
Integrating User Authentication Using PHP

Authentication is any process that verifies that someone is who they claim to be. PHP is a programming language well suited to user authentication. When user authentication is integrated into a website application using PHP, you will usually find a MySQL database behind it. An authentication system most likely includes:

  1. User login and logout
  2. User roles (Admin, Anonymous, etc.)
  3. User management

Many PHP programmers recognize that security, especially where sensitive user information is concerned, is paramount. If the developer is not careful, the application is left wide open to attacks such as information theft and other kinds of attack.

There are many methods of integrating user authentication, such as OpenID and OAuth. Both use third-party login credentials to authenticate users, and neither will be discussed here. This article shows how to integrate user authentication using PHP.

To build a good, secure authentication system, a strong database is a must. A good database must not only be secure but also sufficiently optimized. Let’s build a database named userlist.sql.

The userid field stores a unique id key for the user. Username is also a unique field; however, it is desirable to use the auto-increment field as the primary key. One of the main reasons for doing this is to identify the real user by the key, so users can change their username without having to worry about maintaining the referential integrity of the data. It also results in a less storage- and processor-intensive system.

The password field needs to be hashed before it is stored, at a bare minimum as a salted MD5 hash. You can use another one-way hash method such as SHA-1 too. However, several methods currently exist to reverse an MD5 hash. The most popular method is using rainbow tables. Rainbow tables allow someone to easily find a value that is not necessarily the same password but evaluates to the same hash. That new string can be used to log in instead of the real password.

HTTP-Based User Authentication Using PHP

HTTP provides two methods of authentication: basic and digest. Both methods are similar in both behavior and implementation. Both methods of HTTP-based user authentication (basic and digest) are natively supported by Apache and Microsoft IIS (you don’t need to use PHP). However, the non-PHP methods have many disadvantages, such as compatibility, session management, and application-level features.

Basic Authentication

Basic Authentication has existed since the early days of HTTP. Typically the username and password are simply passed in the URL, like the example below

So it’s not secure, because:

  1. The username and password show up clearly in web server logs (in plain text)
  2. The URL with the username and password is saved in the client’s browser history

The URL-based method should be avoided for those reasons. Another alternative is a base64-encoded string, but it can just as easily be decoded.

An alternative authentication method that is safer, because it does not send the password in plain text, is Digest Authentication.

Digest Authentication

Unlike Basic authentication, Digest authentication relies on creating a one-way hash of various data using a shared secret key. The secret key is the user’s password. The digest method makes it possible to authenticate a user without sending the password across the network.

The hash involves creating a long string from data that only the client and server know, then using that string together with the password to create an MD5 hash. These are the pieces of data used to create the hash:

  • Realm: a string displayed to the user and a way for the client to differentiate between multiple authentication areas. It is also part of the hash in digest authentication.
  • Domain: a space-separated list of URIs that acts as a hint to the client about where the credentials apply.
  • Nonce (number used once): this directive is used to prevent replay attacks, in which an attacker replays a recorded authentication exchange to log in.
  • Opaque: a string that should be passed back to the server unaltered.
  • Stale: this directive indicates whether the nonce is still valid or has expired.
  • Algorithm: MD5 by default.
  • qop: stands for Quality of Protection (optional).
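Putting those directives together, here is an added example (not code from the original article) of the server side of a Digest exchange in PHP with algorithm MD5 and qop=auth as specified in RFC 7616. The realm name, the single constructed user and running under Apache mod_php (which populates $_SERVER['PHP_AUTH_DIGEST']) are assumptions; note that the server stores HA1 = MD5(username:realm:password) rather than the password itself, which is all the digest computation needs.

```php
<?php
// Added example (not code from the original article): the server side of HTTP
// Digest authentication with algorithm=MD5 and qop=auth, as standardised in
// RFC 7616. Assumed for this illustration: the realm name, a single constructed
// user, and running under Apache mod_php, which fills $_SERVER['PHP_AUTH_DIGEST'].

const REALM = 'Members Area'; // assumed realm shown to the user

// The server never needs the clear-text password, only
// HA1 = MD5(username:realm:password), so that is what it stores. Constructed user:
$users = ['alice' => md5('alice:' . REALM . ':correct horse battery')];

// Parse the key="quoted" / key=token pairs of the Authorization header and
// reject the request if any directive the response computation needs is missing.
function parse_digest(string $header): ?array
{
    $needed = array_flip(['username', 'realm', 'nonce', 'uri', 'response', 'qop', 'nc', 'cnonce']);
    $data = [];
    preg_match_all('/(\w+)=(?:"([^"]*)"|([^\s,]+))/', $header, $m, PREG_SET_ORDER);
    foreach ($m as $match) {
        $data[$match[1]] = $match[3] ?? $match[2];
        unset($needed[$match[1]]);
    }
    return $needed ? null : $data;
}

// Recompute the response the client should have sent (qop=auth) and compare it
// in constant time so the comparison itself leaks nothing about the digest.
function digest_valid(array $d, string $ha1, string $method): bool
{
    $ha2 = md5($method . ':' . $d['uri']);
    $expected = md5("$ha1:{$d['nonce']}:{$d['nc']}:{$d['cnonce']}:{$d['qop']}:$ha2");
    return hash_equals($expected, $d['response']);
}

$d = parse_digest($_SERVER['PHP_AUTH_DIGEST'] ?? '');
if ($d === null || $d['realm'] !== REALM || !isset($users[$d['username']])
    || !digest_valid($d, $users[$d['username']], $_SERVER['REQUEST_METHOD'])) {
    // Challenge the client. A fresh random nonce goes out every time; a production
    // server must also remember issued nonces and reject unknown or reused ones,
    // otherwise the replay protection the nonce exists for is lost.
    $nonce = bin2hex(random_bytes(16));
    http_response_code(401);
    header(sprintf('WWW-Authenticate: Digest realm="%s", qop="auth", algorithm=MD5, nonce="%s", opaque="%s"',
        REALM, $nonce, md5(REALM)));
    exit('Authentication required');
}

echo 'Welcome, ' . htmlspecialchars($d['username']);
```

A browser answers the 401 challenge with an Authorization: Digest header carrying the same realm, nonce and opaque plus nc, cnonce and its computed response, which is what parse_digest() reads. Nonce bookkeeping and the stale directive are omitted here to keep the example short.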
