Should I write my own PHP login system?

Hi guys,

In previous projects, I’ve always written my own PHP user login system to get access to the admin dashboard. This works really well, but I’m no security expert and it’s so easy to overlook something and create a security vulnerability.

What do you guys as professionals use to authenticate users? Do you write your own system or do you use some kind of PHP framework? And what PHP security framework has been proven to be reliable and secure?

As a principle, I always think there’s no point reinventing the wheel. There will be a good script out there that does this for you.

Whilst I have not tried a membership site myself recently, I thought of WordPress, and found this for you:

Rgds

When I have a choice I prefer to use a framework or CMS. Writing boilerplate features like authentication systems is a waste of time with the richness of the PHP ecosystem. My framework of choice is Laravel and my CMS is Drupal. Both of those have very feature-rich, flexible authentication models, including multi-tiered authentication and authorization.

There is also Joomla to consider.

If you have no security background skills, it is merely because you haven’t jumped into learning it. As an enthusiast I would recommend that the best way to get stuff done is merely by doing it yourself. With that being said, you should learn it yourself; that way you can implement specific things you prefer.

I agree that I should write it myself for educational purposes, but this would be for a professional site. I do have some security knowledge (SQL Injection, XSS, CSRF …) but I feel kinda stubborn trying to use my own login system when there are better systems out there. I could never write a login system on my own that is as stable and secure as what a team of security experts already did.

@burble I’m not building a WordPress site right now and using WordPress only for authentication seems like overkill. But thanks for the link! 🙂

@oddz Thanks, I’ll give Laravel a shot!

I have used both. From the ready-made ones I’ve mainly used the Symfony security component for user authentication and it works fine. But to be honest I feel more confident in a login system that I’ve made myself from scratch because I know how it works and there are no surprises. Even if a library is tested by many people it is somewhat obscure what it does under the hood, and it still requires some knowledge to set it up properly.

For example, I’ve found out that the Symfony authentication system allows the same user to be logged in at the same time at multiple locations, which is fine, but when I change the password of such a user I would expect all his sessions to be invalidated; otherwise I consider this a security hole, and it’s right there in the official authentication module. Of course, with some tinkering I would be able to add this feature with my code (good libraries are extensible), but in my opinion this should be built in, which is especially important for people who don’t know much about security and would like to use something that is tested and safe and be confident that all security details have been taken care of.

That said, building your own authentication system is not very complicated, but it can take some time to get all things right, so if you cannot afford the time to do it on your own then certainly a framework’s component is the way to go.

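The password-change behaviour discussed in the post above, as an added example that is not from the thread, from Symfony or from any other project: each session records the user's credential version, every request checks that version against the user store, and a password change bumps it, so all sessions issued under the old password stop validating. The in-memory `$users` array and the session arrays are constructed stand-ins for a database table and PHP's `$_SESSION`.

```php
<?php
// Constructed user store (stands in for a database table). "cred_version"
// is incremented whenever the user's password changes.
$users = [
    1 => [
        'name'         => 'alice',
        'hash'         => password_hash('correct horse', PASSWORD_DEFAULT),
        'cred_version' => 1,
    ],
];

// Log in: returns the session data to store server-side, or null on failure.
function login(array $users, string $name, string $password): ?array
{
    foreach ($users as $id => $u) {
        if ($u['name'] === $name && password_verify($password, $u['hash'])) {
            // Remember which credential version this session was issued under.
            return ['user_id' => $id, 'cred_version' => $u['cred_version']];
        }
    }
    return null;
}

// Per-request check: a session is only valid while its recorded version
// still matches the user's current credential version.
function sessionIsValid(array $users, ?array $session): bool
{
    if ($session === null || !isset($users[$session['user_id']])) {
        return false;
    }
    return $users[$session['user_id']]['cred_version'] === $session['cred_version'];
}

// Changing the password rehashes it and bumps the version, which
// invalidates every session issued before the change.
function changePassword(array &$users, int $id, string $newPassword): void
{
    $users[$id]['hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    $users[$id]['cred_version']++;
}

// Same user logged in from two devices; both sessions carry version 1.
$laptop = login($users, 'alice', 'correct horse');
$phone  = login($users, 'alice', 'correct horse');
var_dump(sessionIsValid($users, $laptop), sessionIsValid($users, $phone));

// After the password change neither old session passes the check any more.
changePassword($users, 1, 'new battery staple');
var_dump(sessionIsValid($users, $laptop), sessionIsValid($users, $phone));

// Logging in again with the new password yields a session under version 2.
$fresh = login($users, 'alice', 'new battery staple');
var_dump(sessionIsValid($users, $fresh));
```

In a real application the device performing the password change should be re-issued a session under the new version in the same request, and the version check belongs in the code path that loads the user from the session on every request.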

The real fact of the matter is whether you are going to use a framework or CMS. If you are, then you will use the login system provided by that project.

Having worked on a variety of projects that have been in many people’s hands, I’m pro-framework/CMS. Projects built on well-known open source solutions are increasingly more maintainable long-term than those built in isolation by one or a few developers. Projects that are completely custom tend to decay into a black hole of technical debt over time as those who originally built them leave. Custom projects never have good documentation, nor do they provide beyond basic insight into acceptable applicants to maintain the project beyond basic language skills. On the other hand, well-known open source solutions have good documentation and an ecosystem of resources that surpasses any one developer, resulting in code that is easier to maintain long-term with or without the original project team.

For me professionally, whenever I build something I build it understanding I won’t maintain the code forever and there will likely be other people who have to maintain that code. I think the most considerate thing devs can do is use open source solutions to lessen the barrier of entry into a project for others. If you build something on Symfony or Laravel you know that all you need is another person who knows those things. If the project is completely custom all you really know is you need someone with PHP. Not to mention that from day one newcomers are acclimated with the foundation of the project when it uses a well-known CMS or framework. With custom code newcomers will know absolutely nothing and will progress to hate most decisions made in that project.

The nice thing about an open source framework or CMS is that those platforms are constantly being vetted and improved, and their individual ecosystems grow. That results in longevity that surpasses any foundation that is custom. The custom foundation dies almost immediately after most of the original team members leave the project. No one ever wants to maintain another person’s one-off code. Also, you will learn much more using a framework than you will building something custom. The framework has the structure in place to put you on a guided path to success, where you will naturally be introduced to many architectural patterns along the way beyond syntax, such as dependency management, separation of concerns, the active record pattern, caching, testing, and the list goes on. All will happen in such a way that it is fluent as you build your project. With custom code all you really have is whether sh*t works or not, unless you have already been fully acclimated with modern design patterns.

I think one of the reasons that contribute to Node.js’s success is the fact that those devs get that they can’t program in isolation. Something I wish more PHP devs would embrace.

