Please Critique my PHP authentication efforts

你的背包 2021-02-01 09:42

After posting this a while back, I decided to create my own Registration / Authentication capability in PHP. I'd love anyone to point out the flaws / opportunities for improve

6 answers
  •  后悔当初
    2021-02-01 10:08

    Short answer: looks good!

    Long answer:

    1. Yes, you should allow stronger/longer passwords, but otherwise this is ok. Just make sure you accept only valid url-part characters (I'd stick with the PCRE word characters) for the site name. However, a "validate this email" system would be appropriate, to make sure the registrant actually controls the provided email address.
    2. Looks good. I like sha1 better than md5, though.
    3. As long as your sessions are safe, you can store more than just the username (which would be a fairly expensive lookup to SQL for every page request - go ahead and store their PK).
    4. Looks good, but should be adjusted per my comments in #3

    To make sure you are handling your session security properly, check the guide on PHPSec.
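The registration, email-verification and session-handling points raised in the answer above, as an added example that is not part of the question or of this answer. It assumes a PDO connection and a hypothetical `users` table (columns `id`, `site_name`, `email`, `password_hash`, `email_verified`, `verify_token_hash`); site names are restricted to PCRE word characters as the answer suggests, the password is stored with PHP's `password_hash()`/`password_verify()` (salted, deliberately slow; bcrypt by default) rather than a bare digest, the verification token is stored only as a hash, and the session keeps the user's primary key as point 3 recommends.

```php
<?php
declare(strict_types=1);

// Added example, not code from the question or the answer. It assumes a PDO
// connection and a hypothetical table
//   users(id, site_name, email, password_hash, email_verified, verify_token_hash)
// and that session_boot() has been called before any of the session functions.

const SITE_NAME_PATTERN = '/^\w{3,32}$/';  // PCRE word characters only, per the answer
const MIN_PASSWORD_BYTES = 12;
const MAX_PASSWORD_BYTES = 72;              // bcrypt (PASSWORD_DEFAULT) ignores bytes beyond 72

function session_boot(): void
{
    // Cookie flags: not readable by JS, HTTPS only, not sent on cross-site POSTs.
    session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);
    session_start();
}

function validate_registration(string $siteName, string $email, string $password): array
{
    $errors = [];
    if (!preg_match(SITE_NAME_PATTERN, $siteName)) {
        $errors[] = 'site name must be 3-32 letters, digits or underscores';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email address is not well-formed';
    }
    $len = strlen($password);  // bytes on purpose: that is what bcrypt counts
    if ($len < MIN_PASSWORD_BYTES || $len > MAX_PASSWORD_BYTES) {
        $errors[] = sprintf('password must be %d-%d bytes', MIN_PASSWORD_BYTES, MAX_PASSWORD_BYTES);
    }
    return $errors;
}

function register(PDO $pdo, string $siteName, string $email, string $password): string
{
    $errors = validate_registration($siteName, $email, $password);
    if ($errors !== []) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    // Salted, slow hash with a versioned prefix; never a bare md5/sha1 digest.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // One-time email verification token: the raw value goes into the mail, only
    // its hash is stored, so a database read alone cannot verify an account.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare(
        'INSERT INTO users (site_name, email, password_hash, email_verified, verify_token_hash)
         VALUES (?, ?, ?, 0, ?)'
    );
    $stmt->execute([$siteName, $email, $hash, hash('sha256', $token)]);
    return $token;  // the caller embeds this in the verification link it mails out
}

function verify_email(PDO $pdo, string $token): bool
{
    $stmt = $pdo->prepare(
        'UPDATE users SET email_verified = 1, verify_token_hash = NULL WHERE verify_token_hash = ?'
    );
    $stmt->execute([hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

function login(PDO $pdo, string $siteName, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, password_hash, email_verified FROM users WHERE site_name = ?');
    $stmt->execute([$siteName]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC) ?: null;

    // Always run password_verify(), against a throwaway hash when the account does
    // not exist, so response time does not reveal which site names are registered.
    static $dummyHash = null;
    $dummyHash ??= password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    $ok = password_verify($password, $row['password_hash'] ?? $dummyHash);
    if ($row === null || !$ok || (int) $row['email_verified'] !== 1) {
        return false;
    }
    // Transparently upgrade hashes when PHP's default algorithm or cost changes.
    if (password_needs_rehash($row['password_hash'], PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = ? WHERE id = ?');
        $upd->execute([password_hash($password, PASSWORD_DEFAULT), $row['id']]);
    }
    // A fresh session ID on privilege change defeats session fixation; keep the
    // primary key (answer, point 3) so later requests need no username lookup.
    session_regenerate_id(true);
    $_SESSION['user_id'] = (int) $row['id'];
    return true;
}

function current_user_id(): ?int
{
    return isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
}

function logout(): void
{
    $_SESSION = [];
    session_regenerate_id(true);
    session_destroy();
}
```

The login path deliberately checks the password before the "does the account exist / is it verified" conditions so that a missing account, an unverified one and a wrong password all cost roughly the same time and return the same result; the only per-request work for authenticated pages is reading the integer primary key out of `$_SESSION`.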
