15

I'm aware of the risks of rolling your own user authentication scripts, but I'm also wary of using packages that don't seem to be actively maintained: the current version of PEAR LiveUser is almost a year old.

Please recommend (and argue the case for) an actively-maintained user-authentication library which can be integrated into an existing web project. It should ideally support various roles - anonymous users, registered users and administrators at various levels.

Rob
Ken
  • It's not necessarily a bad idea to roll your own system. Just make sure your system *is a good one*. That does mean months of research and careful thought, but it can be done and you'll learn a lot. Or if you don't have time, then find someone else's. But if you don't know how to create your own... how can you know how good someone else's system is? :) – Abhi Beckert Mar 27 '12 at 12:59
  • You may want to take a look at https://github.com/delight-im/PHP-Auth which is both framework-agnostic and database-agnostic. – caw Sep 21 '16 at 05:26

4 Answers

6

It sounds like what you want is a user control library, rather than an authentication library.

For example, in the Zend Framework there are two classes: Zend_Auth (which handles user authentication, i.e. logins, from simple database tables to OpenID) and Zend_Acl (which handles the user access side of things).

I quite like the ZF classes - I haven't tried using them outside of a ZF project, but most of their classes can be, so give it a try. Even if you decide to build your own they'd be useful for reference.

Ross
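To make the authentication/access-control split above concrete, here is an added example (not Zend Framework code and not from the answer) of the kind of check an ACL component performs: the three roles the question asks for, arranged so that each inherits the permissions of the one below it, with default deny and an unknown role never granted anything. The class name, resource names and privilege names are constructed for illustration.

```php
<?php
// Added example: a minimal role-based access check with role inheritance.
// Not Zend_Acl; names (SimpleAcl, 'article', 'comment', privileges) are constructed.

declare(strict_types=1);

final class SimpleAcl {
    /** @var array<string, ?string> role => parent role (null for the root role) */
    private array $parents = [];
    /** @var array<string, array<string, true>> role => set of "resource:privilege" */
    private array $allowed = [];

    // Register a role; an optional parent makes it inherit the parent's grants.
    public function addRole(string $role, ?string $inherits = null): void {
        if ($inherits !== null && !array_key_exists($inherits, $this->parents)) {
            throw new InvalidArgumentException("unknown parent role: $inherits");
        }
        $this->parents[$role] = $inherits;
        $this->allowed[$role] = [];
    }

    // Grant one privilege on one resource to a role. Grants are the only
    // positive statements; everything not granted is denied.
    public function allow(string $role, string $resource, string $privilege): void {
        if (!array_key_exists($role, $this->parents)) {
            throw new InvalidArgumentException("unknown role: $role");
        }
        $this->allowed[$role]["$resource:$privilege"] = true;
    }

    // Default deny: walk from the role up through its ancestors and grant only
    // if one of them holds the privilege. An unregistered role is never granted.
    public function isAllowed(string $role, string $resource, string $privilege): bool {
        if (!array_key_exists($role, $this->parents)) {
            return false;
        }
        for ($r = $role; $r !== null; $r = $this->parents[$r]) {
            if (isset($this->allowed[$r]["$resource:$privilege"])) {
                return true;
            }
        }
        return false;
    }
}

// Roles from the question: anonymous < registered < admin.
$acl = new SimpleAcl();
$acl->addRole('anonymous');
$acl->addRole('registered', 'anonymous');
$acl->addRole('admin', 'registered');

// Constructed grants: anyone may read, members may comment, only admins delete.
$acl->allow('anonymous', 'article', 'view');
$acl->allow('registered', 'comment', 'post');
$acl->allow('admin', 'article', 'delete');

var_dump($acl->isAllowed('anonymous', 'article', 'view'));     // direct grant
var_dump($acl->isAllowed('anonymous', 'comment', 'post'));     // not granted to anonymous
var_dump($acl->isAllowed('registered', 'article', 'view'));    // inherited from anonymous
var_dump($acl->isAllowed('registered', 'article', 'delete'));  // admin-only
var_dump($acl->isAllowed('admin', 'article', 'delete'));       // direct grant
var_dump($acl->isAllowed('nobody', 'article', 'view'));        // unknown role
```

The point worth taking from this, whichever library you end up with, is that the authentication layer only establishes *who* the user is; the access decision is a separate, default-deny lookup keyed on role, resource and privilege, and role inheritance is what lets "administrators at various levels" be expressed without duplicating grants.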
5

It looks to me like PEAR hasn't changed much because it's stable. I wouldn't be afraid of using it.

EdgarVerona
3

http://ulogin.sourceforge.net/

It is quite secure and well thought out. It's also very configurable.

Martin_Lakes
  • Where is the documentation? It does not work well; error in the installation. – devasia2112 Jul 06 '12 at 16:05
  • I just had a bad time with this (perhaps I am using it wrong? I don't know; the documentation is the comments in the example). I am currently looking for something else. – Trass Vasston May 29 '13 at 04:40
-3

When using md5() to store passwords in a table in your MySQL database, keep in mind the same process will be required when checking the password entered in the login form against the one in the database.

Another example of a hash generating function is

sha1();

You could always wrap the two functions and create a simple hash-generation method:

$string = md5(sha1($string));

return $string; // RETURNED HASHED VALUE

It is also possible to use the salt() function, which allows your own "public key", to an extent:

salt("mystring123", "jz");

Shane
  • Doing `md5(sha1($string))` would only increase the collision rate and make your application less secure. You should use only sha1, or if that is not enough try the SHA-256 or SHA-512 algorithms. – Petah Oct 26 '10 at 11:46
  • **Salting** the password string should be used along with some hash function. It is not another method. – Tun Dec 05 '11 at 07:25
  • Do not add md5() to sha1() or vice versa. You are wasting CPU cycles with zero positive benefit and possibly actually making your security worse. Just use sha1 instead (it's better than md5). And a salt/random password generator are not a *replacement* for sha1/md5, they are something that should always be used *alongside* sha1/md5 when working with passwords. Please do yourself a favour and read up on it further. – Abhi Beckert Mar 27 '12 at 12:56