I've been inspired by a question over on Code Review, which boils down to: What is the proper way to authenticate a user without a database?
Would it be the exact same process if you stored credentials in an array, or an XML file, or even just a plain ol' text file?
For example, let's examine the following PHP code:
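```php
// Username => stored password hash
$credentials = array(
    'UserA' => '$2y$10$PassForA',
    'UserB' => '$2y$10$PassForB'
);

// Missing fields become empty strings instead of raising notices
$username = $_POST['username'] ?? '';
$password = $_POST['password'] ?? '';

// Reject array-valued fields (e.g. username[]=x) before using them as a key
if (is_string($username) && is_string($password)
    && isset($credentials[$username])
    && password_verify($password, $credentials[$username])) {
    // Successfully authenticated
} else {
    // Permission denied
}
```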
Is this a perfectly acceptable way to store credentials? If we were to grab the username and hashed password from an external file (XML/txt), would things need to be treated any differently?
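
The external-file variant asked about above, as an added example that is not part of the original post: the hashes are read from a text file and checked with the same `password_verify()` call. The `username:hash` line format, the function names `load_credentials` and `authenticate`, the dummy-hash step and the temporary file are assumptions made for the illustration.

```php
<?php
// Added example. Assumed format: one "username:hash" per line, '#' starts a comment.
function load_credentials(string $path): array
{
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        throw new RuntimeException('cannot read credential file');
    }
    $creds = [];
    foreach ($lines as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        // Split on the first ':' only; keep entries whose hash password_hash() would emit.
        $parts = explode(':', $line, 2);
        if (count($parts) === 2 && $parts[0] !== '' && !empty(password_get_info($parts[1])['algo'])) {
            $creds[$parts[0]] = $parts[1];
        }
    }
    return $creds;
}

function authenticate(array $creds, $username, $password, string $dummyHash): bool
{
    if (!is_string($username) || !is_string($password)) {
        return false; // array-valued form fields
    }
    $known = array_key_exists($username, $creds);
    // Verify against a dummy hash for unknown users so both failure paths do the same work.
    $ok = password_verify($password, $known ? $creds[$username] : $dummyHash);
    return $known && $ok;
}

// Constructed sample data: a temp file standing in for a credential file that would
// live outside the web root and be readable only by the PHP user.
$path = tempnam(sys_get_temp_dir(), 'cred');
file_put_contents($path, "# constructed sample\n"
    . 'UserA:' . password_hash('correct horse', PASSWORD_DEFAULT) . "\n"
    . "UserB:not-a-hash\n");
chmod($path, 0600);
$creds = load_credentials($path);
$dummy = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
// Cases: valid login, wrong password, unknown user, malformed entry, array input.
var_dump(authenticate($creds, 'UserA', 'correct horse', $dummy));
var_dump(authenticate($creds, 'UserA', 'wrong', $dummy));
var_dump(authenticate($creds, 'Nobody', 'correct horse', $dummy));
var_dump(authenticate($creds, 'UserB', 'not-a-hash', $dummy));
var_dump(authenticate($creds, ['UserA'], 'correct horse', $dummy));
unlink($path);
```

Only the first call authenticates; the rest are rejected, including `UserB`, whose malformed entry is dropped at load time.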