
Many hours of work have finally produced V1 of an Auth / User Management system that I made for CI. I am not claiming to be a security expert, but I tried to study and make the Auth as secure as possible. Many people have downloaded it, but so far I haven't heard back any comments, other than that the code looks clean, and that maybe I overdid it a little.


I'd really appreciate some feedback on the system, and how secure or not secure it really is. While it does have some features common to typical auth systems, I'd like to have a real assessment of potential vulnerabilities before going further. Any other comments are also appreciated.


If you're interested, please check out the system; download available from http://auth.brianswebdesign.com


Thanks

https://forums.phpfreaks.com/topic/172401-my-codeigniter-auth-user-management/

I'm not a CodeIgniter user, but is this meant to be an extension to the framework or an application built with the framework?


Just looking at the directory structure....


.
|-- application
|   |-- config
|   |   |-- autoload.php
|   |   |-- config.php
|   |   |-- hooks.php
|   |   `-- routes.php
|   |-- controllers
|   |   |-- administration.php
|   |   |-- home.php
|   |   |-- register.php
|   |   |-- sudo.php
|   |   `-- user.php
|   |-- helpers
|   |   `-- MY_url_helper.php
|   |-- hooks
|   |   |-- my_session_start_hook.php
|   |   `-- my_site_definitions_hook.php
|   |-- language
|   |   `-- english
|   |       `-- authentication_lang.php
|   |-- libraries
|   |   |-- Authentication.php
|   |   `-- MY_Form_validation.php
|   |-- models
|   |   |-- administrative_functions.php
|   |   |-- formval_callbacks.php
|   |   |-- manage_users.php
|   |   `-- registration_functions.php
|   `-- views
|       |-- administration
|       |   |-- admin_menu.php
|       |   |-- create_user.php
|       |   |-- sort_users.php
|       |   |-- update_user.php
|       |   `-- users_table.php
|       |-- home
|       |   |-- column_a.php
|       |   `-- column_a_2.php
|       |-- register
|       |   |-- notify_admin_email.php
|       |   |-- registration_email.php
|       |   |-- registration_form.php
|       |   |-- settings.php
|       |   `-- show_pending.php
|       |-- template_content.php
|       `-- user
|           |-- choose_password_form.php
|           |-- column_a.php
|           |-- login_form.php
|           `-- recover_form.php
|-- css
|   |-- community_auth.css
|   `-- yui-reset-fonts-2.6.0.css
|-- img
|   `-- community_auth
|       |-- Thumbs.db
|       |-- bg.gif
|       `-- info.jpg
|-- readme.txt
`-- sql
    `-- community_auth.sql


It appears you have dumped a heap of files into userland.

This is an extension. If necessary, the whole application directory can be moved above root. While my readme file doesn't recommend this, it is worth noting that this only requires changing a single configuration setting in index.php (already noted in the readme).


Thanks for commenting. I'll make sure to change the readme to suggest that above root is obviously a better place for the application directory.

I haven't had a real good look, but it seems if I were a CodeIgniter user the only part of your code I might find useful (and reusable) would be the actual Authentication library. Even then though, there are references to Brian's Web Design which would need to be removed.


The rest of it, IMO, should be thrown out and rebuilt by the developer. If you were asking opinions on an Auth script you made with CI instead of for CI, my opinion might be different. As it is, it's far too much of an application to be any type of extension, most of which isn't likely to fit anyone else's needs except yours.

It's not really my intention to have people use it without modification. The chances of somebody needing it as-is are very slim, however, there's always people asking how to log people in, and how to manage users. How to register and how to do a password recovery are common topics too. I'm happy to help people, so if anyone can use it, or use it as an example when they can't figure something out, then I'll be happy with that.
