WHAT'S IN THIS CHAPTER?
Designing the MySQL database
Basic HTTP-based authentication
Digest HTTP-based authentication
Pure PHP authentication
Securing user information in cookies
Access Control Lists
PHP is particularly well suited for user authentication, and where PHP is used for authentication you will usually find a MySQL database behind it. It doesn't take long for an application to grow to the point where it needs an authentication system, which will most likely include:
User login and logout
User roles (administrator, guest, and so on)
Similarly, it often isn't long before built-in Apache or IIS authentication becomes insufficient. In many cases, the authentication system is one of the first scripts that a PHP programmer attempts to write. Expert PHP programmers recognize that security — especially when it comes to sensitive user information — is paramount, and if the developer is not careful, it is easy to leave an application open to attacks such as session theft and replay attacks.
This chapter covers techniques and best practices for storing user account information, authenticating users, and maintaining sessions.
The chapter finishes off with a brief overview of Access Control List (ACL).
Two topics that are not covered in this chapter are OpenID and OAuth. Both are methods for authenticating users with third-party login credentials. Each method warrants discussion and is appropriate to use in many if not most applications. However, ...