I really am against any small scale web project implementing their own user-password authentication feature , and I ensure I don't implement this feature in any project I am involved in ( I mean, not any more ).
First of all, your implementation can never be secure enough, no matter how many developers eye balled your shitty codes, they just won't be enough.
Secondly it is a big hassle for end users to memorize and store so many passwords from so many shitty sites that offers no significant value, not that your site provides no value but it may at some point.
Therefore, I propose for all of you still using this messed up outdated authentication system to switch to OAuth2, you might have heard of it or not, OAuth is an access delegation protocol that can be used as the basis for an authorization and authentication protocol. It is secure enough to be used for authorization and also it doesn't task the user's poor memory each time he want to sign up or login to your shitty site. It works in this simplified way:
1) Redirect the user to the authorization server when he tries to access a website protected resource that is opened to only authorized users.
2) The user authenticates with the authorization server because he trusts the server and she has an account with them.
3) Then, the user delegates access to the browser's own copy of the website to acts as his personal assistant.
4) After that, the user is redirected back to the original website , which then gets a token ( this signifies your passkey to access protected resources on the website server) from the authorization server .
5) The token is added alongside any request that is sent to the website server to access it's resource. The website server accepts any token that can be identified as coming from that authorization server and allowes the request for any protected resource by the user to be accepted and resource delivered to the user .
6) Voila , you now have access to the protected resource.
Easy right ?, I don't think so. In the next part, I am going to explain what an authorization server is and make it all clear to you. The major take away from this post is that from now on , OAuth2 is your friend and username-password feature is your enemy.
For further actions, you may consider blocking this person and/or reporting abuse
Top comments (0)