
Does anyone know any good login methods? Preferably PHP, JavaScript (MySQL on my server, or some other server like OpenID servers).

My CMS currently accepts my custom commands: ./?type=* and allows anyone to manage my site's pages, users, and everything. I need to implement the users into a login.

I was thinking about a challenge and response login, but I am not sure how to implement it. I know about OpenID, but I have not found any lightweight versions; my CMS has a goal to be only 2 main files where neither is over 3K each (2K currently), plugins extend it a heap.

JamesM-SiteGen
  • Passwords sent to the server in plain text are not secure. – JamesM-SiteGen Jan 15 '11 at 06:53
  • @James: Well that has nothing to do with PHP... if you need a secure request/response use https. – prodigitalson Jan 15 '11 at 06:55
  • SSL is the only way to do that. You can also hash the password via Javascript (I don't recommend this at all), then compare it serverside using PHP, but only if you cannot use SSL. –  Jan 15 '11 at 06:57
  • https = one site per server, port 443 is already in use. And therefore I don't want to open another port 444 for another site, and etc. – JamesM-SiteGen Jan 15 '11 at 06:57
  • Have you tried using VirtualHosts on port 443 in Apache? –  Jan 15 '11 at 06:58
  • What I have thought about is having PGP keys, but is that a bad idea for many users, that could be anyone, like my mum? – JamesM-SiteGen Jan 15 '11 at 06:59
  • I have already got port 443 in use, so no more sites can use 443, and I have a self-signed SSL cert for that domain, so SSL is not always the perfect way to go; I'll need all users to install a certificate on every computer they want to use. – JamesM-SiteGen Jan 15 '11 at 07:01
  • If I only had one domain I would buy an HTTPS SSL key for me to use, as it would be for port 443 on my domain and available to all users. – JamesM-SiteGen Jan 15 '11 at 07:02
  • You should be able to self sign multiple certs for every host that you are using in Apache. You can assign multiple domains on the same server using VirtualHosts even if they share the same port. –  Jan 15 '11 at 07:04
  • Yes I can, but only one domain can use port 443, and I do not wish to use extra ports for SSL. – JamesM-SiteGen Jan 15 '11 at 07:06
  • Humm, how do you get 2 domains on the same port in Apache? – JamesM-SiteGen Jan 15 '11 at 07:07
  • Add another VirtualHost for port 443. –  Jan 15 '11 at 07:09
  • You may want to revisit the name based vhost docs: http://httpd.apache.org/docs/2.0/vhosts/name-based.html – prodigitalson Jan 15 '11 at 07:17
  • Voting to close as not a real question. This is definitely too broad; it covers the whole (well documented) topic of authentication. – markus Jan 15 '11 at 08:58
  • Well there is an answer so I'm renaming the question, so please unvote to close. @tharkun – JamesM-SiteGen Jan 15 '11 at 09:54
  • Also considering challenge-response? If not sure how, try Google; there are sample implementations in PHP. – Andreas Jan 15 '11 at 10:49

1 Answer


You should not implement a login system yourself but use safe providers like, just to name a few:

They all also have the advantage that users do not have to create yet another account.

I think the lightopenid implementation is going to be the easiest to implement (the snippets in my example just work). Although implementing Google Friend Connect is also easy and has the added bonus that users can sign in with all the above providers at once.

Alfred
  • Humm, lightopenid cleaned to my standard is 21K. Do you know any lighter versions of OpenID? – JamesM-SiteGen Jan 15 '11 at 10:06
  • @JamesM I don't see any problem with 21K? The SLOC is only 744, included with a lot of documentation. If you remove documentation I bet the file size is going to be a lot smaller. But then again I really don't see any problem with this. This is the most lightweight version of OpenID implementation I know. The most I used/saw are a lot harder to use. – Alfred Jan 15 '11 at 10:13
  • I removed all documentation and cleaned it to my standard for programming. – JamesM-SiteGen Jan 15 '11 at 10:15
  • All of my main CMS files (2 files) are only 2-3K; now that is also very fast. I want it to be as slim as I can get it. :) – JamesM-SiteGen Jan 15 '11 at 10:16
  • First off, premature optimization is the root of all evil. The OpenID class is only going to be loaded when the user is trying to log in (after that the session is set). You could make a callgraph (http://preview.tinyurl.com/6bnxccw) to see which methods are being called and remove the rest of the unused methods, because the OpenID spec is very big and a lot of the parts you aren't going to be using for simple authentication. – Alfred Jan 15 '11 at 10:28
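The answer recommends LightOpenID but the snippets it refers to are not on this page. Below is an added relying-party example written for this page (it is not the answer author's code or the LightOpenID project's own sample). It assumes LightOpenID's public API as documented in its README (class `LightOpenID` constructed with the site host, the `$mode`, `$identity` and `$required` properties, `authUrl()`, `validate()` and `getAttributes()`), that `openid.php` is on the include path, and a hypothetical allow-list `$allowed_admins`. The provider URL shown is Google's historical OpenID 2.0 endpoint, which Google shut down in 2015, so substitute a provider that still speaks OpenID 2.0 (or OpenID Connect for Google). The two security points a practitioner should take from it are that `validate()` must succeed before `$openid->identity` is trusted (the raw `openid_identity` query parameter is attacker-controlled), and that a valid OpenID only proves who the visitor is; the CMS still has to decide which identities may manage the site, which the allow-list does.

```php
<?php
// Added example relying party using LightOpenID (assumed public API; see lead-in).
require_once 'openid.php';

session_start();

// Hypothetical allow-list: only these verified OpenID identities may administer the CMS.
// Authentication (who you are) is not authorization (what you may do).
$allowed_admins = array(
    'https://openid.example.com/alice', // assumed identity URL
);

// Constructor argument is the realm shown to the user by the provider and must be
// the host that the return URL lives on (assumption: current LightOpenID signature).
$openid = new LightOpenID('example.com');

try {
    if (!$openid->mode) {
        // Step 1: no openid.mode parameter yet, so this is the initial visit.
        if (isset($_GET['login'])) {
            // Discovery happens on the identity URL; for a directed-identity provider
            // this is the provider's endpoint rather than a per-user URL.
            $openid->identity = 'https://www.google.com/accounts/o8/id'; // defunct since 2015
            $openid->required = array('contact/email');                  // AX attribute request
            header('Location: ' . $openid->authUrl());
            exit;
        }
        echo '<a href="?login">Log in with OpenID</a>';
    } elseif ($openid->mode === 'cancel') {
        // The user declined at the provider; nothing was asserted.
        echo 'Login cancelled.';
    } else {
        // Step 2: the provider redirected back with a signed assertion.
        // validate() checks the signature (via the association or check_authentication),
        // the response nonce, and that return_to matches this URL. Until it returns true,
        // nothing in $_GET (including openid_identity) may be believed.
        if (!$openid->validate()) {
            header('HTTP/1.1 403 Forbidden');
            exit('OpenID assertion failed validation.');
        }

        $identity = $openid->identity;   // verified claimed identifier
        if (!in_array($identity, $allowed_admins, true)) {
            header('HTTP/1.1 403 Forbidden');
            exit('This OpenID is authenticated but not authorized to manage the site.');
        }

        // Rotate the session id on privilege change so a session id fixed before
        // login (e.g. via a link the attacker sent) cannot be reused afterwards.
        session_regenerate_id(true);

        $attrs = $openid->getAttributes();
        $_SESSION['admin'] = array(
            'identity' => $identity,
            'email'    => isset($attrs['contact/email']) ? $attrs['contact/email'] : null,
            'since'    => time(),
        );

        echo 'Logged in as ' . htmlspecialchars($identity, ENT_QUOTES, 'UTF-8');
    }
} catch (ErrorException $e) {
    // LightOpenID throws ErrorException when discovery or the provider round-trip fails.
    header('HTTP/1.1 502 Bad Gateway');
    echo 'OpenID error: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

The CMS's `./?type=*` command handler would then check `isset($_SESSION['admin'])` before doing anything administrative. Note that this keeps the user's password entirely off your server, which is the answer's point, but the return leg still carries the session cookie, so the original comment about HTTPS applies to that cookie just as it would to a password form.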