search by tags

for the user

adventures into the land of the command line

some things i’ve learnt about trying to ‘user management’

so… i wanted to try and make an app where i could log in and log out, i thought it would be simple… oooooh how wrong i was… there are so many things!!! for an average guy, whose never done it before, to learn how to do it from google… its just… uuuugggggghhhhhhh

here’s some of the things i can remember


authentication => i am who i say i am. authorisation => i am allowed to do such and such

there are different kinds of authentication

basic authentication => username and password combo. two factor authentication => after basic authing, also require a randomly generated, expiring, some number of digits token as well. oauth => another service that already manages that user’s deets, tells you on the user’s behalf that they are you they say they are, so you don’t have to save any of their deets yourself

probably others too…

user input

a user should be able to sign up through a webform, and have to input either the email or the password twice. i read an interesting post about advocating confirmation of the email over password here

the app should check the email address entered is in the form of an email address and doesnt already exist in the database. it should implement a password strength policy and also test that the fields being confirmed twice match one another. if there’s an error anywhere here, the form should focus on the field that has the error so the user can start typing immediately (it’s the little things)

storing passwords

when storing a user in a database, it’s important to save passwords as NOT PLAIN TEXT. the password should be hashed (encoded to a long random string of characters) and it should include a salt (a string of random characters) added to the password before hashing. it should also be ‘slow-hashed’ with something like bcrypt, which forces the app to take a few hundred milliseconds longer, not long enough for a user to notice, but long enough for a brute force to become infeasible

confirmation email

it might not be necessary but you can send a confirmation email to the email address the user signed up with, getting them the verify their email address is correct, and if its not been verified yet, to allow the user to resend the email to themselves or change their email (if they did a typo)

cookies or tokens

after a successful login, the user is given a cookie or a token which can be used to retrieve a user’s information in the database for all future communications of the current session. cookies are stored on the user’s device and makes remember me functionality easier to implement. tokens are stored in a database and sent on every request. as they are not stored on the user’s device, the session is stateless

tokens should be salted and serialised, much like the password, so they can be stored and sent somewhat safely. they should also expire. to enable a user to login from multiple devices with tokens, multiple tokens should be storable and retrievable. when a token that’s expired is used, the app should redirect the user to login

password reset

a user should be able to reset their password if they’ve forgotten it. this might involve granting a temporary token which expires in like 5-15 minutes, which can be used to send an email to the user, containing a link to a password reset page

logout and delete

a user logout should delete the current token from the database and clean up the session

a user should be able to delete their account and any data associated with their account. probably a good idea to confirm before deleting everything and send the user an email confirming they’ve been deleted