Redux Authentication 1.4a (24th July 2008)
#61

[eluser]Popcorn[/eluser]
Sorry about that, back online.
#62

[eluser]Popcorn[/eluser]
Hi,

A little update to keep you all informed for version 1.2.

Misc : Removed dependency on security helper.
I removed the dohash function and replaced it with the SHA1 function. I couldn't see a point in loading a new helper for 1 function which PHP can handle already. This will make 1 less potential mistake for the end user to make.

Misc : Removed the user list function.
The user list function was a personal preference and as of now, it's removed.

Optimization : Automation of loading auth config variables.
Instead of loading each config variable to a class variable, I loop through them now, this allows you to add a config var and it will be available in the library without any lib editing.

Feature : get and check functions to model.
Condensed a few model functions that could be used in 1 function.

Feature : Automatic login after registration. (Email Verification Disabled.)
This wont be a config option as I can see no point for it.

As always, your comments and input are greatly appreciated.

Kind Regards,
-Mathew Davies.
#63

[eluser]Tom Glover[/eluser]
Nice, have you released this yet, or is this the change log for the new release?
#64

[eluser]Popcorn[/eluser]
This is not released yet, but rather a list of features already ready for the next version.
#65

[eluser]Tom Glover[/eluser]
Cool, I can't wait to see it.
#66

[eluser]Unknown[/eluser]
Hi, I'm new to CodeIgniter and I'm just learning things as I go. Sorry for my English, it's kinda bad :)

You got nice library here.

What do you guys think about a login system that doesn't send usernames or passwords as plaintext over the internet?

I have done a login system that uses JavaScript on the client side to make an MD5-HMAC hash from the password and a unique challenge key. Every time a user comes to the login page, the server sends him a randomly generated challenge key (on the server side we store this key in the database). JavaScript uses this unique challenge key and the user input (= password) to create an MD5-HMAC hash. Then we send that crypted hash to the server.

On the server side I'm doing that same MD5-HMAC hash string again with PHP, using the same unique challenge key (we stored it in the DB earlier) and the real password from the database. If the client-side MD5-HMAC hash and the server-side MD5-HMAC hash match, then we have a valid user. After the user is authenticated successfully we just do sessions (I'm storing sessions in a DB) as usual and delete the challenge key.

Advantages:
+ password is not sent in plaintext
+ hacking the password is much more challenging for crackers, script kiddies might pass by :)
+ challenge-key is used only one time
+ password is not md5-hash so cracker can't use md5-hash-lists to bruteforce the password.

Disadvantages:
- it's not SSL :)
- on the server side, we need to get passwords from the database, so we can create that server-side MD5-HMAC hash. Currently I'm using Blowfish to encrypt passwords in the DB. One-way crypting would be safer.
- If the user disables JavaScript, well, I can't help him. He can't log in.
- if a cracker gets a challenge key and the crypted MD5-HMAC hash from a valid user, he might do some brute-forcing and figure out the user's password some day. But it's not as simple as getting a plaintext password or an MD5 password.

I currently have a working login system at my test site, using the methods I described here. I'm planning to make a CI library from it.. I just don't know how yet.

Gimme feedback, what do you guys think about doing hashes in client-side JavaScript? Is it worth the coding or should I consider SSL?

Well, the next option is to enable SSL on my site and do all logins and stuff via SSL, but I would hate to use user-made certificates. Those are so annoying to users and show that I'm a poor man who can't afford a real certificate ;)
#67

[eluser]Popcorn[/eluser]
Quissi : This is an interesting concept and I would love to see a CodeIgniter addon created based on it. It seems like it'd be very secure because it doesn't actually send the password but rather the unique key. Have I understood this correctly?

The next step would be to get SSL as you suggested, but don't worry about people thinking you are a poor man who can't afford a real certificate. If it offers protection then I personally think the public won't care.

Some little news on the new version of the Authentication Library 1.2

I just finished up the last feature for this release (Forgotten Password). I just need to clean the code up in places and finish off documentation then I will be able to release it sometime in the next week.

Thank you for being patient.
#68

[eluser]gunter[/eluser]
hey popcorn!
I am very curious about the next release and I am curious about it!
nice weekend,
gunter
#69

[eluser]artiraz[/eluser]
~Fixed.
#70

[eluser]Popcorn[/eluser]
The only reason for the login function to be returning false is if the email address doesn't exist in the users table or the passwords do not match. There could be a number of reasons for this:

Did you change the salt key in the configuration file after you registered a user? Can you register another user, then proceed to log in without changing any config items, and see if it happens again?

If that does not work, can you echo the $password and $dbpassword variables in the login function? Just before the $password === $dbpassword check is made.

Code:
// Debugging.
echo $password, $dbpassword;

PS: You might not have known this, but you need an 'email' to log in.
