Parts Ordering Site

This upgrade happened almost a year ago now, so I may miss some of the specific coding details, but I will try to remember what I can. Also, this was my first major project at Marine Travelift.

History

Marine Travelift, the company I interned at and currently work for, has a site which our vendors can log in to and order parts from. The login used to be a simple username/password process, and it didn't really matter that this wasn't secure since the site was protected by an IP whitelist. Well, my boss and some of our vendors got annoyed by this list because of dynamic IP problems, so 6 months after joining the company, I was tasked with remaking the login.

In order to keep it as secure as possible, two features needed to be added: password-less login and multi-factor authentication. We were still going to have problems with getting emails and phone numbers from vendors, especially initially, but it would work out better in the long run. Thankfully, I didn't have to write everything from scratch since GitHub repositories exist for both password-less login and Duo security, but there were still plenty of problems. Some of them happened because I was completely new to PHP, and I also needed to upgrade PHP at the same time so that the repos could actually be implemented.

Experience

PHP

Regarding the PHP upgrade, some code in the site became deprecated as you might expect, but none of this was particularly hard to fix. The main problem came from php.ini changes. Since various features are always being added and removed, I couldn't just copy over the contents of the old .ini into the new one, which means I had to scour them manually. Of course I didn't catch everything, but not necessarily because I didn't see differences. For example, an error ended up being thrown because the site used the .ini's timezone, and the new file was set to UTC. However, I didn't know at the time that the site needed Chicago time, so I left the .ini as UTC since I thought standardized time would be more beneficial.

Besides this, we did expect errors to occur during release due to the sheer amount of things being changed. However, taking a snapshot of the server didn't occur to me until I had made a couple of changes which, existing on their own, would break either version of the site, so reverting to the snapshot didn't work, and they had to wait until I got in to fix those changes. I'm not going to lie to you and say that, besides some errors, everything went great because I definitely did screw up a bit, but you can't learn without experiences.

Site

Setting up the password-less login repository wasn't much of a problem; it basically just needed email server information. There were some reference problems in some of the files I shouldn't have had to modify, so I manually set require statements. Like I said though, this was my first time dealing with PHP, so I didn't know much about the vendor autoload file yet.

For Duo, we decided to use the more secure method that displays a code in the browser that you need to enter into the app. This required "Universal Prompt," which we had trouble setting up in Duo itself because there wasn't really any documentation about what to do. I don't remember what the solution was, though.

The main struggle I remember about the code I wrote was how to pass around all of the different codes needed for the process. Originally, I used GET for everything, but my boss mentioned how that isn't too secure, so instead I utilized the SESSION. However, I had to rewrite a bit of code and split out the session creation into a separate file because some of the code written by the site's creator started new sessions in random places which would've wiped my values.
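One way to structure that split, written here as an added example rather than code from the original post or from the company's site: a single bootstrap (the file name, function names and the 10 minute window are assumptions) that starts the session only if it is not already active, so repeated includes cannot reset state, and keeps the one-time codes in $_SESSION instead of the query string, where they would otherwise land in access logs, browser history and Referer headers.

```php
<?php
// session_bootstrap.php (hypothetical name): the one place that starts the
// session. Every page includes this instead of calling session_start() itself.
declare(strict_types=1);

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return; // already started by an earlier include; leave $_SESSION alone
    }
    session_set_cookie_params([
        'lifetime' => 0,        // cookie expires with the browser session
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable by page scripts
        'samesite' => 'Strict',
    ]);
    session_start();
}

// Keep the emailed code and the current login step server-side. Only a random
// session id travels in the cookie, never the code itself.
function store_login_state(string $email, string $code, string $step): void
{
    start_secure_session();
    $_SESSION['login'] = [
        'email'   => $email,
        'code'    => $code,
        'step'    => $step,          // e.g. 'emailed' or 'mfa_pending'
        'expires' => time() + 600,   // 10 minute window (assumed policy)
    ];
}

// Compare the submitted code in constant time and clear it on first use, so an
// expired or replayed code fails; rotate the session id after a successful step.
function verify_login_code(string $submitted): bool
{
    start_secure_session();
    $state = $_SESSION['login'] ?? null;
    if ($state === null || time() > $state['expires']) {
        unset($_SESSION['login']);
        return false;
    }
    $ok = hash_equals($state['code'], $submitted);
    unset($_SESSION['login']['code']);
    if ($ok) {
        session_regenerate_id(true);
    }
    return $ok;
}
```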