Challenge your understanding of PHP authentication and authorization concepts, including password handling, session management, user roles, and security best practices. This quiz is designed for beginners who want to strengthen their knowledge of building secure PHP applications.
Which function is recommended for securely hashing passwords in PHP for user authentication?
Explanation: password_hash() exists specifically for password storage: it uses a deliberately slow algorithm (bcrypt by default), generates a random salt for every password, and embeds the algorithm, cost and salt in the returned string so that password_verify() can check it later. md5() is a fast, unsalted general-purpose digest: identical passwords produce identical hashes, and the output can be cracked with precomputed tables or brute force on commodity hardware. base64_encode() is an encoding, not a hash, and is trivially reversed with base64_decode(). crypt() can produce the same hashes, but you must pick the algorithm prefix and generate a proper random salt yourself, which is exactly the part password_hash() automates, so it is not the recommended choice.
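The registration and login path described above, as an added example that is not part of the quiz. The $users array is a constructed stand-in for a database table, and the helper names are this example's own; it also shows password_needs_rehash(), which lets you raise the bcrypt cost later without forcing a password reset.

```php
<?php
// Added example (not part of the quiz): storing and checking passwords with
// PHP's password_* API. $users is a constructed stand-in for a database table.
declare(strict_types=1);

const HASH_OPTIONS = ['cost' => 12];   // bcrypt work factor chosen for this example

/** Hash a new password for storage. The algorithm, cost and salt end up inside the string. */
function hashPassword(string $plain): string
{
    // bcrypt silently ignores everything after 72 bytes; refuse rather than truncate.
    if (strlen($plain) > 72) {
        throw new InvalidArgumentException('password too long');
    }
    return password_hash($plain, PASSWORD_DEFAULT, HASH_OPTIONS);
}

/**
 * Check a login attempt and transparently upgrade old or weak hashes.
 * Returns true on success; $storedHash is replaced by reference when rehashed,
 * and the caller must write the new value back to the database.
 */
function verifyAndUpgrade(string $plain, string &$storedHash): bool
{
    if (!password_verify($plain, $storedHash)) {
        return false;
    }
    // Cost or algorithm differs from the current policy? Re-hash now, while
    // the plaintext is still in hand.
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT, HASH_OPTIONS)) {
        $storedHash = hashPassword($plain);
    }
    return true;
}

// Constructed sample data: a user who registered when the cost was still 10.
$users = [
    'alice' => password_hash('correct horse battery staple', PASSWORD_BCRYPT, ['cost' => 10]),
];

$costBefore = password_get_info($users['alice'])['options']['cost'];
$wrong      = verifyAndUpgrade('wrong password', $users['alice']);
$right      = verifyAndUpgrade('correct horse battery staple', $users['alice']);
$costAfter  = password_get_info($users['alice'])['options']['cost'];

printf("wrong password accepted: %s\n", var_export($wrong, true));
printf("right password accepted: %s\n", var_export($right, true));
printf("bcrypt cost before/after login: %d/%d\n", $costBefore, $costAfter);
```

The wrong password is rejected, the right one is accepted, and because the stored hash was made with cost 10 while the policy now says 12, the successful login rewrites it at cost 12. Never log or echo the plaintext, and keep the cost high enough that a hash takes a noticeable fraction of a second on your hardware.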
When a user logs in successfully, which PHP superglobal is typically used to store their authentication status?
Explanation: $_SESSION holds data that stays on the server and is tied to the client only by the session ID in its cookie, so it is the right place to keep a user's authentication status across pages. $_GET carries query-string values that anyone can type into the URL, so it cannot be trusted for authentication. $_COOKIE values live in the browser and can be edited freely by the user; a cookie such as logged_in=1 is trivially forged, which is why the session cookie carries only an opaque ID. $_FILES handles file uploads and is unrelated to authentication.
If you want only users with the role 'admin' to access a specific page, which approach is most appropriate in PHP?
Explanation: Checking the user's role from the server-side session (or re-reading it from the database) on every request to the page is the only approach that actually enforces authorization. Hiding the admin link in the HTML offers no protection, because anyone who knows or guesses the URL can request it directly. Passing the role in a $_GET parameter is worse still: the client controls the query string and can simply send role=admin. Password complexity is an authentication concern (proving who the user is), not an authorization one (deciding what they may do).
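The server-side check described above, as an added example that is not part of the quiz. It assumes the login code stored $_SESSION['user_id'] and $_SESSION['role']; the role names, their ranking and the requireRole() helper are this example's own.

```php
<?php
// Added example (not part of the quiz): enforcing a role requirement on the
// server. Assumes login stored $_SESSION['user_id'] and $_SESSION['role'];
// the role names and their ranking are this example's own.
declare(strict_types=1);

const ROLE_RANK = ['user' => 1, 'editor' => 2, 'admin' => 3];

/**
 * Stop the request unless the current session holds at least $required.
 * Reads the role from $_SESSION only; $_GET, $_POST and $_COOKIE are
 * client-controlled and must never decide authorization.
 */
function requireRole(string $required): void
{
    if (!isset(ROLE_RANK[$required])) {
        throw new LogicException("unknown role: $required");
    }

    $current = $_SESSION['role'] ?? '';
    if (!isset($_SESSION['user_id']) || !isset(ROLE_RANK[$current])) {
        // Not authenticated at all: send to the login page and stop.
        header('Location: /login.php', true, 302);
        exit;
    }

    if (ROLE_RANK[$current] < ROLE_RANK[$required]) {
        // Authenticated but not authorized: refuse outright, no redirect.
        http_response_code(403);
        exit('Forbidden');
    }
}

session_start();
requireRole('admin');   // first statement of admin.php, before any HTML is sent

// Everything below this line is reached only by an authenticated admin.
echo "<h1>Admin dashboard</h1>\n";
```

The check runs on every request, not only when the link is rendered, and it is done before any output so the redirect header can still be sent. One caveat: a role cached in the session at login goes stale if the user is demoted later, so either re-read the role from the database on each request or refresh it on a short interval.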
What is the main difference between authentication and authorization in a PHP application?
Explanation: Authentication confirms who the user is; authorization determines what that user is allowed to do. Either can be implemented with cookies, sessions or tokens, so option two is incorrect. A database may back both, so option three is inaccurate. Authentication normally happens first, because you cannot decide what a user may do before knowing who they are, so option four is also incorrect.
Which practice can help prevent session hijacking after user authentication in PHP?
Explanation: Calling session_regenerate_id(true) immediately after a successful login issues a fresh session ID and deletes the old one, so an attacker who planted or captured the pre-login ID (session fixation) gains nothing from it. Marking the session cookie HttpOnly, Secure and SameSite further reduces the chance of the ID being stolen. Sending login data via GET is insecure because credentials end up in URLs, browser history and server logs. Storing passwords in plain text exposes every user if the database leaks. Allowing all users to upload files is unrelated to session security and introduces its own vulnerabilities.
Which PHP function is commonly used to clear all session data for a user logging out?
Explanation: session_destroy() deletes the server-side session record, which ends the login. Note that it does not clear the $_SESSION array for the current request or remove the session cookie from the browser, so a complete logout also empties $_SESSION and expires the cookie. setcookie() manages cookies but does not touch session data. header() sends HTTP headers (for example a redirect after logout) and does not destroy sessions. mysqli_close() closes a database connection and has nothing to do with session management.
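The full session lifecycle covered by the three session questions above (storing authentication status in $_SESSION, regenerating the ID at login, and tearing everything down at logout), as one added example that is not part of the quiz. The cookie settings and helper names are this example's own; the credential check itself is assumed to have already passed.

```php
<?php
// Added example (not part of the quiz): session handling from login to logout.
// Helper names and cookie settings are this example's own; the password check
// is assumed to have succeeded before loginUser() is called.
declare(strict_types=1);

function startSecureSession(): void
{
    session_set_cookie_params([
        'lifetime' => 0,          // session cookie: discarded when the browser closes
        'path'     => '/',
        'secure'   => true,       // only ever sent over HTTPS
        'httponly' => true,       // not readable by JavaScript (limits XSS impact)
        'samesite' => 'Lax',      // not sent on cross-site POSTs (limits CSRF)
    ]);
    ini_set('session.use_strict_mode', '1');   // reject session IDs the server never issued
    session_start();
}

function loginUser(int $userId, string $role): void
{
    // Replace the pre-login session ID and delete its server-side record, so an
    // ID the attacker fixated or sniffed before login is worthless afterwards.
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['role']     = $role;
    $_SESSION['login_at'] = time();
}

function logoutUser(): void
{
    $_SESSION = [];                                  // 1. clear data for this request
    if (ini_get('session.use_cookies')) {            // 2. expire the cookie in the browser
        $p = session_get_cookie_params();
        setcookie(session_name(), '', [
            'expires'  => time() - 42000,
            'path'     => $p['path'],
            'domain'   => $p['domain'],
            'secure'   => $p['secure'],
            'httponly' => $p['httponly'],
            'samesite' => $p['samesite'],
        ]);
    }
    session_destroy();                               // 3. delete the server-side record
}

// Constructed flow: login.php after password_verify() succeeded ...
startSecureSession();
loginUser(42, 'admin');
echo "logged in as user {$_SESSION['user_id']} with session ", session_id(), "\n";

// ... and later, logout.php:
logoutUser();
header('Location: /login.php', true, 303);
```

Anything an attacker could use to impersonate the user has been removed at the end of logoutUser(): the request's copy of the data, the browser's cookie and the server's record. Call session_regenerate_id() again whenever privilege changes (for example on re-authentication), not only at the first login.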
In a PHP REST API, which feature is commonly used to ensure that only authenticated clients can access protected endpoints?
Explanation: An access token presented in an HTTP header (typically Authorization: Bearer <token>) lets the API verify on every request that the caller has previously authenticated, without relying on browser sessions. The token must be unguessable (generated from a CSPRNG), sent only over HTTPS, and ideally stored server-side as a hash so that a leaked database does not expose live credentials. HTML forms establish a browser session at login time but give an API no per-request proof of identity. JavaScript alerts and CSS classes run in the client and play no role in securing endpoints.
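The token-in-header scheme described above, as an added example that is not part of the quiz. The token store is a constructed in-memory array standing in for a database table, and the function names are this example's own; the request header is passed in as an array so the code runs offline.

```php
<?php
// Added example (not part of the quiz): bearer-token authentication for a PHP
// API endpoint. The token store is a constructed in-memory array standing in
// for a database table; function names are this example's own.
declare(strict_types=1);

/** Issue a token: the client receives the raw value, the server keeps only its hash. */
function issueToken(array &$store, int $userId, int $ttlSeconds = 3600): string
{
    $raw = bin2hex(random_bytes(32));                  // 256 bits from the CSPRNG
    $store[hash('sha256', $raw)] = [
        'user_id' => $userId,
        'expires' => time() + $ttlSeconds,
    ];
    return $raw;
}

/** Return the authenticated user ID, or null if the request carries no valid token. */
function authenticateRequest(array $store, array $headers, int $now): ?int
{
    $auth = $headers['Authorization'] ?? '';
    if (!preg_match('/^Bearer +([0-9a-f]{64})$/', $auth, $m)) {
        return null;                                   // missing or malformed header
    }
    // Hash before lookup: a stolen copy of $store holds no usable tokens, and a
    // timing difference in the lookup could only reveal the hash, not the secret.
    $row = $store[hash('sha256', $m[1])] ?? null;
    if ($row === null || $row['expires'] <= $now) {
        return null;                                   // unknown or expired token
    }
    return $row['user_id'];
}

// Constructed round trip: the client authenticated earlier and received a token ...
$tokens = [];
$clientToken = issueToken($tokens, 7);

// ... and now calls a protected endpoint. In a real request read the header from
// $_SERVER['HTTP_AUTHORIZATION'] (or getallheaders()); it is passed in here so the
// example runs without a web server.
$userId = authenticateRequest($tokens, ['Authorization' => "Bearer $clientToken"], time());
if ($userId === null) {
    http_response_code(401);
    header('WWW-Authenticate: Bearer');
    exit;
}
header('Content-Type: application/json');
echo json_encode(['user_id' => $userId, 'data' => 'protected resource']), "\n";
```

A request with no header, a malformed header, a token that was never issued or one past its expiry all end in a 401. Because only hashes are stored, revoking a token is a matter of deleting its row, and a database dump cannot be replayed against the API.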
After several failed login attempts, what is a recommended action to enhance security in a PHP authentication system?
Explanation: Temporarily locking the account or adding a growing delay after repeated failures slows brute-force and credential-stuffing attacks to a crawl. Keep the lockout temporary and also throttle by source IP, because a permanent lockout lets an attacker deny service to legitimate users simply by guessing wrong on their behalf. Detailed error messages that reveal user data help the attacker (for example by confirming that a username exists). Random redirections confuse users without adding security. Deleting user records is destructive and no answer to failed logins.
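A per-account throttle with a temporary, growing lockout, as an added example that is not part of the quiz. The attempt store is an in-memory array so the code runs on its own; in production it must live in a database or cache shared by all PHP workers, and the class, thresholds and helper names are this example's own.

```php
<?php
// Added example (not part of the quiz): per-account login throttling with a
// temporary, exponentially growing lockout. The attempt store is an in-memory
// array for the sake of a self-contained run; back it with a DB or cache in
// production so it survives across requests and workers.
declare(strict_types=1);

final class LoginThrottle
{
    /** @var array<string, array{count:int, until:int}> username => attempt state */
    private array $attempts = [];

    public function __construct(
        private int $maxAttempts = 5,     // free failures before delays start
        private int $baseDelay   = 2,     // seconds; doubles with each further failure
        private int $maxLockout  = 900,   // never lock longer than 15 minutes (DoS limit)
    ) {}

    /** Seconds the caller must still wait, or 0 if the attempt may proceed. */
    public function retryAfter(string $user, int $now): int
    {
        $until = $this->attempts[$user]['until'] ?? 0;
        return max(0, $until - $now);
    }

    public function recordFailure(string $user, int $now): void
    {
        $count = ($this->attempts[$user]['count'] ?? 0) + 1;
        $until = $now;
        if ($count >= $this->maxAttempts) {
            $delay = min($this->maxLockout, $this->baseDelay * 2 ** ($count - $this->maxAttempts));
            $until = $now + $delay;
        }
        $this->attempts[$user] = ['count' => $count, 'until' => $until];
    }

    public function recordSuccess(string $user): void
    {
        unset($this->attempts[$user]);   // a real login resets the counter
    }
}

/** Constructed login handler: throttle check first, then the password check. */
function handleLogin(LoginThrottle $throttle, string $user, string $password, string $storedHash): bool
{
    $now = time();
    if (($wait = $throttle->retryAfter($user, $now)) > 0) {
        http_response_code(429);
        header("Retry-After: $wait");
        return false;   // same generic "login failed" to the user as a bad password
    }
    if (password_verify($password, $storedHash)) {
        $throttle->recordSuccess($user);
        return true;
    }
    $throttle->recordFailure($user, $now);
    return false;
}

$throttle = new LoginThrottle();
$hash = password_hash('s3cret-example', PASSWORD_DEFAULT);   // constructed user record
for ($i = 1; $i <= 6; $i++) {
    $ok = handleLogin($throttle, 'bob', "guess$i", $hash);
    printf("attempt %d: %s, retry after %ds\n", $i, $ok ? 'ok' : 'failed', $throttle->retryAfter('bob', time()));
}
```

The first failures cost nothing; once the threshold is reached every further failure doubles the wait, and the sixth attempt is refused before the password is even checked. Pair this with an IP-based limit and keep the cap modest, otherwise the throttle itself becomes a tool for locking users out.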
Why is it important to use output escaping when displaying usernames on authenticated pages in PHP?
Explanation: Escaping output at render time (for example with htmlspecialchars()) prevents stored cross-site scripting (XSS): an attacker who registers a username containing <script> or an attribute-breaking quote would otherwise have it executed in every other user's browser. Escaping has no meaningful effect on performance and nothing to do with password checks. It does let unusual characters in usernames be displayed safely, but that is a side effect; its purpose is preventing injection.
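Output escaping for the three places a username commonly lands on a page (text, an attribute value, and inline JavaScript), as an added example that is not part of the quiz. The sample usernames are constructed attacker input and the helper names are this example's own.

```php
<?php
// Added example (not part of the quiz): escaping a username for each HTML
// context it appears in. The usernames are constructed attacker input.
declare(strict_types=1);

/** HTML text and quoted attribute values: escape both quote types, replace invalid UTF-8. */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Values embedded in inline JavaScript: JSON-encode with the HTML-safe flags,
 *  so "<", ">", "&" and quotes become \uXXXX escapes and cannot close the script. */
function eJs(string $s): string
{
    return json_encode(
        $s,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// Constructed usernames an attacker might have registered
$names = [
    '<script>alert(document.cookie)</script>',   // breaks a text node
    '" onmouseover="alert(1)',                   // breaks out of a quoted attribute
    '</script><script>alert(2)</script>',        // breaks out of an inline script
];

foreach ($names as $name) {
    // Text node
    echo '<p>Welcome, ', e($name), "</p>\n";
    // Quoted attribute value: the closing quote is now &quot;, so no new attribute is created
    echo '<input type="text" value="', e($name), "\">\n";
    // Inline script: the "<" of </script> is emitted as \u003C, so the parser never sees a tag
    echo '<script>var user = ', eJs($name), ";</script>\n";
    echo "\n";
}
```

Escape at the point of output, not when storing the username, and pick the escaper for the context: htmlspecialchars() is correct for text and quoted attributes but not sufficient inside a script block, a URL, or an unquoted attribute.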
Which is the safest way to compare a user's submitted password with a stored hash in PHP?
Explanation: password_verify() is the only correct choice: it reads the algorithm, cost and salt out of the stored hash, hashes the submitted password the same way, and compares the results in constant time. Comparing the submitted password (or a hash of it) with == is dangerous because PHP's loose comparison treats numeric-looking strings as numbers, and strcmp() or === compare byte by byte and stop at the first difference, which can leak timing information; none of them knows how the stored hash was produced. Comparing only string lengths is meaningless and accepts any password of the right length.
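A concrete case of the loose-comparison problem described above, as an added example that is not part of the quiz: a legacy md5-based check using == is fooled by two unrelated inputs whose digests both happen to look like numbers, while password_verify() on a proper hash is not. The legacy store and the function names are this example's own.

```php
<?php
// Added example (not part of the quiz): why "==" is the wrong tool for checking
// a password against a stored hash. The legacy md5 store is constructed.
declare(strict_types=1);

// Two different strings whose md5 hex digests both have the form "0e<digits>".
// PHP compares two numeric strings numerically, so "0e..." == "0e..." evaluates
// as 0 == 0, and the wrong password is accepted.
$legacyHash = md5('240610708');   // the stored hash of the real password
$attempt    = md5('QNKCDZO');     // an attacker's guess, hashed the same way

function legacyCheckLoose(string $hashedAttempt, string $stored): bool
{
    return $hashedAttempt == $stored;    // loose comparison: vulnerable
}

function legacyCheckStrict(string $hashedAttempt, string $stored): bool
{
    return $hashedAttempt === $stored;   // right answer here, but still unsalted, fast md5
}

/** The correct tool: the algorithm, cost and salt are read from the stored hash. */
function modernCheck(string $plain, string $stored): bool
{
    return password_verify($plain, $stored);
}

printf("legacy ==  accepts wrong password: %s\n", var_export(legacyCheckLoose($attempt, $legacyHash), true));
printf("legacy === accepts wrong password: %s\n", var_export(legacyCheckStrict($attempt, $legacyHash), true));

$stored = password_hash('240610708', PASSWORD_DEFAULT);
printf("password_verify accepts wrong password: %s\n", var_export(modernCheck('QNKCDZO', $stored), true));
printf("password_verify accepts right password: %s\n", var_export(modernCheck('240610708', $stored), true));
```

The first line reports true: the == check lets the attacker in with a password that is not the user's. Switching to === closes that particular hole but leaves the fast, unsalted md5 storage in place; only the password_hash()/password_verify() pair fixes both the comparison and the storage. If you must compare two secrets of your own (for example a password-reset token), use hash_equals() rather than == or strcmp().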