Author Topic: My CodeIgniter Auth / User Management  (Read 3950 times)

sKunKbad (Topic starter)

  • Devotee
  • Posts: 1,477
  • Gender: Male
    • View Profile
    • Brian's Web Design - Temecula
My CodeIgniter Auth / User Management
« on: August 29, 2009, 12:04:54 PM »
Many hours of work have finally produced V1 of an Auth / User Management system that I made for CI. I am not claiming to be a security expert, but I tried to study and make the Auth as secure as possible. Many people have downloaded it, but so far I haven't heard back any comments, other than the code looks clean, and that maybe I overdid it a little.

I'd really appreciate some feedback on the system, and how secure or not secure it really is. While it does have some features common to typical auth systems, I'd like to have a real assessment of potential vulnerabilities before going further. Any other comments are also appreciated.

If you're interested, please check out the system; download available from http://auth.brianswebdesign.com

Thanks
« Last Edit: August 29, 2009, 12:07:17 PM by sKunKbad »
Brian's Web Design - Temecula

Freedom is only available through death.

thorpe

  • Administrator
  • 'Mind Boggling!'
  • *
  • Posts: 29,256
    • View Profile
Re: My CodeIgniter Auth / User Management
« Reply #1 on: August 29, 2009, 08:56:09 PM »
Are there any docs around or a subversion browser or something?

thorpe
Re: My CodeIgniter Auth / User Management
« Reply #2 on: August 29, 2009, 09:00:22 PM »
I'm not a CodeIgniter user, but is this meant to be an extension to the framework or an application built with the framework?

Just looking at the directory structure....

.
|-- application
|   |-- config
|   |   |-- autoload.php
|   |   |-- config.php
|   |   |-- hooks.php
|   |   `-- routes.php
|   |-- controllers
|   |   |-- administration.php
|   |   |-- home.php
|   |   |-- register.php
|   |   |-- sudo.php
|   |   `-- user.php
|   |-- helpers
|   |   `-- MY_url_helper.php
|   |-- hooks
|   |   |-- my_session_start_hook.php
|   |   `-- my_site_definitions_hook.php
|   |-- language
|   |   `-- english
|   |       `-- authentication_lang.php
|   |-- libraries
|   |   |-- Authentication.php
|   |   `-- MY_Form_validation.php
|   |-- models
|   |   |-- administrative_functions.php
|   |   |-- formval_callbacks.php
|   |   |-- manage_users.php
|   |   `-- registration_functions.php
|   `-- views
|       |-- administration
|       |   |-- admin_menu.php
|       |   |-- create_user.php
|       |   |-- sort_users.php
|       |   |-- update_user.php
|       |   `-- users_table.php
|       |-- home
|       |   |-- column_a.php
|       |   `-- column_a_2.php
|       |-- register
|       |   |-- notify_admin_email.php
|       |   |-- registration_email.php
|       |   |-- registration_form.php
|       |   |-- settings.php
|       |   `-- show_pending.php
|       |-- template_content.php
|       `-- user
|           |-- choose_password_form.php
|           |-- column_a.php
|           |-- login_form.php
|           `-- recover_form.php
|-- css
|   |-- community_auth.css
|   `-- yui-reset-fonts-2.6.0.css
|-- img
|   `-- community_auth
|       |-- Thumbs.db
|       |-- bg.gif
|       `-- info.jpg
|-- readme.txt
`-- sql
    `-- community_auth.sql

It appears you have dumped a heap of files into userland.

sKunKbad (Topic starter)
Re: My CodeIgniter Auth / User Management
« Reply #3 on: August 29, 2009, 09:33:16 PM »
This is an extension. If necessary, the whole application directory can be moved above root. While my readme file doesn't recommend this, it is worth noting that this only requires changing a single configuration setting in index.php (already noted in the readme).

Thanks for commenting. I'll make sure to change the readme to suggest that above root is obviously a better place for the application directory.
« Last Edit: August 29, 2009, 09:43:15 PM by sKunKbad »

thorpe
Re: My CodeIgniter Auth / User Management
« Reply #4 on: August 29, 2009, 11:37:13 PM »
Looks more like an application than an extension.

sKunKbad (Topic starter)
Re: My CodeIgniter Auth / User Management
« Reply #5 on: August 29, 2009, 11:52:55 PM »
Well, it is what it is. I know, because you have helped me before, that you are very smart. If you see anything wrong please let me know.

thorpe
Re: My CodeIgniter Auth / User Management
« Reply #6 on: August 30, 2009, 12:48:49 AM »
I haven't had a real good look, but it seems if I were a CodeIgniter user the only part of your code I might find useful (and reusable) would be the actual Authentication library. Even then though, there are references to Brian's Web Design which would need to be removed.

The rest of it IMO, should be thrown out and rebuilt by the developer. If you were asking opinions on an Auth script you made with CI instead of for CI my opinion might be different. As it is, it's far too much of an application than any type of extension, most of which isn't likely to fit anyone else's needs except yours.

sKunKbad (Topic starter)
Re: My CodeIgniter Auth / User Management
« Reply #7 on: August 30, 2009, 01:03:24 AM »
It's not really my intention to have people use it without modification. The chances of somebody needing it as-is are very slim; however, there are always people asking how to log people in, and how to manage users. How to register and how to do a password recovery are common topics too. I'm happy to help people, so if anyone can use it, or use it as an example when they can't figure something out, then I'll be happy with that.