New to Authentication - php

I am new to programming and I am making a login/pass authentication system for a project in Code Igniter. I can simply secure pages by setting session and then giving access based on whether the session is set or not ... Before I jump into it ... I see many auth libraries around .. like tank auth, ion auth and so on.
My question is, why would anyone use Auth libraries? If my app is simple which means there will be just one kind of user with same permissions, do I still need Auth lib like Ion Auth?

Existing Auth libraries usually are tested by users, their bugs and security flaws are often corrected, and the code is maintained.
Your own implementation of it, regardless of its simplicity, is always a test of what you know and what you can do about handling security.
There are good CI Auth libraries, but if you're going towards your own, be sure to make it as safe as possible, assuming every user input is malicious... and also, go on and take a look at this article.

Related

Symfony 3, Guard & Handlers

Since the new component Guard from Symfony I've started playing a little with it to learn it better and see what things it changes.
I've read the documentation from the sf website to see what it brings and changes, and I was wondering, based on this example:
Let's say we create a login attempt counter that at some point will disable the user until password reset. Of course for this we would use the login failure handler.
But since Guard should make everything easier, I was wondering if we still need that handler or we just put a bit of logic in the onAuthenticationFailure / onAuthenticationSuccess / checkCredentials to do certain tasks like saving some info into the database about the failed login etc., and how much code should go in there.
The new Guard is aimed at easing the implementation of custom authentication patterns such as yours.
It is likely to be enough for most cases, even complex ones.
However, try to extract your custom processing, logging, etc. from your Guard and inject them, to improve its maintainability.
Take a close look at GuardAuthenticatorInterface.php to find where and when in the process you have to set up your requirements.
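As an added example of the advice above (not from the question, the answer, or Symfony itself): a Guard authenticator that keeps getUser and onAuthenticationFailure small by delegating the failed-login bookkeeping and the lockout policy to an injected service. It assumes the Symfony 3.x Guard API before 3.4 added supports(Request), a configured UserPasswordEncoder, and a user provider; the FailedLoginCounter interface and its methods, the form field names and the route names are assumptions.

```php
<?php
// Added example for Symfony 3.x Guard. Names marked "assumed" are not part of Symfony.
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\Authenticator\AbstractGuardAuthenticator;

/** Assumed application service: the lockout threshold and storage live here, not in the authenticator. */
interface FailedLoginCounter
{
    public function isLocked($username);        // true once the failure threshold was reached
    public function recordFailure($username);   // increments the counter for $username
    public function reset($username);           // called after a successful login
}

class FormLoginAuthenticator extends AbstractGuardAuthenticator
{
    private $encoder;
    private $router;
    private $counter;

    public function __construct(UserPasswordEncoderInterface $encoder, RouterInterface $router, FailedLoginCounter $counter)
    {
        $this->encoder = $encoder;
        $this->router = $router;
        $this->counter = $counter;
    }

    public function getCredentials(Request $request)
    {
        // Only handle POSTs to the login route (assumed name); returning null skips this authenticator.
        if (!$request->isMethod('POST') || $request->attributes->get('_route') !== 'login') {
            return null;
        }
        return array(
            'username' => (string) $request->request->get('_username'), // assumed field names
            'password' => (string) $request->request->get('_password'),
        );
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        // A locked account is refused before the password is even checked.
        if ($this->counter->isLocked($credentials['username'])) {
            throw new CustomUserMessageAuthenticationException('Account locked, please reset your password.');
        }
        // Throws UsernameNotFoundException for unknown users, which Guard turns into a failure.
        return $userProvider->loadUserByUsername($credentials['username']);
    }

    public function checkCredentials($credentials, UserInterface $user)
    {
        return $this->encoder->isPasswordValid($user, $credentials['password']);
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        // Bookkeeping is a single call; what to do with the count is the injected service's business.
        $this->counter->recordFailure((string) $request->request->get('_username'));
        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
        return new RedirectResponse($this->router->generate('login'));
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        $this->counter->reset($token->getUsername());
        return new RedirectResponse($this->router->generate('homepage')); // assumed route name
    }

    public function start(Request $request, AuthenticationException $authException = null)
    {
        return new RedirectResponse($this->router->generate('login'));
    }

    public function supportsRememberMe()
    {
        return false;
    }
}
```

The authenticator itself holds no counters and no thresholds: the same FailedLoginCounter implementation can be unit-tested and swapped (database, cache, in-memory) without touching the Guard class, which is the separation the answer recommends.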

How can I access POST data in CakePHP that do not follow the naming convention?

I'm experimenting with CakePHP and I'm just surprised by how hard it is to accomplish the very simple task of reading a POST parameter.
The problem is, I don't use a form to submit the data. I'm using CakePHP as an API for my application and the provided values do not follow the naming conventions, so when I do pr($this->request->data) it just returns empty.
Suppose that I have parameters such as username and password sent to my /authenticate/login action and I need to read them to be able to perform the login. I don't want to require the users to provide parameters with names like data[Users][username].
I can't understand why CakePHP developers like to require you to do so to be able to access them in the application! Why make our lives harder and not just provide a simple function like $this->input->post('username')?
There's nothing to stop you accessing the $_POST superglobal, your data will be in there.
However, I don't recommend you go down this path. There's a reason that everyone recommends Convention over Configuration. For example, if you want to enable the security component so that people can't tamper with your forms, then you'll have to go back to the way that CakePHP recommends.
I strongly recommend doing things the 'Cake way' for the moment; everything is a lot easier if you do things the way that CakePHP recommends, especially when you start creating sites that are not just simple one-user test cases.
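If you do read the superglobal directly, as the answer allows, you also take over the input checks the framework's request handling would otherwise do for you. The following is an added example (not from the question, the answer or CakePHP) of reading API login fields out of $_POST defensively; the field names, the length limits and the mbstring dependency are assumptions.

```php
<?php
// Added example: read login fields from raw POST data without trusting their shape.
// Field names ('username', 'password') and the length limits are assumptions.

/**
 * Returns array('username' => ..., 'password' => ...) or null when the input is unusable.
 * $post defaults to $_POST; passing an array makes the function testable from the CLI.
 */
function readLoginInput(array $post = null)
{
    if ($post === null) {
        $post = $_POST;
    }
    $fields = array(
        // field name => maximum accepted length in bytes
        'username' => 64,
        'password' => 1024,
    );
    $out = array();
    foreach ($fields as $name => $maxLen) {
        // PHP turns "username[]=x" into an array; accept only a plain string.
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;
        }
        $value = $post[$name];
        // Bound the length before any further work so hashing cost stays predictable.
        if ($value === '' || strlen($value) > $maxLen) {
            return null;
        }
        // Reject NUL bytes and malformed UTF-8, which later layers may handle inconsistently.
        if (strpos($value, "\0") !== false || !mb_check_encoding($value, 'UTF-8')) {
            return null;
        }
        $out[$name] = $value;
    }
    return $out;
}

// Constructed sample inputs (not real requests): a valid pair, an array-valued field, a missing field.
var_dump(readLoginInput(array('username' => 'alice', 'password' => 'correct horse battery staple')));
var_dump(readLoginInput(array('username' => array('alice'), 'password' => 'x')));
var_dump(readLoginInput(array('username' => 'alice')));
```

Inside a CakePHP controller action the call is simply readLoginInput() with no argument; a null result should produce the same generic failure response as a wrong password, so that the shape of the input does not leak which check failed.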

Is authentication a concern of my domain or of my application?

I'm trying to design the authentication of my web application in an object oriented manner. Is this a concern of my domain in which case I would have something like this:
$user->authenticate($authenticator);
$user->login($authenticator);
Where $authenticator is an interface to my authentication service.
Or would this be a cross cutting concern and I would do it the other way around.
$authenticator->authenticate($user);
$session->setUser($user);
The first way seems more "OO" to me, since I don't have to ask anything from my user object...it passes the information the authenticator needs. But it feels like I'm "polluting" my domain in a certain respect...logging in is not a business requirement of my application...it is a side effect from the fact that I need a method of authentication to protect my application.
Unless your Domain includes authentication as a central concept, I would say that it's a cross-cutting concern and not part of the Domain Model.
Most developers write business applications that model something entirely different than software security. Authentication is a very important part of many applications, but really has nothing to do with the Domain itself.
That doesn't mean that you can't deal with authentication in an object-oriented way.
In Domain-Driven Design terminology, the business concept you model is part of your Core Domain while you could choose to implement authentication and other security concepts in a Generic Subdomain.
I can't help with the php-specific things, but in .NET, security is pretty much something that's just handled by the platform if you do it right. Here it's a truly cross-cutting concern by implementation, so that's how it's done elsewhere (FWIW).
IMHO passing an Authenticator is bad OO. Why should a user understand how to authenticate itself? It's a user it doesn't even need to know what an authenticator is. Also, passing an authenticator seems strange to me unless you plan on having different ways of authenticating a user thus having a need to pass different types of authenticators to your user. You make it seem like authentication isn't a major part of your application so I doubt you will have more than one way of authenticating a user.
I think your second approach makes more sense although still seems like overkill to me. My favorite framework is symfony and they have a great plugin called sfGuard that handles authentication. Take a look at the source code of the plugin and see if it gives you any inspiration.
Coupling
$user->authenticate($authenticator);
$user->login($authenticator);
Inversion of control
$authenticator->authenticate($user);
$session->setUser($user);
Coupling is bad, inversion is good. Go with the latter.
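The "inversion of control" shape from the last answer, as an added example in plain PHP (not from any of the posts): the user object knows nothing about authentication, the authenticator owns the credential check, and the session owns the login state. Apart from the two calls quoted in the thread, every class and method name is an assumption, and authenticate() takes the submitted credentials as a second argument, which the thread's one-liner leaves implicit.

```php
<?php
// Added example of the $authenticator->authenticate($user) / $session->setUser($user) shape.
// Class names other than those two calls are assumptions; storage is in-memory so it runs from the CLI.

final class User
{
    private $id;
    private $username;
    private $passwordHash; // output of password_hash(), never the plaintext

    public function __construct($id, $username, $passwordHash)
    {
        $this->id = $id;
        $this->username = $username;
        $this->passwordHash = $passwordHash;
    }
    public function getId()           { return $this->id; }
    public function getUsername()     { return $this->username; }
    public function getPasswordHash() { return $this->passwordHash; }
}

/** Strategy interface: the domain object is handed in; the check lives outside it. */
interface Authenticator
{
    /** @return bool true only when $credentials prove the caller is $user */
    public function authenticate(User $user, array $credentials);
}

final class PasswordAuthenticator implements Authenticator
{
    public function authenticate(User $user, array $credentials)
    {
        if (!isset($credentials['password']) || !is_string($credentials['password'])) {
            return false;
        }
        // password_verify() compares in constant time and handles the salt embedded in the hash.
        return password_verify($credentials['password'], $user->getPasswordHash());
    }
}

/** Thin wrapper over the PHP session so the login state is written in exactly one place. */
final class Session
{
    private $data = array(); // stand-in for $_SESSION so the example runs without a web server

    public function setUser(User $user)
    {
        // In a real request, call session_regenerate_id(true) here so a pre-set session ID is discarded.
        $this->data['user_id'] = $user->getId();
    }
    public function userId()
    {
        return isset($this->data['user_id']) ? $this->data['user_id'] : null;
    }
}

// Application-layer service wiring the pieces; User stays free of security concerns.
function login(Authenticator $authenticator, Session $session, User $user, array $credentials)
{
    if (!$authenticator->authenticate($user, $credentials)) {
        return false;
    }
    $session->setUser($user);
    return true;
}

// Constructed demo data (not from the thread): a wrong password leaves the session empty, the right one sets it.
$alice = new User(7, 'alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT));
$session = new Session();
$auth = new PasswordAuthenticator();

var_dump(login($auth, $session, $alice, array('password' => 'wrong')));
var_dump($session->userId());
var_dump(login($auth, $session, $alice, array('password' => 'correct horse battery staple')));
var_dump($session->userId());
```

Swapping PasswordAuthenticator for a token or LDAP implementation changes nothing in User or Session, which is the maintainability argument behind preferring this direction of dependency.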

CakePHP: ACL and/or Auth

My web application only has one level of authorization. It's either you're logged in or not. Would ACL be overkill for this? Would the Auth component be sufficient/secure enough to handle this situation?
Does CakePHP create sessions for anonymous users? If so, is there a way to turn that off? I don't think I need sessions to be passed around if the user is anonymous.
The ACL component is only needed if you need to provide access to certain parts of the site to certain groups of users and not others. If you only need to know if someone is a user or not, Auth will have you covered.
By default, sessions are created for everyone. If you're not using them for anonymous users, it's okay to leave them turned on all the time because a) it's easier that way and b) the overhead of doing so is extremely minimal. If you decide to go ahead and turn them off when not used, you can set Session.start to false in app/config/core.php.
However, you will have to add code to start the session when a user is logged in. You may also experience issues with the Auth component. It makes use of the Session component and I believe it expects sessions to be started on every page load.
Short answer: Maybe.
Long answer: seems that, for the case you explain, Auth should be enough (provided you also use Sanitize, but that's something you should also do if using ACL anyway).
As for the use of sessions, I don't think you have to worry about Cake using them for anonymous users, but I really haven't read the code. Anyway, I don't think that it will be easy to turn them off for non logged in users but leaving them on for logged in people.
Using the Auth component is fine.
Using the Sanitize library has nothing to do with this at all. Knowing Cake, if something needed sanitizing in conjunction with the AuthComponent, then that component will make use of Sanitize internally. You don't need to do anything with it yourself.
If you set up a User model with id, username and password fields, simply include the Auth component in your AppController, and set the component to allow the 'display' action (for the homepage, i.e. PagesController::display('home');), that should get you started.
Googling or searching bakery.cakephp.org should turn up some good Auth tutorials.

User authentication with CodeIgniter

I am writing a web application using PHP. I want to use the MVC pattern for this, and decided to go with CodeIgniter. My application will have some pages which will require authentication, and some pages won't. I want to design this in a very generic way, so that there should be no code duplication. Can any one point to some good "design/class structure" for this?
Write a custom library that you can autoload in your CodeIgniter app on every page view. It should have functions that:
Authenticate the user, i.e. check if a user is logged in or not
Log you in, i.e. set a session variable or something
Log you out
Then in your controller classes you can call the authentication function in the constructor and, depending on the outcome, continue as normal or redirect them to a login screen with an access denied message.
Do a search on the code igniter wiki for 'authentication' and there are a number of results that may help: http://codeigniter.com/wiki/
"Ion Auth" is lean, well-programmed, somewhat widely used and is actively maintained.
http://github.com/benedmunds/CodeIgniter-Ion-Auth
If by "some pages" you mean some controllers (the gateway to your views), then you may want to investigate controller inheritance. Extend the default CodeIgniter controller with your own and put an authentication check in the constructor (check the session for a logged in flag or something and if not logged in then redirect to login page). Then, all controllers that require authentication will need to extend your new parent controller. That's it.
Head on over to the CodeIgniter forums and search for some different ways to extend the controller. Here is one http://codeigniter.com/forums/viewthread/89768/#452890
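The two answers above (the autoloaded auth library with login/logout/check functions, and the parent controller that runs the check in its constructor) fit together in one piece of code. The following is an added example for CodeIgniter 3, not taken from either answer or from CodeIgniter itself; the file paths, the users table with its username, password_hash and id columns, and the login route are assumptions.

```php
<?php
// Added example for CodeIgniter 3 (not from the answers above or from CodeIgniter itself).
// File paths, table/column names and the 'login' route are assumptions.
defined('BASEPATH') OR exit('No direct script access allowed');

// --- application/libraries/Auth.php ---------------------------------------
class Auth
{
    protected $CI;

    public function __construct()
    {
        $this->CI =& get_instance();
        $this->CI->load->library('session');
        $this->CI->load->database();
    }

    /** Logged-in state comes from the server-side session only, never from client input. */
    public function is_logged_in()
    {
        return (bool) $this->CI->session->userdata('user_id');
    }

    /** Checks a password against the password_hash() value stored in users.password_hash. */
    public function login($username, $password)
    {
        $user = $this->CI->db->get_where('users', array('username' => $username))->row();
        // One code path for "no such user" and "wrong password" keeps the responses identical.
        if ( ! $user || ! password_verify($password, $user->password_hash)) {
            return FALSE;
        }
        // New session ID on privilege change, so a session ID set before login is useless.
        $this->CI->session->sess_regenerate(TRUE);
        $this->CI->session->set_userdata('user_id', (int) $user->id);
        return TRUE;
    }

    public function logout()
    {
        $this->CI->session->sess_destroy();
    }
}

// --- application/core/MY_Controller.php -----------------------------------
// Controllers that need a logged-in user extend this instead of CI_Controller.
class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('auth');
        $this->load->helper('url');
        if ( ! $this->auth->is_logged_in()) {
            $this->session->set_flashdata('error', 'Access denied, please log in.');
            redirect('login'); // redirect() exits, so nothing below runs for anonymous users
        }
    }
}

// --- application/controllers/Dashboard.php --------------------------------
class Dashboard extends MY_Controller
{
    public function index()
    {
        // Reached only after the parent constructor confirmed the session.
        $this->load->view('dashboard');
    }
}
```

The check runs once, in the parent constructor, so a protected controller cannot forget it; the login controller itself extends CI_Controller, not MY_Controller, and calls $this->auth->login() with the submitted credentials.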
Maybe you can use the CL_AUTH library for CI. I've used it and it works well. You can find it here http://www.jasonashdown.co.uk/cl_auth_doc/
I was looking into the same thing recently, and I found a CodeIgniter fork called Kohana that includes a nice authentication module. If you are set on CI, maybe adapting Kohana's auth module backwards to CI would save you some time? If you have just started out on your project and PHP5 is OK to use, consider switching over; they are very similar frameworks.
Visit GitHub and search for CodeIgniter Auth or Authentication, or check the CodeIgniter Wiki; you'll find many libraries with different features. Explore them and choose the one you need! But be careful: many are for CI 2, and you have to ucfirst the class names to use them with CI 3, otherwise they don't work at all.
Use flexi auth, a modified version of the popular Ion Auth library. It's more advanced and does the whole job out of the box.
flexi auth is a free open source user authentication/login library for use with the CodeIgniter 2.0+ framework.
I know it's too late but I hope someone else will find it helpful. Cheers!