Authentication system in PHP using fsockopen curl


I have a server and many clients. Authentication must be done at the server. When the user submits an ID and password, they are sent by the POST method, and the server authenticates them and sends back a status message (valid/notvalid). Doing it this way is not safe. At first I thought I should use some token system like Facebook does, so I posted some questions here for help. It was suggested that I use OpenID if I want to follow a token system. I have gone through it, but it is very complicated. I don't require that much complexity.

Then I thought of fsockopen. Once the form is submitted, it goes to one of the functions in the client system. From that function I am sending and receiving data.

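    // Credentials and site id are appended to the URL path.
    $url = 'http://www.server.net/auth_system/test'.'/'.$email_id.'/'.$password.'/'.$site_id;
    $url_parsed = parse_url($url);

    // $post_string (the urlencoded request body) is built elsewhere; it is not shown here.
    $fp = fsockopen($url_parsed['host'], 80, $err_num, $err_str, 30);
    if (!$fp) {
        die("Connection failed: $err_str ($err_num)");
    }
    fputs($fp, "POST {$url_parsed['path']} HTTP/1.1\r\n");
    fputs($fp, "Host: {$url_parsed['host']}\r\n");
    fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
    fputs($fp, "Content-length: ".strlen($post_string)."\r\n");
    fputs($fp, "Connection: close\r\n\r\n");
    // Send exactly Content-length bytes of body.
    fputs($fp, $post_string);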

at server:

    $status = Database...($email_id, $password, $site_id);
    echo "<br>split-delimiter".$email_id."split-delimiter<br>";
    echo "split-delimiter".$status."split-delimiter";

Please tell me whether what I am doing is correct. Is there any better way? What about using curl?
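The question asks whether curl would be better than a hand-built fsockopen request. As an added example (not code from the question or from the answer below), this sketch sends the credentials in a POST body over HTTPS with certificate verification and checks them server-side against a `password_hash()` value; the endpoint, field names, JSON reply shape and sample user are assumptions.

```php
<?php
// Added example. Endpoint URL, field names and the JSON reply are assumptions.

// Client side: credentials go in the POST body over HTTPS, not in the URL
// path, because request paths are written to access and proxy logs.
function auth_request(string $endpoint, string $email, string $password, string $siteId): bool
{
    $ch = curl_init($endpoint);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => http_build_query([
            'email' => $email, 'password' => $password, 'site_id' => $siteId,
        ]),
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSL_VERIFYPEER => true,             // verify the certificate chain
        CURLOPT_SSL_VERIFYHOST => 2,                // certificate must match the host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTPS,  // refuse plain HTTP
        CURLOPT_TIMEOUT        => 30,
    ]);
    $body = curl_exec($ch);
    $code = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    return $body !== false && $code === 200 && parse_auth_reply($body);
}

// Parse a structured reply instead of splitting HTML on an ad-hoc delimiter.
function parse_auth_reply(string $body): bool
{
    $reply = json_decode($body, true);
    return is_array($reply) && ($reply['valid'] ?? false) === true;
}

// Server side: compare against a stored password_hash() value and send the
// same reply for "unknown user" and "wrong password".
function auth_reply(array $users, string $email, string $password): string
{
    $hash = $users[$email] ?? null;
    $ok = $hash !== null && password_verify($password, $hash);
    return json_encode(['valid' => $ok]);
}

// Constructed sample data: one user, exercised without any network access.
$users = ['alice@example.com' => password_hash('correct horse', PASSWORD_DEFAULT)];
var_dump(parse_auth_reply(auth_reply($users, 'alice@example.com', 'correct horse')));
var_dump(parse_auth_reply(auth_reply($users, 'alice@example.com', 'wrong')));
var_dump(parse_auth_reply(auth_reply($users, 'nobody@example.com', 'x')));
```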


Lately I have had a really different opinion from a good friend of mine. He also thinks OpenID is too complex and he likes to do authentication himself.

Complexity

But my question to you (and him) is:

  • What do you find complex about OpenID? I really can't see it. When you use a friendly OpenID interface I think it is easy/friendly. Have a look at Stack Overflow's login. Did you find it complex to authenticate? I am not seeing any complexity at all.

Why you should not do authentication

Why I think you should not do authentication:

  • Storing your passwords safely is hard, and to be honest I have been looking a lot into this lately and I think cryptography is extremely complicated (some parts I just can't completely wrap my mind around). P.S.: I think you should also read this very interesting article by Jeff Atwood (Stack Overflow author) explaining how Lifehacker got hacked.

Library

I much rather like to code in node.js (JavaScript) lately than PHP, but I created a little library which uses the extremely simple LightOpenID library in conjunction with openid-selector to make it friendly. You just clone the repository and you are ready to go. Simple as hell in my opinion. I would like to do a couple more commits (I don't think many more commits are coming) to also make it very easy to create an OpenID account using myopenid.com (just like stackoverflow.com).

You can view a working example (it is just a simple git clone which stays up to date with GitHub) on my little PHP web hosting provider at http://westerveld.name/php-openid/. It looks something like the screenshot below:

[Screenshot of the working example]

P.S: I still think when I do a couple more commits the library is going to be in a pretty good state. It is already pretty good in my opinion.