5 PHP AUTHENTICATION

MISTAKES YOU
MUST AVOID
alexwebdevelop.com 5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID

#1 – THE “DUPLICATE CODE HORROR”

If you have User Authentication in place, chances are you need it in many of your scripts.

For example, some pages of your web application are probably accessible to registered
users only and they need to authenticate the remote user right at the beginning.

That means that you need to replicate the authentication procedure in many different
places of your application.

WARNING: Code Duplication risk!

A very common mistake is to duplicate all the authentication logic over and over again in
each script. Often, the whole authentication procedure is duplicated, including:

• Reading the request string

• Executing the SQL query
• Checking the user credentials
• Setting up the user variables

This is not good. In fact, code duplication is a well-known programming bad practice that
can lead to different kinds of issues.

The code becomes poorly readable. Code maintenance gets difficult, because you need
to change all the scripts where the code has been used.

The fact is: it doesn’t make sense to have the same piece of code repeated multiple times.

Instead, keep the authentication logic in one place like a class or a procedural “include”
file (usually, a class is the best choice).
alexwebdevelop.com 5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID

#2 – FORGETTING ABOUT INPUT VALIDATION

Let’s get this clear right away:

A PHP authentication procedure is, first of all, just PHP code. And as such, there are some
security best practices to be observed.

Unfortunately, sometimes we forget about that and we fail to be strict enough with the
input variables we use in our authentication procedure.

A concrete example? Here it is:

$account = new Account();

$auth = $account->login($_POST[‘username’], $_POST[‘password’]);

Do you see the problem?

Yes: the input variables are used without any kind of validation.

A well written class should perform its own validation checks (like the one you can
download here), but you cannot always assume it’s safe to do so.

What if $_POST[‘username’] is empty? What if it contains weird characters? What if

it’s too long?

Take home message:

Never assume that your authentication system can validate its input variables for you.
Validate every input variable as soon as it is read from the request string, before using it
in a function or a class method.
alexwebdevelop.com 5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID

#3 – NOT HANDLING ERRORS

Error handling is like commenting: everybody knows it’s necessary, but nobody really
wants to do it.

A lot of things can go wrong when dealing with user authentication. A variable validation
could fail, or an SQL query error may occur.

What happens then?

When an unexpected condition arises, the result becomes unreliable. Can you trust the
authentication outcome in such a case?

If you don’t check and catch error conditions, you cannot trust the authentication system.
In fact, a malicious attacker could even try to exploit this weakness.

When an error or an unexpected event happens, the authentication procedure should

stop and a proper action should be taken (for example, display a “maintenance” message
to the client).

The best way to signal error conditions is by using Exceptions. An alternative is to use
function return values, but that is not always an option.

Of course, it’s important to carefully check for every possible error condition, including
query errors, variable validation failures, and so on.
alexwebdevelop.com 5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID

#4 – RELYING TOO MUCH ON SESSIONS

Don’t worry: I’m not saying you should not use Sessions! (I use them in my tutorial too)

However, it’s important not to rely too much on it.

For example, suppose you have a Session-based login, and that you want these sessions
to last 7 days.

You may be tempted to just set the Session cookie timeout to 7 days… but that would be
a mistake.

In fact, cookies can easily be forged, and a malicious user could stay connected even after
the 7 days just by keeping the cookie alive (yes, it’s doable).

Another example?

A common practice is to keep authentication-related information in the Session array,

like this:

$_SESSION[‘authenticated’] = true;
$_SESSION[‘username’] = ‘John’;

You should avoid this. In fact, what if the user has disconnected from another device?
What if the username has been changed?

If the information is kept in the Session array itself, it cannot be updated easily unless that
specific Session is open.

Instead, just use the Session ID or any other cookie-related ID to authenticate the remote
user, and store all the information on the database linked to that ID (including the
timeout).

This way, the account information will always be up to date and under your control.
alexwebdevelop.com 5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID

#5 – USING A POOR DATABASE DESIGN

If you are creating a PHP authentication system, chances are you also need to design the
database tables your system will use.

In that case, here are a few tips to avoid some database design mistakes:

1. Set a dedicated ID column as primary key for every

table, even if there are other unique keys. For example,
even if account names are unique, do not use the
name column as the primary key. Use an “account_id”
column instead.

2. Do not store optional account data in the same table

as the mandatory data. Use one table for the account
name, password hash etc., and a separate table for
other information that may or may not be added
(birth date, address…).

3. Keep in mind that password hashes can be much longer than the password itself. I
suggest you use a varchar column for this purpose.

4. While it’s impossible to design the perfect database right from the start, try to think
about what you may need in the future. For example, information like the account
creation time, a flag for enabling/disabling the account, an expiry date or an “account
class” field…

5. Create a “log” table where to log account-related activities, like successful and failed
authentication attempts. One day that information will be very useful.

6. Use a “smart” naming technique for tables’ columns. My strategy is to use the table
name as a prefix for every column. So, for example, the accounts table’s column
could be: account_id, account_name, account_passwd_hash and so on.
alexwebdevelop.com 5 PHP AUTHENTICATION MISTAKES YOU MUST AVOID

WHAT TO DO NEXT?

Send me an email at alex@alexwebdevelop.com and tell me what you think about

this checklist.

Join my Facebook group, Alex PHP café, to talk with me and other PHP developers
like you.

Go back to my PHP Login and Authentication tutorial on my blog.

All the images in this PDF have been downloaded from Freepik.