them in my own way. The thing is that when it comes to security I get so freaked out about what to go with. For example, when it comes to sending sensitive information over SSL, some people suggest making sure that the info is encrypted in the registration form so that an attacker can't hack it. And some others suggest making sure that the debugging messages don't show when an error happens so that the attacker can't retrace the links, etc.

Now, as I read here and there that MD5 is not safe anymore, I'm wondering how I would hash a new user's password, etc. I found a link to some programmers who already offer some user management (CodeCanyon), but I'm not sure if they are good enough, since I'm concerned about security as a priority.

So now, what are the security measures that I have to be focusing on? Are there any resources related to that?

Thanks,


Solution

  • You don't have to (and you shouldn't) choose between the different things people tell you to implement. Good security is always layered, meaning that you implement as many protections as you can. This approach has multiple purposes. Each layer can prevent different attacks. Each layer can stop attackers with different levels of experience. Each layer can increase the time needed by an attacker.

    Here are some tips useful for authentication systems.

    • Don't show debugging outputs
    • Don't use MD5 hashes. SHA-2 or, even better, bcrypt are much better
    • Use salts when storing passwords
    • Use nonces on your forms (one-time tokens)
    • Always require SSL encryption between server and client
    • When accessing your database on the server, make sure that information leakage or its client-side manipulation is not possible (e.g. avoid injection attacks; with database drivers, use prepared statements, etc.)
    • Make sure all failed logins (no matter what the reason) take the same amount of time, to prevent timing attacks
    • When a logged-in user starts a risky operation (changing the password, payment, etc.), re-authenticate him
    • Never store passwords in cleartext, not ever, not anywhere
    • Require a minimum complexity for the password
    • !!! Secure your PHP sessions (another large topic, worth its own discussion)

    As you can see, there is a lot you can do (and more people will probably tell you even more stuff); what you really should do depends on the risks you are willing to accept. But never rely on a single security measure; always have a layered approach.
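The following is an added example, not code from the question or the answer above, showing how several of the listed measures look together in plain PHP: bcrypt via `password_hash()` (which generates the per-password salt itself), prepared statements through PDO, a per-session form nonce compared with `hash_equals()`, equalised failure timing on login, session-ID regeneration, re-authentication before a risky operation, and errors logged rather than displayed. The in-memory SQLite schema, the function names, the 12-character minimum and the 5-minute re-authentication window are assumptions chosen for the illustration, not recommendations from the answer.

```php
<?php
declare(strict_types=1);

// Never show debugging output to the client; log it server-side instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Session hardening: cookie only over HTTPS, not readable by JS, reject unknown IDs.
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.use_strict_mode', '1');
session_start();

// Assumed schema for the example; any real table works the same way with PDO.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL, pw_hash TEXT NOT NULL)');

// One-time form token (nonce) kept in the session; compare in constant time.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}
function csrfValid(?string $submitted): bool {
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// Assumed minimum policy: length plus at least one letter and one digit.
function passwordMeetsPolicy(string $pw): bool {
    return strlen($pw) >= 12 && preg_match('/[A-Za-z]/', $pw) && preg_match('/\d/', $pw);
}

function registerUser(PDO $db, string $username, string $password): bool {
    if (!passwordMeetsPolicy($password)) {
        return false;
    }
    // bcrypt with a random salt generated by password_hash(); the cleartext is never stored.
    $hash = password_hash($password, PASSWORD_BCRYPT);
    $stmt = $db->prepare('INSERT INTO users (username, pw_hash) VALUES (:u, :h)');
    return $stmt->execute([':u' => $username, ':h' => $hash]);
}

// A real bcrypt hash of a throwaway value, used so "unknown user" costs the same as "wrong password".
function dummyHash(): string {
    static $hash = null;
    return $hash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_BCRYPT);
}

function loginUser(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT pw_hash FROM users WHERE username = :u'); // bound parameter, no SQL injection
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Always run password_verify() so both failure paths take roughly the same time.
    $ok = password_verify($password, $row ? $row['pw_hash'] : dummyHash()) && $row !== false;
    if ($ok) {
        session_regenerate_id(true);          // defeat session fixation on privilege change
        $_SESSION['user'] = $username;
        $_SESSION['auth_time'] = time();      // used for re-authentication below
        if (password_needs_rehash($row['pw_hash'], PASSWORD_BCRYPT)) {
            $db->prepare('UPDATE users SET pw_hash = :h WHERE username = :u')
               ->execute([':h' => password_hash($password, PASSWORD_BCRYPT), ':u' => $username]);
        }
    } else {
        error_log("failed login for user '{$username}'"); // logged, never echoed
    }
    return $ok;
}

// Risky operations (password change, payment) require a fresh login; 300 s is an assumed window.
function requireRecentAuth(int $maxAgeSeconds = 300): bool {
    return isset($_SESSION['user'], $_SESSION['auth_time'])
        && (time() - $_SESSION['auth_time']) <= $maxAgeSeconds;
}

// Constructed demonstration run (CLI):
var_dump(registerUser($db, 'alice', 'short'));              // bool(false): fails policy
var_dump(registerUser($db, 'alice', 'correct horse 42'));   // bool(true)
var_dump(loginUser($db, 'alice', 'wrong password 1'));      // bool(false)
var_dump(loginUser($db, 'nobody', 'correct horse 42'));     // bool(false), same cost as above
var_dump(loginUser($db, 'alice', 'correct horse 42'));      // bool(true)
var_dump(requireRecentAuth());                              // bool(true) right after login
$token = csrfToken();
var_dump(csrfValid($token), csrfValid('forged'));            // bool(true) bool(false)
```

In a real form handler the token from `csrfToken()` goes into a hidden field and `csrfValid($_POST['csrf'])` is checked before any state change; the session settings shown above are normally placed in `php.ini` rather than set per request, and the whole site should be served over TLS so the `cookie_secure` flag does not lock users out.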