Thursday, 22 December 2011

Secure PHP login Introduction


Hello again all!

Firstly I'm very happy to see a few people have read my blog already!  I wasn't expecting anyone to see this yet, but I'm very grateful people have done.  I know I only just made my first blog post today but as you may have noticed in there I've already started one of my projects and I've almost reached the first milestone :).  So in this post I'm going to write about what this project is, what I'm hoping it will accomplish and some of the features it will have.

What I'm trying to build is a generic class for a secure PHP login system which will be easily integrated into most sites and used as an authentication system.  I've started building this a few weeks ago between my other work but today I've create a Google code project for it and committed what I've done so far, currently it's not at a stage where it is usable but it's very close but I'd say there's around 20% left to go including testing before it's at a stage where it could be implemented.  My main motivation for creating this is so when I'm building CMS system (I have a few sites I want to make for my self which could use this), I don't have to keep recreated all or even just part of the authentication system.

Currently the Google code project for this doesn't have much on it but I will be adding to the Wiki soon which will technical information about how the code actually works and why things have been done the way they have.  I would like to point out that although I have been coding for some time I am by no means a self-proclaimed expert so if you see any flaws, either in the code itself or even in some of my general concepts please do leave comments or send me a message about it.

I've covered what I basically want this project to achieve here is a list of features I'd eventually want to have built in:

  • Secure login page that knows what page you were originally requesting and forwards you onto it after successful authentication.
  • Authenticating the user with each server request 'behind the scenes' so they are not re-entering their password each time.
  • Protect against hacking attempts such as session hijacking, session fixation, sql injections and others (leave a comment about any you can think of).
  • Sanitise any inputs that come from outside the class, including the database it is pulling data from.
  • Have configuration options to customise aspects of the class, such as what the salt & pepper (will be explained in another post soon) is, the table storing user credentials and more.
  • Two factor authentication compatible with various methods such as YubiKey, one time codes generated on the server, Google authenticate one time code generator (like the one that can be enabled for any Google account).
  • Login using other authentication services such as Google, Facebook, OpenID and others.
This post has gotten quite long now so I'll leave it there, if there are any other features you think would be good or security concerns I should look out for please leave a comment.

No comments:

Post a Comment