
Implementing Security Routines with ZF2

Er Galvão Abbott

November 08, 2014

Transcript

  1. Implementing Security Routines with Zend Framework 2
     by Er Galvão Abbott
     Topics: Authentication, Brute-Force, Filter & Validation, Password Recovery, Cryptography, Authorization
     CC Attribution-ShareAlike 3.0 Unported License by Er Galvão Abbott - 11/8/14 - 1 / 34 Implementing Security Routines with Zend Framework 2 www.galvao.eti.br
  2. Who?!
     Er Galvão Abbott is the President of ABRAPHP (Brazilian Association of PHP Professionals) and Director of PHP Conference Brasil. He has been developing web-interfaced systems and applications for 20 years, 15 of those with PHP and 7 with Zend Framework, and has worked with several companies, both local and offshore. He speaks at events, teaches on-site and online courses, and is the founder and leader of the PHPBR UG, a national user group with more than 1,200 registered users.
     Site: http://www.galvao.eti.br/
     Twitter: @galvao
     Slides and documents: http://slideshare.net/ergalvao and https://speakerdeck.com/galvao
     Github: http://github.com/galvao
  3. Goal
     Discuss, in both conceptual and technical detail, how to implement security routines with Zend Framework 2. I'll present the following topics:
     → Authentication
     → Brute-force protection
     → Password recovery
     → Cryptography
     → Authorization
     → Data filtering and validation
  4-5. Before we begin
     Security != a piece of cake*
     Why? Because, for example, I'm required to tell you this:
     Disclaimer (or the "Not my fault" part): $this is...
       !Fool proof
       !Perfect|Complete
       !The only|right way
     * Not the framework (Hilarious!) Found an example of why? Let me know!
  6. Authentication
  7-8. Authentication: ZfcUser, right?! YES! Well...
  9-10. Authentication: let's talk about wheels...
     If you don't [want to] know much about security: http://modules.zendframework.com/ZF-Commons/ZfcUser
     If you do, build on the ZF2 components: Authentication, Crypt, Filter, Form
  11. Authentication: now that we've put that aside...
     Authentication → Service*
     Cryptography → (can also be a) Service*
     Authentication attempts → Event
     * Yes, yes, it could be done as a Module, Plugin, etc... -.-"
  12. Authentication: show me the code!
  13. [code] Authentication & Cryptography (code listing not included in the transcript)
  14. [code] Cryptography (code listing not included in the transcript)
  15. [code] Authentication (code listing not included in the transcript)
  16. [code] Authentication (code listing not included in the transcript)
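The "Authentication → Service, Cryptography → Service" idea from slide 11, as an added example that is not the deck's own code: a custom adapter for Zend\Authentication that delegates the password check to Zend\Crypt's Bcrypt. It assumes ZF2 is installed via Composer; the user store and the sample credentials are constructed for the demo.

```php
<?php
// Added example, not from the deck: authentication as a service with the
// credential check delegated to Zend\Crypt. Assumes ZF2 installed via Composer.
require 'vendor/autoload.php';

use Zend\Authentication\Adapter\AdapterInterface;
use Zend\Authentication\AuthenticationService;
use Zend\Authentication\Result;
use Zend\Authentication\Storage\NonPersistent;
use Zend\Crypt\Password\Bcrypt;

// Adapter checking a username/password against a user store. The store is a
// constructed in-memory array of username => bcrypt hash; real code queries the DB.
class BcryptAdapter implements AdapterInterface
{
    private $users, $identity, $credential, $bcrypt, $dummyHash;

    public function __construct(array $users, $identity, $credential)
    {
        $this->users      = $users;
        $this->identity   = $identity;
        $this->credential = $credential;
        $this->bcrypt     = new Bcrypt();
        // Verified against when the user is unknown, so response timing does
        // not reveal whether the username exists.
        $this->dummyHash  = $this->bcrypt->create('dummy');
    }

    public function authenticate()
    {
        $known = isset($this->users[$this->identity]);
        $hash  = $known ? $this->users[$this->identity] : $this->dummyHash;
        // One generic failure message for both cases: no user enumeration.
        if (!$this->bcrypt->verify($this->credential, $hash) || !$known) {
            return new Result(Result::FAILURE, null, array('Invalid credentials.'));
        }
        return new Result(Result::SUCCESS, $this->identity);
    }
}

// Constructed sample store; the hash is generated at runtime for the demo only.
$bcrypt  = new Bcrypt();
$users   = array('alice' => $bcrypt->create('correct horse battery staple'));
$service = new AuthenticationService(new NonPersistent());

$result = $service->authenticate(new BcryptAdapter($users, 'alice', 'wrong'));
echo $result->isValid() ? "logged in\n" : implode(' ', $result->getMessages()) . "\n";
$result = $service->authenticate(new BcryptAdapter($users, 'alice', 'correct horse battery staple'));
echo $service->hasIdentity() ? "identity: " . $service->getIdentity() . "\n" : "no identity\n";
```

NonPersistent storage keeps the identity for the request only; a real application would use the default session storage instead.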
  17. Password Recovery
  18. Password Recovery: checklist
     1. User doesn't "need to change pwd" already;
     2. User is "active";
     3. Randomize a temporary pwd;
     4. Randomize a temporary, short-lived token;
     5. Send a tokenized link for the user to change his pwd;
     6. He must correctly enter the temp pwd;
     7. Until he does, don't allow him to log in;
     8. If the new pwd and/or token expires, inactivate the user and make him contact support;
     9. Else, change the pwd and mark the user as "OK";
     10. If any step fails, see step 8!
     For your randomization needs: https://github.com/galvao/PHPToolkit*
     * Shameless advertising detected!
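Steps 3 to 9 of the checklist, as an added example that is not the deck's own code, using Zend\Math\Rand for the random values and Bcrypt for the stored hashes. It assumes ZF2 via Composer and PHP 5.6+ (for hash_equals); $user is a constructed array standing in for the user's database row and TOKEN_TTL is an assumed lifetime.

```php
<?php
// Added example, not from the deck: steps 3 to 9 of the checklist with
// Zend\Math\Rand and Zend\Crypt. Assumes ZF2 via Composer and PHP 5.6+;
// $user is a constructed array standing in for the user's database row.
require 'vendor/autoload.php';

use Zend\Crypt\Password\Bcrypt;
use Zend\Math\Rand;

define('TOKEN_TTL', 15 * 60); // token lifetime in seconds (assumed value)

// Steps 1-5: check eligibility, randomize a temp pwd and a token, store only
// their hashes, and return the plaintexts that go into the e-mail link.
function startRecovery(array &$user)
{
    if ($user['must_change_pwd'] || !$user['active']) {
        return false; // steps 1-2 failed: no second recovery, no inactive user
    }
    $bcrypt  = new Bcrypt();
    $tempPwd = Rand::getString(12, 'abcdefghijkmnpqrstuvwxyz23456789', true);
    $token   = bin2hex(Rand::getBytes(32, true));
    $user['must_change_pwd'] = true;                    // step 7: login refused
    $user['temp_pwd_hash']   = $bcrypt->create($tempPwd);
    $user['token_hash']      = hash('sha256', $token);  // token never stored in clear
    $user['token_expires']   = time() + TOKEN_TTL;
    return array('temp_pwd' => $tempPwd, 'token' => $token);
}

// Steps 6-10: called from the tokenized link with what the user typed.
function completeRecovery(array &$user, $token, $tempPwd, $newPwd)
{
    $bcrypt  = new Bcrypt();
    $tokenOk = isset($user['token_hash'])
        && hash_equals($user['token_hash'], hash('sha256', $token))
        && time() < $user['token_expires'];
    if (!$tokenOk || !$bcrypt->verify($tempPwd, $user['temp_pwd_hash'])) {
        $user['active'] = false;  // step 8: inactivate; user contacts support
        return false;
    }
    $user['pwd_hash']        = $bcrypt->create($newPwd);
    $user['must_change_pwd'] = false;                   // step 9: user is "OK"
    unset($user['temp_pwd_hash'], $user['token_hash'], $user['token_expires']);
    return true;
}

// Constructed walk-through of the happy path.
$user = array('active' => true, 'must_change_pwd' => false, 'pwd_hash' => '');
$sent = startRecovery($user);                           // values sent to the user
var_dump(completeRecovery($user, $sent['token'], $sent['temp_pwd'], 'N3w-Passw0rd!'));
```

The login routine is expected to refuse any user whose must_change_pwd flag is set, which is what enforces step 7.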
  19. Password Recovery: key points
     Know what to do and what to avoid.
     Laziness and "user-comfort-centrism" are your enemies.
  20. Brute Force
  21. Brute Force: it's all about TIME
     1. Generate a timestamp;
     2. Log the attempt;
     3. Get the previous attempt's timestamp;
     4. Interval = current - previous;
     5. If the interval is suspicious, lock the user out;
     6. If x unsuccessful attempts, lock the user out.
  22. Brute Force: show me the code!
  23. [code] Brute Force (code listing not included in the transcript)
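The six "It's all about TIME" steps from slide 21, as an added example that is not the deck's own code. It is plain PHP with a constructed in-memory attempt log so it runs without ZF2; MIN_INTERVAL and MAX_FAILURES are assumed thresholds.

```php
<?php
// Added example, not from the deck: the "It's all about TIME" steps as plain PHP
// with a constructed in-memory attempt log (no ZF2 needed; in ZF2 this would
// listen on the authentication event). Thresholds are assumed values.
class AttemptGuard
{
    const MIN_INTERVAL = 2;   // seconds; anything faster is "suspicious"
    const MAX_FAILURES = 5;   // consecutive failures before lockout
    private $log    = array(); // username => list of array(timestamp, success)
    private $locked = array();

    public function isLocked($user)
    {
        return isset($this->locked[$user]);
    }

    // Call once per login attempt with its outcome; returns false once locked.
    public function record($user, $success, $now = null)
    {
        $now      = $now === null ? time() : $now;          // 1. generate timestamp
        $previous = $this->lastTimestamp($user);             // 3. previous timestamp
        $this->log[$user][] = array($now, (bool) $success);  // 2. log the attempt
        if ($previous !== null && $now - $previous < self::MIN_INTERVAL) {
            $this->locked[$user] = $now;                     // 4-5. suspicious interval
        }
        if ($this->consecutiveFailures($user) >= self::MAX_FAILURES) {
            $this->locked[$user] = $now;                     // 6. too many failures
        }
        return !$this->isLocked($user);
    }

    private function lastTimestamp($user)
    {
        if (empty($this->log[$user])) {
            return null;
        }
        $last = end($this->log[$user]);
        return $last[0];
    }

    private function consecutiveFailures($user)
    {
        $n = 0;
        foreach (array_reverse($this->log[$user]) as $attempt) {
            if ($attempt[1]) { return $n; } // a success resets the streak
            $n++;
        }
        return $n;
    }
}
```

Two attempts for the same user closer together than MIN_INTERVAL, or MAX_FAILURES consecutive failures, lock the account until the application clears the lock; the $now parameter exists so the logic can be unit-tested without sleeping.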
  24. Authorization
  25. Authorization: it's all about CAN & CAN'T
     Authorization is the relation between roles and resources. Roles can inherit from other roles. Resources may be available to multiple roles.
     A few not-so-obvious things to consider:
     1. Everyone has a role;
     2. Static storage > Dynamic storage;
     3. Ideally, the role of the current user should be fetched dynamically...
     4. ... and a user's role should be "immutable".
  26. Authorization: Zend\Permissions\Acl
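Role inheritance and resources shared between roles, as an added example that is not the deck's own code, using Zend\Permissions\Acl: the graph is defined statically in code and only the current user's role is fetched dynamically, as slide 25 suggests. It assumes ZF2 via Composer; the role and resource names and the session data are made up.

```php
<?php
// Added example, not from the deck: role inheritance and shared resources with
// Zend\Permissions\Acl. Assumes ZF2 via Composer; role/resource names are made up.
require 'vendor/autoload.php';

use Zend\Permissions\Acl\Acl;
use Zend\Permissions\Acl\Role\GenericRole as Role;
use Zend\Permissions\Acl\Resource\GenericResource as Resource;

// The role/resource graph is defined statically in code (slide: "static storage
// > dynamic storage"); only the current user's role comes from the session.
function buildAcl()
{
    $acl = new Acl();
    $acl->addRole(new Role('guest'))
        ->addRole(new Role('member'), 'guest')    // member inherits guest
        ->addRole(new Role('admin'), 'member');   // admin inherits member
    $acl->addResource(new Resource('article'))
        ->addResource(new Resource('account'));

    // Everything is denied by default, so only grants are needed: least privilege.
    $acl->allow('guest', 'article', 'view');
    $acl->allow('member', 'article', array('add', 'edit'));   // shared resource
    $acl->allow('member', 'account', 'edit');
    $acl->allow('admin');                        // admin: all resources, all privileges
    return $acl;
}

// Fetched dynamically per request; defaults to the least privileged role.
function currentRole(array $session)
{
    return isset($session['role']) ? $session['role'] : 'guest';
}

$acl  = buildAcl();
$role = currentRole(array('role' => 'member'));   // constructed session data
foreach (array('view', 'edit', 'delete') as $privilege) {
    printf("%s may %s article: %s\n", $role, $privilege,
        $acl->isAllowed($role, 'article', $privilege) ? 'yes' : 'no');
}
```

For the constructed member session this prints yes for view (inherited from guest) and edit, and no for delete, which no rule grants.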
  27. Filter / Validation
  28-30. Filter / Validation: a few not-so-obvious things to consider
     1. Filter first, then validate;
     2. Filtering changes data, so back up the raw data;
     3. Whitelist whenever possible (ideally? ALWAYS);
     4. K.I.S.S. (Keep It Simple, Stupid... ly beautiful people!)
  31. Filter / Validation: flexibility in ZF2
     Filter & validation can live in the model, in the form, or separated from both.
  32. Filter / Validation: show me the code!
  33. [code] Filter & Validation (code listing not included in the transcript)
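The four points from slides 28-30 in one Zend\InputFilter definition, as an added example that is not the deck's own code: filters run before validators, accepted values are whitelisted, and the raw data stays available. It assumes ZF2 via Composer; the field names and the submitted data are constructed for the demo.

```php
<?php
// Added example, not from the deck: filter first, then validate, whitelist the
// accepted values and keep the raw data. Assumes ZF2 via Composer; the submitted
// data is constructed for the demo.
require 'vendor/autoload.php';

use Zend\Filter\StringTrim;
use Zend\Filter\StripTags;
use Zend\InputFilter\Input;
use Zend\InputFilter\InputFilter;
use Zend\Validator\InArray;
use Zend\Validator\Regex;
use Zend\Validator\StringLength;

function buildSignupFilter()
{
    // Filters run before validators, so validation sees the cleaned value.
    $username = new Input('username');
    $username->getFilterChain()->attach(new StringTrim())->attach(new StripTags());
    // Whitelist of allowed characters rather than a blacklist of bad ones.
    $username->getValidatorChain()
        ->attach(new StringLength(array('min' => 3, 'max' => 32)))
        ->attach(new Regex('/^[a-z0-9_]+$/'));

    // Strict whitelist of values: nothing outside the list passes, whatever its type.
    $role = new Input('role');
    $role->getFilterChain()->attach(new StringTrim());
    $role->getValidatorChain()->attach(new InArray(array(
        'haystack' => array('member', 'author'),
        'strict'   => InArray::COMPARE_STRICT,
    )));

    $filter = new InputFilter();
    return $filter->add($username)->add($role);
}

$filter = buildSignupFilter();
$filter->setData(array('username' => '  <b>galvao</b> ', 'role' => 'admin'));
if ($filter->isValid()) {
    $clean = $filter->getValues();      // filtered values the application works with
} else {
    print_r($filter->getMessages());    // 'admin' is not in the whitelist
}
print_r($filter->getRawValues());       // point 2: raw input is still available
```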
  34. Muchas gracias! Questions? Criticism? Compliments?!