php - How should I choose an authentication library for CodeIgniter?

Reposted; author: 行者123; updated: 2023-12-01 16:10:28

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.

Want to improve this question? Update the question so it is on-topic for Stack Overflow.

Closed 6 years ago.

I see there are a few. Which of them are easy to maintain and easy to use? What are their pros and cons?

Best answer

Update (May 14, 2010):
As it turns out, Russian developer Ilya Konyukhov took up the challenge after reading this and created a new authentication library for CI based on DX Auth, following the recommendations and requirements below.
And the resulting Tank Auth looks like the answer to the OP's question. I'm going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today. It's a rock-solid library with all the features you need and none of the bloat you don't:
Tank Auth

Pros

  • Full featured
  • Lean footprint (20 files) considering the feature set
  • Very good documentation
  • Simple and elegant database design (just 4 DB tables)
  • Most features are optional and easily configured
  • Language file support
  • reCAPTCHA supported
  • Hooks into CI's validation system
  • Activation emails
  • Login with email, username or both (configurable)
  • Unactivated accounts auto-expire
  • Simple yet effective error handling
  • Uses phpass for hashing (and also hashes autologin codes in the DB)
  • Does not use security questions
  • Separation of user and profile data is very nice
  • Very reasonable security model around failed login attempts (good protection against bots and DoS attacks)

(Minor) Cons

  • Lost password codes are not hashed in DB
  • Includes a native (poor) CAPTCHA, which is nice for those who don't want to depend on the (Google-owned) reCAPTCHA service, but it really isn't secure enough
  • Very sparse online documentation (minor issue here, since the code is nicely documented and intuitive)

Download Tank Auth here

Original answer:
I've implemented my own as well (currently about 80% done after a few weeks of work). I tried all the others first: FreakAuth Light, DX Auth, Redux, SimpleLogin, SimpleLoginSecure, pc_user, Fresh Powered, and more. None of them made the cut, IMO; either they lacked basic features, were inherently insecure, or were too bloated for my taste.
Actually, I made a detailed roundup of all the authentication libraries for CodeIgniter while testing them (just after New Year). FWIW, I'll share it with you:
DX Auth

Pros

  • Very full featured
  • Medium footprint (25+ files), but manages to feel quite slim
  • Excellent documentation, although some is in slightly broken English
  • Language file support
  • reCAPTCHA supported
  • Hooks into CI's validation system
  • Activation emails
  • Unactivated accounts auto-expire
  • Suggests grc.com for salts (not bad for a PRNG)
  • Banning with stored 'reason' strings
  • Simple yet effective error handling

Cons

  • Only lets users 'reset' a lost password (rather than letting them pick a new one upon reactivation)
  • Homebrew pseudo-event model - good intention, but misses the mark
  • Two password fields in the user table, bad style
  • Uses two separate user tables (one for 'temp' users - ambiguous and redundant)
  • Uses potentially unsafe md5 hashing
  • Failed login attempts only stored by IP, not by username - unsafe!
  • Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext!
  • Role system is a complete mess: is_admin function with hard-coded role names, is_role a complete mess, check_uri_permissions is a mess, the whole permissions table is a bad idea (a URI can change and render pages unprotected; permissions should always be stored exactly where the sensitive logic is). Dealbreaker!
  • Includes a native (poor) CAPTCHA
  • reCAPTCHA function interface is messy

FreakAuth Light

Pros

  • Very full featured
  • Mostly quite well documented code
  • Separation of user and profile data is a nice touch
  • Hooks into CI's validation system
  • Activation emails
  • Language file support
  • Actively developed

Cons

  • Feels a bit bloated (50+ files)
  • And yet it lacks automatic cookie login (!)
  • Doesn't support logins with both username and email
  • Seems to have issues with UTF-8 characters
  • Requires a lot of autoloading (impeding performance)
  • Badly micromanaged config file
  • Terrible View-Controller separation, with lots of program logic in views and output hard-coded into controllers. Dealbreaker!
  • Poor HTML code in the included views
  • Includes substandard CAPTCHA
  • Commented debug echoes everywhere
  • Forces a specific folder structure
  • Forces a specific Ajax library (can be switched, but shouldn't be there in the first place)
  • No max limit on login attempts - VERY unsafe! Dealbreaker!
  • Hijacks form validation
  • Uses potentially unsafe md5 hashing

pc_user

Pros

  • Good feature set for its tiny footprint
  • Lightweight, no bloat (3 files)
  • Elegant automatic cookie login
  • Comes with optional test implementation (nice touch)

Cons

  • Uses the old CI database syntax (less safe)
  • Doesn't hook into CI's validation system
  • Kinda unintuitive status (role) system (indexes upside down - impractical)
  • Uses potentially unsafe sha1 hashing

Fresh Powered

Pros

  • Small footprint (6 files)

Cons

  • Lacks a lot of essential features. Dealbreaker!
  • Everything is hard-coded. Dealbreaker!

Redux / Ion Auth
According to the CodeIgniter wiki, Redux has been discontinued, but the Ion Auth fork is going strong: https://github.com/benedmunds/CodeIgniter-Ion-Auth
Ion Auth is a well-featured library that is not too heavy or over-advanced. In most cases its feature set will more than meet a project's requirements.

Pros

  • Lightweight and simple to integrate with CodeIgniter
  • Supports sending emails directly from the library
  • Well documented online and good active dev/user community
  • Simple to implement into a project

Cons

  • More complex DB schema than some others
  • Documentation lacks detail in some areas

SimpleLoginSecure

Pros

  • Tiny footprint (4 files)
  • Minimalistic, absolutely no bloat
  • Uses phpass for hashing (excellent)

Cons

  • Only login, logout, create and delete
  • Lacks a lot of essential features. Dealbreaker!
  • More of a starting point than a library


Don't get me wrong: I don't mean to disrespect any of the above libraries; I'm very impressed with what their developers have achieved and how far each of them has come, and I haven't reused any of their code to build my own. What I'm saying is that sometimes, in these projects, the focus shifts from the basic "must-haves" (such as hard security practices) to the softer "nice-to-haves", and that is what I'm hoping to remedy.
So: back to basics.
Authentication for CodeIgniter done right
Here is the minimal list of features I require from an authentication library. It also happens to be a subset of my own library's feature list ;)
  1. Tiny footprint with optional test implementation
  2. Full documentation
  3. No autoloading required. Just-in-time loading of libraries for performance
  4. Language file support; no hard-coded strings
  5. reCAPTCHA supported but optional
  6. Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
  7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
  8. Login using either username or email
  9. Separation of user and profile data
  10. Emails for activation and lost passwords
  11. Automatic cookie login feature
  12. Configurable phpass for hashing (properly salted of course!)
  13. Hashing of passwords
  14. Hashing of autologin codes
  15. Hashing of lost password codes
  16. Hooks into CI's validation system
  17. NO security questions!
  18. Enforced strong password policy server-side, with optional client-side (Javascript) validator
  19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
  20. All database access done through prepared (bound) statements!

Note: the last few points are not ultra-high-security overkill that your web application doesn't need. If an authentication library does not meet these security standards 100%, DON'T USE IT!
Recent high-profile examples of irresponsible programmers leaving these out of their software: #17 is how Sarah Palin's AOL email was hacked during the presidential campaign; a nasty combination of #18 and #19 was the culprit when the Twitter accounts of Britney Spears, Barack Obama, Fox News and others were recently hacked; and #20 alone is how Chinese hackers stole 9 million pieces of personal information from more than 70,000 Korean websites in a single automated attack in 2008.
These attacks are not brain surgery. If you leave your back door wide open, you shouldn't lull yourself into a false sense of security by bolting the front door. Moreover, if you are serious enough about coding to choose a best-practices framework like CodeIgniter, you should at least get the most basic security measures right.

<rant>
Basically, it comes down to this: I don't care whether an auth library offers a bunch of features, advanced role management, PHP4 compatibility, pretty CAPTCHA fonts, country tables, a full admin panel, bells and whistles, if the library makes my site less secure by not following best practices. It's an authentication package; it needs to do one thing right: authentication. If it doesn't do that, it's actually doing more harm than good.

/Jens Roland
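As an added illustration of points 11, 14, 19 and 20 from the list in that answer (example code written for this page, not code from the answer or from any of the libraries it reviews; the `Auth` class, the table and column names, and the lockout numbers are assumptions):

```php
<?php
// Added example, not code from the answer above or any library it reviews. Covers points
// 11, 14, 19 and 20 with plain PDO: autologin tokens stored only as hashes, failed logins
// counted per username with a timed (not permanent) lockout so a dictionary attack stalls
// but a victim cannot be locked out for good, and every query a prepared statement.
// Hypothetical schema: users(id, username, pass_hash, failed_attempts, locked_until),
// autologin(user_id, token_hash, expires); pass_hash comes from password_hash().
final class Auth
{
    private const MAX_ATTEMPTS = 5;               // consecutive failures before lockout
    private const LOCKOUT_SECONDS = 900;          // account unlocks itself after 15 minutes
    private const AUTOLOGIN_SECONDS = 30 * 86400;
    public function __construct(private PDO $db) {}

    // User id on success; null for unknown user, wrong password or locked account
    // (one answer for all three, so the response does not reveal which it was).
    public function login(string $username, string $password): ?int
    {
        $stmt = $this->db->prepare('SELECT id, pass_hash, failed_attempts, locked_until FROM users WHERE username = ?');
        $stmt->execute([$username]);
        $u = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($u === false || ($u['locked_until'] !== null && strtotime($u['locked_until']) > time())) {
            return null;
        }
        if (!password_verify($password, $u['pass_hash'])) {
            $n = (int)$u['failed_attempts'] + 1;
            $until = $n >= self::MAX_ATTEMPTS ? date('Y-m-d H:i:s', time() + self::LOCKOUT_SECONDS) : null;
            $this->db->prepare('UPDATE users SET failed_attempts = ?, locked_until = ? WHERE id = ?')
                     ->execute([$n, $until, $u['id']]);
            return null;
        }
        $this->db->prepare('UPDATE users SET failed_attempts = 0, locked_until = NULL WHERE id = ?')
                 ->execute([$u['id']]);
        return (int)$u['id'];
    }

    // The cookie receives the random token; the database keeps only its SHA-256 hash, so a
    // dumped table cannot be turned into valid autologin cookies (point 14).
    public function issueAutologin(int $userId): string
    {
        $token = bin2hex(random_bytes(32));
        $this->db->prepare('INSERT INTO autologin (user_id, token_hash, expires) VALUES (?, ?, ?)')
                 ->execute([$userId, hash('sha256', $token), date('Y-m-d H:i:s', time() + self::AUTOLOGIN_SECONDS)]);
        return $token; // caller sets it as an HttpOnly, Secure cookie
    }

    public function checkAutologin(string $token): ?int
    {
        $stmt = $this->db->prepare('SELECT user_id FROM autologin WHERE token_hash = ? AND expires > NOW()');
        $stmt->execute([hash('sha256', $token)]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : (int)$row['user_id'];
    }
}
```

The `NOW()` comparison assumes a MySQL-style backend; a 32-byte random token has enough entropy that a plain SHA-256 of it (rather than a slow salted hash) is sufficient for storage.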

Source for "php - How should I choose an authentication library for CodeIgniter?": a similar question on Stack Overflow: https://stackoverflow.com/questions/346980/
