I’m trying to think out my user authentication system for a site in development and have read many of the posts on stack overflow and elsewhere to get my head around this. I found a couple of options I was wondering if this one looks like a decent starting point:
http://php.about.com/od/finishedphp1/ss/php_login_code_6.htm
It appears to encrypt the passwords and avoid some of the obvious pitfalls.
Also, perhaps a silly question, but I want to use the authentication for 2 reasons:
1. To provide the user with some extra functionality on an otherwise public page. (Think “Hello [username]” at the top of the page).
2. Provide user access to private pages also.
These 2 types of applications (login = added stuff on public page versus login=access to private page) are reliant on the same authentication, right?
In other words, whether I wanted to do one or the other or both shouldnt’ impact how I think about authentication, correct?
Please let me know if I’m asking for trouble by using an about.com tutorial for this….
Thanks in advance.
FOLLOW UP EDIT:
Ok, so the about.com tutorial has some holes. I found a more complete system below that appears to use SHA1 encryption instead. This also has an email verification for new users and some other nice functionality. At first glance, does this seem like a solid route to take?
http://www.unlimitedtree.com/topic/1503-tutadvanced-login-member-system-php-tutorial/
Yes, you are asking for trouble. There are several reasons why I would avoid the about.com approach:
Security is a complex topic. I recommend you to use well tested authentication and authorization solutions as provided by established frameworks. Also think about OpenID.
A few PHP frameworks and their auth components:
Concerning your question:
Yes. You have to differentiate between Authentication and Authorization. The former helps you to identify who the user is and the latter helps you to find out what the user is allowed to do. Read this short introduction to learn about the topic.