How should I choose an authentication library for CodeIgniter

Question

I see there are a few  Which ones are maintained and easy to use  What are their pros and cons

User · Answer

I use a customized version of DX Auth  I found it simple to use  extremely easy to modify and it has a user guide  with great examples  that is very similar to Code Igniter s

User · Answer

I ve come across Flexi Auth  http   haseydesign com flexi-auth    It looks very promising  and I ve started using it  It has wonderfful features  Fully integrates with CI  and comes with two different library files  in which one is very heavy loaded with all the functions and the other one contains only the validations    One of the best is that the newly registered member gets temporary access for a given amount of time on the site  until they click on the link from their email and activate

User · Answer

Also take a look at BackendPro  Ultimately you will probably end up writing something custom  but there s nothing wrong with borrowing concepts from DX Auth  Freak Auth  BackendPro  etc   My experiences with the packaged apps is they are specific to certain structures and I have had problems integrating them into my own applications without requiring hacks  then if the pre-package has an update  I have to migrate them in   I also use Smarty and ADOdb in my CI code  so no matter what I would always end up making major code changes

User · Answer

Maybe you d find Redux suiting your needs  It s no overkill and comes packed solely with bare features most of us would require  The dev and contributors were very strict on what code was contributed   This is the official page

User · Answer

I m trying Ion Auth and appreciate it  btw     SimpleLoginSecure Makes authentication simple and secure

User · Answer

Ion Auth beats tank auth mainly for two reasons  user roles and documentation  these two are missing from tank auth

User · Answer

Note that the  comprehensive listing  by Jens Roland doesn t include user roles   If you re interested in assigning different user roles  like admin user or admin editor user   these libraries allow it    Ion Auth  rewrite of Redux  Redux Backend Pro   Tank Auth   1 above in Jens s list  doesn t have user roles   I realize it s not exactly part of authentication  but since    authentication and role management are both handled upon page load Both involve security The same table model can be used for both  Both can be set up to load in the controller constructor  or even autoload    It makes a LOT of sense to have one library to handle both  if you need it   I m switching to Ion Auth from Tank Auth because of this

User · Answer

Note that the  comprehensive listing  by Jens Roland doesn t include user roles   If you re interested in assigning different user roles  like admin user or admin editor user   these libraries allow it    Ion Auth  rewrite of Redux  Redux Backend Pro   Tank Auth   1 above in Jens s list  doesn t have user roles   I realize it s not exactly part of authentication  but since    authentication and role management are both handled upon page load Both involve security The same table model can be used for both  Both can be set up to load in the controller constructor  or even autoload    It makes a LOT of sense to have one library to handle both  if you need it   I m switching to Ion Auth from Tank Auth because of this

User · Answer

Tank Auth looks good but the documentation is just a one-page explanation of how to install  plus a quick run-down of each PHP file  At least that s all I found after lots of Googling  Maybe what people mean above when they say that Tank Auth is well-documented is that the code is well-commented  That s a good thing  but different than documentation  It would have been nice to have some documentation about how to integrate Tank Auth s features with your existing code

User · Answer

I m the developer of Redux Auth and some of the issues you mentioned have been fixed in the version 2 beta  You can download this off the offcial website with a sample application too         Requires autoloading  impeding performance    Uses the inherently unsafe concept of  security questions   Dealbreaker       Security questions are now not used and a simpler forgotten password system has been put in place         Return types are a bit of a hodgepodge of true  false  error and success codes      This was fixed in version 2 and returns boolean values  I hated the hodgepodge as much as you         Doesn t hook into CI s validation system      The sample application uses the CI s validation system         Doesn t allow a user to resend a  lost password  code      Work in progress  I also implemented some other features such as email views  this gives you the choice of being able to use the CodeIgniter helpers in your emails   It s still a work in progress so if have any more suggestions please keep them coming   -Popcorn  Ps   Thanks for recommending Redux

User · Answer

I use a customized version of DX Auth  I found it simple to use  extremely easy to modify and it has a user guide  with great examples  that is very similar to Code Igniter s

