ErkanaAuth is as safe as you make it. Authentication comes down to nothing more than: “is there a row in the database with this information?” ErkanaAuth just makes it a tad bit easier to do that. It is still up to you to make it secure.
For authentication, I do something like this:
1. User registers with email/password
2. Encrypt the user’s password
3. Generate a 7-character salt
4. SHA1 the concatenation of the user’s encrypted password and their salt
For form validation (to prevent cross-site forgeries):
1. Generate a 7-character random string, encrypt it and store it in a session for that user
2. Place a hidden field on the form with that 7-character random string
3. Upon submission, ensure the POST matches the session
For hijacking the data and changing how much they should be charged - I can’t think of a situation where this “should” be possible. The form the user submits should only tell the backend which item they want - nothing to do with the price.
There would then be a table to store active carts, with item and price information. The only way this can be changed is by the user submitting a form that alters the quantity of an item (or maybe a coupon code, or something). When the user clicks checkout, the back-end pulls all of the pricing information from the active cart record and proceeds with payment.
Doing it this way will also keep administrators from accidentally altering prices on an active cart. If I have 3 items at $5.99 in my cart and I am still browsing around the site when an admin lowers/raises the price, my cart will still remain at the same price (and not change to the currently active price on the site).
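The register/login flow and the form-token check described in the post, written out as an added example. This is the editor's illustration, not ErkanaAuth's code and not the poster's: the users table and session store are plain dictionaries constructed here, the salt and token are generated with the `secrets` module, and the hash step uses `hashlib.pbkdf2_hmac` (an editor's substitution for the single SHA1 pass in the post; the salt-plus-hash-plus-compare structure is the same). Token storage is simplified to plaintext in the session.

```python
import hashlib
import hmac
import secrets
import string

# Constructed in-memory stores standing in for the users table and the
# per-user session store (assumption: one session record per session id).
USERS = {}      # email -> {"salt": str, "hash": str}
SESSIONS = {}   # session_id -> {"csrf": str}

SALT_ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 7  # the post uses 7-character salts and form tokens


def random_string(length=TOKEN_LENGTH):
    """CSPRNG-backed random string, used for both salts and form tokens."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def hash_password(password, salt):
    """Hash step: combine password and salt into one digest.
    Editor's choice: PBKDF2-HMAC-SHA256 rather than a single SHA1 pass."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt.encode(), 200_000
    ).hex()


def register(email, password):
    """Step 1-4 of the post: new row with a fresh salt and the salted hash."""
    if email in USERS:
        return False
    salt = random_string()
    USERS[email] = {"salt": salt, "hash": hash_password(password, salt)}
    return True


def authenticate(email, password):
    """'Is there a row with this information?': recompute and compare."""
    row = USERS.get(email)
    if row is None:
        # Hash anyway so an unknown email costs the same time as a wrong password.
        hash_password(password, "no-such-user")
        return False
    return hmac.compare_digest(row["hash"], hash_password(password, row["salt"]))


def issue_form_token(session_id):
    """Form validation step 1: random token stored in the user's session."""
    token = random_string()
    SESSIONS.setdefault(session_id, {})["csrf"] = token
    return token


def render_hidden_field(token):
    """Form validation step 2: the same token as a hidden field."""
    return '<input type="hidden" name="csrf_token" value="%s">' % token


def validate_submission(session_id, posted_fields):
    """Form validation step 3: the POSTed token must match the session's.
    The token is consumed on success, so a replayed form is rejected."""
    expected = SESSIONS.get(session_id, {}).get("csrf")
    supplied = posted_fields.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    del SESSIONS[session_id]["csrf"]
    return True
```

`hmac.compare_digest` is used for both comparisons so that a mismatch takes the same time regardless of where the strings first differ.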
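The active-cart design from the last two paragraphs, as an added example that is not part of the post: the quantity form names only the item, the unit price is copied from the catalogue when the item is added and frozen in the cart row, and checkout totals from the cart record alone. The catalogue and cart tables are constructed dictionaries; `Decimal` is used for money to avoid float rounding.

```python
from decimal import Decimal

# Constructed catalogue standing in for the products table.
CATALOG = {"widget": Decimal("5.99"), "gadget": Decimal("12.50")}

# Constructed active-cart table:
# cart_id -> {item_id: {"qty": int, "unit_price": Decimal}}
CARTS = {}


def add_to_cart(cart_id, item_id, qty=1):
    """The add form only names the item; the price is read from the
    catalogue here, on the server, and frozen in the cart row."""
    if item_id not in CATALOG or qty < 1:
        return False
    cart = CARTS.setdefault(cart_id, {})
    line = cart.get(item_id)
    if line is None:
        cart[item_id] = {"qty": qty, "unit_price": CATALOG[item_id]}
    else:
        line["qty"] += qty
    return True


def update_quantity(cart_id, posted):
    """Handle a quantity-change form. Only item_id and qty are read;
    any other posted field (a tampered 'price', say) is ignored."""
    cart = CARTS.get(cart_id, {})
    item_id = posted.get("item_id")
    try:
        qty = int(posted.get("qty", ""))
    except ValueError:
        return False
    if item_id not in cart or qty < 0:
        return False
    if qty == 0:
        del cart[item_id]
    else:
        cart[item_id]["qty"] = qty
    return True


def admin_set_price(item_id, price):
    """Admin price change touches the catalogue only, never active carts."""
    CATALOG[item_id] = Decimal(price)


def line_unit_price(cart_id, item_id):
    """Unit price as stored in the cart row, as a string for display."""
    return str(CARTS[cart_id][item_id]["unit_price"])


def checkout_total(cart_id):
    """Total from the cart record alone: not from the request and not
    from the current catalogue price."""
    cart = CARTS.get(cart_id, {})
    total = sum((line["qty"] * line["unit_price"] for line in cart.values()),
                Decimal("0"))
    return str(total)
```

With this layout a posted `price` field has nowhere to land, and a catalogue change made while a shopper is browsing leaves their existing cart lines at the price they saw.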