logoalt Hacker News

superasntoday at 1:27 AM5 repliesview on HN

Everytime I read one of these it always boils down to the same thing..Don't solve solved problems. And the best code in this case is code you didn't write as PHP's session handler is battle-tested but every line you write to roll your own is a line you have to secure, maintain, and eventually patch at 2am when someone finds the bug.

Session handling, auth, crypto, password hashing etc - all these are the exact areas where you should be the most allergic to rolling your own. Not because you're not smart enough, but because a simple bug like sanitizing in the wrong place and the failure is catastrophic like in this instance.

Use boring, proven, widely-audited solutions. Save your creativity for the actual problem you're solving.

Replies

bananamogultoday at 1:37 AM

“And the best code in this case is code you didn't write as PHP's session handler is battle-tested”

cPanel is written in perl.

show 1 reply
shawnztoday at 1:58 AM

cPanel is 30 years old, are you saying it's not battle tested, boring, proven, and widely audited?

In fact PHP is only a few months older than it.

ryandraketoday at 1:36 AM

I don't even know why you'd want to re-implement this stuff, too. It's not exciting or sexy work. It's like time parsing, time zone handling, leap years... Why would you want to inflict that on yourself? You will 100% not handle every edge case, and you will 100% get time and time zone handling bugs.

TZubiritoday at 8:45 AM

But it's not the same thing every time, for example if you had written 'your own' http request you wouldn't habe been hit by the axios vuln.

If you rolled your own crypto and didn't install AF_ALG, you would have avoided copy fail.

Even in this case if you had implemented your own control panel, you wouldn't be hit.

Actually roll your own, don't add dependencies

londons_exploretoday at 6:46 AM

I doubt the mantra of "don't roll your own Auth/crypto" - especially if it lives on a server where the code can't be inspected.

Sure, there will be more bugs in my code, but the attackers will be putting far more scrutiny into a widely used library.

Some deliberately hilariously weak auth I built decades ago is only just now starting to get broken into by AI bots, whereas any vulnerable wordpress was broken into within days.

show 1 reply