User · Answer

Update  May 14  2010   It turns out  the russian developer Ilya Konyukhov picked up the gauntlet after reading this and created a new auth library for CI based on DX Auth  following the recommendations and requirements below  And the resulting Tank Auth is looking like the answer to the OP s question  I m going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today  It s a rock-solid library that has all the features you need and none of the bloat you don t  Tank Auth  Pros  Full featured Lean footprint  20 files  considering the feature set Very good documentation Simple and elegant database design  just 4 DB tables  Most features are optional and easily configured Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Login with email  username or both  configurable  Unactivated accounts auto-expire Simple yet effective error handling Uses phpass for hashing  and also hashes autologin codes in the DB  Does not use security questions Separation of user and profile data is very nice Very reasonable security model around failed login attempts  good protection against bots and DoS attacks    Minor  Cons  Lost password codes are not hashed in DB Includes a native  poor  CAPTCHA  which is nice for those who don t want to depend on the  Google-owned  reCAPTCHA service  but it really isn t secure enough Very sparse online documentation  minor issue here  since the code is nicely documented and intuitive    Download Tank Auth here  Original answer  I ve implemented my own as well  currently about 80  done after a few weeks of work   I tried all of the others first  FreakAuth Light  DX Auth  Redux  SimpleLogin  SimpleLoginSecure  pc user  Fresh Powered  and a few more  None of them were up to par  IMO  either they were lacking basic features  inherently INsecure  or too bloated for my taste  Actually  I did a detailed roundup of all the authentication libraries for CodeIgniter when I was testing them out  just after New Year s   FWIW  I ll share it with you  DX Auth  Pros  Very full featured Medium footprint  25  files   but manages to feel quite slim Excellent documentation  although some is in slightly broken English Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Unactivated accounts auto-expire Suggests grc com for salts  not bad for a PRNG  Banning with stored  reason  strings Simple yet effective error handling  Cons  Only lets users  reset  a lost password  rather than letting them pick a new one upon reactivation  Homebrew pseudo-event model - good intention  but misses the mark Two password fields in the user table  bad style Uses two separate user tables  one for  temp  users - ambiguous and redundant  Uses potentially unsafe md5 hashing Failed login attempts only stored by IP  not by username - unsafe  Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext  Role system is a complete mess  is admin function with hard-coded role names  is role a complete mess  check uri permissions is a mess  the whole permissions table is a bad idea  a URI can change and render pages unprotected  permissions should always be stored exactly where the sensitive logic is   Dealbreaker  Includes a native  poor  CAPTCHA reCAPTCHA function interface is messy   FreakAuth Light  Pros  Very full featured Mostly quite well documented code Separation of user and profile data is a nice touch Hooks into CI s validation system Activation emails Language file support Actively developed  Cons  Feels a bit bloated  50  files  And yet it lacks automatic cookie login     Doesn t support logins with both username and email Seems to have issues with UTF-8 characters Requires a lot of autoloading  impeding performance  Badly micromanaged config file Terrible View-Controller separation  with lots of program logic in views and output hard-coded into controllers  Dealbreaker  Poor HTML code in the included views Includes substandard CAPTCHA Commented debug echoes everywhere Forces a specific folder structure Forces a specific Ajax library  can be switched  but shouldn t be there in the first place  No max limit on login attempts - VERY unsafe  Dealbreaker  Hijacks form validation Uses potentially unsafe md5 hashing   pc user  Pros  Good feature set for its tiny footprint Lightweight  no bloat  3 files  Elegant automatic cookie login Comes with optional test implementation  nice touch   Cons  Uses the old CI database syntax  less safe  Doesn t hook into CI s validation system Kinda unintuitive status  role  system  indexes upside down - impractical  Uses potentially unsafe sha1 hashing   Fresh Powered  Pros  Small footprint  6 files   Cons  Lacks a lot of essential features  Dealbreaker  Everything is hard-coded  Dealbreaker    Redux   Ion Auth According to the CodeIgniter wiki  Redux has been discontinued  but the Ion Auth fork is going strong  https   github com benedmunds CodeIgniter-Ion-Auth Ion Auth is a well featured library without it being overly heavy or under advanced  In most cases its feature set will more than cater for a project s requirements   Pros  Lightweight and simple to integrate with CodeIgniter Supports sending emails directly from the library Well documented online and good active dev user community Simple to implement into a project  Cons  More complex DB schema than some others Documentation lacks detail in some areas   SimpleLoginSecure  Pros  Tiny footprint  4 files  Minimalistic  absolutely no bloat Uses phpass for hashing  excellent   Cons  Only login  logout  create and delete Lacks a lot of essential features  Dealbreaker  More of a starting point than a library    Don t get me wrong  I don t mean to disrespect any of the above libraries  I am very impressed with what their developers have accomplished and how far each of them have come  and I m not above reusing some of their code to build my own  What I m saying is  sometimes in these projects  the focus shifts from the essential  need-to-haves   such as hard security practices  over to softer  nice-to-haves   and that s what I hope to remedy  Therefore  back to basics  Authentication for CodeIgniter done right Here s my MINIMAL required list of features from an authentication library  It also happens to be a subset of my own library s feature list      Tiny footprint with optional test implementation Full documentation No autoloading required  Just-in-time loading of libraries for performance Language file support  no hard-coded strings reCAPTCHA supported but optional Recommended TRUE random salt generation  e g  using random org or random irb hr  Optional add-ons to support 3rd party login  OpenID  Facebook Connect  Google Account  etc   Login using either username or email Separation of user and profile data Emails for activation and lost passwords Automatic cookie login feature Configurable phpass for hashing  properly salted of course   Hashing of passwords Hashing of autologin codes Hashing of lost password codes Hooks into CI s validation system NO security questions  Enforced strong password policy server-side  with optional client-side  Javascript  validator Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks  All database access done through prepared  bound  statements    Note  those last few points are not super-high-security overkill that you don t need for your web application  If an authentication library doesn t meet these security standards 100   DO NOT USE IT  Recent high-profile examples of irresponsible coders who left them out of their software   17 is how Sarah Palin s AOL email was hacked during the Presidential campaign  a nasty combination of  18 and  19 were the culprit recently when the Twitter accounts of Britney Spears  Barack Obama  Fox News and others were hacked  and  20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70 000 Korean web sites in one automated hack in 2008  These attacks are not brain surgery  If you leave your back doors wide open  you shouldn t delude yourself into a false sense of security by bolting the front  Moreover  if you re serious enough about coding to choose a best-practices framework like CodeIgniter  you owe it to yourself to at least get the most basic security measures done right    lt rant gt  Basically  here s how it is  I don t care if an auth library offers a bunch of features  advanced role management  PHP4 compatibility  pretty CAPTCHA fonts  country tables  complete admin panels  bells and whistles -- if the library actually makes my site less secure by not following best practices  It s an authentication package  it needs to do ONE thing right  Authentication  If it fails to do that  it s actually doing more harm than good   lt  rant gt   Jens Roland

