I am currently exploring Zend_Auth, part of Zend Framework, but am disappointed with the lack of more advanced features such as nonces, authentication tokens, lock-out, etc. In one of my recent projects, I implemented an authentication and ACL (Access Control List) scheme that has the following features:

  • Salted hashes
  • Automatic IP address lockout
  • Nonces (several types)
  • Authentication tokens (which persist for the entire session)

It would be great if I could abstract this functionality and make a reusable authentication class, but I was curious about whether a feature-rich authentication module already existed, so I could save myself the work. If not, I will most definitely do that.

I suppose my question is this: What (database-based) authentication module/scheme are you currently using, and are you happy with its features? Specifically, is anyone using one that supports the features I listed above?

I look forward to your responses.

Chris Laplante
  • "Complexity is the worst enemy of security." -- Bruce Schneier. – rook Sep 16 '10 at 22:52
  • @Rook: Basic things like `nonces` are not complex. – Chris Laplante Sep 16 '10 at 22:54
  • @SimpleCoder features are not something you want in a security setting. Nonce generation is only a few lines of code, why do you need a library? – rook Sep 17 '10 at 03:02
  • @Rook; `Nonce generation is only a few lines of code, why do you need a library?` I know exactly how to implement a nonce, but that is not the point. I don't want a library for each of these; I'm after a single module like `Zend_Auth` that has all of these features. And you definitely do want `security features`, however, I'm not sure that that's the right phrase. `Layered security` or `multi-faceted security` probably better describes what I'm after. Basically, something more than "log-in, log-out" to protect against things like session hijacking, XSS, etc. – Chris Laplante Sep 17 '10 at 20:54
  • @SimpleCoder So you want a magic wand. – rook Sep 17 '10 at 20:57
  • @Rook; No, I don't believe I said or indicated that. I am simply looking for an authentication module/library for PHP similar to Zend_Auth. – Chris Laplante Sep 17 '10 at 21:01

1 Answer

Funny thing, I was going to answer "Zend Framework!" when I saw this question. I guess that you are already using that.

I've done a lot of what you are doing using ZF as well. True that it is not all made for you, but the parts are there. Honestly, if it was already put together, it would not be flexible and not apply to many use cases. I'd rather make it suit the app I'm building, rather than build my app around it. You can make your code into a library and include that with your other ZF apps.

I'd be interested in other options as well though.

d-_-b