Jenny Swift (21,999 Points)
secure PHP login system and is Laravel worth learning
Hi, so I want to make a secure login system for my PHP web application. I have already written my code for the login system, but after googling, it seems agreed upon that it's not a good idea to write your own login system: that it's better to use code developed by someone who knows what they are doing, for security reasons.
So I've started looking into libraries and frameworks in the hope of finding something that will give me a secure login system. I started the Laravel course here at Treehouse, and so far it feels like way more than I need and a secure login system hasn't been addressed.
On the other hand, Laravel seems very popular so I wonder if it is worth the effort.
Can you advise me please if learning Laravel is a sensible approach to achieving what I want, or if it is overkill and if there is a better approach?
What I want is this:
- good password hashing and salting (I hear bcrypt is good)
- failed login throttling to prevent brute force attacks
- and there are probably other things I'm not aware of that are needed for security
Basically, I want to protect my users' data, but security seems an incredibly overwhelming/complex topic and I've been struggling to find a good course on how to keep my users' data safe.
If you're interested in learning more and struggling for a place to start, you could always dive into the authentication objects that ship with laravel.
sentry is another well(ish) known authentication system. I have had a play with it and it's pretty full on but loads of places to copy and paste from on the internet. I personally took a dislike to it because the support is pretty poor and I've got a feeling it's not actively supported anymore!
I imagine Treehouse don't offer authentication/heavy security courses on purpose to avoid being culpable for hacks on student sites / their client sites.
Laravel ships with all the auth stuff out of the box, so if it were me, I would head over there. Laravel 5 has just been released, so if you're following the Treehouse courses to get started make sure you grab laravel 4.2. However Laravel authentication has been improved upon since 4.2, so you might want to upgrade ;)
I learnt a lot of the basics reading this guide from the Ruby on Rails Guide.
Hope this helps!
I'm not an expert, and I have not used Laravel, but I would definitely go with bcrypt, which also requires the use of salt. SHA-1 and other hashing algorithms are definitely outdated and should be avoided. You can also add pepper (another salt value) if you feel you need additional security.
You also make a good point about brute force attacks in which you may consider CAPTCHA or login throttling like you say.
If maximum security is something you want, you may want to consider using an Authenticator, either a custom built one or by using Google's open source solution.
Other things you may want to look into might be:
- SQL Injections.
- XSS attacks.
- Session Hijacking (if you use sessions).
As far as I know, there aren't any security courses on Treehouse. Since your topic is quite advanced, you're probably better off asking on Stack Overflow or some other forum.
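The two things the question asks for, bcrypt hashing with a per-user salt (plus the pepper the answer above mentions) and failed-login throttling, fit in a few dozen lines of plain PHP using only the standard `password_hash` / `password_verify` API. The script below is an added example written for this thread; it is not code from the original posts, from Treehouse or from Laravel. It assumes PHP 7.4 or later, uses an in-memory array in place of a users table, and reads the pepper from a hypothetical `APP_PEPPER` environment variable (the fallback string is a placeholder, not a real secret).

```php
<?php
declare(strict_types=1);

// Added example, not from the original thread. Shows bcrypt hashing with an
// application-wide pepper and per-account failed-login throttling. The $users
// array stands in for a database table (assumption for the demo).

const MAX_FAILED_ATTEMPTS = 5;
const LOCKOUT_SECONDS     = 15 * 60;
const BCRYPT_COST         = 12;

// Pepper: a secret stored outside the database (env var / secrets manager), so a
// dumped users table alone cannot be cracked offline. Hypothetical name and value.
$pepper = getenv('APP_PEPPER') ?: 'placeholder-replace-with-a-random-32-byte-secret';

// Simulated storage: username => ['hash' => string, 'failed' => int, 'locked_until' => int]
$users = [];

function prehash(string $password, string $pepper): string
{
    // HMAC the password with the pepper before bcrypt. The 64-hex-char output also
    // stays inside bcrypt's 72-byte input limit, so long passwords are not truncated.
    return hash_hmac('sha256', $password, $pepper);
}

function register(array &$users, string $username, string $password, string $pepper): void
{
    // password_hash generates a random 16-byte salt per user; never hand-roll or reuse salts.
    $hash = password_hash(prehash($password, $pepper), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $users[$username] = ['hash' => $hash, 'failed' => 0, 'locked_until' => 0];
}

function login(array &$users, string $username, string $password, string $pepper, int $now): string
{
    // Dummy hash so an unknown username costs the same time as a real one (limits enumeration).
    static $dummy = null;
    $dummy ??= password_hash('dummy', PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);

    $known  = isset($users[$username]);
    $record = $known ? $users[$username] : ['hash' => $dummy, 'failed' => 0, 'locked_until' => 0];

    if ($record['locked_until'] > $now) {
        return 'locked';
    }

    // password_verify is a constant-time comparison of the bcrypt output.
    $ok = password_verify(prehash($password, $pepper), $record['hash']);

    if (!$known) {
        return 'denied';
    }

    if (!$ok) {
        $users[$username]['failed']++;
        if ($users[$username]['failed'] >= MAX_FAILED_ATTEMPTS) {
            $users[$username]['locked_until'] = $now + LOCKOUT_SECONDS;
            $users[$username]['failed'] = 0;
        }
        return 'denied';
    }

    // Success: reset the counter and upgrade the hash if the cost has been raised since it was stored.
    $users[$username]['failed'] = 0;
    if (password_needs_rehash($record['hash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $users[$username]['hash'] = password_hash(prehash($password, $pepper), PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    }
    return 'ok';
}

// Demo run with constructed input.
register($users, 'alice', 'correct horse battery staple', $pepper);
$now = time();
for ($i = 0; $i < MAX_FAILED_ATTEMPTS; $i++) {
    echo login($users, 'alice', 'wrong password', $pepper, $now), PHP_EOL;
}
echo login($users, 'alice', 'correct horse battery staple', $pepper, $now), PHP_EOL;
echo login($users, 'alice', 'correct horse battery staple', $pepper, $now + LOCKOUT_SECONDS + 1), PHP_EOL;
echo login($users, 'mallory', 'anything', $pepper, $now), PHP_EOL;
```

Two caveats a practitioner would want. First, a per-account lockout can be turned against you: anyone who knows a username can lock that user out by sending five bad passwords, so pair it with a per-IP rate limit or a CAPTCHA rather than relying on it alone. Second, the `locked_until` check runs before `password_verify`, so a locked account responds faster than an unknown one; if username enumeration matters more to you than the saved CPU, move the check after the verify call.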