User · Answer

I m the developer of Redux Auth and some of the issues you mentioned have been fixed in the version 2 beta  You can download this off the offcial website with a sample application too         Requires autoloading  impeding performance    Uses the inherently unsafe concept of  security questions   Dealbreaker       Security questions are now not used and a simpler forgotten password system has been put in place         Return types are a bit of a hodgepodge of true  false  error and success codes      This was fixed in version 2 and returns boolean values  I hated the hodgepodge as much as you         Doesn t hook into CI s validation system      The sample application uses the CI s validation system         Doesn t allow a user to resend a  lost password  code      Work in progress  I also implemented some other features such as email views  this gives you the choice of being able to use the CodeIgniter helpers in your emails   It s still a work in progress so if have any more suggestions please keep them coming   -Popcorn  Ps   Thanks for recommending Redux

User · Answer

Also take a look at BackendPro  Ultimately you will probably end up writing something custom  but there s nothing wrong with borrowing concepts from DX Auth  Freak Auth  BackendPro  etc   My experiences with the packaged apps is they are specific to certain structures and I have had problems integrating them into my own applications without requiring hacks  then if the pre-package has an update  I have to migrate them in   I also use Smarty and ADOdb in my CI code  so no matter what I would always end up making major code changes

User · Answer

Ion auth  Looks very promising and small footprint  I like    http   github com benedmunds CodeIgniter-Ion-Auth

User · Answer

Also take a look at BackendPro  Ultimately you will probably end up writing something custom  but there s nothing wrong with borrowing concepts from DX Auth  Freak Auth  BackendPro  etc   My experiences with the packaged apps is they are specific to certain structures and I have had problems integrating them into my own applications without requiring hacks  then if the pre-package has an update  I have to migrate them in   I also use Smarty and ADOdb in my CI code  so no matter what I would always end up making major code changes

