Creating user account system, best practices—registration, login, etc.

Thanks for the reply! So is PHP + MySQL a decent way to go about things? Eventually I'll probably go through the Ruby on Rails course, but I want to get as much out of PHP + MySQL as I can (within reason) before moving on. Do you have any recommended resources on doing this with PHP + MySQL? (I think I can probably piece it together from the Treehouse deep dives, but it would be nice to see a full implementation somewhere.)

Yes it is :) With php it is best to learn (and use) a good framework; I am working with Laravel - it has allowed me to focus on the stuff that matters instead of writing the same boring thing all over again (eg communicating with db, tempting).

Even authentication is boring in the end: so they made it easy :) but still powerful in the way that you can use it to do your own things. I mean if I compare it to what .NET does with his membership; well they dumbed it down so much, added a lot of sugar to it and made it so that it is powerful but very hard to extend. if you use that you have to write all sorts of wrappers and extensions - really ugly as hell

So my advice is choose a framework and explore whats in it; maybe dive into the source of wordpress/drupal to see how they handle things but word of caution: these opensource projects are old, which means that they will probably contain some "old school things" and you know they are big and can be overwhelming. I think if you give Laravel a try you will find things are very easy; there also a bunch of documentation and tutorials on the subject. I always just Google, github, stackoverlfow, and documentation of opensource projects (mainly for database models and such) to see how they do things and take those ideas that I find interesting

My experience is that you need a framework to support you, but one that does not over complicate things. In the end all authentication is, is this: Form >> post >> check credentials stored >> correct profile? >> ok or deny. it only gets a bit harder if you want to dynamically set the access level on certain pages, support different roles and really complicated when you want to log in with one account on several websites (like sign in once). In those cases it is the nature of the web and how the browser handles things that stands in your way; the basic stuff stays the same.

things I learned on the way:

• always check username and password agains the stored values (seems obvious but ..)
• never log login attempts, just build in a blocking meganism if necessary
• encrypt passwords with salt, store the salt with the user record in the database (unique per user)
• encrypt the whole thing with another salt, one that is fixed in code. so you need to have both salts to even attempt to decrypt the password.
• getting hacked is inevitable, just make it so hard that they move to other, easier targets
• to check a password you just encrypt it again like you would store it - then check it agains a saved value
• you will make mistakes;
• don't wait until the end to implement authentication, but also don't do it to early during development. eg its hard to test pages constantly if you have to log in or change profile all the time

seems like I am not allowed to edit my post AGAIN but I meant "templating" in the first line, autocorrect got in the way! maybe it did so on other things as well: I'm sorry for not double checking but I have to go to work now :(