I see there are a few. Which ones are maintained and easy to use? What are their pros and cons?
Update (May 14, 2010):
It turns out, the Russian developer Ilya Konyukhov picked up the gauntlet after reading this and created a new auth library for CI based on DX Auth, following the recommendations and requirements below.
And the resulting Tank Auth is looking like the answer to the OP's question. I'm going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today. It's a rock-solid library that has all the features you need and none of the bloat you don't:
Tank Auth
Pros
Full featured
Lean footprint (20 files) considering the feature set
Very good documentation
Simple and elegant database design (just 4 DB tables)
Most features are optional and easily configured
Language file support
reCAPTCHA supported
Hooks into CI's validation system
Activation emails
Login with email, username or both (configurable)
Unactivated accounts auto-expire
Simple yet effective error handling
Uses phpass for hashing (and also hashes autologin codes in the DB)
Does not use security questions
Separation of user and profile data is very nice
Very reasonable security model around failed login attempts (good protection against bots and DoS attacks)
(Minor) Cons
Lost password codes are not hashed in DB
Includes a native (poor) CAPTCHA, which is nice for those who don't want to depend on the (Google-owned) reCAPTCHA service, but it really isn't secure enough
Very sparse online documentation (minor issue here, since the code is nicely documented and intuitive)
Download Tank Auth here
Original answer:
I've implemented my own as well (currently about 80% done after a few weeks of work). I tried all of the others first; FreakAuth Light, DX Auth, Redux, SimpleLogin, SimpleLoginSecure, pc_user, Fresh Powered, and a few more. None of them were up to par, IMO, either they were lacking basic features, inherently INsecure, or too bloated for my taste.
Actually, I did a detailed roundup of all the authentication libraries for CodeIgniter when I was testing them out (just after New Year's). FWIW, I'll share it with you:
DX Auth
Pros
Very full featured
Medium footprint (25+ files), but manages to feel quite slim
Excellent documentation, although some is in slightly broken English
Language file support
reCAPTCHA supported
Hooks into CI's validation system
Activation emails
Unactivated accounts auto-expire
Suggests grc.com for salts (not bad for a PRNG)
Banning with stored 'reason' strings
Simple yet effective error handling
Cons
Only lets users 'reset' a lost password (rather than letting them pick a new one upon reactivation)
Homebrew pseudo-event model - good intention, but misses the mark
Two password fields in the user table, bad style
Uses two separate user tables (one for 'temp' users - ambiguous and redundant)
Uses potentially unsafe md5 hashing
Failed login attempts only stored by IP, not by username - unsafe!
Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext!
Role system is a complete mess: is_admin function with hard-coded role names, is_role a complete mess, check_uri_permissions is a mess, the whole permissions table is a bad idea (a URI can change and render pages unprotected; permissions should always be stored exactly where the sensitive logic is). Dealbreaker!
Includes a native (poor) CAPTCHA
reCAPTCHA function interface is messy
FreakAuth Light
Pros
Very full featured
Mostly quite well documented code
Separation of user and profile data is a nice touch
Hooks into CI's validation system
Activation emails
Language file support
Actively developed
Cons
Feels a bit bloated (50+ files)
And yet it lacks automatic cookie login (!)
Doesn't support logins with both username and email
Seems to have issues with UTF-8 characters
Requires a lot of autoloading (impeding performance)
Badly micromanaged config file
Terrible View-Controller separation, with lots of program logic in views and output hard-coded into controllers. Dealbreaker!
Poor HTML code in the included views
Includes substandard CAPTCHA
Commented debug echoes everywhere
Forces a specific folder structure
Forces a specific Ajax library (can be switched, but shouldn't be there in the first place)
No max limit on login attempts - VERY unsafe! Dealbreaker!
Hijacks form validation
Uses potentially unsafe md5 hashing
pc_user
Pros
Good feature set for its tiny footprint
Lightweight, no bloat (3 files)
Elegant automatic cookie login
Comes with optional test implementation (nice touch)
Cons
Uses the old CI database syntax (less safe)
Doesn't hook into CI's validation system
Kinda unintuitive status (role) system (indexes upside down - impractical)
Uses potentially unsafe sha1 hashing
Fresh Powered
Pros
Small footprint (6 files)
Cons
Lacks a lot of essential features. Dealbreaker!
Everything is hard-coded. Dealbreaker!
Redux / Ion Auth
According to the CodeIgniter wiki, Redux has been discontinued, but the Ion Auth fork is going strong: https://github.com/benedmunds/CodeIgniter-Ion-Auth
Ion Auth is a well featured library without it being overly heavy or under advanced. In most cases its feature set will more than cater for a project's requirements.
Pros
Lightweight and simple to integrate with CodeIgniter
Supports sending emails directly from the library
Well documented online and good active dev/user community
Simple to implement into a project
Cons
More complex DB schema than some others
Documentation lacks detail in some areas
SimpleLoginSecure
Pros
Tiny footprint (4 files)
Minimalistic, absolutely no bloat
Uses phpass for hashing (excellent)
Cons
Only login, logout, create and delete
Lacks a lot of essential features. Dealbreaker!
More of a starting point than a library
Don't get me wrong: I don't mean to disrespect any of the above libraries; I am very impressed with what their developers have accomplished and how far each of them has come, and I'm not above reusing some of their code to build my own. What I'm saying is, sometimes in these projects, the focus shifts from the essential 'need-to-haves' (such as hard security practices) over to softer 'nice-to-haves', and that's what I hope to remedy.
Therefore: back to basics.
Authentication for CodeIgniter done right
Here's my MINIMAL required list of features from an authentication library. It also happens to be a subset of my own library's feature list ;)
Tiny footprint with optional test implementation
Full documentation
No autoloading required. Just-in-time loading of libraries for performance
Language file support; no hard-coded strings
reCAPTCHA supported but optional
Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
Login using either username or email
Separation of user and profile data
Emails for activation and lost passwords
Automatic cookie login feature
Configurable phpass for hashing (properly salted of course!)
Hashing of passwords
Hashing of autologin codes
Hashing of lost password codes
Hooks into CI's validation system
NO security questions!
Enforced strong password policy server-side, with optional client-side (Javascript) validator
Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
All database access done through prepared (bound) statements!
Note: those last few points are not super-high-security overkill that you don't need for your web application. If an authentication library doesn't meet these security standards 100%, DO NOT USE IT!
Recent high-profile examples of irresponsible coders who left them out of their software: #17 is how Sarah Palin's AOL email was hacked during the Presidential campaign; a nasty combination of #18 and #19 were the culprit recently when the Twitter accounts of Britney Spears, Barack Obama, Fox News and others were hacked; and #20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70.000 Korean web sites in one automated hack in 2008.
These attacks are not brain surgery. If you leave your back doors wide open, you shouldn't delude yourself into a false sense of security by bolting the front. Moreover, if you're serious enough about coding to choose a best-practices framework like CodeIgniter, you owe it to yourself to at least get the most basic security measures done right.
<rant>
Basically, here's how it is: I don't care if an auth library offers a bunch of features, advanced role management, PHP4 compatibility, pretty CAPTCHA fonts, country tables, complete admin panels, bells and whistles -- if the library actually makes my site less secure by not following best practices. It's an authentication package; it needs to do ONE thing right: Authentication. If it fails to do that, it's actually doing more harm than good.
</rant>
/Jens Roland
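As an added example (not code from Tank Auth, DX Auth or any library in this thread), here is the core of the checklist above in plain PHP + PDO: salted slow hashing of passwords (#13), hashed autologin/lost-password codes (#14, #15), a server-side password policy (#18), a per-username failed-login counter with a time-limited lockout (#19) and prepared statements everywhere (#20). It assumes the pdo_sqlite extension and uses an in-memory SQLite database so it runs stand-alone; password_hash() (bcrypt) stands in for phpass, and the constants and table layout are this example's own choices.

```php
<?php
// Added example, not code from any library on this page. In-memory SQLite (pdo_sqlite)
// so it runs from the CLI; password_hash() stands in for phpass.
declare(strict_types=1);

const MAX_FAILED_LOGINS = 5;        // #19: lock the account after this many failures...
const LOCKOUT_SECONDS   = 15 * 60;  // ...for a limited time, so lockouts cannot be used for DoS
const MIN_PASSWORD_LEN  = 12;       // #18: server-side password policy

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL, failed_logins INTEGER NOT NULL DEFAULT 0,
        locked_until INTEGER NOT NULL DEFAULT 0)');
    // Autologin and lost-password codes are stored only as SHA-256 digests (#14, #15):
    // a leaked table does not hand out usable codes.
    $db->exec('CREATE TABLE codes (user_id INTEGER NOT NULL, kind TEXT NOT NULL,
        code_hash TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

function passwordIsStrong(string $pw): bool {
    return strlen($pw) >= MIN_PASSWORD_LEN
        && preg_match('/[a-z]/', $pw) === 1 && preg_match('/[A-Z]/', $pw) === 1
        && preg_match('/[0-9]/', $pw) === 1;
}

function registerUser(PDO $db, string $username, string $password): bool {
    if (!passwordIsStrong($password)) {
        return false;
    }
    // #20: every query is a prepared statement; #13: salted, slow hash
    $st = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
    return $st->execute([$username, password_hash($password, PASSWORD_DEFAULT)]);
}

function login(PDO $db, string $username, string $password, int $now): bool {
    static $dummyHash = null;
    $dummyHash ??= password_hash('dummy', PASSWORD_DEFAULT);
    $st = $db->prepare('SELECT id, password_hash, failed_logins, locked_until FROM users WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        password_verify($password, $dummyHash); // same cost as a real check: no username enumeration by timing
        return false;
    }
    if ((int) $row['locked_until'] > $now) {
        return false; // locked out: do not even verify the password
    }
    if (!password_verify($password, $row['password_hash'])) {
        // #19: failures are counted per username, not only per IP
        $failed = (int) $row['failed_logins'] + 1;
        $lock   = $failed >= MAX_FAILED_LOGINS ? $now + LOCKOUT_SECONDS : 0;
        $db->prepare('UPDATE users SET failed_logins = ?, locked_until = ? WHERE id = ?')
           ->execute([$failed, $lock, $row['id']]);
        return false;
    }
    $db->prepare('UPDATE users SET failed_logins = 0, locked_until = 0 WHERE id = ?')
       ->execute([$row['id']]);
    return true;
}

// The raw code goes to the user (in an email or an autologin cookie); only its hash is stored.
function issueCode(PDO $db, int $userId, string $kind, int $now, int $ttl): string {
    $raw = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO codes (user_id, kind, code_hash, expires) VALUES (?, ?, ?, ?)')
       ->execute([$userId, $kind, hash('sha256', $raw), $now + $ttl]);
    return $raw;
}

// Returns the user id for a valid, unexpired code and consumes it (single use); null otherwise.
function redeemCode(PDO $db, string $kind, string $raw, int $now): ?int {
    $hash = hash('sha256', $raw);
    $st = $db->prepare('SELECT user_id FROM codes WHERE kind = ? AND code_hash = ? AND expires > ?');
    $st->execute([$kind, $hash, $now]);
    $userId = $st->fetchColumn();
    if ($userId === false) {
        return null;
    }
    $db->prepare('DELETE FROM codes WHERE code_hash = ?')->execute([$hash]);
    return (int) $userId;
}

// Walk-through with constructed data
$db  = openDb();
$now = time();
var_dump(registerUser($db, 'alice', 'Correct-Horse-42'));   // passes the policy
var_dump(registerUser($db, 'bob', 'short'));                // rejected by the policy
var_dump(login($db, 'alice', 'Correct-Horse-42', $now));
for ($i = 0; $i < MAX_FAILED_LOGINS; $i++) {
    login($db, 'alice', 'wrong password', $now);            // drives alice into lockout
}
var_dump(login($db, 'alice', 'Correct-Horse-42', $now));    // correct password, but locked out
var_dump(login($db, 'alice', 'Correct-Horse-42', $now + LOCKOUT_SECONDS + 1)); // lock has expired
$code = issueCode($db, 1, 'reset', $now, 3600);
var_dump(redeemCode($db, 'reset', $code, $now));            // redeems once
var_dump(redeemCode($db, 'reset', $code, $now));            // second redemption fails
```

The lockout is deliberately bounded in time and keyed on the username: an unbounded lock lets anyone deny a victim access by guessing wrong on purpose, and an IP-only counter is defeated by a botnet, which is the DX Auth and FreakAuth weakness noted above.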
Note that the "comprehensive listing" by Jens Roland doesn't include user roles. If you're interested in assigning different user roles (like admin/user or admin/editor/user), these libraries allow it:
Ion_Auth (rewrite of Redux)
Redux
Backend Pro
Tank_Auth (#1 above in Jens's list) doesn't have user roles. I realize it's not exactly part of authentication, but since
Authentication and role management are both handled upon page load
Both involve security
The same table/model can be used for both.
Both can be set up to load in the controller constructor (or even autoload)
It makes a LOT of sense to have one library to handle both, if you need it. I'm switching to Ion_Auth from Tank_Auth because of this.
Ion_auth! Looks very promising and small footprint! I like..
http://github.com/benedmunds/CodeIgniter-Ion-Auth
I'm the developer of Redux Auth and some of the issues you mentioned have been fixed in the version 2 beta. You can download this off the official website with a sample application too.
Requires autoloading (impeding performance)
Uses the inherently unsafe concept of 'security questions'. Dealbreaker!
Security questions are now not used and a simpler forgotten password system has been put in place.
Return types are a bit of a hodgepodge of true, false, error and success codes
This was fixed in version 2 and returns boolean values. I hated the hodgepodge as much as you.
Doesn't hook into CI's validation system
The sample application uses the CI's validation system.
Doesn't allow a user to resend a 'lost password' code
Work in progress
I also implemented some other features such as email views, which gives you the choice of being able to use the CodeIgniter helpers in your emails.
It's still a work in progress, so if you have any more suggestions please keep them coming.
-Popcorn
Ps : Thanks for recommending Redux.
I've come across Flexi Auth (http://haseydesign.com/flexi-auth/). It looks very promising, and I've started using it. It has wonderful features. It fully integrates with CI, and comes with two different library files, one of which is heavily loaded with all the functions while the other contains only the validations.
One of the best is that the newly registered member gets temporary access for a given amount of time on the site, until they click on the link from their email and activate.
Maybe you'd find Redux suiting your needs. It's no overkill and comes packed solely with bare features most of us would require. The dev and contributors were very strict on what code was contributed.
This is the official page
Ion_Auth beats tank_auth mainly for two reasons, user roles and documentation; these two are missing from tank_auth.
I use a customized version of DX Auth. I found it simple to use, extremely easy to modify and it has a user guide (with great examples) that is very similar to Code Igniter's.
Also take a look at BackendPro
Ultimately you will probably end up writing something custom, but there's nothing wrong with borrowing concepts from DX Auth, Freak Auth, BackendPro, etc.
My experience with the packaged apps is that they are specific to certain structures, and I have had problems integrating them into my own applications without requiring hacks; then if the pre-package has an update, I have to migrate them in.
I also use Smarty and ADOdb in my CI code, so no matter what I would always end up making major code changes.
Tank Auth looks good but the documentation is just a one-page explanation of how to install, plus a quick run-down of each PHP file. At least that's all I found after lots of Googling. Maybe what people mean above when they say that Tank Auth is well-documented is that the code is well-commented. That's a good thing, but different than documentation. It would have been nice to have some documentation about how to integrate Tank Auth's features with your existing code.
I'm trying Ion_Auth and appreciate it, btw...
SimpleLoginSecure
Makes authentication simple and secure.
Related
I've been developing in PHP for about 8 years as a hobby. In 2009, I picked up codeigniter and since then I've not managed to get a single project developed.
I find it slows me down trying to work out how to modify it to work the way I want, when if I was working in pure PHP, I'd know, or I'd be able to quickly find a snippet for.
I've tried CodeIgniter, Kohana and Symfony. I love the ease of use (and I've also started using doctrine as an ORM which massively sped up my database work), but I find projects are taking me 3-4 times the amount of time it took in pure PHP. I get bored and frustrated when I can't find a solution to a problem I've previously solved in pure PHP.
Has anyone gone back from using frameworks to a no-framework approach? Is there anything like a basic security framework (prevent XSS, filter posted data, provide a cleaning function for use with databases)? I think something like that would benefit me much more than a full scale framework. I think learning to work with frameworks has taught me a lot, but I'd be happier working with my own code.
Current versions of PHP5 include much of the security framework you're looking for as part of the standard library.
Use filter_input_array to declaratively sanitize stuff coming in from the outside.
Access your database via PDO with parameterized SQL to prevent SQL injection attacks.
Use the following PHP settings to make your site more resistant to session fixation and cookie theft:
session.use_only_cookies (Prevents your session token from leaking into the URL)
session.cookie_httponly or the httponly attribute to session_set_cookie_params() (Protects against scripts reading the session cookie in compatible browsers)
More suggestions and PHP example code available on Wikipedia.
You can also use the httponly attribute with setcookie().
Nothing fancier than basic templating and header-setting is required for new HTTP and HTML5 features:
HTTP Strict Transport Security (Helps protect against WiFi exploits.)
X-Frame-Options (Restrict embedding of your pages. Good against phishing.)
HTML5 IFrame Sandbox Attribute (Sandbox 3rd-party ads/badges/videos. Already in WebKit. Likely to be at least partially implemented in Firefox 11.)
Content Security Policy (Firefox 4's new security framework, complimentary to the sandbox attribute. Now also being implemented in Chrome.)
If you're accepting HTML as input, I recommend grabbing HTML Purifier and calling it via a FILTER_CALLBACK line in your filter_input_array setup. Its whitelist-based approach to input security makes a great (and very powerful) first line of defense against XSS.
As far as I can tell, PHP doesn't come with a mechanism for protecting against cross-site request forgery, but I'm sure Google can help you with that one. The OWASP Security Cheatsheets include a section on it if you want to implement your own protection.
Out of curiosity, I decided to also start looking at standalone components and here's what I've found so far:
Templating:
PHP Template Inheritance (Regular PHP plus template inheritance)
TWIG (Django/Jinja2/Liquid-style syntax including autoescape and sandboxing. Compiles to cached PHP for speed.)
Dwoo (A faster, more featureful, PHP5-ish successor to Smarty. Includes a compatibility system for existing Smarty templates.)
Stuff I still haven't looked into properly:
Route dispatching (Only found RouteMap and Net_URL_Mapper so far. Thanks, cweiske.)
ORM (Just in case bare PDO isn't your thing)
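As an added example (not from the answer above or any project it names), here are the standard-library pieces that answer lists, wired together: declarative filtering with the filter API, cookie-only HttpOnly sessions, the security headers, and escaping on output. Constructed request data is filtered with filter_var_array() so the script runs from the CLI; in a real request you would pass the same spec to filter_input_array(INPUT_POST, ...). The cleanHtml() callback is a placeholder (strip_tags) standing in for HTML Purifier; the header values are conservative defaults, not values from the answer.

```php
<?php
// Added example, not code from the answer or any named project.
declare(strict_types=1);

// 1. Session hardening: cookie-only ids, HttpOnly/Secure/SameSite cookie.
//    Must run before session_start().
function hardenSession(): void {
    ini_set('session.use_only_cookies', '1');  // no session id in URLs
    ini_set('session.use_strict_mode', '1');   // reject ids the server never issued (fixation)
    session_set_cookie_params([
        'httponly' => true,   // scripts cannot read the cookie
        'secure'   => true,   // sent over HTTPS only
        'samesite' => 'Lax',  // not attached to cross-site POSTs
    ]);
}

// 2. Security headers mentioned in the answer (values are this example's defaults)
function securityHeaders(): array {
    return [
        'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
        'X-Frame-Options'           => 'DENY',
        'Content-Security-Policy'   => "default-src 'self'; frame-ancestors 'none'",
    ];
}

function sendSecurityHeaders(): void {
    foreach (securityHeaders() as $name => $value) {
        header($name . ': ' . $value);
    }
}

// 3. Declarative input filtering. Placeholder for HTML Purifier: drops all tags.
function cleanHtml(string $html): string {
    return strip_tags($html);
}

function filterSpec(): array {
    return [
        'age'   => ['filter' => FILTER_VALIDATE_INT, 'options' => ['min_range' => 0, 'max_range' => 150]],
        'email' => FILTER_VALIDATE_EMAIL,
        'site'  => ['filter' => FILTER_VALIDATE_URL, 'flags' => FILTER_NULL_ON_FAILURE],
        'bio'   => ['filter' => FILTER_CALLBACK, 'options' => 'cleanHtml'],
    ];
}

function filterRequest(array $raw): array {
    // add_empty = false: keys absent from the request stay absent instead of becoming null,
    // so code downstream cannot mistake "not sent" for "sent and valid"
    return filter_var_array($raw, filterSpec(), false);
}

// 4. Escape on output, always, whatever filtering did on input
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample request (not real data): one valid field, three hostile ones
$request = [
    'age'   => '42',
    'email' => 'not an address',
    'site'  => 'javascript:alert(1)',
    'bio'   => '<p>Hi</p><script>alert(1)</script>',
];

hardenSession();
if (PHP_SAPI !== 'cli') {
    sendSecurityHeaders();
}
$clean = filterRequest($request);
var_dump($clean);                   // invalid email becomes false, the javascript: URL null, the bio tag-free
echo e($clean['bio'] ?? ''), PHP_EOL;
```

Note what filtering does and does not buy you: FILTER_VALIDATE_URL rejects the javascript: URL because it has no host, but validation is about shape, not intent, so output is still escaped with e() at the point where it lands in HTML.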
I don't believe in frameworks... I have worked in many of them.
Reasons for hating MVC frameworks:
1) Code bloat, I purchase premium classes that assist me in development. Such as form classes or SQL classes.
2) I believe that MVC frameworks are not easily portable especially when using dependency managers.
3) I believe that you actually write more code with an MVC framework than if you had to use a boilerplate with a ton of useful classes that handle authentication etc.
4) Most frameworks also cater for just one or two databases natively.
I would suggest finding a form framework with authentication and text editor & an SQL framework like madoo + an email class...
90% of your application is always forms, SQL & ajax CLASSES - the rest can just be acquired when needed
I am a minimalist and I struggle with the idea of having code in my application that is not doing anything ... just in case I need it does not work for me.
With that much experience behind you, you must have your own set of favorite libraries; hand pick them and come up with your own simple framework. Framework or no framework (and which one at that) depends on the kind of project at hand; no glove fits all. So I would strongly suggest that if you feel that the existing frameworks are slowing you down, spend some time and come up with a framework which works as per your needs.
Based on your statement that you've been using PHP as a hobby, as well as your profile statement "Slowly getting there", this seems like a learning curve issue. You don't appear to have the depth and breadth of experience to a) understand how to work within the structure that the framework imposes and b) you are thus unable to benefit from the efficiencies that the framework enables.
I urge you to stick with it. Go back to the beginning with the video tutorials. Find and read other peoples code until you understand it. Build your projects from the bottom up - start simply, and add functionality. Follow the forums, trying to answer questions yourself before reading replies.
I've been programming professionally for almost 20 years, across a variety of platforms, and it still took me a while to become comfortable with CI. But now that I am, I wouldn't go back to pure PHP (for my own projects) unless I had a site of sufficient scale that it exposed quantifiable performance issues (think Twitter).
Zend Framework is really super for that. You can use as much or as little as you want. It's all coded in PHP and open sourced so you can just hack at it and make it your own. The different components are not dependent on each other as much as in other frameworks.
You could build yourself a simple framework using some components from Zend without any problems.
Check it out!
I know exactly the way you feel. I started 4~5 years ago in PHP (I came from Delphi, lol), and started in pure PHP. What I had back then was a "CMS Panel like" which just read all table fields and created the form. After some time I somehow reached the knowledge of PHP frameworks; I tried CakePHP first and didn't like it; after that I got into Yii, which in my opinion is pretty intuitive and easy to use (with its Gii generator it rocks pretty much). I tried Symfony, ZF2, Laravel, Yii2-Beta and some frameworks for RAD, but still I wasn't feeling as fast as before the frameworks.
It happened that I developed my own framework (it came naturally; it's not that I woke up some day and said "I'm going to create a new framework", it happened with time). I know it's a bad bad bad practice and a "wheel reinvention" move, BUT I now develop my projects much faster (more than with PHP only).
Since its code is a total MESS, I started about one month ago reformulating my framework; now it uses composer, follows common rules that exist between the PHP frameworks, and is MVC.
Why am I reformulating? Because if someone needs to repair a project of mine it will not be an other-worldly thing.
So I understand you.
My advice is: prepare your tools (call it a framework, a preset-app or whatever people name it), and use it the way you feel better, but still follow some common rules (like MVC, "easy to module" things which you can replace in case they break).
For basic security, I use a custom filter method that wraps up my superglobals. Its syntax needs some getting used to, but is simpler than the PHP filter_var() API and doesn't let you slip sanitization:
$_GET->text("inputvar") or $_POST->name["field"]
It also allowed inline $_REQUEST->sql() escaping. But for database work keep using parameterized SQL, or your DAL/ORM of choice.
I did a one day study of ToroPHP and found it quite nice. It is a minimalist framework targeted at RESTful applications. This makes it possible to keep the server side code modular, without having to deal with the bloat of any framework.
I don't know what is troubling you but CodeIgniter is a great framework. It has nice documentation and since lots of people use CodeIgniter you will find all the help in its documentation, or forum or on Stack Overflow. I have worked on many frameworks (CodeIgniter, CakePHP, Zend, Spring 3.0, Ruby on Rails), but I must say CodeIgniter has the best documentation. There are lots of things in CodeIgniter which are automatically handled and you don't have to worry about security.
Working on core PHP is like re-inventing the wheel. Well, the most important thing is that moving from core to a framework will need lots of your effort; once you are used to it, you will start loving it. Also Ruby on Rails is a great framework; once you know its ins and outs you can have double speed.
I am building a website with individual user customization in mind. So for instance, client #1 may say I want this feature to be designed for my account and then user #2 may say I want this added to my account. I was thinking of implementing a PHP if code where upon authentication those features will be loaded each time they log in. But I have hundreds of thousands of customizations that I will be doing; to add PHP code for each client will be terrible. Is there a way I can do it more easily and with less stress?
Added from comments to particular answer:
"Basically I am running the technical side of a business intelligence company. We offer various reports and information along with a dozen analytic tools. So one user might say I want all that you offer plus a custom feature where a particular area of the business is being analyzed and then uploaded to their account. As you can imagine there can be hundreds of such requests for a lot of accounts."
Your best bet is to either design yourself a framework, or find an existing one that supports this level of customization. Either way, it's not a small job, and launching code for each user leaves you prone to security issues and bugs arising from out-of-date methods as time goes on.
Ask yourself what kind of customizations you're doing, and if they can be abstracted away from the code level by (for example) a templating system.
Designs can fit in certain generic requirements. So until and unless you have some generic requirements, you can not do the design. For example, if requirement is for different look and feel for each client, you might go for dynamic theming. Similarly, for positional changes for different users, you can think of user profiling. For language, also you can keep the user language as part of the profile. Study different approaches for user profile management and then take a step ahead.
As others have said, it's impossible to give a specific answer without knowing a lot more about what you mean by "customization". The only sensible answer is the one you've already provided - i.e. to implement as much as possible of the variable behaviour in data.
This in itself may not be a trivial exercise - on one application I worked on, I designed a heuristic artificial intelligence engine (in PHP) which was hugely successful - but this was a fairly complex exercise in software engineering, and one I'd be hesitant to recommend to anyone who needs to ask the question.
Assuming that pushing all the application logic into data is not practical, then there are some other approaches you might consider, e.g. splitting the customizations into separate PHP files (or templates if it's just a display thing):
<?php
session_start();
/* do authentication checks... */
// $_SESSION['user_profile'] must be set by the server after authentication, never
// taken from request data, because it becomes part of a file path.
$dir = dirname($_SERVER['SCRIPT_NAME']);
$app = $_SESSION['user_profile'] . '/' . $dir . '/inc.php';
// Fall back to the default include when the user-specific one does not exist
if (!is_file($app) || !include_once($app)) {
    include_once('default/' . $dir . '/inc.php');
}
...
Although it would be possible to store PHP code in a database and eval it at runtime - I'd not recommend this as it opens the door to code injection attacks. OTOH, it may prove easier to implement the customizations in a different language and call that from PHP, e.g. Prolog.
C.
As a web developer I am using PHP and I know that I have to worry about security, but when you use a framework, there is a lot of code and design that you rely on but that you didn't code or design; for instance I am using CakePHP.
So in this case, with frameworks, how much should I worry about security?
You should always continue respecting the basic principles of security :
don't trust the user
never trust the user
Which kinda means :
filter / validate everything that comes to your application
escape any output.
Using a framework doesn't change much about that, except that :
Output to the database often goes through some layer of the framework, which should deal with escaping
Frameworks often provide filtering / validation solutions ; use them ;-)
Frameworks often have some guidelines ; read them.
As a sidenote : you said this :
there is a lot of code and design that you rely on but that you didn't code or design
Considering you are using a well-known framework that lots of people use, this code has probably been more tested/reviewed than any code you could write ;-)
That's an advantage of open-source, actually : you are not the only one responsible for the code, and lots of eyes have seen it -- which means lots of hands have enhanced it.
There are a lot of things to consider when dealing with security in an application. As Pascal said, it is a good idea to use a popular framework that has had a number of people looking at it.
I see a few areas of concern in regards to CakePHP.
The first issue is the end user. You should expect someone to do something foolish on every page you build. Some examples of this are:
A person clicking the submit button rapidly over and over. This may skew or mess up your system in a way if you're not careful. The solution for this is not based on the framework, but rather your coding methodology and testing.
SQL Injection and other bad things. Any field on a page can be potentially abused, therefore every form element must be sanitized. CakePHP has simple methods to take care of these security issues. http://book.cakephp.org/view/153/Data-Sanitization
Clean URL's are very important. You should never design a system that allows a user to access integer primary keys directly. For instance, if you have a site that has /show_user/2098 then someone can simply type in show_user/2097 to see someone else's account. CakePHP allows you to incorporate slugs or UUID's quite easily, to prevent this from happening.
Second, you must be concerned with attacks dealing with the code and permissions itself. For example:
Never use eval() or system() in your code on data that may come from the end user. There have been applications in the past written in Perl that have been hijacked because of this issue.
The folder structure and permissions is important in regards to security. Users should never have access to get into a writable directory. With CakePHP the folder structure is designed so that you can point apache directly to app/webroot. This means the tmp directory is outside of the apache path, making the system a bit more secure.
Third, you should be concerned with the protection of your administration pages and who has permissions to access what.
CakePHP has an Auth and an Acl component that allows you to choose what users get access to which pages. This makes use of custom Cake Sessions which can be stored in a database, by using PHP or written to the file system.
I would suggest reading up on some of the important components and being sure you set them up properly, to ensure you have built an application without security flaws. Take a look at some of these elements as you research further: http://book.cakephp.org/view/170/Core-Components
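The /show_user/2098 problem from the answer above, as an added example in plain PHP + PDO (not CakePHP code): a constructed "reports" table in an in-memory SQLite database, the vulnerable lookup by integer key beside a hardened one. The hardened version combines the two defences the answer hints at: an unguessable public id in place of the sequential key, and, more importantly, a query that is always constrained by the authenticated user, so even a correctly guessed id returns nothing. Table, column and user names are this example's own.

```php
<?php
// Added example, not CakePHP code. Requires pdo_sqlite; all rows are constructed.
declare(strict_types=1);

// 128 random bits: not enumerable, unlike a sequential primary key
function newPublicId(): string {
    return bin2hex(random_bytes(16));
}

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE reports (id INTEGER PRIMARY KEY, public_id TEXT UNIQUE NOT NULL,
        owner_id INTEGER NOT NULL, title TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO reports (public_id, owner_id, title) VALUES (?, ?, ?)');
    // user 1 = alice, user 2 = bob (constructed)
    foreach ([[1, 'Alice Q1 revenue'], [2, 'Bob payroll']] as [$owner, $title]) {
        $ins->execute([newPublicId(), $owner, $title]);
    }
    return $db;
}

// Vulnerable pattern: any logged-in user can walk the id space (2097, 2098, ...)
function showReportVulnerable(PDO $db, int $id): ?array {
    $st = $db->prepare('SELECT title FROM reports WHERE id = ?');
    $st->execute([$id]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

// Hardened: the row must belong to the session's user unless that user is an admin.
// The ownership condition lives in the query itself, so it cannot be forgotten by a caller.
function showReportSafe(PDO $db, string $publicId, int $sessionUserId, bool $isAdmin = false): ?array {
    if ($isAdmin) {
        $st = $db->prepare('SELECT title FROM reports WHERE public_id = ?');
        $st->execute([$publicId]);
    } else {
        $st = $db->prepare('SELECT title FROM reports WHERE public_id = ? AND owner_id = ?');
        $st->execute([$publicId, $sessionUserId]);
    }
    return $st->fetch(PDO::FETCH_ASSOC) ?: null;
}

$db = openDb();
$aliceSession = 1;
// Alice asks for report id 2, which belongs to Bob:
var_dump(showReportVulnerable($db, 2));                       // Bob's title comes back
$bobPublicId = (string) $db->query('SELECT public_id FROM reports WHERE id = 2')->fetchColumn();
var_dump(showReportSafe($db, $bobPublicId, $aliceSession));   // refused, even with the right id
var_dump(showReportSafe($db, $bobPublicId, 2));               // Bob sees his own report
var_dump(showReportSafe($db, $bobPublicId, $aliceSession, true)); // an admin may see it
```

The random public id on its own is only obscurity; the owner_id predicate is the actual access control, and the two together also keep record counts and growth rates from leaking through the URL.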
I suggest you check out ESAPI: http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API#tab=PHP
It is not a framework per se, but does contain a lot of tools for the problems Pascal mentions.
Forgive me if this has already been asked (and feel free to provide a reference and close this).
The ultimate goal is to associate some data with each user (obviously) and display that data to users differently based on their roles.
I have looked extensively for a simple, drop-in solution for authenticating users in PHP.
I am not looking for:
A CMS with authentication
A PHP MVC Framework
This project is too simple for both, and while it should go to production eventually, will be performed by novice programmers. I want to be teaching them PHP, not specifics for a CMS or a framework. I am not completely opposed to the idea of a framework, but all the frameworks I have looked at enforce MVC and that is too advanced a concept at this point.
I am looking for something that will allow me to easily register users, login users, and put users into roles. Ideally, this means having a library that will handle the database & encryption logic and provide me with a simple API to do the above. I prefer to provide the library with a database and let it do its thing without any interaction from me - storing data in the session is also preferable but not required.
I know I could easily do this myself, but I want to make things simple for those I am teaching. A library/component/etc is what I want for this. I've been all over PEAR, and the modules there seem overly complicated. The two authentication providers given in the PHP5 documentation seem unclear to me. Examples of those in action, if they do what I've described, would work. Any ideas?
Login Sessions
It's a little out-dated, but still comes with great concepts.
If I am to follow What should a developer know before building a public web site? on authentication, then what options do I have ?
I have never used PEAR, and I'm not about to start. I have read about phpGALC but have yet to try it.
After authentication, rights/access levels kick in. I'm not a big fan of using a single tinyint value which decides what a user can and cannot do; besides, it's not very flexible. I have recently written a section system where I specify what kind of access each user type has, but is there something better?
If you want a language, then PHP5.
Authentication is fairly straightforward. Authorization, through an ACL or whatever, can be complex.
Authentication is usually just matching a username and password with stored credentials. Just use SSL and hash passwords using a salt.
Authorization can be a beast and the solution depends on your requirements. You might try PhpGALC and the Zend Framework ACL component. Both options have roles, resources, and optional privileges although they are all named differently. The Zend ACL is simpler and more generic (rules can be defined simply in your code and it doesn't require a database). If your roles, resources, and privileges are not static, then with the Zend ACL you'll have to write code to populate the ACL from your data store. The big advantage of phpGALC is that it has a web GUI. I found the GUI clumsy, but unless you really understand your ACL, it can be dangerous to make changes directly in the database considering ACL complexities like role and resource inheritance. Keep in mind that the Zend ACL can be used on its own without any other Zend Framework dependencies besides Zend Exception.
ACL and Auth are the things I'm working on at this very moment. I'm using CakePHP at the moment, and it provides an extensive (albeit not simple) module for ACL, and a simple way to do authentication. I'm interested in answers too.
What I've gathered:
Learn to validate input, especially the difference between blacklists and whitelists
Consider carefully your email validation pattern
Consider what languages will you have to support (pesky little accents, tildes and the like get in the way in names, e.g. Añagaza or Alérta).
Roll-your-own or prebuilt?
ACL: keep it simple or it could swallow you whole.
Careful about CSRF and XSRF!
I'm not a big fan of using a single tinyint value which decides what a user can and cannot do, besides it's not very flexible.
That depends... Are you referring to using the value as an integer or as a bitfield?
If you're using it simply as a number (level 5 user has all the abilities of level 1-4 users, plus a little more), then, yeah, that's not very flexible.
If you're using it as a bitfield, it gives you 8 (sets of) capabilities which can be turned on or off in any combination for any user. I'd call that flexible. And, if 8 capabilities isn't enough for you, it's trivial to change the tinyint (8 bits) to a smallint (16 bits/capabilities), int (32 bits), or bigint (64 bits), which should be more than sufficient for just about any application most of us are likely to write.
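The bitfield reading of that tinyint, as an added example (not code from the answer): named capability bits in one integer column, with the check, grant and revoke operations and the level-based check beside it for comparison. The capability names are made up for illustration.

```php
<?php
// Added example, not code from the answer above. Capability names are illustrative.
declare(strict_types=1);

const CAP_READ    = 1 << 0;
const CAP_WRITE   = 1 << 1;
const CAP_DELETE  = 1 << 2;
const CAP_PUBLISH = 1 << 3;
const CAP_ADMIN   = 1 << 7;   // bit 7 is the last one that fits in an 8-bit column (TINYINT UNSIGNED)

const CAP_NAMES = [
    CAP_READ => 'read', CAP_WRITE => 'write', CAP_DELETE => 'delete',
    CAP_PUBLISH => 'publish', CAP_ADMIN => 'admin',
];

// Level-based check ("simply as a number"): level 5 implies everything levels 1-4 can do
function levelAllows(int $userLevel, int $requiredLevel): bool {
    return $userLevel >= $requiredLevel;
}

// Bitfield check: every bit in $required must be set in $caps.
// The parentheses matter: in PHP `&` binds looser than `===`, so
// `$caps & $required === $required` would compare $required with itself first.
function hasCaps(int $caps, int $required): bool {
    return ($caps & $required) === $required;
}

function grant(int $caps, int $add): int {
    return $caps | $add;
}

function revoke(int $caps, int $remove): int {
    return $caps & ~$remove;
}

function capNames(int $caps): array {
    $names = [];
    foreach (CAP_NAMES as $bit => $name) {
        if (($caps & $bit) === $bit) {
            $names[] = $name;
        }
    }
    return $names;
}

// An editor who may read, write and publish but not delete:
// no single "level" expresses that combination, a bitfield does.
$editor = grant(0, CAP_READ | CAP_WRITE | CAP_PUBLISH);
var_dump(hasCaps($editor, CAP_READ | CAP_PUBLISH));  // both bits present
var_dump(hasCaps($editor, CAP_DELETE));              // delete bit absent
var_dump(capNames(revoke($editor, CAP_WRITE)));      // write removed, the rest kept
var_dump($editor <= 255);                            // still fits the 8-bit column
var_dump(levelAllows(5, 3));                         // the hierarchical model for comparison
```

Store the column as unsigned (or stop at bit 6 in a signed tinyint) and keep the bit-to-name table in one place; the precedence trap in hasCaps() is the classic bug in hand-rolled checks of this kind.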
Most frameworks have an authentication module built-in. So you may want to check out Zend, CakePHP, CodeIgniter, etc.
Also one thing that tends to get confusing is the difference between escaping and encoding data. Things are a lot more flexible when data is encoded then escaped.
User authentication makes sure that if a user tries to access a page to which the application denies free access, it redirects the user to the login page and, after a successful login, brings them back to the requested page. One such implementation of Cake's default Auth is explained in the following, wrt pitfalls, approach and ways.
http://enbake.com/cakephp-user-authentication-auth-component
The framework doesn't restrict you. Rather, it grants you speed of development with existing modules and more organized code. I can show you a comparison b/w frameworks if interested.