User · Answer

Update  May 14  2010   It turns out  the russian developer Ilya Konyukhov picked up the gauntlet after reading this and created a new auth library for CI based on DX Auth  following the recommendations and requirements below  And the resulting Tank Auth is looking like the answer to the OP s question  I m going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today  It s a rock-solid library that has all the features you need and none of the bloat you don t  Tank Auth  Pros  Full featured Lean footprint  20 files  considering the feature set Very good documentation Simple and elegant database design  just 4 DB tables  Most features are optional and easily configured Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Login with email  username or both  configurable  Unactivated accounts auto-expire Simple yet effective error handling Uses phpass for hashing  and also hashes autologin codes in the DB  Does not use security questions Separation of user and profile data is very nice Very reasonable security model around failed login attempts  good protection against bots and DoS attacks    Minor  Cons  Lost password codes are not hashed in DB Includes a native  poor  CAPTCHA  which is nice for those who don t want to depend on the  Google-owned  reCAPTCHA service  but it really isn t secure enough Very sparse online documentation  minor issue here  since the code is nicely documented and intuitive    Download Tank Auth here  Original answer  I ve implemented my own as well  currently about 80  done after a few weeks of work   I tried all of the others first  FreakAuth Light  DX Auth  Redux  SimpleLogin  SimpleLoginSecure  pc user  Fresh Powered  and a few more  None of them were up to par  IMO  either they were lacking basic features  inherently INsecure  or too bloated for my taste  Actually  I did a detailed roundup of all the authentication libraries for CodeIgniter when I was testing them out  just after New Year s   FWIW  I ll share it with you  DX Auth  Pros  Very full featured Medium footprint  25  files   but manages to feel quite slim Excellent documentation  although some is in slightly broken English Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Unactivated accounts auto-expire Suggests grc com for salts  not bad for a PRNG  Banning with stored  reason  strings Simple yet effective error handling  Cons  Only lets users  reset  a lost password  rather than letting them pick a new one upon reactivation  Homebrew pseudo-event model - good intention  but misses the mark Two password fields in the user table  bad style Uses two separate user tables  one for  temp  users - ambiguous and redundant  Uses potentially unsafe md5 hashing Failed login attempts only stored by IP  not by username - unsafe  Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext  Role system is a complete mess  is admin function with hard-coded role names  is role a complete mess  check uri permissions is a mess  the whole permissions table is a bad idea  a URI can change and render pages unprotected  permissions should always be stored exactly where the sensitive logic is   Dealbreaker  Includes a native  poor  CAPTCHA reCAPTCHA function interface is messy   FreakAuth Light  Pros  Very full featured Mostly quite well documented code Separation of user and profile data is a nice touch Hooks into CI s validation system Activation emails Language file support Actively developed  Cons  Feels a bit bloated  50  files  And yet it lacks automatic cookie login     Doesn t support logins with both username and email Seems to have issues with UTF-8 characters Requires a lot of autoloading  impeding performance  Badly micromanaged config file Terrible View-Controller separation  with lots of program logic in views and output hard-coded into controllers  Dealbreaker  Poor HTML code in the included views Includes substandard CAPTCHA Commented debug echoes everywhere Forces a specific folder structure Forces a specific Ajax library  can be switched  but shouldn t be there in the first place  No max limit on login attempts - VERY unsafe  Dealbreaker  Hijacks form validation Uses potentially unsafe md5 hashing   pc user  Pros  Good feature set for its tiny footprint Lightweight  no bloat  3 files  Elegant automatic cookie login Comes with optional test implementation  nice touch   Cons  Uses the old CI database syntax  less safe  Doesn t hook into CI s validation system Kinda unintuitive status  role  system  indexes upside down - impractical  Uses potentially unsafe sha1 hashing   Fresh Powered  Pros  Small footprint  6 files   Cons  Lacks a lot of essential features  Dealbreaker  Everything is hard-coded  Dealbreaker    Redux   Ion Auth According to the CodeIgniter wiki  Redux has been discontinued  but the Ion Auth fork is going strong  https   github com benedmunds CodeIgniter-Ion-Auth Ion Auth is a well featured library without it being overly heavy or under advanced  In most cases its feature set will more than cater for a project s requirements   Pros  Lightweight and simple to integrate with CodeIgniter Supports sending emails directly from the library Well documented online and good active dev user community Simple to implement into a project  Cons  More complex DB schema than some others Documentation lacks detail in some areas   SimpleLoginSecure  Pros  Tiny footprint  4 files  Minimalistic  absolutely no bloat Uses phpass for hashing  excellent   Cons  Only login  logout  create and delete Lacks a lot of essential features  Dealbreaker  More of a starting point than a library    Don t get me wrong  I don t mean to disrespect any of the above libraries  I am very impressed with what their developers have accomplished and how far each of them have come  and I m not above reusing some of their code to build my own  What I m saying is  sometimes in these projects  the focus shifts from the essential  need-to-haves   such as hard security practices  over to softer  nice-to-haves   and that s what I hope to remedy  Therefore  back to basics  Authentication for CodeIgniter done right Here s my MINIMAL required list of features from an authentication library  It also happens to be a subset of my own library s feature list      Tiny footprint with optional test implementation Full documentation No autoloading required  Just-in-time loading of libraries for performance Language file support  no hard-coded strings reCAPTCHA supported but optional Recommended TRUE random salt generation  e g  using random org or random irb hr  Optional add-ons to support 3rd party login  OpenID  Facebook Connect  Google Account  etc   Login using either username or email Separation of user and profile data Emails for activation and lost passwords Automatic cookie login feature Configurable phpass for hashing  properly salted of course   Hashing of passwords Hashing of autologin codes Hashing of lost password codes Hooks into CI s validation system NO security questions  Enforced strong password policy server-side  with optional client-side  Javascript  validator Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks  All database access done through prepared  bound  statements    Note  those last few points are not super-high-security overkill that you don t need for your web application  If an authentication library doesn t meet these security standards 100   DO NOT USE IT  Recent high-profile examples of irresponsible coders who left them out of their software   17 is how Sarah Palin s AOL email was hacked during the Presidential campaign  a nasty combination of  18 and  19 were the culprit recently when the Twitter accounts of Britney Spears  Barack Obama  Fox News and others were hacked  and  20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70 000 Korean web sites in one automated hack in 2008  These attacks are not brain surgery  If you leave your back doors wide open  you shouldn t delude yourself into a false sense of security by bolting the front  Moreover  if you re serious enough about coding to choose a best-practices framework like CodeIgniter  you owe it to yourself to at least get the most basic security measures done right    lt rant gt  Basically  here s how it is  I don t care if an auth library offers a bunch of features  advanced role management  PHP4 compatibility  pretty CAPTCHA fonts  country tables  complete admin panels  bells and whistles -- if the library actually makes my site less secure by not following best practices  It s an authentication package  it needs to do ONE thing right  Authentication  If it fails to do that  it s actually doing more harm than good   lt  rant gt   Jens Roland

