Ask HN: Which login method do you use?

I have always created my own. Although I've been doing PHP, I'm currently using RoR and it has a plugin that handles all of this. PHP with a database is very easy, especially if you use CodeIgniter, there are form validation helper classes.<p>On registration:<p>- Ask for username and password (do form validation, ie passwords match, xss clean, etc). toLowercase() the login.<p>- Create a hash of some type for the password. This becomes used in the database, and again on login. If you're not worried about security, md5 your password, store it in the db. Otherwise, look up a salt hash.<p>- I typically log the user out and then require them to log in and create a session after they registered.<p>On login<p>- Ask for username and password, toLowercase() the login when checking<p>- Run the same md5 or salt hash against the password, check if the # of rows in the database is &#62; 0, if it is, log the person in and give them a session with a value of "is_logged_in" to true or something similar. Also pull the database user_id or e-mail and use that to remember which user you're dealing with.<p>- If the # of rows found in database is == 0 (where the login and pass equal those from your post variables), the login failed

Since most people already talk about the backend of it, let me share how to securely send the password from the browser to the server encrypted, instead of simply in clear text. (when you can't use SSL for some reason)<p>+ Server has your passwords stored as sha1(password+salt(password)). salt function isn't secret (eg. reverse the text)<p>- Client visits login page<p>- Website generates random token. Then sends back HTML with the random token<p>- Client generates passresponse = sha1(token + sha1(password + salt(password)))<p>- Client sends the passresponse, token, and username back<p>- Website checks for existence of token, removes it, then computes it's own sha1(token + password_hash_from_db) and checks against the sent passresponse.<p>This way the password is never sent in clear text. Unlike HTTP authentication, this works nicely with html forms since you can do all the crypt in js. Then again, this might be a bit overkill... and using SSL is probably a better option.<p>Just sharing another solution.

Most every web application my team assesses just uses a database of hashes. This is fine; just try to make the hash function take a long time to run (speed is the enemy here). I highly recommend "bcrypt", a routine available in almost every dev environment --- and typically in the better plugins --- for generating safe auth hashes.

django.contrib.auth

I have my own code I use on my projects. It uses secure SHA 256 hashing for the passwords. The code handles registration, login, logout, and forgot password flows.

Just put the TwitterAuth gem into my rails app, and am using OAuth with twitter now. This is a niche though, meaning unless you already have twitter, or actually like it, it's a long process and could keep people from signing up. Logging in is easy though.<p><a href="http://kineticac.posterous.com/rails-and-twitter-signin" rel="nofollow">http://kineticac.posterous.com/rails-and-twitter-signin</a>

I am working rolling my own with Struts/JSP.<p>It seems pretty straightforward (hash pass, place on server, and check against), but I need an easy way to compute an SHA hash in-browser, so the server doesn't have to receive the pass in plaintext.<p>Anyone know of a way to do it with Struts/JSP, or even JS if its not too slow?

I use http auth<p>apache has modules to hook it up to just about any backend; it's supported by all browsers, and it's easy to automate against.<p>I would be interested in knowing why more people don't use it.

We're using Rails as the framework and restful_authentication plugin for logins. Moving forward we are also going to integrate OAuth for things like Twitter logins, Facebook Connect for facebook, etc.

HTTP Basic + https

<a href="http://www.openwall.com/phpass/" rel="nofollow">http://www.openwall.com/phpass/</a>

OpenID, if applicable.

ssl client certificates

facebook connect

We used a combination of Cake Auth