I was thinking of writing my own authentication script but I don’t know much about security.
From the articles I’ve reading, it looks like it usually involves hashing the password with a salt and storing it in the database. Then when user requests to log in, password is hashed and compared with the database. If it matches, then the user’s data is stored in $_SESSION.
However, I don’t know if this is secure or not. I read something about storing session keys in the database but I’m not sure about how that works, or how to implement that.
Can someone explain how to implement secure authentication?
Also, are there any suggestions for PHP authentication libraries I can incorporate that are easy to learn instead of writing my own?
Check this answer here.
Although the answer is 3 years old, the suggested phpass library is up to date.
Also, +1 to Aron Cederholm. Password security is an extensive subject and you should look first at the related questions already discussed here on StackOverflow so you will be more familiar with the subject and best practices in security.
Although I like frameworks (Symfony, Zend, etc) as they generally implement these good practices, just using them don’t make you a good programmer. You have to learn its inner workings. I always salute a programmer dwelving into coding his own secure authentication mechanism (as long as they don’t implement it in a live site that really needs strong security), because that’s the best way to learn and understand the inners of the subject. Always start from an existing implementation, and THEN use that as an example for creating your own codebase.