Re: [PHP] User Account Management
Thanks so much for all the feedback! Ben's comment was something that prompted this discussion to begin with internally, in that we didn't want to reinvent the wheel, nor make a mistake in the security implementation of our solution. I've forwarded this thread back internally, and we'll take this as a jumping-off point for how to build our system.

Waynn
[PHP] User Account Management
Hello all,

We're building out a system that allows for user account creation/password management, and we're hoping to use existing open source software so we don't have to reinvent the wheel. I know of Drupal and Zend Framework (and maybe CodeIgniter?), but do people have specific preferences for either, and recommendations for other products that I haven't heard of? It should just support basic account creation, being able to log in/authenticate, change your password, storing user information like names and email addresses, etc. I tried searching for "account management php" but ended up getting a lot of CMS suites.

Thanks,
Waynn
Re: [PHP] User Account Management
On Fri, Sep 11, 2009 at 02:43:15PM -0700, Waynn Lue wrote:

> Hello all, We're building out a system that allows for user account creation/password management, and we're hoping to use existing open source software so we don't have to reinvent the wheel. I know of Drupal, and Zend Framework (and maybe CodeIgniter?), but do people have specific preferences for either, and recommendations for other products that I haven't heard of? It should just support basic account creation, being able to login/authenticate, change your password, storing user information like names and email addresses, etc. I tried searching for account management php but ended up getting a lot of CMS suites.

It depends on how you want your security to be built. At phpclasses.org, there are a bunch of classes which handle user verification and such. (Of course, you have to build your own screens; these are just classes, after all.)

My problem with these classes is that they typically assign users a number to indicate the user level, and then you decide what level is necessary to access a given page. Now, most of what I do is programming for internal use. And my philosophy is that a user has no business accessing *any* page they haven't been trained on. So my access scheme is based on a system where there is a record in a table which has the user ID and the page they're allowed to access. With a couple of hundred pages, that's potentially a couple of hundred records per user. It could be a pain to maintain, but provides the finest-grained authorization I can come up with. If you don't need something that complex or solid, then some of the classes at phpclasses.org may suffice.

CodeIgniter (as mentioned earlier this week) has no provision for user login or security. The others probably do, but they're a bit like using a steamroller to pound in a nail. Moreover, any framework like these (even the very simple CodeIgniter) requires significant investment in learning how to do things under that framework.

Honestly, whipping up a security scheme the way I have done it is a couple of days' work (including login and management screens). I'm not sure why people seem to be averse to it. You just work up your screens, create your tables, populate the tables, and you're away. The user's ID and whatever other pertinent information rides along with them in the session variables. Each page checks to see if the user ID in the session variable is allowed to access this page, etc.

Paul

-- 
Paul M. Foster

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
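Paul's per-page allow-list, written out as an added example for this thread. This is not Paul's code: the table and column names, the SQLite in-memory database and the sample rows are assumptions made for the illustration, and it runs stand-alone on the PHP CLI.

```php
<?php
// Added example (not Paul's code): a per-user, per-page allow-list as he
// describes, on SQLite in memory so it runs stand-alone on the PHP CLI.
// Table and column names are assumptions for the illustration.
declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL)');
    // One row per (user, page) the user has been trained on; no row means no access.
    $db->exec('CREATE TABLE page_access (
        user_id INTEGER NOT NULL REFERENCES users(id),
        page    TEXT    NOT NULL,
        PRIMARY KEY (user_id, page))');
    // Constructed sample data for the demonstration.
    $db->exec("INSERT INTO users VALUES (1, 'alice'), (2, 'bob')");
    $db->exec("INSERT INTO page_access VALUES (1, 'invoices.php'), (1, 'reports.php'), (2, 'invoices.php')");
    return $db;
}

// The per-page check: the only way a page becomes reachable for a user is a
// matching row in page_access. Default deny, no numeric "level" to compare.
function userMayAccess(PDO $db, int $userId, string $page): bool
{
    $stmt = $db->prepare('SELECT 1 FROM page_access WHERE user_id = :uid AND page = :page');
    $stmt->execute([':uid' => $userId, ':page' => $page]);
    return $stmt->fetchColumn() !== false;
}

// Call at the top of every protected page, before any page logic or output.
// Unauthenticated and unauthorized users get the same 403.
function requirePageAccess(PDO $db, string $page): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    $userId = $_SESSION['user_id'] ?? null;
    if (!is_int($userId) || !userMayAccess($db, $userId, $page)) {
        http_response_code(403);
        exit('Access denied');
    }
}

// On successful login: rotate the session id so a pre-login id planted by an
// attacker (session fixation) is not the one that becomes authenticated.
function establishSession(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id'] = $userId;
}

// CLI demonstration of the check itself (user 3 does not exist at all).
$db = openDemoDb();
foreach ([[1, 'reports.php'], [2, 'reports.php'], [2, 'invoices.php'], [3, 'invoices.php']] as [$uid, $page]) {
    printf("user %d -> %-12s %s\n", $uid, $page, userMayAccess($db, $uid, $page) ? 'allowed' : 'denied');
}
```

In a real page the second argument to requirePageAccess() should be a constant the page itself supplies (for instance basename(__FILE__)), never anything taken from the request; otherwise the caller chooses which allow-list row gets consulted. The check has to run before any output or action on every page, since a page that forgets the call is silently public.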
Re: [PHP] User Account Management
> Honestly, whipping up a security scheme the way I have done it is a couple of days' work (including login and management screens). I'm not sure why people seem to be averse to it. You just work up your screens,

I suppose it does depend on the use case. If you're building a system for internal use, and you know your users, and the data is potentially exposed by other avenues (as is the case with all the internal-use systems I've built), that's one thing. But if the site is public, indexed by Google, and gets even a small amount of traffic -- or even if it's an unpublicized site but it's on a dedicated IP that belongs to a prominent hosting company -- it's going to be hammered daily by script-kiddies and PC-based malware. If it gets a lot of traffic it's probably going to be targeted by sophisticated attackers. At that point I'd personally be much more at ease knowing that session management, authentication, password storage, etc. were handled by a system that several more-experienced programmers have worked on, which has gotten a good deal of production use in diverse contexts, not to mention possible analysis by professional security experts.

Security is complicated and it's very easy to get wrong. What hashing algorithm do you use (in the general sense of "you") to store your passwords? Do you salt your passwords; if so, do you salt them correctly? How do you handle password resets? What's your PRNG, and is it random enough, and how do you know?

I just reviewed the code for a scratch-built system that seemed to have reasonably intelligent authentication and password management -- but /completely left out/ access control! All I had to do was enter a different uid in the URL of the "my account" page and I could get to anyone's account, even the admin's, as long as I was authenticated. Dumb mistake? Sure. Easy to make? Probably more so than one would like to think.

Ben
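The uid-in-the-URL failure Ben describes, beside the fix, together with password storage that answers his hashing and salting questions, as an added example. This is not Ben's code nor the system he reviewed; the table and column names, the SQLite in-memory database and the sample accounts are assumptions for the illustration, and password_hash()/password_verify() are PHP 5.5+ built-ins that postdate this 2009 thread.

```php
<?php
// Added example, not Ben's code or the system he reviewed: the "different uid
// in the URL" mistake beside the fix, plus password storage that handles the
// hashing/salting questions. Table and column names are assumptions; runs
// stand-alone on the PHP CLI with SQLite in memory. Requires PHP 5.5+ for
// password_hash()/password_verify().
declare(strict_types=1);

function openDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
               password_hash TEXT NOT NULL, is_admin INTEGER NOT NULL DEFAULT 0)');
    // Constructed sample accounts. password_hash() picks bcrypt by default,
    // draws a fresh random salt per call from the OS CSPRNG and embeds it in
    // the output string, so there is no separate salt column to get wrong.
    $ins = $db->prepare('INSERT INTO users (id, username, password_hash, is_admin) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 'admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT), 1]);
    $ins->execute([2, 'alice', password_hash('alice-pw', PASSWORD_DEFAULT), 0]);
    return $db;
}

// Login check. password_verify() reads algorithm, cost and salt back out of
// the stored string and compares in constant time.
function verifyLogin(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;   // same answer for unknown user and wrong password
    }
    return (int) $row['id'];
}

// VULNERABLE: requires a logged-in caller but never checks that the account
// requested is the caller's own, so any logged-in user can read ?uid=1 (the
// admin). $sessionUserId is accepted and ignored, which is exactly the bug.
function loadAccountVulnerable(PDO $db, int $sessionUserId, int $requestedUid): ?array
{
    $stmt = $db->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->execute([$requestedUid]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

// FIXED: the authorization decision is derived from the session, not the URL.
// An ordinary user can only ever load their own row; an admin may load any.
function loadAccount(PDO $db, int $sessionUserId, int $requestedUid): ?array
{
    $stmt = $db->prepare('SELECT is_admin FROM users WHERE id = ?');
    $stmt->execute([$sessionUserId]);
    $callerIsAdmin = (bool) $stmt->fetchColumn();
    if ($requestedUid !== $sessionUserId && !$callerIsAdmin) {
        return null;   // behave as "not found"; do not confirm that the uid exists
    }
    $stmt = $db->prepare('SELECT id, username, is_admin FROM users WHERE id = ?');
    $stmt->execute([$requestedUid]);
    return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
}

$db = openDemoDb();
$alice = verifyLogin($db, 'alice', 'alice-pw');   // 2
$bad   = verifyLogin($db, 'alice', 'wrong');      // null
printf("login alice: %s, wrong password: %s\n", var_export($alice, true), var_export($bad, true));
// Alice, logged in, requests uid=1 (the admin), as in the URL-tampering case.
printf("vulnerable: %s\n", json_encode(loadAccountVulnerable($db, $alice, 1)));
printf("fixed:      %s\n", json_encode(loadAccount($db, $alice, 1)));
printf("fixed, own: %s\n", json_encode(loadAccount($db, $alice, 2)));
```

The two loaders take the same arguments; the only difference is that the fixed one actually uses the session identity before touching the requested row. Checking ownership in every handler that takes an object id from the request, not just on the "my account" page, is what closes the class of bug Ben found.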
Re: [PHP] User Account Management
Waynn Lue wrote:

> Hello all, We're building out a system that allows for user account creation/password management, and we're hoping to use existing open source software so we don't have to reinvent the wheel. I know of Drupal, and Zend Framework (and maybe CodeIgniter?), but do people have specific preferences for either, and recommendations for other products that I haven't heard of? It should just support basic account creation, being able to login/authenticate, change your password, storing user information like names and email addresses, etc. I tried searching for account management php but ended up getting a lot of CMS suites.

That is because this is a "how long is a piece of string" type question ;)

PEAR has the Auth package which is supposed to provide authentication, but still needs a certain amount of 'wrapping' to make it usable. The question has to be 'What are you wanting to secure?'

Personally I'm using bitweaver - which is a CMS system, but I have my own modules added to it to provide the functions I want, while bitweaver itself provides user management, content editing with full history in various wiki or html formats, mime handling and all the other generic bits. You just add the bits you want, or pinch a module and adjust it to your own purposes - without needing to worry about the core functions :)

-- 
Lester Caine - G8HFL
Contact - http://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - http://lsces.co.uk
EnquirySolve - http://enquirysolve.com/
Model Engineers Digital Workshop - http://medw.co.uk//
Firebird - http://www.firebirdsql.org/index.php