Enrico Zimuel, Zend consultant in Italy, wrote an interesting article on how to create a secure login with Zend Framework. The sample application uses Zend_Form, Zend_Auth_Adapter_DbTable, Zend_Session, Zend_Config and Zend_Db_Table. The security aspects of this application are:

  • MD5 hashes of the passwords stored in the database;
  • pseudo-random token generated in the form to prevent CSRF attacks;
  • timeout on the token's validity to improve the security of the login system;
  • regeneration of the session ID to mitigate session fixation attacks;
  • redirect to a 403 Forbidden page when a CSRF attack is detected;
  • filtering of the user input with Zend_Form to prevent SQL injection attacks.
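The CSRF token, its timeout, the 403 response and the session ID regeneration listed above fit together in one request flow. The following is an added example written for this post, not code from Enrico Zimuel's article or from Zend Framework: it is framework-agnostic PHP (plain arrays stand in for the session, a callable stands in for Zend_Auth_Adapter_DbTable), and the function names, the 300-second lifetime and the status codes returned are this example's own choices.

```php
<?php
// Added example, not from the article: CSRF token with timeout, one-time use,
// 403 on failure and session ID regeneration after a successful login.

const CSRF_TOKEN_LIFETIME = 300; // seconds a token stays valid (assumed value)

// Issue a fresh pseudo-random token and remember it, with its creation time, in the session.
function csrf_issue_token(array &$session): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the CSPRNG
    $session['csrf'] = ['token' => $token, 'issued_at' => time()];
    return $token;                                 // goes into a hidden form field
}

// Validate the submitted token: it must exist, match in constant time and not be expired.
// The stored token is consumed whatever the outcome, so each form render needs a new one.
function csrf_validate_token(array &$session, ?string $submitted, ?int $now = null): bool
{
    $now = $now ?? time();
    if ($submitted === null || !isset($session['csrf']['token'], $session['csrf']['issued_at'])) {
        return false;
    }
    $expired = ($now - $session['csrf']['issued_at']) > CSRF_TOKEN_LIFETIME;
    $matches = hash_equals($session['csrf']['token'], $submitted);
    unset($session['csrf']);
    return $matches && !$expired;
}

// Handle a login POST. Order matters: reject a bad CSRF token before touching credentials,
// and rotate the session ID only after authentication succeeds.
// $authenticate(string $username, string $password): bool plays the role of the DbTable adapter.
function handle_login(array &$session, array $post, callable $authenticate, ?int $now = null): int
{
    if (!csrf_validate_token($session, $post['csrf_token'] ?? null, $now)) {
        return 403;                                // the article redirects to a 403 Forbidden page
    }
    if (!$authenticate($post['username'] ?? '', $post['password'] ?? '')) {
        return 401;                                // wrong credentials: no session changes
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);               // new ID, old one deleted: defeats session fixation
    }
    $session['user'] = $post['username'];
    return 200;
}

// Constructed demo with an in-memory "session" and a fixed-credential authenticator.
$session = [];
$auth = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';

$token = csrf_issue_token($session);
echo handle_login($session, ['csrf_token' => 'forged', 'username' => 'alice', 'password' => 'correct horse'], $auth), PHP_EOL; // 403: token mismatch

$token = csrf_issue_token($session);
echo handle_login($session, ['csrf_token' => $token, 'username' => 'alice', 'password' => 'correct horse'], $auth, time() + 600), PHP_EOL; // 403: token expired

$token = csrf_issue_token($session);
echo handle_login($session, ['csrf_token' => $token, 'username' => 'alice', 'password' => 'correct horse'], $auth), PHP_EOL; // 200: valid token and credentials
```

Checking the token before the credentials means a forged request never reaches the database, and consuming the token on every attempt means a captured token cannot be replayed against a second form submission.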

One insecure point of this application is that the username and password are submitted in plain text. Any attacker able to sniff the HTTP traffic between client and server can capture this information. To build a really secure system I suggest using the Secure Sockets Layer protocol (SSL); this is the only way to encrypt the communication between client and server.

Read the Build a secure login with Zend Framework article; the source code is available for download.