1

This has been asked many times, but none of the answers are satisfying, I looked online for secure tutorials but I have not found something good enough you would want to use in an important website. It just seems like there are so many ways to get around security.

Does anyone know of a GOOD one? What do you guys do when you build a website that needs something like this?

Mankind1023
  • There are a lot of (many open source) good ones out there. You are saying you haven't found one "good enough". It would help if you defined your requirements prior to asking the question of what's the better one. So, what are your requirements for the system? Remember, no language or system will ever free you from the burden of clarifying your ideas (from http://www.xkcd.com/568/)... – ircmaxell Jun 17 '10 at 15:56
  • Basically something you would use in a site storing important info, like credit cards and such where you can't really afford to have a break in. – Mankind1023 Jun 17 '10 at 16:13
  • That's still not a set of requirements. You need to go figure out what you need the authentication to do and then look for auth systems that will do it. I'm assuming that the site will be under SSL the entire time (since as you say, it's for "important info")... If that's the case, one example of a requirement would be to use both the HTTP_ONLY and SSL cookie flags for any cookie set... – ircmaxell Jun 17 '10 at 16:26
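
The cookie flags ircmaxell names in the last comment, HttpOnly and Secure, as an added example that is not code from the question or its comments. It assumes PHP 7.3 or later (array form of `session_set_cookie_params()` and `setcookie()`), a site served entirely over HTTPS, and no cookie sharing across subdomains; the function names are illustrative.

```php
<?php
// Added example (not from the question or its comments): configuring the PHP
// session cookie with the HttpOnly and Secure flags. Assumes PHP 7.3+ and a
// site served entirely over HTTPS.

// Weak: the defaults leave the cookie readable by JavaScript and sendable over
// plain HTTP, so an XSS bug or a downgraded connection can expose the session id.
// session_start();

// Hardened: set the flags before session_start() so they apply to the cookie
// PHP emits.
function configure_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // expire when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only (assumption: no subdomain sharing)
        'secure'   => true,     // only sent over TLS
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Strict', // not sent on cross-site requests; helps against CSRF
    ]);
    // Refuse session ids the server never issued (session fixation).
    ini_set('session.use_strict_mode', '1');
    // Accept the session id only from the cookie, never from the URL.
    ini_set('session.use_only_cookies', '1');
    session_start();
}

// Same flags for any application cookie set by hand.
function set_secure_cookie(string $name, string $value, int $ttlSeconds): bool
{
    return setcookie($name, $value, [
        'expires'  => time() + $ttlSeconds,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
}

// Rotate the session id after a successful login so an id fixed before
// authentication cannot be reused afterwards.
function login_user(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}
```

Call `configure_secure_session()` at the top of every page before any output is sent; the equivalent `session.cookie_secure` and `session.cookie_httponly` settings can also be fixed once in `php.ini` so a page that forgets the call still gets the flags.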

4 Answers

3

With security, the best plan is to not do it yourself; leave it to the experts... and I'm someone with a severe case of "Not Built Here" syndrome.

If you want to learn security, write it yourself, but don't use it in a prod environment.

If you need to learn security, I suggest at least reading You're Probably Storing Passwords Incorrectly on Coding Horror and reading Essential PHP Security.

If you need security in a prod environment, get a library from a trustworthy professional source, and use it. I suggest OpenID.

Richard JP Le Guen
  • Yes I need to learn security, I've been looking around at tutorials, different attack types, how to prevent them, etc. but not sure where to go from here. – Mankind1023 Jun 17 '10 at 15:57
1

You can get general but useful info here - The Definitive Guide To Website Authentication (beta).

Bakhtiyor
0

Download open source frameworks or CMSs, dive in the code and see how it is done :) Example: Drupal !

redben
  • Not many open source frameworks or CMSs are written with security as a primary focus. – Jacco Jun 17 '10 at 16:02
  • Plus they are open source, anyone can look in there to see how things work! They are good for very basic sites that a logged user can't really do too much damage though. – Mankind1023 Jun 17 '10 at 16:24
  • No sir. Drupal for instance has a whole team that's only concerned by security in the project http://drupal.org/security On the other hand, because it is open source and anyone can look at the source (not only black hats) vulnerabilities are easier to spot and correct :) – redben Jun 17 '10 at 16:52
  • @Murtez - obscurity is the poorest form of security: http://en.wikipedia.org/wiki/Kerckhoffs%27_principle – Richard JP Le Guen Jun 17 '10 at 17:37
0

I use a permission-based system where every user belongs to a group and every group has a set of permissions; in every form I use a nonce field to prevent 'accidental' submitting, and if it's really important I check user passwords with crypt and don't allow weak ones.

EDIT: you could also use email verification for really important commands.

Javier Parra
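
The three pieces this answer lists (a per-form nonce, crypt-based password storage that rejects weak passwords, and group-based permissions) as an added example; this is not Javier's own code. It assumes PHP 7.3 or later with a session already started; `password_hash()` is PHP's wrapper around `crypt()` using bcrypt with a fresh random salt per user. The function names, the permission table and the weak-password rules are constructed for illustration.

```php
<?php
// Added example (not the answerer's own code). Assumes PHP 7.3+ and that
// session_start() has already been called. Names and tables are illustrative.

// --- 1. Per-form nonce (CSRF token) ----------------------------------------
// Issue a random token, keep it in the session, embed it in the form as a
// hidden field.
function form_nonce(): string
{
    if (empty($_SESSION['form_nonce'])) {
        $_SESSION['form_nonce'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['form_nonce'];
}

// On submit: constant-time comparison, then discard the nonce so the same form
// cannot be posted twice (this is what catches the 'accidental' resubmit).
function check_form_nonce(?string $submitted): bool
{
    $expected = $_SESSION['form_nonce'] ?? '';
    unset($_SESSION['form_nonce']);
    return $submitted !== null
        && $expected !== ''
        && hash_equals($expected, $submitted);
}

// --- 2. Passwords: reject weak ones, store only a crypt()-style hash --------
function is_weak_password(string $pw): bool
{
    // Constructed sample deny-list; a real one would be much longer.
    static $common = ['password', '123456', 'qwerty', 'letmein'];
    return strlen($pw) < 12 || in_array(strtolower($pw), $common, true);
}

function store_password(string $pw): string
{
    if (is_weak_password($pw)) {
        throw new InvalidArgumentException('password too weak');
    }
    // bcrypt via crypt(); the salt is generated and embedded in the result.
    return password_hash($pw, PASSWORD_BCRYPT, ['cost' => 12]);
}

function verify_password(string $pw, string $storedHash): bool
{
    return password_verify($pw, $storedHash);
}

// --- 3. Group-based permissions ---------------------------------------------
// Constructed sample: each user belongs to one group; each group holds a set
// of permission names. Real code would load this from the database.
const GROUP_PERMISSIONS = [
    'admin'  => ['post.read', 'post.write', 'user.delete'],
    'editor' => ['post.read', 'post.write'],
    'viewer' => ['post.read'],
];

function user_can(string $group, string $permission): bool
{
    // Unknown group => empty permission set, i.e. deny by default.
    return in_array($permission, GROUP_PERMISSIONS[$group] ?? [], true);
}

// A request handler that applies the nonce check before the permission check.
function handle_delete_user(array $post, string $group): string
{
    if (!check_form_nonce($post['nonce'] ?? null)) {
        return '403: bad or missing form nonce';
    }
    if (!user_can($group, 'user.delete')) {
        return '403: group lacks user.delete';
    }
    // ... perform the deletion here ...
    return '200: deleted';
}
```

In the form template the nonce goes into a hidden field, `<input type="hidden" name="nonce" value="<?= htmlspecialchars(form_nonce()) ?>">`, and the handler reads it back from `$_POST['nonce']`. The nonce is consumed on first use, so a legitimate double-click gets a 403 rather than a second deletion, which is the behaviour the answer is after.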