I'm building a site that requires user authentication and authorization. My initial idea was to write the application using the Flask framework. However, I learned that Flask doesn't have a built in authentication system. It does have an extension flask-login, but I haven't gotten any confirmation as to whether this extension is well-written. I've read that it's very easy to get authentication wrong.

1. Might it be a good idea to switch to something like Django or web2py, which do have built in authentication systems?

2. Do good web programmers typically choose to use tried and true authentication systems as opposed to trying to roll out their own?

3. Is there a good guide that demonstrates best practices with respect building an authentication/authorization system?

Thanks guys!

If you want to add user login capability to your website (that is, authentication and authorization) use an existing framework. Unless you're an expert in security, the probability of writing secure a system is close to 0. This applies regardless of the language you program in and regardless of the framework you are using.

Unfortunately, I have seen people answer this question as follows: "This is not that hard, and fun to code, as a beginner. You need a place to store your data (let's say a mysql database). You should store ENCRYPTED versions of the passwords, etc. etc." This answer is COMPLETELY INCORRECT.

There are free authentication frameworks available, USE THEM. For example, Django and web2py have built-in authentication systems. Many frameworks do not come with built-in authentication (e.g. Flask, webpy); this does not mean you should roll out your own framework. It just means you should find 3rd party authentication software. For Flask, there is Flask-login.

So, the answer to my original questions are:

1.) Yes, or integrate a verified 3rd-party software system.

2.) Yes, the best practices says DO NOT WRITE YOUR OWN AUTHENTICATION SYSTEM. Use one that's already been built.

3.) You shouldn't need a guide to building an authentication system, because you shouldn't be building one. However, OWASP is a great security resource.

Here's a brief summary: Do not write your own authentication system. Use a pre-built authentication system that is trusted. If anyone has any recommendations for authentication systems that can be used with Python, feel free to post them.

There are a lot of ways here to secure your code from SQL injection attack. But what I require is How to log sql injection attack so that we can add him(the attacker-user) in the blacklist-users database.

What I need here, is a kind of function which will return true if there's a sql injection.

<?php
if(isset($_POST['username'])){
// need a function here which will return true if there's
// a sql injection else false
}
?>

You can use PHP-IDS to detect security attacks (not just SQL injection) and add custom behavior. In my case I run PHP-IDS at the start of every request. If an issue is detected, I log to the database, return a generic error message to the user and die().

Be warned though that PHP-IDS will not detect all SQL injection issues. It's not possible to do that automatically. You still need to properly handle your queries.

I am developing a custom server application that will access a database. I need to decide where I will store the credentials (and to address) to that server.

A common solution is to put the credential in a config file. However, I do not want a compromised server to mean that the hacker has access to the DB (which is hosted on a separate server).

I could store the credentials in the environment, but that is just security through obscurity. Mr. Evil can just look in the environment to find it.

Someone suggested encryption. However, if I store the key in the executable, a quick de-compile (we are using Java) and I am still doomed.

I also want to avoid having to enter a paraphrase every time I start the server.

Any suggestions? I feel like I'm missing something simple.

Thanks

I don't think you're missing something simple. Either the server in question can connect to the database without your help, in which case it has to have the credentials; or it cannot connect without your supplying them. You can take various steps like the ones you've listed to make it harder for a compromised server to reveal the credentials to the database, but at the end of the day, if it has to have those credentials and supply them to the DB server to connect, they'll have to be stored on it somewhere — or at least, it will have to have some means of getting them, and so will be hackable in that sense.

Your best bet is to focus on finding out about intrusions (compromised servers) as quickly as possible, keeping good off-site, off-line backups for the worst case, putting up lots of barriers to intrusion in the first place, etc.