Secure authentication in PHP

2019-05-18 21:57发布

问题:

Let me rephrase my last question, what PHP library or framework can I use for professional and secure authentication? Extra points if your idea helps implement account Control Panel features (change password, edit profile).

How do you pros do it? Have you ever done trustworthy authentication using PHP?

回答1:

I personally really like the symfony framework and its sfGuard plugin. It provides very easy to configure authentication. It hashes and salts all the passwords and provides a backend interface to manage users, groups and permissions.

Symfonys routing and configuration makes it very simple to set a secure flag on every page or even "area" of your web site. I have had no need to look elsewhere when building a secure web site.

  • Symfony
  • sfGuard


回答2:

An advanced authentication library I have developed is ulogin.sourceforge.net. It has support for remember-me, various brute force prevention methods and also secures your sessions against hijacking/fixation/replay. It also supports multiple user databases like sql/ldap etc. If you are not using a PHP framework like Cake/CI, I honestly recommend it.



回答3:

Have you checked out Drupal? It provides authentication over ssl and it doesn't store passwords as plaintext in the database. And a it's "Control Panel" features are pretty good.



回答4:

ESAPI has a general framework that you can use, it will take a little bit of rewiring but it is solid for what you are looking for. And of course, authenticate over SSL, don't store auth information on the client, etc