Authentication (ACL) - Challenges - Solutions - Dilemmas
[eluser]manilodisan[/eluser]
What kind of appreciation do you want from us here after selling "a simple class" for $35? In a community used to free things, with programmers sharing knowledge and source code, you must earn the good words and not expect them to rise out of nothing. What should the good words be about? About the fact that we have to pay in order to actually see how good or bad your code really is? Let me tell you my impression about that page of yours: "marketing". A focused "on the topic" opinion. Nobody hijacked your thread. You started it with a wrong impression about this forum and its community.
[eluser]Randy Casburn[/eluser]
@manilodisan - Thanks for taking the time to reply. Maybe you misunderstood. I'll reiterate what I said.

Quote: Your product looks really nice...but a lot different than what I’m offering in a simple class folks can use in custom-built, one-off software.

I'm sorry you didn't have time to explore the site a little more deeply. Maybe on your next visit you'll be able to explore these pages...

Documentation: Auth Overview, Class Reference, Data Architecture, Installation, Troubleshooting
Demo: Demo Page
Test Suite: Full Test Suite

There is a great deal of history in the very long topic that is referred to at the top of this post. I didn't want to go through all that here. Thanks for your understanding.

Thanks for your feedback,
Randy
[eluser]Pascal Kriete[/eluser]
I have a few thoughts on this. This is my impression so far, and honestly, it's not great.

Attempt at being constructive: I know not everyone is a designer - or can afford to hire one. But the buy page with all those sign reminds me of this. It's ugly. And the right column is totally out of place - it links to the same page. A few tweaks might encourage someone to buy. Also, there's a small typo on said page. It says CI 6.1.3.

The rest: So you say this is only the first in a row of products to build a full ACL. Will the others be free? Suffice to say that I would have a hard time justifying a $100 auth system. I can get EE personal for that price. And that one isn't compiled. Which brings me to the real deal breaker:

Quote: Plurious Auth is compiled to byte code and requires [NuSphere PHPExpress] to interface with the PHP interpreter.

It's compiled so I can't change it, the license says I cannot decompile it, and it's declared as final so I can't extend it. You really think this is usable?

Reading the documentation (and I read most of it), it looks like this doesn't offer a lot more than Redux can offer. Less in a lot of cases. No 'forgotten password', no native group control, and captcha for a fee. Redux on the other hand is free, open source, and MIT licensed. Plurious allows me to create (and manage?) users and then check their credentials on login. With some javascript to make mitm attacks a little harder. Sell it to me, how is this new or better?

I trust your code more than I trust most people's, but honestly, it reeks of security through obscurity. If I have to pay for software, I like having certain freedoms and for 35 bucks I would be in violation of the license agreement within 10 minutes. And don't get me started on the domain restriction...
[eluser]Michael;[/eluser]
Boy oh boy, the mean and nasty just got quick in this thread. Give 'em an inch and they want a yard. Great, people are used to getting it for free... but haven't you ever heard the saying "the best things in life are never free".

Look guys, I understand where Randy is coming from, I run my own business and can't give away my time and effort when I have a family to take care of; this is the number one reason why OSS will never be able to replace good old-fashioned commercial software. Great, there are plenty of alternatives; but who's going to answer your questions when things don't go right? And don't give me that old use the forums routine... there are PLENTY of questions that go unanswered on these very forums.

Look, everyone needs to just slow their roll and get a grip. Is all the fussing really necessary? Inparo... so Randy has chosen to obfuscate his code; so what... you're not gonna use it as you pointed out. Let others make up their own minds without being so nasty about things.

To be perfectly honest, Auth is such an easy thing to write there are hundreds of potential systems out there already... An excellent ACL on the other hand is a whole different matter. Randy just chose a different path than the rest of us... my solution is hosted. You won't ever even have access to my code. You might not like it, or use it, or ever even consider it. But my clients do every single day.
[eluser]Randy Casburn[/eluser]
[quote author="inparo" date="1222292680"]So you say this is only the first in a row of products to build a full ACL. Will the others be free? Suffice to say that I would have a hard time justifying a $100 auth system.[/quote]

As much as I embellish I should expect this, but nowhere on the site did you see $100 for anything. I've never suggested that nor will I. I knew it would be uphill to generate any interest at all in a Free based community. So that was a little unfair.

[quote author="inparo" date="1222292680"] It's compiled so I can't change it, the license says I cannot decompile it, and it's declared as final so I can't extend it. You really think this is usable?[/quote]

You bet your buttons it is!

[quote author="inparo" date="1222292680"]Reading the documentation (and I read most of it), it looks like this doesn't offer a lot more than Redux can offer.[/quote]

If you look at it from a user's perspective, Redux and others have more "features". When you take the dress, or the pants, off, Plurious Auth has more Chastity (it's more secure than any other CodeIgniter authentication capability in existence). That is what is so cool about this whole affair. If features are more important than security, then there are always other choices.

