cryptapus
  1. Generally, I agree with your statement. I guess I had a couple of goals for this project in order of importance: 1) Education, learning about php and how to apply it. 2) Simplicity, I didn't want anything like a registration scheme, etc., limiting attack surface area. 3) I didn't want to have to track another php project for security. I felt like if I coded it I would have more control in how/what was vulnerable (of course I recognize the can of worms that opens). If something simple is available in debian stable (to get security support) I would be interested, but I didn't want something super big like zend. I didn't see anything obvious... Suggestions are welcome. Thanks for the advice, I think it's very good and will do some thinking on what I can apply that's out there...
  2. Thanks for the feedback, I will do some more reading on the topics you suggest. I think I understand your concerns, except for your statement that the database class should not be responsible for creating database tables. Is it that you mean that the database class should strictly be meant as a connection to the database? If one were interested in abstracting the database calls in the interest of making it database independent, wouldn't it be best for the database class to handle all SQLite/MySQL/PostgreSQL translations? One more item, I've done some reading on different implementations of a "Remember Me" cookie and I think I'm safe, but here's the process:
     1) User logs into the site with the "Remember Me" checkbox checked.
     2) Site does a Username/Password validation, then sets a cookie for 30 days that contains a Username and a SHA256 hash of rand() (Cookietok), which is stored in the database.
     3) User leaves, then comes back and presents the Username and Cookietok cookies. If a match, a new Cookietok is calculated and set as the Cookietok cookie, and the database is updated, rewriting the old value with the new. (A user is allowed to have multiple Cookietoks for different devices, but they are treated the same way.)
     4) On logout, all Cookietoks are removed for the user.
     Thanks for your review. Kind Regards,
  3. Greetings! I am by no means a php expert, but I've attempted to make a simple php/sqlite user framework and would appreciate some critical feedback, especially on the authentication technique. My goal with this project was to make it simple and lightweight for light-duty/personal use. The project can be found here: https://github.com/cryptapus/phpsqliteuser I currently have two different login mechanisms in lib/class.user.php: a user->login() that uses POST username and password, and a user->login_cookie() that uses a "Remember Me" cookie from the client. Thank you in advance for any constructive feedback. Pull requests are also welcome. Kind Regards,
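The "Remember Me" process laid out in the second post above (issue a token at password login, store it, rotate it on each successful cookie login, revoke all of a user's tokens on logout) is reproduced below as an added example; it is not code from the phpsqliteuser project. It goes beyond the post in three places a reviewer would ask about: it draws the token from random_bytes() rather than rand(), which is not a cryptographically secure generator; it stores only a SHA-256 hash of the secret half of the cookie, so that a read of the database table does not yield working cookies; and it compares that hash with hash_equals() to avoid a timing side channel. The class name, the remember_tokens table, the selector:verifier cookie format and the 30-day expiry column are assumptions made for this example. It uses PDO with an in-memory SQLite database and needs PHP 8.0 or later.

```php
<?php
// Added example, not the project's code: a "Remember Me" token store
// following the four-step process in the post, with defender-side
// hardening (CSPRNG token, hashed storage, constant-time compare,
// rotation on use, revoke-all on logout).
declare(strict_types=1);

final class RememberMe
{
    private const LIFETIME = 30 * 24 * 60 * 60; // 30 days, as in the post

    public function __construct(private PDO $db)
    {
        // Assumed table; the post only says the token "is stored in the database".
        $db->exec(
            'CREATE TABLE IF NOT EXISTS remember_tokens (
                selector      TEXT PRIMARY KEY,
                username      TEXT NOT NULL,
                verifier_hash TEXT NOT NULL,
                expires_at    INTEGER NOT NULL
            )'
        );
    }

    /** Step 2: issue a token for $username; returns the cookie value to set. */
    public function issue(string $username): string
    {
        $selector = bin2hex(random_bytes(12)); // lookup key, stored as-is
        $verifier = bin2hex(random_bytes(32)); // secret, stored only as a hash
        $stmt = $this->db->prepare(
            'INSERT INTO remember_tokens (selector, username, verifier_hash, expires_at)
             VALUES (:s, :u, :h, :e)'
        );
        $stmt->execute([
            ':s' => $selector,
            ':u' => $username,
            ':h' => hash('sha256', $verifier),
            ':e' => time() + self::LIFETIME,
        ]);
        return $selector . ':' . $verifier;
    }

    /**
     * Step 3: validate a presented cookie. On success the presented token is
     * deleted, a fresh one is issued (rotation) and [$username, $newCookie]
     * is returned; on any failure null is returned.
     */
    public function validate(string $cookie): ?array
    {
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2) {
            return null;
        }
        [$selector, $verifier] = $parts;

        $stmt = $this->db->prepare(
            'SELECT username, verifier_hash, expires_at
               FROM remember_tokens WHERE selector = :s'
        );
        $stmt->execute([':s' => $selector]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['expires_at'] < time()) {
            return null;
        }
        // Constant-time comparison of two equal-length hex digests.
        if (!hash_equals($row['verifier_hash'], hash('sha256', $verifier))) {
            return null;
        }
        // Single use: drop the token just presented, then issue a replacement.
        $this->db->prepare('DELETE FROM remember_tokens WHERE selector = :s')
                 ->execute([':s' => $selector]);
        return [$row['username'], $this->issue($row['username'])];
    }

    /** Step 4: logout revokes every token the user holds, on all devices. */
    public function revokeAll(string $username): void
    {
        $this->db->prepare('DELETE FROM remember_tokens WHERE username = :u')
                 ->execute([':u' => $username]);
    }
}

// Walk-through against an in-memory database.
$rm = new RememberMe(new PDO('sqlite::memory:'));
$cookie = $rm->issue('alice');               // set after a password login
[$user, $next] = $rm->validate($cookie);     // returning visit: token rotates
assert($user === 'alice' && $next !== $cookie);
assert($rm->validate($cookie) === null);     // the replaced cookie no longer works
$rm->revokeAll('alice');                     // logout
assert($rm->validate($next) === null);       // nothing survives revocation
echo "remember-me flow ok\n";
```

Splitting the cookie into a selector and a verifier lets the database lookup stay a plain indexed equality on the selector while the secret half is only ever compared through hash_equals(). Each issued row is one device, so the post's "multiple Cookietoks for different devices" behaviour is kept, and revokeAll() is the logout step. Setting the cookie itself (with HttpOnly, Secure and a SameSite attribute) is left to the caller.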