User · Answer

Ion auth  Looks very promising and small footprint  I like    http   github com benedmunds CodeIgniter-Ion-Auth

User · Answer

Maybe you d find Redux suiting your needs  It s no overkill and comes packed solely with bare features most of us would require  The dev and contributors were very strict on what code was contributed   This is the official page

User · Answer

Update  May 14  2010   It turns out  the russian developer Ilya Konyukhov picked up the gauntlet after reading this and created a new auth library for CI based on DX Auth  following the recommendations and requirements below  And the resulting Tank Auth is looking like the answer to the OP s question  I m going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today  It s a rock-solid library that has all the features you need and none of the bloat you don t  Tank Auth  Pros  Full featured Lean footprint  20 files  considering the feature set Very good documentation Simple and elegant database design  just 4 DB tables  Most features are optional and easily configured Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Login with email  username or both  configurable  Unactivated accounts auto-expire Simple yet effective error handling Uses phpass for hashing  and also hashes autologin codes in the DB  Does not use security questions Separation of user and profile data is very nice Very reasonable security model around failed login attempts  good protection against bots and DoS attacks    Minor  Cons  Lost password codes are not hashed in DB Includes a native  poor  CAPTCHA  which is nice for those who don t want to depend on the  Google-owned  reCAPTCHA service  but it really isn t secure enough Very sparse online documentation  minor issue here  since the code is nicely documented and intuitive    Download Tank Auth here  Original answer  I ve implemented my own as well  currently about 80  done after a few weeks of work   I tried all of the others first  FreakAuth Light  DX Auth  Redux  SimpleLogin  SimpleLoginSecure  pc user  Fresh Powered  and a few more  None of them were up to par  IMO  either they were lacking basic features  inherently INsecure  or too bloated for my taste  Actually  I did a detailed roundup of all the authentication libraries for CodeIgniter when I was testing them out  just after New Year s   FWIW  I ll share it with you  DX Auth  Pros  Very full featured Medium footprint  25  files   but manages to feel quite slim Excellent documentation  although some is in slightly broken English Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Unactivated accounts auto-expire Suggests grc com for salts  not bad for a PRNG  Banning with stored  reason  strings Simple yet effective error handling  Cons  Only lets users  reset  a lost password  rather than letting them pick a new one upon reactivation  Homebrew pseudo-event model - good intention  but misses the mark Two password fields in the user table  bad style Uses two separate user tables  one for  temp  users - ambiguous and redundant  Uses potentially unsafe md5 hashing Failed login attempts only stored by IP  not by username - unsafe  Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext  Role system is a complete mess  is admin function with hard-coded role names  is role a complete mess  check uri permissions is a mess  the whole permissions table is a bad idea  a URI can change and render pages unprotected  permissions should always be stored exactly where the sensitive logic is   Dealbreaker  Includes a native  poor  CAPTCHA reCAPTCHA function interface is messy   FreakAuth Light  Pros  Very full featured Mostly quite well documented code Separation of user and profile data is a nice touch Hooks into CI s validation system Activation emails Language file support Actively developed  Cons  Feels a bit bloated  50  files  And yet it lacks automatic cookie login     Doesn t support logins with both username and email Seems to have issues with UTF-8 characters Requires a lot of autoloading  impeding performance  Badly micromanaged config file Terrible View-Controller separation  with lots of program logic in views and output hard-coded into controllers  Dealbreaker  Poor HTML code in the included views Includes substandard CAPTCHA Commented debug echoes everywhere Forces a specific folder structure Forces a specific Ajax library  can be switched  but shouldn t be there in the first place  No max limit on login attempts - VERY unsafe  Dealbreaker  Hijacks form validation Uses potentially unsafe md5 hashing   pc user  Pros  Good feature set for its tiny footprint Lightweight  no bloat  3 files  Elegant automatic cookie login Comes with optional test implementation  nice touch   Cons  Uses the old CI database syntax  less safe  Doesn t hook into CI s validation system Kinda unintuitive status  role  system  indexes upside down - impractical  Uses potentially unsafe sha1 hashing   Fresh Powered  Pros  Small footprint  6 files   Cons  Lacks a lot of essential features  Dealbreaker  Everything is hard-coded  Dealbreaker    Redux   Ion Auth According to the CodeIgniter wiki  Redux has been discontinued  but the Ion Auth fork is going strong  https   github com benedmunds CodeIgniter-Ion-Auth Ion Auth is a well featured library without it being overly heavy or under advanced  In most cases its feature set will more than cater for a project s requirements   Pros  Lightweight and simple to integrate with CodeIgniter Supports sending emails directly from the library Well documented online and good active dev user community Simple to implement into a project  Cons  More complex DB schema than some others Documentation lacks detail in some areas   SimpleLoginSecure  Pros  Tiny footprint  4 files  Minimalistic  absolutely no bloat Uses phpass for hashing  excellent   Cons  Only login  logout  create and delete Lacks a lot of essential features  Dealbreaker  More of a starting point than a library    Don t get me wrong  I don t mean to disrespect any of the above libraries  I am very impressed with what their developers have accomplished and how far each of them have come  and I m not above reusing some of their code to build my own  What I m saying is  sometimes in these projects  the focus shifts from the essential  need-to-haves   such as hard security practices  over to softer  nice-to-haves   and that s what I hope to remedy  Therefore  back to basics  Authentication for CodeIgniter done right Here s my MINIMAL required list of features from an authentication library  It also happens to be a subset of my own library s feature list      Tiny footprint with optional test implementation Full documentation No autoloading required  Just-in-time loading of libraries for performance Language file support  no hard-coded strings reCAPTCHA supported but optional Recommended TRUE random salt generation  e g  using random org or random irb hr  Optional add-ons to support 3rd party login  OpenID  Facebook Connect  Google Account  etc   Login using either username or email Separation of user and profile data Emails for activation and lost passwords Automatic cookie login feature Configurable phpass for hashing  properly salted of course   Hashing of passwords Hashing of autologin codes Hashing of lost password codes Hooks into CI s validation system NO security questions  Enforced strong password policy server-side  with optional client-side  Javascript  validator Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks  All database access done through prepared  bound  statements    Note  those last few points are not super-high-security overkill that you don t need for your web application  If an authentication library doesn t meet these security standards 100   DO NOT USE IT  Recent high-profile examples of irresponsible coders who left them out of their software   17 is how Sarah Palin s AOL email was hacked during the Presidential campaign  a nasty combination of  18 and  19 were the culprit recently when the Twitter accounts of Britney Spears  Barack Obama  Fox News and others were hacked  and  20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70 000 Korean web sites in one automated hack in 2008  These attacks are not brain surgery  If you leave your back doors wide open  you shouldn t delude yourself into a false sense of security by bolting the front  Moreover  if you re serious enough about coding to choose a best-practices framework like CodeIgniter  you owe it to yourself to at least get the most basic security measures done right    lt rant gt  Basically  here s how it is  I don t care if an auth library offers a bunch of features  advanced role management  PHP4 compatibility  pretty CAPTCHA fonts  country tables  complete admin panels  bells and whistles -- if the library actually makes my site less secure by not following best practices  It s an authentication package  it needs to do ONE thing right  Authentication  If it fails to do that  it s actually doing more harm than good   lt  rant gt   Jens Roland

