{"id":1489,"date":"2018-01-19T19:22:54","date_gmt":"2018-01-19T19:22:54","guid":{"rendered":"http:\/\/goofy-trucks.flywheelsites.com\/complete-secure-user-auth-library\/"},"modified":"2018-01-19T19:24:49","modified_gmt":"2018-01-19T19:24:49","slug":"complete-secure-user-auth-library","status":"publish","type":"post","link":"https:\/\/phpbuilder.com\/complete-secure-user-auth-library\/","title":{"rendered":"Complete, Secure User Auth Library"},"content":{"rendered":"<div class=\"phpbuilder-content\">\n<div class=\"phpbuilder-meta\">\n<div class=\"\">By Tim Perdue<\/div>\n<div class=\"\">on July 30, 2000<\/div>\n<\/p><\/div>\n<div id=\"overflow-content\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/phpbuilder.com\/wp-content\/uploads\/2018\/01\/tim2.jpg\" class=\"articleAuthorImg\" alt=\"picture of Tim Perdue\" height=\"90\" width=\"100\" align=\"left\"\/><\/p>\n<div class=\"articlePara\">\nWhen I started seeing spam messages posted to the new column annotation system, I knew<br \/>\nI would have to create some sort of user authentication system that helps weed out the losers.<br \/>\nI&#8217;m the type that would rather write an entire library myself than try to learn something like PHPLib<br \/>\nor other similar libraries.<\/div>\n<div class=\"articlePara\">\nThe library needed to handle registration, confirmation emails, account updates (passwords, emails)<br \/>\namong other things. It also needed to be secure while not creating a burden on my overloaded database.<\/div>\n<div class=\"articlePara\">\nSo the new system needed to rely on cookies while not being totally exploitable. It was an interesting<br \/>\ndilemma. I knew I couldn&#8217;t simply set a user_name cookie when they logged in (the user name cookie is<br \/>\neasy to spoof). I also knew I didn&#8217;t want to set a simple hash and have to confirm that hash against my<br \/>\ndatabase.<\/div>\n<div class=\"articlePara\">\nThe solution was to set both. 
A user_name cookie is set, along with a hash. The hash is an md5() hash<br \/>\nof the user_name as well as a super-secret variable that only PHPBuilder knows. Since md5() is a one-way<br \/>\nhash and is, for all intents and purposes, going to secure practically any website (<strong>but should not<br \/>\nbe taken to be &#8220;uncrackable&#8221;*<\/strong>), I could safely create a hash of the email, which is<br \/>\na known variable, plus the secret variable. It&#8217;s kind of a public-key\/private-key system.<\/div>\n<div class=\"articlePara\">\nThe interesting thing about this system is that it could scale up almost infinitely. Since the hard work<br \/>\nof this system is done by md5() on the web server, additional servers can be dropped in incrementally to<br \/>\nhandle the load. The same is not true of an auth system that hammers a database &#8211; the database itself<br \/>\neventually becomes the bottleneck.<\/div>\n<div class=\"articlePara\">\n<small>* This is a correction requested by the author. 
Please see comments below for clarification.<\/small><\/div>\n<\/div>\n<p> Download: <a href=\"..\/imagesvr_ce\/phpbuilder\/tim20000505.html\">tim20000505.php3<\/a>\n    <\/div>\n","protected":false},"excerpt":{"rendered":"<p>By Tim Perdue on July 30, 2000 When I started seeing spam messages posted to the new column annotation system, I knew I would have to create some sort of user authentication system that helps weed out the losers. 
I&#8217;m the type that would rather write an entire library myself&#8230; <a href=\"https:\/\/phpbuilder.com\/complete-secure-user-auth-library\/\" class=\"readmore\"><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1489","post","type-post","status-publish","format-standard","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1489","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/comments?post=1489"}],"version-history":[{"count":1,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1489\/revisions"}],"predecessor-version":[{"id":2252,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/posts\/1489\/revisions\/2252"}],"wp:attachment":[{"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/media?parent=1489"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/categories?post=1489"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/phpbuilder.com\/wp-json\/wp\/v2\/tags?post=1489"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}