Welcome to the Treehouse Community

The Treehouse Community is a meeting place for developers, designers, and programmers of all backgrounds and skill levels to get support. Collaborate here on code errors or bugs that you need feedback on, or asking for an extra set of eyes on your latest project. Join thousands of Treehouse students and alumni in the community today. (Note: Only Treehouse students can comment or ask questions, but non-students are welcome to browse our conversations.)

Looking to learn something new?

Treehouse offers a seven day free trial for new students. Get access to thousands of hours of content and a supportive community. Start your free trial today.

General Discussion

Mike Baxter
Mike Baxter
4,442 Points

Creating user account system, best practices—registration, login, etc.

Hey folks,

I'm trying to figure out what the standard approaches and best practices are for creating user accounts. As far as Team Treehouse goes, it looks like there are two different approaches taught to creating a user account system. In the Database section there's a video on creating user accounts, which with some PHP could presumably allow you to make a page where users can create an account with a password, etc. (Obviously you'd want to find some sort of encryption method, right?) The other approach as far as I can tell is in the Ruby course under a section on Authentication (and very specifically designed for this purpose).

What I'm wondering is, if I want to build a site that has user accounts with a registration, login, profile pictures, etc., do I need to learn Ruby, or can I make this with PHP, MySQL, and jQuery? Perhaps a better question to ask is, if it's possible to do it both ways, is it advisable to go one route or the other? (And why?) Do developers typical have third-party solutions for security and encryption, or are these features built into the systems?

Thanks!

2 Answers

Veerle Deschepper
Veerle Deschepper
2,623 Points

You can create such a system with every program language that allows you to store and retrieve user credentials safely (eg database). Depending on language/framework you have several methods to encrypt passwords built in.

building a basic authentication system is not that hard; al you need is some basic understanding how to save and retrieve data from the central storage system and to do so safely. When you need some advanced stuff like SSO, oAUTH, openID etc it gets a bit tricky but I guess your question stays on a more basic level.

I have build several authentication systems, with .NET and php, so feel free to ask! (hint: as far as .NET goes the worst you can do is using the build in membership. trust me it's ... just ... #@$ )

Mike Baxter
Mike Baxter
4,442 Points

Thanks for the reply! So is PHP + MySQL a decent way to go about things? Eventually I'll probably go through the Ruby on Rails course, but I want to get as much out of PHP + MySQL as I can (within reason) before moving on. Do you have any recommended resources on doing this with PHP + MySQL? (I think I can probably piece it together from the Treehouse deep dives, but it would be nice to see a full implementation somewhere.)

Veerle Deschepper
Veerle Deschepper
2,623 Points

Yes it is :) With php it is best to learn (and use) a good framework; I am working with Laravel - it has allowed me to focus on the stuff that matters instead of writing the same boring thing all over again (eg communicating with db, tempting).

Even authentication is boring in the end: so they made it easy :) but still powerful in the way that you can use it to do your own things. I mean if I compare it to what .NET does with his membership; well they dumbed it down so much, added a lot of sugar to it and made it so that it is powerful but very hard to extend. if you use that you have to write all sorts of wrappers and extensions - really ugly as hell

So my advice is choose a framework and explore whats in it; maybe dive into the source of wordpress/drupal to see how they handle things but word of caution: these opensource projects are old, which means that they will probably contain some "old school things" and you know they are big and can be overwhelming. I think if you give Laravel a try you will find things are very easy; there also a bunch of documentation and tutorials on the subject. I always just Google, github, stackoverlfow, and documentation of opensource projects (mainly for database models and such) to see how they do things and take those ideas that I find interesting

My experience is that you need a framework to support you, but one that does not over complicate things. In the end all authentication is, is this: Form >> post >> check credentials stored >> correct profile? >> ok or deny. it only gets a bit harder if you want to dynamically set the access level on certain pages, support different roles and really complicated when you want to log in with one account on several websites (like sign in once). In those cases it is the nature of the web and how the browser handles things that stands in your way; the basic stuff stays the same.

things I learned on the way:

  • always check username and password agains the stored values (seems obvious but ..)
  • never log login attempts, just build in a blocking meganism if necessary
  • encrypt passwords with salt, store the salt with the user record in the database (unique per user)
  • encrypt the whole thing with another salt, one that is fixed in code. so you need to have both salts to even attempt to decrypt the password.
  • getting hacked is inevitable, just make it so hard that they move to other, easier targets
  • to check a password you just encrypt it again like you would store it - then check it agains a saved value
  • you will make mistakes;
  • don't wait until the end to implement authentication, but also don't do it to early during development. eg its hard to test pages constantly if you have to log in or change profile all the time
Veerle Deschepper
Veerle Deschepper
2,623 Points

seems like I am not allowed to edit my post AGAIN but I meant "templating" in the first line, autocorrect got in the way! maybe it did so on other things as well: I'm sorry for not double checking but I have to go to work now :(

Mike Baxter
Mike Baxter
4,442 Points

Thanks so much for the advice, Veerle Deschepper ! That's super helpful!