User · Answer

Tank Auth looks good but the documentation is just a one-page explanation of how to install  plus a quick run-down of each PHP file  At least that s all I found after lots of Googling  Maybe what people mean above when they say that Tank Auth is well-documented is that the code is well-commented  That s a good thing  but different than documentation  It would have been nice to have some documentation about how to integrate Tank Auth s features with your existing code

User · Answer

Maybe you d find Redux suiting your needs  It s no overkill and comes packed solely with bare features most of us would require  The dev and contributors were very strict on what code was contributed   This is the official page

User · Answer

I use a customized version of DX Auth  I found it simple to use  extremely easy to modify and it has a user guide  with great examples  that is very similar to Code Igniter s

User · Answer

Ion Auth beats tank auth mainly for two reasons  user roles and documentation  these two are missing from tank auth

User · Answer

Also take a look at BackendPro  Ultimately you will probably end up writing something custom  but there s nothing wrong with borrowing concepts from DX Auth  Freak Auth  BackendPro  etc   My experiences with the packaged apps is they are specific to certain structures and I have had problems integrating them into my own applications without requiring hacks  then if the pre-package has an update  I have to migrate them in   I also use Smarty and ADOdb in my CI code  so no matter what I would always end up making major code changes

User · Answer

I use a customized version of DX Auth  I found it simple to use  extremely easy to modify and it has a user guide  with great examples  that is very similar to Code Igniter s

