1

Has anybody tried out the simpleloginsecure authentication library for CodeIgniter? I like that it has such a small footprint. Also, it uses phpass for hashing, which is supposed to be good. I am concerned that it does not store session data in the database (i.e. $config['sess_use_database'] = FALSE;). I guess I could add custom functionality. But if the hashing is secure, is it still important to validate session data, or is it OK not to store it in the db?

oym

2 Answers

2

I am sure simpleloginsecure is secure enough for production use for most smaller applications. This has become the authoritative post on CodeIgniter authentication libraries. It has a rundown of all the pros and cons of the major libraries, including simpleloginsecure:

How should I choose an authentication library for CodeIgniter?

Update: Also, zend-auth (courtesy of the Zend Framework) is supposed to be very good, and can be integrated into CodeIgniter. I am working on integrating it myself for one of my side projects: http://freakauth.4webby.com/tutorials/using-zend-framework-components-in-code-igniter

Stephen Fuhry
  • I used that tutorial to integrate Zend Auth with CI 1.7.1 just last week. Worked without any real hitches; been using it in Dev without any problems. Haven't tested it in the real world yet. – rooskie Jul 27 '09 at 15:48
0

Provided there are no glaring SQL injection vulnerabilities, and the passwords are salted before encryption, I wouldn't hesitate to use the library.

Sessions on the filesystem are only really a problem if you are running your application on multiple servers. You can extend PHP's inbuilt session handler to use the database, anyway.

Thomas R