
Jenny Swift
21,999 Points

secure PHP login system and is Laravel worth learning

Hi, so I want to make a secure login system for my PHP web application. I have already written my code for the login system, but after googling, it seems agreed upon that it's not a good idea to write your own login system: that it's better to use code developed by someone who knows what they are doing, for security reasons.

So I've started looking into libraries and frameworks in the hope of finding something that will give me a secure login system. I started the Laravel course here at Treehouse, and so far it feels like way more than I need and a secure login system hasn't been addressed.

On the other hand, Laravel seems very popular so I wonder if it is worth the effort.

Can you advise me please if learning Laravel is a sensible approach to achieving what I want, or if it is overkill and if there is a better approach?

What I want is this:

  • good password hashing and salting (I hear bcrypt is good)
  • failed login throttling to prevent brute force attacks
  • and there are probably other things I'm not aware of that are needed for security

Basically, I want to protect my users' data, but security seems an incredibly overwhelming/complex topic and I've been struggling to find a good course on how to keep my users' data safe.

2 Answers

If you're interested in learning more and struggling for a place to start, you could always dive into the authentication objects that ship with Laravel.

Sentry is another well(ish) known authentication system. I have had a play with it and it's pretty full on, but there are loads of places to copy and paste from on the internet. I personally took a dislike to it because the support is pretty poor and I've got a feeling it's not actively supported anymore!

I imagine Treehouse don't offer authentication/heavy security courses on purpose, to avoid being culpable for hacks on student sites / their client sites.

Laravel ships with all the auth stuff out of the box, so if it were me, I would head over there. Laravel 5 has just been released, so if you're following the Treehouse courses to get started make sure you grab Laravel 4.2. However, Laravel authentication has been improved upon since 4.2, so you might want to upgrade ;)

I learnt a lot of the basics reading this guide from the Ruby on Rails Guide.

Hope this helps!

Jenny Swift

Thanks, Tom! So to clarify, you don't see a problem in using Laravel for my project even if the only thing I really need it for is the authentication?

Hmm, I'm afraid I can't really answer your question without knowing more, but Laravel sounds like one solution to your current problem.

Maybe have a think about the live hosting: Laravel will be more expensive and more work than pushing to a simple shared hosting provider. I think you can play with the framework to make it work on shared hosting, but more often than not you need access to the directory above 'public', because this is where your application sits. If your hosting is flexible, it's probably easiest to go for a framework like Laravel.

You could try using the Symfony Authentication component (I can't remember if Laravel pulls this in or not). All the Symfony components are built to be 100% detachable (stand alone), so this might be the solution you're looking for: it's just the authentication piece of the framework jigsaw, and you could add any of the extra features you mentioned previously. It would require a bit more groundwork, but a lot of the itchy bits will be coded already.

Jenny Swift

OK, I think you've convinced me to keep learning Laravel. Thank you very much! :)

Jenny Swift

Hi Tom, I just wanted to report back and say thanks again for encouraging me to pursue Laravel a year ago. I love it and for way, way more than the authentication I was looking for! I had lots of private lessons to help me learn it and it gave me my first coding job (through LaraJobs). So yeah, thanks again. :)

Hey Jenny Swift!

No problem, I'm sure you would've stumbled across it by some other means if not here :-)

Congratulations and best of luck for your new job!!

Tom

I'm not an expert, and I have not used Laravel, but I would definitely go with bcrypt, which also requires the use of a salt. SHA-1 and other hashing algorithms are definitely outdated and should be avoided. You can also add a pepper (another salt value) if you feel you need additional security.

You also make a good point about brute force attacks, for which you may consider CAPTCHA or login throttling like you say.

If maximum security is something you want, you may want to consider using an Authenticator, either a custom built one or by using Google's open source solution.

Other things you may want to look into might be:

  • SQL Injections.
  • XSS attacks.
  • Session Hijacking (if you use sessions).

As far as I know, there isn't any security courses on treehouse. Since your topic is quite advanced, you're probably better off asking on stackoverflow or some other forum.
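As an added example (not code from this thread, from Treehouse or from Laravel), this is what the bcrypt hashing Christian recommends looks like in plain PHP using the `password_*` functions that ship with PHP 5.5 and later, together with a session-ID regeneration step against the session hijacking/fixation he lists. The `users` table, the in-memory SQLite connection and the sample credentials are assumptions made so the script runs offline:

```php
<?php
// Added example, not code from the original thread or from Laravel.
// Shows bcrypt password storage with PHP's built-in password_* API
// (PHP >= 5.5) and session ID regeneration on a successful login.
// ASSUMPTIONS: an in-memory SQLite database and a users(id, email,
// password_hash) table, both constructed here purely for illustration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');

// Cost 12 means 2^12 bcrypt rounds. Tune it so one hash takes roughly
// 100 ms on the production server and raise it as hardware gets faster.
define('BCRYPT_COST', 12);

function registerUser(PDO $db, $email, $password)
{
    // password_hash() draws a random 128-bit salt and embeds it in the
    // returned "$2y$12$..." string, so there is no separate salt column
    // and nothing for the developer to get wrong. Note that bcrypt only
    // looks at the first 72 bytes of the password.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $db->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function loginUser(PDO $db, $email, $password)
{
    // Prepared statement: the email never reaches the query as raw SQL.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify(), even for unknown emails, so the
    // response time does not reveal which addresses are registered.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    $storedHash = $row ? $row['password_hash'] : $dummyHash;
    $verified   = password_verify($password, $storedHash);
    if (!$verified || $row === false) {
        return false;
    }

    // Transparently upgrade hashes made with an older (cheaper) cost.
    if (password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $newHash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        $upd = $db->prepare('UPDATE users SET password_hash = :hash WHERE id = :id');
        $upd->execute([':hash' => $newHash, ':id' => $row['id']]);
    }

    // Session fixation defence: issue a fresh session ID once the user
    // is authenticated, so an ID planted before login stops being valid.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['user_id'] = (int) $row['id'];
    }

    return (int) $row['id'];
}

// Demo with constructed data.
registerUser($db, 'jenny@example.com', 'correct horse battery staple');
var_dump(loginUser($db, 'jenny@example.com', 'correct horse battery staple'));
var_dump(loginUser($db, 'jenny@example.com', 'wrong password'));
var_dump(loginUser($db, 'nobody@example.com', 'wrong password'));
```

The point worth taking from this over a hand-rolled `sha1($salt . $password)` is that the salt, the slow work factor and the constant-time comparison are all handled by `password_hash()`/`password_verify()`; the only decisions left to the application are the cost factor and when to call `password_needs_rehash()`. Laravel's `Hash::make()`/`Hash::check()` wrap the same bcrypt primitive.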

Jenny Swift

Hi Christian, thanks so much for the reply. Do you think I'm being overly paranoid about the security? I thought security would be a common basic need for web developers and the fact that Treehouse doesn't have a course on it (and I imagine they would if it was an important and common need like I thought) makes me wonder if I'm being more concerned about it than I need to be. I'm creating an app for users to track their income and expenses. It's not like I'm storing their credit card details, however I still don't want people to be able to do some hack to access someone else's data which should be confidential.

Hi Jenny,

I wasn't suggesting that you were being paranoid at all. The level of security totally depends on what kind of application you are developing and what you are storing (which I didn't know until now).

I definitely think you should encrypt passwords as well as possible, in case of a database intrusion. Login throttling is also good, though other methods exist to prevent brute-force logins. In my last app, I had a log in the database which would register every failed attempt from a given user and/or IP. After 5 failed attempts they were banned for 15 mins, after which it would reset. CAPTCHA is also a good solution, and probably sufficient for what you're developing.

Bots seem in most cases to be the biggest threat really. They'll hack or break any website they find, whereas a hacker would first question if it's worth his/her time to do so. So beware of bot-related weaknesses.

It's good practice to develop with security in mind, but don't spend more time on it than necessary. Always ask yourself "who" (bots, script kiddies, hackers) would try and compromise your system and "why" (what will they get if they succeed? Is it worth their time?).
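The failed-login log Christian describes (every failure recorded per user and/or IP, five failures trigger a 15-minute ban, then it resets) can be written in a few dozen lines of plain PHP. The following is an added example, not Christian's code or the original poster's; the `login_failures` table, the in-memory SQLite connection, the thresholds and the fixed clock used in the demo are all assumptions made so it runs offline:

```php
<?php
// Added example, not code from the original thread. Implements the lockout
// described above: log each failed attempt by username and IP, refuse
// further logins after MAX_FAILURES within the window, and let the ban
// expire after LOCKOUT_SECONDS. ASSUMPTIONS: an in-memory SQLite database
// and a login_failures table, both constructed here for illustration.

define('MAX_FAILURES', 5);
define('LOCKOUT_SECONDS', 15 * 60);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login_failures (
    username  TEXT    NOT NULL,
    ip        TEXT    NOT NULL,
    attempted INTEGER NOT NULL
)');

// Count failures inside the window for the username and for the IP separately.
// Checking both means one address rotating through many usernames is still
// throttled, and many addresses hammering one account are too.
function failuresInWindow(PDO $db, $username, $ip, $now)
{
    $stmt = $db->prepare(
        'SELECT
            SUM(CASE WHEN username = :u  THEN 1 ELSE 0 END) AS by_user,
            SUM(CASE WHEN ip       = :ip THEN 1 ELSE 0 END) AS by_ip
         FROM login_failures
         WHERE attempted > :since'
    );
    $stmt->execute([':u' => $username, ':ip' => $ip, ':since' => $now - LOCKOUT_SECONDS]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // SUM() over zero rows is NULL; the int cast turns that into 0.
    return ['by_user' => (int) $row['by_user'], 'by_ip' => (int) $row['by_ip']];
}

function isLockedOut(PDO $db, $username, $ip, $now)
{
    $counts = failuresInWindow($db, $username, $ip, $now);
    return $counts['by_user'] >= MAX_FAILURES || $counts['by_ip'] >= MAX_FAILURES;
}

function recordFailure(PDO $db, $username, $ip, $now)
{
    $stmt = $db->prepare('INSERT INTO login_failures (username, ip, attempted) VALUES (:u, :ip, :t)');
    $stmt->execute([':u' => $username, ':ip' => $ip, ':t' => $now]);
}

// After a successful login the user's own failures are cleared so a
// legitimate user is not punished for earlier typos. Failures logged
// against the IP are deliberately kept.
function clearFailures(PDO $db, $username)
{
    $stmt = $db->prepare('DELETE FROM login_failures WHERE username = :u');
    $stmt->execute([':u' => $username]);
}

// Wraps the real credential check. $checkPassword is whatever verifies the
// password (for example password_verify() against the stored bcrypt hash).
// $now is injectable so the expiry can be demonstrated without waiting.
function attemptLogin(PDO $db, $username, $ip, $password, callable $checkPassword, $now = null)
{
    $now = $now === null ? time() : $now;
    if (isLockedOut($db, $username, $ip, $now)) {
        return 'locked';   // refuse before running the password check at all
    }
    if (!$checkPassword($username, $password)) {
        recordFailure($db, $username, $ip, $now);
        return 'denied';
    }
    clearFailures($db, $username);
    return 'ok';
}

// Demo with constructed data and a fixed clock.
$check = function ($user, $pass) { return $user === 'jenny' && $pass === 'secret'; };
$t0 = 1000000;
$ip = '203.0.113.7';
for ($i = 0; $i < MAX_FAILURES; $i++) {
    echo attemptLogin($db, 'jenny', $ip, 'wrong', $check, $t0 + $i), "\n";
}
// Correct password while the ban is still active.
echo attemptLogin($db, 'jenny', $ip, 'secret', $check, $t0 + 10), "\n";
// Same credentials once the 15-minute window has passed.
echo attemptLogin($db, 'jenny', $ip, 'secret', $check, $t0 + LOCKOUT_SECONDS + 11), "\n";
```

Two practical caveats when using this for real: take the client address from `$_SERVER['REMOTE_ADDR']` and only trust a forwarded header if your own reverse proxy sets it, otherwise an attacker can choose the IP that gets banned; and per-IP counting can lock out everyone behind one corporate NAT, which is why Christian's CAPTCHA suggestion is a reasonable fallback once a threshold is hit rather than a hard ban.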

Jenny Swift

ok, thanks Christian, I really appreciate you taking the time to respond!