The best login and authorization concept
#1

I'm trying to make login and authorization for CI4 applications. I would like to make my own system and I am more concerned with the general concept which will be most suitable for CI4.

From what I understand, a good solution would be to create a base controller whose constructor starts a session, i.e.
Code:
<?php
namespace App\Controllers;
use CodeIgniter\Controller;
class BaseController extends Controller
{
    protected $session;          // framework session service
    protected $user;             // record of the logged-in user, loaded from the user table
    protected $isLogin = false;  // whether the current request is authenticated
    public function __construct(...$params)
    {
        parent::__construct(...$params);
        // Obtain the framework's session service and start the session
        $this->session = \Config\Services::session();
        $this->session->start();
        // Your own constructor code
    }
}

$this->user would hold the logged-in user's data read from the user table in the database, and $this->session would hold the session variables.

Is this a good approach? Any comments on it are welcome.
#2

(This post was last modified: 06-10-2017, 08:25 AM by skunkbad.)

To say this is a good approach would be to see 1% of what needs to be done and give you an answer.

I never like to use the session for anything but an ID. The data is already in your database, so get it from there.

If you've never attempted to write an Auth library, you should. It's a great learning experience, especially when you start researching security issues. You've got a lot to think about:

1) Session security.
2) Password hashing.
3) Tracking login attempts.
4) Account recovery.
5) Is the user already logged in?
6) If logged in, what kind of user is it?
7) Does logged in user have special permissions to do anything?
8) Garbage collection on authentication/sessions.

There's a lot more to all of this than just creating a base controller.

Also, it's kind of the reason why there is no Auth in CI, that people like doing Auth their own way. There is no best way, as long as you don't do it wrong.
#3

I know that a professional and complete secure login and authorization system requires a lot of work. I have looked at a number of ready-made solutions that were used in CI3, but most of them were overly developed for my needs, and not compatible with PHP 7 and the general CI4 concept. I want to start with the basic functionality and gradually expand. I mean basic assumptions, e.g. whether a good solution is to create a controller base class and check everything in the constructor, or perhaps to build a separate library and attach it to the controllers like DX-auth. I am not a CI4 specialist, so I would like a professional to point me in the right direction. Or is there any ready-made library worth recommending? I just found something like this:
Gatekeeper: An Authentication & Authorization Library
However, as for me, it is extremely extended. And while creating my own concept, I would like to learn something more.
#4

I don't have any experience with Gatekeeper, but it sounds like you've already done some of your homework. Although it's been too long to remember, I played with Laravel 5.2 (a year ago?) and liked their approach to authentication. It might be worth checking into, since you're looking at auth libraries.

The difficult thing to do is make an authentication library truly framework agnostic, because it means:

1) The library doesn't use the framework's sessions, database connection, etc.
2) You've got foreign code to look through to figure out how everything works, because if you need to make customizations (and you will) then you need to know how it works.
3) You've got to spend time figuring out how to have that library use the framework's sessions, database connection, etc.

Honestly, I didn't make my auth for anyone else, even though I'm sharing it. Now in my 12th year of playing with auth, I know it well enough to make special modifications anytime I need. That's the best part of making your own.

Community Auth places most of the code in a library and a model. Because the library is autoloaded, it runs the constructor well before anything happens in the controllers. Controller routes (controller + public methods) call on methods that are placed in Auth_Controller (a base controller). That's just my way of doing it. In essence, the foundation of Community Auth is three files. Four files if you count the Tokens library.
#5

(06-10-2017, 09:14 AM)WitekS Wrote: I know that a professional and complete secure login and authorization system requires a lot of work. I have looked at a number of ready-made solutions that were used in CI3, but most of them were overly developed for my needs, and not compatible with PHP 7 and the general CI4 concept. I want to start with the basic functionality and gradually expand. I mean basic assumptions, e.g. whether a good solution is to create a controller base class and check everything in the constructor, or perhaps to build a separate library and attach it to the controllers like DX-auth. I am not a CI4 specialist, so I would like a professional to point me in the right direction. Or is there any ready-made library worth recommending? I just found something like this:
Gatekeeper: An Authentication & Authorization Library
However, as for me, it is extremely extended. And while creating my own concept, I would like to learn something more.

https://paragonie.com/blog/2016/02/how-s...rd-in-2016
https://paragonie.com/blog/2015/04/secur...ersistence
#6

I'm working on an application that will run on a local network, so I do not need any super security... it's about basic logging in and checking permissions for the requested resource. I think what I have to do is use the ci_sessions table and the session mechanisms used in CI4. There is a need for a user table with hashed passwords, as well as a table with controller / method permissions... User registration or password recovery is no longer important for me; those are additional functionalities... A good way would be for the CI4 creators to provide an example of how they would introduce a basic login mechanism. Everywhere I've looked, everyone defends against giving an example with the claim that everyone does it individually, but not necessarily optimally and safely...
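As an added example (not code from this thread, nor from Community Auth or CodeIgniter itself), here is skunkbad's rule from post #2 (keep only the user ID in the session and fetch the rest from the database, store passwords only as hashes) combined with the users table and controller/method permissions table described in post #6, in plain PHP with an in-memory SQLite database so it runs outside the framework. The table and column names, the login() and authorize() helpers and the sample user are assumptions made for the example.

```php
<?php
// Added example, not code from the thread: post #2's "only an ID in the session"
// rule plus the users/permissions tables from post #6, in plain PHP with an
// in-memory SQLite database. Table, column and function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, role TEXT)');
$db->exec('CREATE TABLE permissions (role TEXT, controller TEXT, method TEXT)');

// Constructed sample data: store only the password_hash() output, never the password.
$stmt = $db->prepare('INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)');
$stmt->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT), 'editor']);
$db->exec("INSERT INTO permissions VALUES ('editor', 'Articles', 'index'), ('editor', 'Articles', 'edit')");

// Login: verify the hash, then keep nothing but the user's ID in the session.
function login(PDO $db, array &$session, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify against a throwaway hash for unknown users so both paths take similar time.
    $hash = $row ? $row['password_hash'] : password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $hash);
    if (!$row || !$ok) {
        return false;
    }
    $session['user_id'] = (int) $row['id'];
    return true;
}

// Per-request check a base controller would run: load the user by the session ID
// from the database and look up the requested controller/method in permissions.
function authorize(PDO $db, array $session, string $controller, string $method): bool
{
    if (!isset($session['user_id'])) {
        return false; // not logged in
    }
    $sql = 'SELECT COUNT(*) FROM users u JOIN permissions p ON p.role = u.role'
         . ' WHERE u.id = ? AND p.controller = ? AND p.method = ?';
    $stmt = $db->prepare($sql);
    $stmt->execute([$session['user_id'], $controller, $method]);
    return (int) $stmt->fetchColumn() > 0;
}

$session = []; // stands in for the framework's session store
echo login($db, $session, 'alice', 'wrong password') ? "login ok\n" : "login rejected\n";
echo login($db, $session, 'alice', 'correct horse battery staple') ? "login ok\n" : "login rejected\n";
echo authorize($db, $session, 'Articles', 'edit') ? "edit allowed\n" : "edit denied\n";
echo authorize($db, $session, 'Articles', 'delete') ? "delete allowed\n" : "delete denied\n";
```

In a real CI4 base controller the $session array would be the framework session and the permissions lookup would happen once per request before the controller method runs; the same role/controller/method table also covers skunkbad's questions 5 to 7 (logged in, what kind of user, what is it allowed to do).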