Now, when it comes to features, you, of all people, looked right past the direct interface with JS frontends and the JSON encoded return to an AJAX login requests. That's one I've not seen built into any of the others.

[quote author="inparo" date="1222292680"]Sell it to me, how is this new or better?[/quote]

1) Want to secure a controller? Move the file to the 'secure' directory. OK. Now it is secure. There is no code to write, nothing to modify, period. You cannot access the contents that controller controls without logging in...
2) Want to un-secure that controller? Move the file out of the 'secure' directory. OK. Now it is no longer secure. No code to change, nothing to modify, period. You can now access the contents that controller controls...
3) You don't have to write any code to check any user stuff unless you want to.
4) Every bit of session handling is done inside the class. You don't have to write any code to handle a bit of it.
5) Every bit of page caching is handled inside the class. There are no more worries about the darn "back button" issue that plagues almost every CI application in existence. At least the browser folks are helping (FF3 is fixing this). If you're not using FF3, log out of this forum and hit the back button...you'll see your old outdated authenticated page!!! That is Expression Engine, ladies and gentlemen. That cannot happen with Plurious Auth.

[quote author="inparo" date="1222292680"]I like having certain freedoms and for 35 bucks I would be in violation of the license agreement within 10 minutes.[/quote]

Then this isn't the solution for you. This solution is for folks that compare the business cost of spending 1, 2, 3, 4, 5, or 20 man hours to create or integrate a solution to a $35 drop-in solution. Most PHP developers cost more than $35/hr US.

@inparo -- thanks so much for taking the time to provide your detailed feedback. I truly appreciate and respect your words here and will consider everything you've said.

Randy
[eluser]manilodisan[/eluser]
@michael. The guy obfuscates a library, puts it in a package up there for sale and then comes here opening a thread to ask for our opinion about the library. How the hell should I know how's the lib without purchasing it (I hope you get the "marketing" irony here)?
[eluser]Randy Casburn[/eluser]
[quote author="manilodisan" date="1222296170"]@michael. The guy obfuscates a library, puts it in a package up there for sale and then comes here opening a thread to ask for our opinion about the library. How the hell should I know how's the lib without purchasing it (I hope you get the "marketing" irony here)?[/quote]

Actually, I pointed to a thread that indicated there was a need that was not being met currently by an "officially" sanctioned capability. The thread I referred to, and then referred you to again, pointed out that part of the need was not only the need for the capability, but for a level of support too. Derek Jones put out the challenge at that point that this would be difficult to do. Then... I pointed to my web site with a solution for the capability and support.

@manilodisan - So here is the bottom line: Think of the pricing model as a forced donation model. I don’t have the resources to support a “community” of open source users. I will support those willing to pay me. I don’t have the resources to support those hacking at my top quality code and then belly-aching when they cannot get it to work any more. I do have the resources to support code completely under my control.

Hope this clears things up.

Randy
[eluser]Pascal Kriete[/eluser]
Randy, I appreciate your level-headed reply.

As for the 100$. I derived it from the fact that this will be a three part application. I see the auth part to be at par (in terms of size/difficulty to implement properly) with the other two parts, so I extrapolated the cost. It was indeed an unfair estimate to make. I can certainly see the benefits of a true 'drop-in' solution.

Quote: direct interface with JS frontends and the JSON encoded return to an AJAX login requests

I saw mention of the async request to get the unique id, which is certainly clever (doesn't degrade, but I'm not fussed about that). I haven't found mention of the json encoded return to the auth request. The demo simply refreshes. I think I might be misunderstanding something - pointers are appreciated.

Quote: it’s more secure than any other CodeIgniter authentication capability in existence

I can't really comment on that. On the one hand, I truly trust your programming knowledge. On the flip side, even open source security issues occasionally remain undiscovered for years.

Quote: Then this isn’t the solution for you.

We've certainly established that.

@michael., I use closed-source and hosted solutions every day. I run OSX, code in Textmate, write email through Yahoo and Google. I'm not about to dump it for an open-source project for the sake of open-source. I know that the corporate world operates quite differently from a 'mostly free' community and I respect that. Everyone has to pay the bills at the end of the month.

Again, thank you for remaining professional (as always),
Pascal
[eluser]Randy Casburn[/eluser]
@inparo - here you go -- JSON Encoded Return Hit the little green plus sign next to login() to expand the topic. It's just magic man. No page reloads to log in... Beautiful! Randy
[eluser]Pascal Kriete[/eluser]
[quote author="Randy Casburn" date="1222299424"]@inparo - here you go -- JSON Encoded Return Hit the little green plus sign next to login() to expand the topic. It's just magic man. No page reloads to log in... Beautiful! Randy[/quote]

Ah perfect, thanks.