I've been developing a PHP-based CMS for use on my robotics team's website. Sure, there's plenty of other platforms out there, but what's the fun in that?
In all seriousness, though, we do receive extra points for being able to say that we did more than make a template for Drupal or WP. This is a bit unrelated, but I'd like to be able to release the CMS as FOSS one day, but it will definitely have to mature and be more secure. But I digress.
I've reached the point in developing this system where I need a login system. This has caused more frustration than I expected. I can be meticulous when it comes to security, and this isn't much of an exception. The problem is, I know how to take care of database security (trust no user input, store passwords as a hash with a random salt, etc.), but I lack the knowledge to make a good client-server system. A few questions in this regard: How secure would it be to use session variables? How would one implement session variables correctly in this regard? Should the session cookie be regenerated at every pageview? You give up much security when using cookies to keep the user logged in for any amount of time, but what are the best practices for implementing this kind of system?
A good tutorial on this subject would greatly help, also.
Thanks for your time.
If you're wanting to actually learn more about the problem/solution, rather than copy/pasting somebody else's code, check out this article:
http://jaspan.com/improved_persistent_login_cookie_best_practice
Excellent resource for persistent cookie management; although it doesn't give you the code, it gives you a good grounding/concept to create a more secure login system.
Of course the most secure PHP login system is one that doesn't have persistent login functionality, as user credentials are never stored anywhere apart from the server.
Erm, explaining all the issues would fill a good-sized book, never mind solutions to them.
The Reader's Digest version of the abridged executive summary of the idiot's guide is:
- use SSL
- make sure the secure and httponly flags are set for session cookies (go read up on session hijacking, MITM attacks)
- regenerate the session id at login (go read up on session fixation) and logout
- implement an abstraction layer over the authentication and authorization system
- implement a separate layer of abstraction over each of these two components
- do implement a per-page authorization check
- work out in advance if you need to partition your data in terms of visibility/access
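To show what the cookie flags, the ID regeneration at login/logout and the per-page check in that list look like in practice, here is an added PHP sketch; it is not the answerer's code. It assumes HTTPS is already configured, that `find_user_by_name()` is a hypothetical lookup returning the stored password hash, and PHP 7.3+ for the array form of `session_set_cookie_params()`.

```php
<?php
// Added example: hardened session handling skeleton (not from the original post).
// Assumes HTTPS is in place; find_user_by_name() is a hypothetical helper.
declare(strict_types=1);

function start_secure_session(): void
{
    // Cookie flags: only over TLS, not readable by JavaScript, not sent cross-site.
    session_set_cookie_params([
        'lifetime' => 0,          // browser-session cookie, gone when the browser closes
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // reject IDs the server never issued (fixation)
    ini_set('session.use_only_cookies', '1'); // never accept the session ID from the URL
    session_start();
}

function login(string $username, string $password): bool
{
    $user = find_user_by_name($username); // hypothetical: ['id' => ..., 'hash' => ...] or null
    if ($user === null || !password_verify($password, $user['hash'])) {
        return false;
    }
    // Fresh ID on privilege change so a pre-set (fixated) ID never becomes authenticated.
    session_regenerate_id(true);
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true); // orphan the old ID before destroying the session
    session_destroy();
}

// Per-page authorization check: call at the top of every protected page.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 303);
        exit;
    }
}
```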
Use some already existing libraries like http://freakauth.4webby.com/
Why reinvent the wheel!
Well, a lot of information can be found here:
The definitive guide to form-based website authentication
Clicking through on some of the links on that page will improve your knowledge on safety and login questions/issues/problems/solutions/...