If you know the enemy and know yourself, you need not fear the result of a hundred battles.

Sun Tzu

Chapter 7
Bring Authentication to Your Application

You’ve securely set up your server and database, and you now have an application holding valuable information that people want to see. But how do you know that a user is who he or she claims to be, and how do you keep impersonators out? You don’t want to hand personal information to just anyone, so you need to think about authentication.

The level of security you need for user accounts, and how strictly you validate them, depends on the application and on how much personal information you store. Start from the damage an attacker could do to the customer with a compromised account: if the application stores credit card information, it needs extra layers of validation to protect users and their data. This chapter focuses on the common username/password authentication system, because you’re already familiar with it and because it’s easy to understand.

Don’t Forget About PCI DSS if You Store Credit Cards


When dealing with credit card information, you have to follow the Payment Card Industry Data Security Standard (PCI DSS).[43]

A user sets up an account by providing a secret (a password), and later you verify that the user still knows that secret before granting access. Because only the legitimate user should know the secret, proving knowledge of it lets you treat the party as trusted. But precisely because everyone uses this form of authentication, there are many attack vectors aimed specifically at breaking it.

We’ll look at various parts of this system and how to harden your setup so it will be more robust and not easily fooled.