User · Answer

Maybe you d find Redux suiting your needs  It s no overkill and comes packed solely with bare features most of us would require  The dev and contributors were very strict on what code was contributed   This is the official page

User · Answer

I m the developer of Redux Auth and some of the issues you mentioned have been fixed in the version 2 beta  You can download this off the offcial website with a sample application too         Requires autoloading  impeding performance    Uses the inherently unsafe concept of  security questions   Dealbreaker       Security questions are now not used and a simpler forgotten password system has been put in place         Return types are a bit of a hodgepodge of true  false  error and success codes      This was fixed in version 2 and returns boolean values  I hated the hodgepodge as much as you         Doesn t hook into CI s validation system      The sample application uses the CI s validation system         Doesn t allow a user to resend a  lost password  code      Work in progress  I also implemented some other features such as email views  this gives you the choice of being able to use the CodeIgniter helpers in your emails   It s still a work in progress so if have any more suggestions please keep them coming   -Popcorn  Ps   Thanks for recommending Redux

User · Answer

I ve come across Flexi Auth  http   haseydesign com flexi-auth    It looks very promising  and I ve started using it  It has wonderfful features  Fully integrates with CI  and comes with two different library files  in which one is very heavy loaded with all the functions and the other one contains only the validations    One of the best is that the newly registered member gets temporary access for a given amount of time on the site  until they click on the link from their email and activate

User · Answer

I m the developer of Redux Auth and some of the issues you mentioned have been fixed in the version 2 beta  You can download this off the offcial website with a sample application too         Requires autoloading  impeding performance    Uses the inherently unsafe concept of  security questions   Dealbreaker       Security questions are now not used and a simpler forgotten password system has been put in place         Return types are a bit of a hodgepodge of true  false  error and success codes      This was fixed in version 2 and returns boolean values  I hated the hodgepodge as much as you         Doesn t hook into CI s validation system      The sample application uses the CI s validation system         Doesn t allow a user to resend a  lost password  code      Work in progress  I also implemented some other features such as email views  this gives you the choice of being able to use the CodeIgniter helpers in your emails   It s still a work in progress so if have any more suggestions please keep them coming   -Popcorn  Ps   Thanks for recommending Redux

