Chapter 12. User Authentication

WHAT'S IN THIS CHAPTER?

  • Designing the MySQL database

  • Basic HTTP-based authentication

  • Digest HTTP-based authentication

  • Pure PHP authentication

  • Securing user information in cookies

  • Access Control Lists

PHP is particularly well suited for user authentication, and where PHP is used for authentication you will usually find a MySQL database behind it. It doesn't take long for an application to grow to the point where it needs an authentication system, which will most likely include:

  • User login and logout

  • User roles (administrator, guest, and so on)

  • User management

Similarly, it often isn't long before built-in Apache or IIS authentication becomes insufficient. In many cases, the authentication system is one of the first scripts that a PHP programmer attempts to write. Expert PHP programmers recognize that security — especially when it comes to sensitive user information — is paramount, and if the developer is not careful, it is easy to leave an application open to attacks such as session theft and replay attacks.

This chapter covers techniques and best practices for storing user account information, authenticating users, and maintaining sessions.

The chapter finishes off with a brief overview of Access Control List (ACL).

Note

Two topics that are not covered in this chapter are OpenID and OAuth. Both are methods for authenticating users with third-party login credentials. Each method warrants discussion and is appropriate to use in many if not most applications. However, ...

Get Expert PHP and MySQL® now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.