CodeIgniter Forums
Ion Auth - Lightweight Auth System based on Redux Auth 2 - Printable Version

Thread: Ion Auth - Lightweight Auth System based on Redux Auth 2 (/showthread.php?tid=27435)



Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-29-2010

[eluser]dreamer111[/eluser]
What is more secure?

storing salt in the database separately or not?


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-30-2010

[eluser]Yorick Peterse[/eluser]
[quote author="Roobiz" date="1280168724"][quote author="maltzurra" date="1280151085"]Interesting library, good job. But to be honest, there are some pieces of code I don't like at all.

Like the way "remember me" cookies are being stored. I would NOT recommend to store your password in cookies. Even when it's sha1() encrypted. Concat fields, use salts, tokens... Whatever you prefer, but storing password in a file this way, it is just so risky.

Great job anyway :)[/quote]

For me $rmbcode = sha1(sha1(password + salt));

Well it's not very good but not too bad at all... The way to reverse a sha1 is not very easy so...[/quote]

Double hashing isn't actually more secure than hashing something once. You'd be better off using a secret key (a very long one that is) and a hashing algorithm such as sha512.


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-30-2010

[eluser]Ben Edmunds[/eluser]
Maltzurra,

I definitely see your point. I'll go through and examine that code soon to see how to make it more secure, I'll probably just create a random salt instead of the sha1 of the password as the remember code but I'll post on here once it's updated.

Thanks,
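The "random code instead of a hash of the password" approach Ben mentions, written out as an added example in PHP (this is not Ion Auth's code, and the column names `remember_hash` and `remember_expires` are assumptions). The browser gets a random token; the database keeps only a SHA-256 of it, so neither a dumped users table nor a leaked cookie reveals anything about the password, and a table dump cannot be turned into valid cookies. It uses `random_bytes()` and the array form of `setcookie()`, so PHP 7.3 or later.

```php
<?php
// Added example, not Ion Auth code: a "remember me" cookie carrying a random token.
// Assumed table layout: users(id, remember_hash, remember_expires).

const REMEMBER_TTL = 30 * 24 * 3600; // 30 days

// Issue a new token: returns the cookie value and the columns to store.
function issue_remember_token(int $userId): array
{
    $token   = bin2hex(random_bytes(32));            // 256-bit CSPRNG secret
    $expires = time() + REMEMBER_TTL;
    return [
        'cookie' => $userId . ':' . $token,          // what the browser keeps
        'db'     => [                                // what the users row keeps
            'remember_hash'    => hash('sha256', $token),
            'remember_expires' => $expires,
        ],
    ];
}

// Check a presented cookie. $lookup($id) returns the user's row or null.
// Returns the user id on success, null on any failure.
function check_remember_token(string $cookie, callable $lookup, ?int $now = null): ?int
{
    $now = $now ?? time();
    if (!preg_match('/^(\d+):([0-9a-f]{64})$/', $cookie, $m)) {
        return null;                                 // malformed cookie
    }
    $row = $lookup((int) $m[1]);
    if ($row === null || $row['remember_expires'] < $now) {
        return null;                                 // unknown user or expired token
    }
    // Constant-time compare: a byte-by-byte early exit would leak the stored hash.
    if (!hash_equals($row['remember_hash'], hash('sha256', $m[2]))) {
        return null;
    }
    return (int) $m[1];
}

// Send the cookie with the flags a login cookie should carry.
function set_remember_cookie(string $value): void
{
    setcookie('remember', $value, [
        'expires'  => time() + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,     // never over plain HTTP
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
}

// Constructed demo: issue a token, "store" it in an in-memory table, verify it.
$issued = issue_remember_token(42);
$users  = [42 => $issued['db']];
$lookup = function (int $id) use ($users) { return $users[$id] ?? null; };

var_dump(check_remember_token($issued['cookie'], $lookup));            // genuine cookie
var_dump(check_remember_token('42:' . str_repeat('0', 64), $lookup));  // forged cookie
```

The genuine cookie resolves to user 42 and the forged one to null. On logout, or when a cookie fails the check for a known user, clear `remember_hash` so the old token cannot be replayed; rotating the token on every successful remember-me login limits the window a stolen cookie stays usable.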


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-30-2010

[eluser]Ben Edmunds[/eluser]
Dreamer111,

They are both pretty equal. Not storing them separately (the default) should probably be considered a little more secure as the encryption algorithm is a little more complicated.
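An added PHP example (not Ion Auth code) showing the two layouts dreamer111 asks about side by side with the same algorithm: a separate `salt` column, and the salt prefixed to the hash in one string. An attacker who has the table has the salt in either case, so the cost of testing one guess is identical; the salt only defeats precomputed tables and cross-user matching. What changes the attacker's cost is the slow KDF, so the block also shows PHP's built-in `password_hash()`, which embeds its own salt. Needs PHP 7.1+.

```php
<?php
// Added example, not Ion Auth code: per-user salt stored separately or combined,
// both with a stretched hash, plus the built-in password_hash() for comparison.

function make_salt(): string
{
    return bin2hex(random_bytes(16));   // 128-bit random salt, unique per user
}

function slow_hash(string $password, string $salt): string
{
    // A single sha1() is far too fast for passwords; PBKDF2 stretches it.
    return hash_pbkdf2('sha256', $password, $salt, 100000, 64);
}

// Layout 1: two columns, `salt` and `hash`.
function store_separate(string $password): array
{
    $salt = make_salt();
    return ['salt' => $salt, 'hash' => slow_hash($password, $salt)];
}
function verify_separate(string $password, array $row): bool
{
    return hash_equals($row['hash'], slow_hash($password, $row['salt']));
}

// Layout 2: one column holding "salt$hash".
function store_combined(string $password): string
{
    $salt = make_salt();
    return $salt . '$' . slow_hash($password, $salt);
}
function verify_combined(string $password, string $stored): bool
{
    [$salt, $hash] = explode('$', $stored, 2);   // salt is hex, so '$' is unambiguous
    return hash_equals($hash, slow_hash($password, $salt));
}

// What PHP ships: bcrypt with the salt and cost embedded in the string.
function store_builtin(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}
function verify_builtin(string $password, string $stored): bool
{
    return password_verify($password, $stored);
}

// Constructed demo.
$row = store_separate('correct horse');
var_dump(verify_separate('correct horse', $row));
var_dump(verify_separate('wrong guess', $row));

$one = store_combined('correct horse');
var_dump(verify_combined('correct horse', $one));

var_dump(verify_builtin('correct horse', store_builtin('correct horse')));
```

The three checks with the right password return true and the wrong guess returns false under both layouts. The practical difference between the layouts is operational, not cryptographic: a single column is harder to update inconsistently, and `password_hash()` additionally records the cost so `password_needs_rehash()` can upgrade old rows at login.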


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-30-2010

[eluser]rickyracoon[/eluser]
Just tried out the library - surprised that duplicate usernames can be registered with different email addresses. When/why would anyone want this functionality? I feel like most people would want to sign in with either username or email. Can you describe the thought process behind allowing one or the other to be unique instead of requiring BOTH to be unique by default?

I just can't see it being useful to allow duplicate usernames registered under different emails, or duplicate emails registered under different usernames. Actually seems like it could lead to confusion and identity issues.

Maybe I'm missing something, just hard to imagine that this works for real world sites.


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-31-2010

[eluser]rickyracoon[/eluser]
Ok I see that it just increments the username when you enter a duplicate. I just think using unique username AND email by default would make things so much simpler than having to specify an "identity" field. Like how Twitter does it. Sorry gettin' greedy. Everything was easy to set up, don't mean to sound so critical...it really is my only complaint with the library. I'm trying to modify it to work the way I want to, will share if I find a quick/easy way to do it.


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-31-2010

[eluser]Ben Edmunds[/eluser]
rickyracoon,

You can use the username_check and email_check methods to enforce that yourself.

So in your signup controller method use username_check and email_check as form_validation callbacks to make sure both are unique.
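What that looks like in a CodeIgniter 2.x controller, as an added example (not Ion Auth's own code). It assumes that `username_check()` and `email_check()` return TRUE when the value already exists, and that `register()` takes `($username, $password, $email)` and returns FALSE on failure; check both against the Ion Auth version you installed.

```php
<?php
// Added example, not Ion Auth code: make BOTH username and email unique at signup
// using form_validation callbacks. Assumes ion_auth and session are autoloaded.
class Auth extends CI_Controller
{
    public function register()
    {
        $this->load->library('form_validation');

        $this->form_validation->set_rules('username', 'Username',
            'required|min_length[3]|max_length[30]|callback__username_unique');
        $this->form_validation->set_rules('email', 'Email',
            'required|valid_email|callback__email_unique');
        $this->form_validation->set_rules('password', 'Password',
            'required|min_length[8]');

        if ($this->form_validation->run() === FALSE) {
            $this->load->view('auth/register');   // view shows validation_errors()
            return;
        }

        $username = $this->input->post('username');
        $email    = $this->input->post('email');
        $password = $this->input->post('password');

        // Assumed signature: register($username, $password, $email), FALSE on failure.
        if ($this->ion_auth->register($username, $password, $email) !== FALSE) {
            redirect('auth/login');
        }
        $this->session->set_flashdata('message', $this->ion_auth->errors());
        redirect('auth/register');
    }

    // Leading underscore: CodeIgniter will not route a URL to these methods,
    // so they are reachable only as validation callbacks.
    public function _username_unique($username)
    {
        if ($this->ion_auth->username_check($username)) {   // assumed: TRUE if taken
            $this->form_validation->set_message('_username_unique',
                'That %s is already taken.');
            return FALSE;
        }
        return TRUE;
    }

    public function _email_unique($email)
    {
        if ($this->ion_auth->email_check($email)) {         // assumed: TRUE if taken
            $this->form_validation->set_message('_email_unique',
                'That %s is already registered.');
            return FALSE;
        }
        return TRUE;
    }
}
```

Two caveats. The callbacks only narrow the race between two signups for the same value; the guarantee has to come from UNIQUE indexes on both columns in the database, with the insert error handled. And "already registered" on the email field tells an anonymous visitor which addresses have accounts; if that matters for your site, accept the form and send the "you already have an account" notice by email instead.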


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-31-2010

[eluser]Unknown[/eluser]
I just downloaded Codeigniter 2.0 and I'm working on installing Ion Auth. At the auth index, I'm getting "Unable to load the requested class: Ion_auth"

It doesn't seem like anyone has run into this before, so I'm sure that I just haven't configured something correctly, but I can't figure it out.

Anyone have any pointers?

Thanks


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-31-2010

[eluser]rickyracoon[/eluser]
Ben, not nearly as simple as that. You are using $identity and $identity_column all over the place in the code...this makes it impossible to allow some users to log in with username and others to log in with email.

Has anyone managed to come up with a solution to break this restriction? I was thinking of maybe making the $identity_column dynamically set by checking for an '@' in the input.
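The "pick the column from the input" idea, as an added example in plain PHP (not Ion Auth code). `filter_var()` is used rather than a bare `'@'` test so that things like `"a@"` or `"@b"` are not treated as email addresses, and the column name comes from a fixed whitelist, never from the request. The in-memory table stands in for `$this->db`; the caller still has to verify the password against the returned row.

```php
<?php
// Added example, not Ion Auth code: choose the identity column by input shape.
// Assumes a users table with unique `username` and `email` columns.

const IDENTITY_COLUMNS = ['username', 'email'];   // the only columns ever queried

function identity_column(string $identity): string
{
    return filter_var($identity, FILTER_VALIDATE_EMAIL) !== false ? 'email' : 'username';
}

// $fetchBy($column, $value) returns the row or null.
function find_user(string $identity, callable $fetchBy): ?array
{
    $column = identity_column($identity);
    if (!in_array($column, IDENTITY_COLUMNS, true)) {
        return null;   // defence in depth: column name must be one of ours
    }
    // Email addresses are matched case-insensitively; usernames follow your own policy.
    $value = ($column === 'email') ? strtolower($identity) : $identity;
    return $fetchBy($column, $value);
}

// Constructed demo data standing in for the users table.
$users = [
    ['id' => 1, 'username' => 'alice', 'email' => 'alice@example.com'],
    ['id' => 2, 'username' => 'bob',   'email' => 'bob@example.net'],
];
$fetchBy = function (string $column, string $value) use ($users): ?array {
    foreach ($users as $u) {
        if ($u[$column] === $value) {
            return $u;
        }
    }
    return null;
};
// CodeIgniter equivalent of $fetchBy:
//   $this->db->where($column, $value)->get('users')->row_array();

echo find_user('alice', $fetchBy)['id'], "\n";              // by username
echo find_user('Alice@Example.com', $fetchBy)['id'], "\n";  // by email, any case
var_dump(find_user('nobody@example.org', $fetchBy));        // unknown identity
```

Because anything that validates as an email address is looked up in the `email` column, a username that itself looks like an email could never be used to log in; forbid `'@'` in usernames at registration (a `form_validation` rule does it) so the two namespaces cannot overlap.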


Ion Auth - Lightweight Auth System based on Redux Auth 2 - El Forum - 07-31-2010

[eluser]kaejiavo[/eluser]
Hi Ben,

First I would like to say thank you for this very awesome library.
It saved me lots of work and trouble. To be honest, my PHP knowledge is not sufficient to come up with a secure auth system.

Now i come with a performance issue / question to you:

I need to fetch the user array on each of my pages as I have a strongly personalized site. Also on each page I update a 'meta' field with a timestamp (last_clicked).
So i have basically:
$this->user = $this->ion_auth->get_user_array();
...
$this->ion_auth->update_user($data);

And I have some pages on my site where yet another update_user() is needed.

Now, what I figured out is that ion_auth_model->update_user($data) first fetches the user data from the database ($user = $this->get_user($id)->row();), so I have up to 3 or 4 DB accesses for the user on one page.

I don't exactly understand what the update_user function does with the user data, but I have a feeling that these checks are not needed if only the meta data is to be updated. So is there any way that you could add an update_user_meta() function to the library?
I have added one in my controller, but it seems to be missing from the lib.

Quite a long explanation, hope I made my point clear enough.
Marco
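One way to get the meta-only update Marco asks for, as an added example (not Ion Auth's own code). It assumes Ion Auth's `meta` table is keyed by `user_id` and reachable as `$this->tables['meta']` from a model that extends `Ion_auth_model`, and that the whitelisted columns exist in your schema. The whitelist is the part not to skip: the extra fetch in `update_user()` is at least partly what keeps callers from writing arbitrary columns, and a one-query shortcut must not give that up.

```php
<?php
// Added example, not Ion Auth code: a single-query meta update with a column whitelist.
// Assumes ion_auth is autoloaded (which loads Ion_auth_model) and $this->tables['meta'] exists.
class My_ion_auth_model extends Ion_auth_model
{
    // Only these columns may be written through this method; anything else is dropped.
    private $allowed_meta = ['last_clicked', 'first_name', 'last_name'];

    public function update_user_meta($id, array $data)
    {
        // Filter BEFORE the query: never hand raw POST data to update().
        $data = array_intersect_key($data, array_flip($this->allowed_meta));
        if (empty($data)) {
            return FALSE;
        }

        $this->db->where('user_id', (int) $id)
                 ->update($this->tables['meta'], $data);

        return $this->db->affected_rows() > 0;
    }
}

// Controller side: fetch the user once per request, then run only the cheap update.
class MY_Controller extends CI_Controller
{
    public $user;

    public function __construct()
    {
        parent::__construct();
        $this->load->model('my_ion_auth_model');
        $this->user = $this->ion_auth->get_user_array();   // one fetch for the whole request

        if (!empty($this->user['id'])) {
            $this->my_ion_auth_model->update_user_meta(
                $this->user['id'], ['last_clicked' => time()]);
        }
    }
}
```

Controllers that extend `MY_Controller` then read `$this->user` instead of calling `get_user_array()` again, which removes the repeated fetches Marco counted; `update_user()` stays in use for the rare writes that touch the users row itself.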