This component aids the developer in common security tasks such as password hashing and Cross-Site Request Forgery protection (CSRF).
Storing passwords in plain text is a bad security practice. Anyone with access to the database immediately has access to all user accounts and can engage in unauthorized activities. To combat that, many applications use the familiar one-way hashing methods md5 and sha1. However, as hardware gets faster every day, these algorithms are becoming vulnerable to brute force attacks. These attacks are also known as [rainbow tables][rainbow].
The security component uses bcrypt as the hashing algorithm. Thanks to the Eksblowfish key setup algorithm, we can make the password hashing as slow as we want. Slow algorithms minimize the impact of brute force attacks.
Bcrypt is an adaptive hash function based on the Blowfish symmetric block cipher. It also introduces a security or work factor, which determines how slow the hash function will be to generate the hash. This effectively negates the use of FPGA or GPU hashing techniques.
Should hardware become faster in the future, we can increase the work factor to mitigate this.
This component offers a simple interface to use the algorithm:
The salt is generated from pseudo-random bytes with PHP's openssl_random_pseudo_bytes() function, so the [openssl][openssl] extension must be loaded.
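The following is an added example, not the component's own code: it reproduces the mechanism described above in plain PHP, building a bcrypt salt from openssl_random_pseudo_bytes(), hashing with crypt() at an explicit work factor, and verifying with a constant-time comparison. The function names (makeBcryptSalt, hashPassword, checkPassword) are this example's own, and the work factors in the timing loop are only illustrative values.

```php
<?php
// Added example (not the component's own code): bcrypt hashing with an explicit
// work factor and a salt drawn from openssl_random_pseudo_bytes(), as the text describes.

// Build a 22-character bcrypt salt from 16 random bytes. bcrypt's salt alphabet is
// [./A-Za-z0-9], so base64 output is mapped onto it ('+' -> '.') and truncated,
// which also drops any '=' padding.
function makeBcryptSalt(): string
{
    $bytes = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes === false || $strong !== true) {
        throw new RuntimeException('openssl could not produce a cryptographically strong salt');
    }
    return substr(strtr(base64_encode($bytes), '+', '.'), 0, 22);
}

// Hash a password with bcrypt (the "$2y$" variant) at the requested work factor.
// Each +1 on the work factor roughly doubles the time a single hash takes.
function hashPassword(string $password, int $workFactor = 10): string
{
    if ($workFactor < 4 || $workFactor > 31) {
        throw new InvalidArgumentException('bcrypt work factor must be between 4 and 31');
    }
    $settings = sprintf('$2y$%02d$%s', $workFactor, makeBcryptSalt());
    $hash = crypt($password, $settings);
    // crypt() signals failure with a very short string ("*0" / "*1"); never store that.
    if (strlen($hash) !== 60) {
        throw new RuntimeException('bcrypt hashing failed');
    }
    return $hash;
}

// Verify a password against a stored hash. The salt and work factor are embedded in
// the hash itself, so crypt() re-derives the same value; hash_equals() compares in
// constant time so the check does not leak how many leading bytes matched.
function checkPassword(string $password, string $storedHash): bool
{
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Timing walk-through with constructed inputs: raising the work factor is how the
// application keeps up when hardware gets faster.
$password = 'correct horse battery staple';   // constructed sample password
foreach ([8, 10, 12] as $factor) {
    $start = microtime(true);
    $hash  = hashPassword($password, $factor);
    $ms    = (microtime(true) - $start) * 1000;
    printf("work factor %2d: %7.1f ms   %s...\n", $factor, $ms, substr($hash, 0, 29));
}

$stored = hashPassword($password, 10);
echo 'correct password: ', checkPassword($password, $stored) ? 'accepted' : 'rejected', PHP_EOL;
echo 'wrong password:   ', checkPassword('Tr0ub4dor&3', $stored) ? 'accepted' : 'rejected', PHP_EOL;
```

The stored hash carries its own salt and work factor in the "$2y$NN$" prefix, which is why verification needs nothing beyond the hash and the candidate password, and why an application can raise the work factor for new hashes without invalidating old ones.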
Cross-Site Request Forgery (CSRF) protection
This is another common attack against web sites and applications. Forms designed to perform tasks such as user registration or adding comments are vulnerable to this attack.
The idea is to accept form submissions only when they originate from a form our own application rendered. To achieve this, we generate a random [nonce][random_nonce] (token) for each form, store the token in the session, and then validate the token when the form posts data back to our application by comparing the token stored in the session with the one submitted by the form:
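The following is an added example, not the component's own code: it implements the nonce flow just described in plain PHP, with an ordinary array standing in for $_SESSION so the whole exchange can be run from the command line. The helper names (csrfToken, renderForm, checkCsrfToken) and the sample submissions are this example's own.

```php
<?php
// Added example (not the component's own code): the CSRF nonce flow described above,
// written against a plain array standing in for $_SESSION so it runs from the CLI.

// Generate a fresh random token, store it in the session and return it for the form.
function csrfToken(array &$session): string
{
    $token = bin2hex(openssl_random_pseudo_bytes(32));
    $session['csrf_token'] = $token;
    return $token;
}

// Render a form carrying the token as a hidden field (HTML-escaped as a matter of course).
function renderForm(array &$session): string
{
    $token = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/register">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="text" name="username">'
         . '<button type="submit">Register</button></form>';
}

// Validate the posted token against the one in the session. The comparison is
// constant-time, and the token is consumed so a rendered form can be posted at most once.
function checkCsrfToken(array &$session, array $post): bool
{
    $expected  = $session['csrf_token'] ?? null;
    $submitted = $post['csrf_token'] ?? null;
    unset($session['csrf_token']);
    if (!is_string($expected) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// --- Constructed walk-through ---------------------------------------------------
$session = [];                       // stands in for $_SESSION

// 1. GET: the application renders the form and stores the token in the session.
$html = renderForm($session);
preg_match('/name="csrf_token" value="([0-9a-f]+)"/', $html, $m);
$tokenFromForm = $m[1];

// 2. POST from that form: the submitted token matches the session's copy.
$legit = ['username' => 'alice', 'csrf_token' => $tokenFromForm];
echo 'legitimate submission: ', checkCsrfToken($session, $legit) ? 'accepted' : 'rejected', PHP_EOL;

// 3. The same token posted again: it was consumed, so the replay is rejected.
echo 'replayed submission:   ', checkCsrfToken($session, $legit) ? 'accepted' : 'rejected', PHP_EOL;

// 4. A submission whose token does not match this session (all a form hosted
//    elsewhere can produce, since it cannot read the session) is rejected.
renderForm($session);                // new form, new token in the session
$foreign = ['username' => 'alice', 'csrf_token' => str_repeat('0', 64)];
echo 'foreign submission:    ', checkCsrfToken($session, $foreign) ? 'accepted' : 'rejected', PHP_EOL;
```

The token must be stored server-side (here in the session) and compared with hash_equals() rather than `==`; consuming it on every check, successful or not, means a single captured form cannot be replayed, which is the behaviour to keep in mind when a page renders several forms at once.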