User · Answer

Update  May 14  2010   It turns out  the russian developer Ilya Konyukhov picked up the gauntlet after reading this and created a new auth library for CI based on DX Auth  following the recommendations and requirements below  And the resulting Tank Auth is looking like the answer to the OP s question  I m going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today  It s a rock-solid library that has all the features you need and none of the bloat you don t  Tank Auth  Pros  Full featured Lean footprint  20 files  considering the feature set Very good documentation Simple and elegant database design  just 4 DB tables  Most features are optional and easily configured Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Login with email  username or both  configurable  Unactivated accounts auto-expire Simple yet effective error handling Uses phpass for hashing  and also hashes autologin codes in the DB  Does not use security questions Separation of user and profile data is very nice Very reasonable security model around failed login attempts  good protection against bots and DoS attacks    Minor  Cons  Lost password codes are not hashed in DB Includes a native  poor  CAPTCHA  which is nice for those who don t want to depend on the  Google-owned  reCAPTCHA service  but it really isn t secure enough Very sparse online documentation  minor issue here  since the code is nicely documented and intuitive    Download Tank Auth here  Original answer  I ve implemented my own as well  currently about 80  done after a few weeks of work   I tried all of the others first  FreakAuth Light  DX Auth  Redux  SimpleLogin  SimpleLoginSecure  pc user  Fresh Powered  and a few more  None of them were up to par  IMO  either they were lacking basic features  inherently INsecure  or too bloated for my taste  Actually  I did a detailed roundup of all the authentication libraries for CodeIgniter when I was testing them out  just after New Year s   FWIW  I ll share it with you  DX Auth  Pros  Very full featured Medium footprint  25  files   but manages to feel quite slim Excellent documentation  although some is in slightly broken English Language file support reCAPTCHA supported Hooks into CI s validation system Activation emails Unactivated accounts auto-expire Suggests grc com for salts  not bad for a PRNG  Banning with stored  reason  strings Simple yet effective error handling  Cons  Only lets users  reset  a lost password  rather than letting them pick a new one upon reactivation  Homebrew pseudo-event model - good intention  but misses the mark Two password fields in the user table  bad style Uses two separate user tables  one for  temp  users - ambiguous and redundant  Uses potentially unsafe md5 hashing Failed login attempts only stored by IP  not by username - unsafe  Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext  Role system is a complete mess  is admin function with hard-coded role names  is role a complete mess  check uri permissions is a mess  the whole permissions table is a bad idea  a URI can change and render pages unprotected  permissions should always be stored exactly where the sensitive logic is   Dealbreaker  Includes a native  poor  CAPTCHA reCAPTCHA function interface is messy   FreakAuth Light  Pros  Very full featured Mostly quite well documented code Separation of user and profile data is a nice touch Hooks into CI s validation system Activation emails Language file support Actively developed  Cons  Feels a bit bloated  50  files  And yet it lacks automatic cookie login     Doesn t support logins with both username and email Seems to have issues with UTF-8 characters Requires a lot of autoloading  impeding performance  Badly micromanaged config file Terrible View-Controller separation  with lots of program logic in views and output hard-coded into controllers  Dealbreaker  Poor HTML code in the included views Includes substandard CAPTCHA Commented debug echoes everywhere Forces a specific folder structure Forces a specific Ajax library  can be switched  but shouldn t be there in the first place  No max limit on login attempts - VERY unsafe  Dealbreaker  Hijacks form validation Uses potentially unsafe md5 hashing   pc user  Pros  Good feature set for its tiny footprint Lightweight  no bloat  3 files  Elegant automatic cookie login Comes with optional test implementation  nice touch   Cons  Uses the old CI database syntax  less safe  Doesn t hook into CI s validation system Kinda unintuitive status  role  system  indexes upside down - impractical  Uses potentially unsafe sha1 hashing   Fresh Powered  Pros  Small footprint  6 files   Cons  Lacks a lot of essential features  Dealbreaker  Everything is hard-coded  Dealbreaker    Redux   Ion Auth According to the CodeIgniter wiki  Redux has been discontinued  but the Ion Auth fork is going strong  https   github com benedmunds CodeIgniter-Ion-Auth Ion Auth is a well featured library without it being overly heavy or under advanced  In most cases its feature set will more than cater for a project s requirements   Pros  Lightweight and simple to integrate with CodeIgniter Supports sending emails directly from the library Well documented online and good active dev user community Simple to implement into a project  Cons  More complex DB schema than some others Documentation lacks detail in some areas   SimpleLoginSecure  Pros  Tiny footprint  4 files  Minimalistic  absolutely no bloat Uses phpass for hashing  excellent   Cons  Only login  logout  create and delete Lacks a lot of essential features  Dealbreaker  More of a starting point than a library    Don t get me wrong  I don t mean to disrespect any of the above libraries  I am very impressed with what their developers have accomplished and how far each of them have come  and I m not above reusing some of their code to build my own  What I m saying is  sometimes in these projects  the focus shifts from the essential  need-to-haves   such as hard security practices  over to softer  nice-to-haves   and that s what I hope to remedy  Therefore  back to basics  Authentication for CodeIgniter done right Here s my MINIMAL required list of features from an authentication library  It also happens to be a subset of my own library s feature list      Tiny footprint with optional test implementation Full documentation No autoloading required  Just-in-time loading of libraries for performance Language file support  no hard-coded strings reCAPTCHA supported but optional Recommended TRUE random salt generation  e g  using random org or random irb hr  Optional add-ons to support 3rd party login  OpenID  Facebook Connect  Google Account  etc   Login using either username or email Separation of user and profile data Emails for activation and lost passwords Automatic cookie login feature Configurable phpass for hashing  properly salted of course   Hashing of passwords Hashing of autologin codes Hashing of lost password codes Hooks into CI s validation system NO security questions  Enforced strong password policy server-side  with optional client-side  Javascript  validator Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks  All database access done through prepared  bound  statements    Note  those last few points are not super-high-security overkill that you don t need for your web application  If an authentication library doesn t meet these security standards 100   DO NOT USE IT  Recent high-profile examples of irresponsible coders who left them out of their software   17 is how Sarah Palin s AOL email was hacked during the Presidential campaign  a nasty combination of  18 and  19 were the culprit recently when the Twitter accounts of Britney Spears  Barack Obama  Fox News and others were hacked  and  20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70 000 Korean web sites in one automated hack in 2008  These attacks are not brain surgery  If you leave your back doors wide open  you shouldn t delude yourself into a false sense of security by bolting the front  Moreover  if you re serious enough about coding to choose a best-practices framework like CodeIgniter  you owe it to yourself to at least get the most basic security measures done right    lt rant gt  Basically  here s how it is  I don t care if an auth library offers a bunch of features  advanced role management  PHP4 compatibility  pretty CAPTCHA fonts  country tables  complete admin panels  bells and whistles -- if the library actually makes my site less secure by not following best practices  It s an authentication package  it needs to do ONE thing right  Authentication  If it fails to do that  it s actually doing more harm than good   lt  rant gt   Jens Roland

User · Answer

I m trying Ion Auth and appreciate it  btw     SimpleLoginSecure Makes authentication simple and secure

[php] How should I choose an authentication library for CodeIgniter?

Examples related to php

Examples related to codeigniter

Examples related to authentication