5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID
alexwebdevelop.com
If you have User Authentication in place, chances are you need it in many of your scripts.
For example, some pages of your web application are probably accessible to registered
users only and they need to authenticate the remote user right at the beginning.
That means that you need to replicate the authentication procedure in many different
places of your application.
A very common mistake is to duplicate all the authentication logic over and over again in
each script. Often, the whole authentication procedure is duplicated, including:
This is not good. Code duplication is a well-known bad programming practice that leads
to several kinds of problems.
The code becomes hard to read, and maintenance gets difficult, because every script
that contains a copy of the code has to be changed whenever the logic changes.
The fact is: it doesn’t make sense to have the same piece of code repeated multiple times.
Instead, keep the authentication logic in one place like a class or a procedural “include”
file (usually, a class is the best choice).
A PHP authentication procedure is, first of all, just PHP code. And as such, there are some
security best practices to be observed.
Unfortunately, sometimes we forget about that and we fail to be strict enough with the
input variables we use in our authentication procedure.
That is, the input variables are used without any kind of validation.
A well written class should perform its own validation checks (like the one you can
download here), but you cannot always assume it’s safe to do so.
Error handling is like commenting: everybody knows it’s necessary, but nobody really
wants to do it.
A lot of things can go wrong when dealing with user authentication. Variable validation
could fail, or an SQL query could return an error.
When an unexpected condition arises, the result becomes unreliable. Can you trust the
authentication outcome in such a case?
If you don’t check and catch error conditions, you cannot trust the authentication system.
In fact, a malicious attacker could even try to exploit this weakness.
The best way to signal error conditions is by using Exceptions. An alternative is to use
function return values, but that is not always an option.
Of course, it’s important to carefully check for every possible error condition, including
query errors, variable validation failures, and so on.
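The three points above (one shared authentication class, strict input validation, and exceptions for every failure) fit together in a single class. The following is an added example written for this guide, not the author's downloadable class; the table and column names (accounts, account_name, account_passwd_hash, account_enabled) and the in-memory SQLite database are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide. Table/column names and the
// SQLite in-memory database are assumptions chosen for this demonstration.

class AuthenticationException extends RuntimeException {}

final class Authenticator
{
    private string $dummyHash;

    public function __construct(private PDO $db)
    {
        // Used when the username is unknown, so the password check still runs
        // and "unknown user" takes about as long as "wrong password".
        $this->dummyHash = password_hash(bin2hex(random_bytes(8)), PASSWORD_DEFAULT);
    }

    /**
     * Returns the account id on success and throws AuthenticationException
     * on every failure: bad input, query error, unknown user, wrong password
     * or disabled account. The caller never sees an ambiguous result.
     */
    public function authenticate(string $username, string $password): int
    {
        // 1. Validate the input before it goes anywhere near the database.
        if ($username === '' || strlen($username) > 64
            || !preg_match('/^[A-Za-z0-9_.-]+$/', $username)) {
            throw new AuthenticationException('Invalid username format.');
        }
        if ($password === '' || strlen($password) > 1024) {
            throw new AuthenticationException('Invalid password length.');
        }

        // 2. Query errors surface as PDOException (ERRMODE_EXCEPTION) and are
        //    wrapped, so a broken query can never look like a successful login.
        try {
            $stmt = $this->db->prepare(
                'SELECT account_id, account_passwd_hash, account_enabled
                 FROM accounts WHERE account_name = :name'
            );
            $stmt->execute([':name' => $username]);
            $row = $stmt->fetch(PDO::FETCH_ASSOC);
        } catch (PDOException $e) {
            throw new AuthenticationException('Authentication query failed.', 0, $e);
        }

        // 3. Always verify a hash, then decide with one combined check.
        $hash  = $row['account_passwd_hash'] ?? $this->dummyHash;
        $valid = password_verify($password, $hash);
        if ($row === false || !$valid || (int) $row['account_enabled'] !== 1) {
            throw new AuthenticationException('Invalid credentials.');
        }
        return (int) $row['account_id'];
    }
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (
    account_id          INTEGER PRIMARY KEY,
    account_name        VARCHAR(64)  NOT NULL UNIQUE,
    account_passwd_hash VARCHAR(255) NOT NULL,
    account_enabled     INTEGER      NOT NULL DEFAULT 1)');
$db->prepare('INSERT INTO accounts (account_name, account_passwd_hash) VALUES (?, ?)')
   ->execute(['john', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

$auth = new Authenticator($db);
$attempts = [
    ['john', 'correct horse battery staple'],  // valid credentials
    ['john', 'wrong-password'],                // wrong password
    ["john'; --", 'anything'],                 // rejected by validation, never reaches SQL
];
foreach ($attempts as [$u, $p]) {
    try {
        printf("%s: accepted, account_id=%d\n", $u, $auth->authenticate($u, $p));
    } catch (AuthenticationException $e) {
        printf("%s: rejected (%s)\n", $u, $e->getMessage());
    }
}
```

Every script that needs authentication calls `authenticate()` and catches `AuthenticationException`; the validation rules, the query and the error handling exist in exactly one place, which is the point of the first section, and a script that forgets the `catch` fails loudly instead of silently letting the user through.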
Don’t worry: I’m not saying you should not use Sessions! (I use them in my tutorial too)
For example, suppose you have a Session-based login, and that you want these sessions
to last 7 days.
You may be tempted to just set the Session cookie timeout to 7 days… but that would be
a mistake.
In fact, cookies are under the client's control and can easily be forged, so a malicious
user could stay connected even after the 7 days just by keeping the cookie alive (yes,
it's doable).
Another example?
$_SESSION['authenticated'] = true;
$_SESSION['username'] = 'John';
You should avoid this. In fact, what if the user has disconnected from another device?
What if the username has been changed?
If the information is kept in the Session array itself, it cannot be updated easily unless that
specific Session is open.
Instead, just use the Session ID or any other cookie-related ID to authenticate the remote
user, and store all the information on the database linked to that ID (including the
timeout).
This way, the account information will always be up to date and under your control.
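The following added example (written for this guide, not the author's tutorial code) shows the discouraged pattern beside the recommended one: the cookie carries only a session ID, while the account link and the expiry live in a sessions table on the server. The sessions and accounts tables, their column names, and the in-memory SQLite database are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide. Table and column names
// and the SQLite in-memory database are assumptions for this demonstration.

// The pattern the text warns against: authentication state lives only in the
// session array, so a logout from another device or a renamed account is never seen.
function loginInSessionOnly(string $username): void
{
    $_SESSION['authenticated'] = true;
    $_SESSION['username'] = $username;
}

// The recommended pattern: the client holds nothing but an opaque session id.
final class DbSessionGuard
{
    public function __construct(private PDO $db, private int $ttlSeconds = 7 * 24 * 3600) {}

    // Called once after the password check succeeds: bind the session id to the
    // account and record the expiry on the server, not in the cookie lifetime.
    public function open(string $sessionId, int $accountId): void
    {
        $stmt = $this->db->prepare(
            'INSERT INTO sessions (session_id, account_id, session_expires)
             VALUES (:sid, :aid, :exp)'
        );
        $stmt->execute([
            ':sid' => $sessionId,
            ':aid' => $accountId,
            ':exp' => time() + $this->ttlSeconds,
        ]);
    }

    // Called on every request: returns the current account name, or null when the
    // session is unknown, has expired server-side, or its account was disabled.
    public function currentUser(string $sessionId): ?string
    {
        $stmt = $this->db->prepare(
            'SELECT a.account_name
             FROM sessions s
             JOIN accounts a ON a.account_id = s.account_id
             WHERE s.session_id = :sid AND s.session_expires > :now AND a.account_enabled = 1'
        );
        $stmt->execute([':sid' => $sessionId, ':now' => time()]);
        $name = $stmt->fetchColumn();
        return $name === false ? null : (string) $name;
    }

    // "Log out everywhere": deleting the rows revokes every device at once, which
    // is impossible when the flag lives inside each device's own $_SESSION.
    public function closeAll(int $accountId): void
    {
        $stmt = $this->db->prepare('DELETE FROM sessions WHERE account_id = :aid');
        $stmt->execute([':aid' => $accountId]);
    }
}

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE accounts (
    account_id INTEGER PRIMARY KEY, account_name TEXT NOT NULL, account_enabled INTEGER NOT NULL DEFAULT 1)');
$db->exec('CREATE TABLE sessions (
    session_id TEXT PRIMARY KEY, account_id INTEGER NOT NULL, session_expires INTEGER NOT NULL)');
$db->exec("INSERT INTO accounts (account_id, account_name) VALUES (1, 'John')");

$guard = new DbSessionGuard($db);
$sid = bin2hex(random_bytes(16));   // stands in for session_id() in a real request
$guard->open($sid, 1);
var_dump($guard->currentUser($sid));

// The account is renamed on the server: the very next request sees the new name.
$db->exec("UPDATE accounts SET account_name = 'Johnny' WHERE account_id = 1");
var_dump($guard->currentUser($sid));

// Logged out from another device: this cookie is now useless, whatever its lifetime.
$guard->closeAll(1);
var_dump($guard->currentUser($sid));
```

The three `var_dump` calls show the difference in practice: the first returns the name, the second already returns the renamed account, and the third returns null because the server-side row is gone, even though the client still holds a perfectly valid-looking cookie. With `loginInSessionOnly()` neither of the last two changes would ever reach the logged-in device.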
If you are creating a PHP authentication system, chances are you also need to design the
database tables your system will use.
In that case, here are a few tips to avoid some database design mistakes:
3. Keep in mind that password hashes can be much longer than the password itself. I
suggest you use a varchar column for this purpose.
4. While it’s impossible to design the perfect database right from the start, try to think
about what you may need in the future. For example, information like the account
creation time, a flag for enabling/disabling the account, an expiry date or an “account
class” field…
5. Create a "log" table in which to record account-related activities, like successful and
failed authentication attempts. One day that information will be very useful.
6. Use a "smart" naming technique for table columns. My strategy is to use the table
name as a prefix for every column. So, for example, the accounts table's columns
could be: account_id, account_name, account_passwd_hash and so on.
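The following added example (not the author's schema) puts tips 3 to 6 into one small schema: a varchar column sized for long hashes, a creation time, an enabled flag, an expiry date and an account class, a log table, and the table-name column prefix. The exact column set, the event names and the in-memory SQLite database are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original guide. Column set, event names and
// the SQLite in-memory database are assumptions for this demonstration.

function createAuthSchema(PDO $db): void
{
    // Every column is prefixed with its table name (tip 6).
    $db->exec("CREATE TABLE accounts (
        account_id          INTEGER PRIMARY KEY,
        account_name        VARCHAR(64)  NOT NULL UNIQUE,
        account_passwd_hash VARCHAR(255) NOT NULL,           -- room for longer hashes (tip 3)
        account_created     INTEGER      NOT NULL,           -- unix time (tip 4)
        account_enabled     INTEGER      NOT NULL DEFAULT 1, -- enable/disable flag (tip 4)
        account_expires     INTEGER      NULL,               -- NULL = never expires (tip 4)
        account_class       VARCHAR(32)  NOT NULL DEFAULT 'user'
    )");
    // Account activity log (tip 5). log_account_id is NULL when the name was unknown,
    // and log_username keeps what was typed so failed attempts can be analysed.
    $db->exec("CREATE TABLE log (
        log_id         INTEGER PRIMARY KEY,
        log_account_id INTEGER     NULL,
        log_username   VARCHAR(64) NOT NULL,
        log_event      VARCHAR(32) NOT NULL,   -- e.g. login_ok, login_failed
        log_ip         VARCHAR(45) NOT NULL,   -- long enough for an IPv6 address
        log_time       INTEGER     NOT NULL
    )");
}

function logAuthEvent(PDO $db, ?int $accountId, string $username, string $event, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO log
        (log_account_id, log_username, log_event, log_ip, log_time)
        VALUES (:aid, :name, :event, :ip, :now)');
    $stmt->execute([
        ':aid' => $accountId, ':name' => $username,
        ':event' => $event, ':ip' => $ip, ':now' => time(),
    ]);
}

// One of the ways the log becomes "very useful": counting recent failed logins
// for a username, which a login script can use to slow down or alert on bursts.
function recentFailures(PDO $db, string $username, int $windowSeconds = 900): int
{
    $stmt = $db->prepare("SELECT COUNT(*) FROM log
        WHERE log_username = :name AND log_event = 'login_failed' AND log_time > :since");
    $stmt->execute([':name' => $username, ':since' => time() - $windowSeconds]);
    return (int) $stmt->fetchColumn();
}

// Constructed in-memory database and sample events so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
createAuthSchema($db);
$db->prepare('INSERT INTO accounts (account_name, account_passwd_hash, account_created)
              VALUES (?, ?, ?)')
   ->execute(['john', password_hash('example-password', PASSWORD_DEFAULT), time()]);

// Constructed events: two failures followed by a success, plus an unknown name.
logAuthEvent($db, 1, 'john', 'login_failed', '203.0.113.10');
logAuthEvent($db, 1, 'john', 'login_failed', '203.0.113.10');
logAuthEvent($db, 1, 'john', 'login_ok', '203.0.113.10');
logAuthEvent($db, null, 'admin', 'login_failed', '203.0.113.10');

echo 'Failed logins for john in the last 15 minutes: ', recentFailures($db, 'john'), PHP_EOL;
```

The hash column is deliberately wider than any hash PHP's `password_hash()` produces today, so switching `PASSWORD_DEFAULT` to a longer algorithm later does not require a schema change, and the log keeps the typed username separately from the account id so attempts against non-existent accounts are recorded too.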
WHAT TO DO NEXT?
Join my Facebook group, Alex PHP café, to talk with me and other PHP developers
like you.
All the images in this PDF have been downloaded from Freepik.