Improved secure login form |
Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification.
I tried with password_hash and then password_verify, but I missed something in the code. You could help me improve my login, I'm not going to make it super safe, but also the least. At this time, this is the files in the controller and the model: PHP Code: public function index() { admin_model.php PHP Code: public function login($username, $password) { Thanks for your help
(08-15-2017, 11:25 PM)Marcolino92 Wrote: Hi guys, I created a very simple login form for a small administrative area. Unfortunately, it is currently very basic, in fact the password is not encrypted and there is no verification. https://community-auth.com/ https://github.com/benedmunds/CodeIgniter-Ion-Auth Back to the problem: - save the hash in the database. - select the user by the username/email and not by the password - check the password with password_verify
First you should always store a (salted) hash of the password, not the password itself. You then compare the hash of the posted password to the stored hash. That way if your site goes get hacked the attacker cannot use the login credentials of your users on other sites for example.
Second, you should validate your users input before using it. But seriously, I doubt your skill level is at the level it should be in order to create a secured login feature. I would advise you to implement an existing auth library. I use Ion auth in all my projects.
I've already tried with "ion auth" but I need to create a personalized and slimmed class, so I'd like to avoid book it already ready because I only need the login system and the method to see if the user is logged in.
This?
PHP Code: public function login($username, $password) {
You could use your own controller and only use the login function of the ion auth library.
Your controller could be: PHP Code: <?php
password_hash adds it's own salt in the hash.
What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
Here is a good read on Secure logins
Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with "Remember Me" Cookies) What did you Try? What did you Get? What did you Expect?
Joined CodeIgniter Community 2009. ( Skype: insitfx )
|
Welcome Guest, Not a member yet? Register Sign In |