• 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Is Flexi Auth Secure and Reliable?

#1
Star 
Hello,

I have been searching for a user management script for the last month, i bought 6 scripts from ...some... php market, but all where huge failures,
some used MD5 with no salt, some used mysql_query with no escape at all, the things i have seen in these scripts were scarier than horror movies, and they all claimed to be Fully Secured and Professional

I also tested many CI systems, they were good but some had BruteForce vulnerablity, some had other issues..

Best one i found yet is Flexi Auth, it has most of the requirements,

But i am not a Security Expert,

If there are any CI/Security Experts here, have you checked this library?

1. Is it fully secure against "SQL Injection", XSS, CSRF , Session/Cookie Attacks , BruteForce etc?
2. Is it reliable for large projects with a lot of users? (will it become too slow, i mean the logic programmer used on database/retreiving data) etc
Reply

#2
Hello Again,

If any security expert see this, please just give me a brief overview of FlexiAuth
because old CI forum is down and i can't find any other sources
Reply

#3
Hi noobie.

I ran into a similar issue not so long ago with looking for an auth system. I ran into flexi auth and really liked it too but it seems the original author is no longer active. I've decided to maintain a fork so that the framework can become more mature over time here: flexi-auth/jeteon.

From the work so far I can tell you this much:
  • As far as I know it makes use of the CI database abstraction quite extensively, so it should have any SQL injection protection provided by that
  • Session and cookies are managed using the CI system which can encrypt the cookies and also creates a copy of the cookie in the database in order to prevent manipulation of the cookie you send (but you have to activate this in the CI config)
  • The system by default allows you to set a maximum number of incorrect login entries after which the user will be suspended for some time with that time increasing after each permitted period so it would discourage brute force attacks
  • I can't comment on XSS or CSRF, but from my limited exposure, these would be more front-end vulnerabilities than anything
  • I think its ok for a moderate number of users. I can't comment on the scalability with number of users. What counts as "large" to you?

I know it has short comings but please help me improve it by submitting  issues and pull requests, if you can to the link above.

Jeteon
Reply

#4
I can highly recommend taking a look at Ion Auth. It is regarded as the one of most secure and best auth library for CI.

I have personally used it on multiple projects, and passing corporation level security tests. (Obviously, this will also depend on how good the rest of your own code is)

Regarding security:
  • The library use CI database active records that do SQL injection protection.
  • XSS is up to you when you do the form validations (the library provides good example code)
  • CSRF is also up to you and how you implement it. (again, the library has good example code)
  • It stores cookies/sessions using the CI session library, allowing you to encrypt them
  • It has functionality for maximum allowed login attempts.
  • I don't know what "a lot of users" is for you, I have used the library that has between 4-5000 users without any issues.
Reply

#5
Brick 
Yoo...no doubt its cool
Rolleyes
Reply


Digg   Delicious   Reddit   Facebook   Twitter   StumbleUpon  


  Theme ¬© 2014 iAndrew  
Powered By MyBB, © 2002-2019 MyBB Group.