You must log in or register to comment.


DissidentRage wrote (edited )

I don't know of any tutorials off-hand but I can offer some points to take into consideration. I don't write these systems by hand much these days since frameworks tend to be able to take care of it, so perhaps take my advice with a grain of salt:

  • PHP as of 5.5 does have a password hashing library, and as of 7.2 supports the Sodium library with Argon password hashing. A StackOverflow thread seems to have good advice.

  • Take login throttling into account. Use caching (rather than sessions which can be initiated with different clients) to keep track of the number of times a user at a given IP address has attempted to log in. If they make more attempts than you permit in a given amount of time, report to the user that you aren't allowing more attempts from their location.

  • Don't give any indication that the user exists if they get their password wrong or request a reset for an account. For the former just say that the credentials don't exist, for the latter state that an e-mail is sent if the account exists. Indicating positively that an account exists invites more attempts to get into that account.

  • Captchas are good for verifying human users, but another way that's not dependent on Javascript is using the honeypot technique. This means putting in a fake field that is hidden from real users but detected by bot scripts as legitimate fields. Bot scripts will attempt to fill them in with "realistic" data. You will check them for alterations. If it has been altered, it's not a legitimate request.

  • Using MariaDB should be similar to MySQL. The best way to do database operations in PHP would be via PDO if you don't already use that. You can use prepared statements to intelligently and securely insert data into a query.


alqm wrote

Thanks, that will help get me started. Nice trick, the honeypot technique :D