Another simple login library for CodeIgniter 2.X
#1

[eluser]costales[/eluser]
Hi! I would like to announce the release of another simple login library for CodeIgniter 2.X, based on Anthony Graddy & Alex Dunae & Hitesh Ubharani's versions.

Code: http://bazaar.launchpad.net/~costales/si...nk/files/7
Web: https://launchpad.net/simplelogincodeigniter
Bugs: https://bugs.launchpad.net/simplelogincodeigniter
Answers: https://answers.launchpad.net/simplelogincodeigniter

You can read the 'reference.html' file for a complete explanation and a complete example.

In summary, these are the new methods:
is_logged: Returns whether the user is logged in
get_data_user: Returns the current username or email
change_password: Allows changing/resetting the password for a user
change_email: Changes the email for a user

Cheers!
#2

[eluser]Unknown[/eluser]
Unsure where I see the code?
#3

[eluser]costales[/eluser]
@martinez3 You can browse the trunk branch or you can download with Bazaar:
Code:
bzr branch lp:simplelogincodeigniter

Best regards
#4

[eluser]jmadsen[/eluser]
A few comments:

1) you should set up the table fields the same way you did the table to allow people to use it with their existing table

2) md5 for passwords is simply not strong enough anymore. At least give the option of using bcrypt

3) likewise, adding a salt is not very complicated

4) autologin is great - too many leave that out & always have to hack it. good feature add

5) if they are using the session table, then every set() & get() is a db call, so combine those logged_in sets with the rest

6) I guess this still works, but:
Code:
$this->CI->db->where('username', $user);
$query = $this->CI->db->get_where($this->user_table);

could be:
Code:
$query = $this->CI->db->where('username', $user)->get($this->user_table);

7) up to you, but this sets the entire user table row to the session:
Code:
$this->CI->session->set_userdata($row);

which could be just fine, or could be quite big. perhaps configurable?

8) Why are you setting a session var of "logged_in" and then not using it?

Code:
function is_logged() {
    if ($this->CI->session->userdata('username'))
        return TRUE;
    else
        return FALSE;
}

9) This is a nice idea:
Code:
function get_data_user($param = 'username') {
    if ($param == 'username')
        return $this->CI->session->userdata('username');
    if ($param == 'email')
        return $this->CI->session->userdata('email');

    return '';
}

but why not just let it look up ANY $param off the session? ie, (untested)

Code:
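function get_data_user($param = 'username') {
    // CodeIgniter 2.x: all_userdata() returns the whole session array
    // (userdata() requires an item name in 2.x)
    $session = $this->CI->session->all_userdata();
    return (empty($session[$param])) ? false : $session[$param];
}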
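
Added example (not part of any post in this thread, and not the library's code): one way to act on points 2, 3 and 7 of the review above, moving unsalted MD5 hashes to bcrypt at login and copying only whitelisted columns into the session. The function names `verify_and_upgrade` and `session_fields`, the cost of 12 and the sample row are assumptions; it needs PHP 5.6 or later.

```php
<?php
// Added example, not from the simplelogin library. Requires PHP >= 5.6
// (password_hash, password_verify, password_needs_rehash, hash_equals).

// Verify a password against a stored hash that is either legacy unsalted
// MD5 (32 hex chars) or bcrypt. Returns array(ok, new_hash_or_null);
// new_hash is set when the stored value should be replaced in the database.
function verify_and_upgrade($password, $stored)
{
    $is_legacy_md5 = (bool) preg_match('/^[a-f0-9]{32}$/i', $stored);

    if ($is_legacy_md5) {
        // Constant-time comparison of the legacy digest.
        $ok = hash_equals(strtolower($stored), md5($password));
    } else {
        // bcrypt: the per-user random salt and the cost are embedded in the hash.
        $ok = password_verify($password, $stored);
    }

    if (!$ok) {
        return array(false, null);
    }

    // Re-hash on successful login if the hash is MD5 or uses an older cost.
    $options = array('cost' => 12); // assumed work factor, tune per server
    if ($is_legacy_md5 || password_needs_rehash($stored, PASSWORD_BCRYPT, $options)) {
        return array(true, password_hash($password, PASSWORD_BCRYPT, $options));
    }
    return array(true, null);
}

// Copy only whitelisted columns into the session, never the password hash.
function session_fields(array $row, array $allowed = array('username', 'email'))
{
    return array_intersect_key($row, array_flip($allowed));
}

// Constructed sample row, as a users-table row might look before migration.
$row = array('id' => 7, 'username' => 'alice', 'email' => 'alice@example.test',
             'password' => md5('correct horse'));

list($ok, $new_hash) = verify_and_upgrade('correct horse', $row['password']);
var_dump($ok);                                         // login result
var_dump(password_verify('correct horse', $new_hash)); // upgraded hash verifies
var_dump(session_fields($row));                        // what would go to set_userdata()
```

The password column must be wide enough for the 60-character bcrypt string before upgraded hashes are written back.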


#5

[eluser]costales[/eluser]
@jmadsen Awesome review! Thank you very much!

About the changes:
1. The original library uses the username field; the fork libraries use the email field. So I think it is complicated to fix this point.
2. Fixed.
3. Fixed.
4. That isn't my idea. It was implemented in the original libraries.
5. Fixed > Removed the variable (read next point 8).
6. Fixed.
7. Fixed.
8. Fixed > It wasn't necessary.
9. I think a program could need the username and/or email, and it doesn't need an internal value such as the 'id' field, and returning the password could be a vulnerability.

Cheers!
#6

[eluser]jmadsen[/eluser]
Hey,

Haven't looked at changes yet, but what I had in mind for 1) was just set

Code:
private $username = 'username';

and then use

$this->username

as your field, rather than hard-coding the field name. Then anyone can change it to suit them, just like they can do with the users table name
#7

[eluser]costales[/eluser]
@jmadsen: Point 1 fixed!
http://bazaar.launchpad.net/~costales/si...nk/files/7
I really appreciate your review!!
Cheers!