views: 45
answers: 2

I'm working on the login system for a PHP web app. I'm aware of the dangers of rolling your own system, so I'm hoping to use a pre-built library of some kind.

I have seen zend_auth recommended in several places. I have also heard that zend_auth can be used independent of the rest of the Zend framework. This would be preferable, as my app does not rely on any frameworks, and I am reluctant to install an entire framework purely for auth.

I have no previous experience with Zend and I am finding the documentation in the manual a bit confusing. I am wondering: Does anyone know of any resources that would be helpful in explaining how to set up a simple authentication system based on zend_auth but that does not rely on the rest of the Zend framework?

Thanks for your help,

+1  A: 

I'm aware of the dangers of rolling your own system

...

I am finding the documentation in the manual a bit confusing

Then it's not the right solution for exactly the reasons you've stated. If you don't understand how to use it properly it will never be secure and you can't provide any warranty that it is fit for purpose.

You might consider paying Zend for a support contract and asking for help.

There are other issues with using off-the-shelf code. If there is a defect in it, it's difficult to identify, difficult to resolve, and then difficult to merge back the vendor's fixes. Also, while this is really an argument for security by obscurity (and therefore not a well-grounded one), the code you write is not visible to any potential attacker until you publish it (if ever), whereas with an off-the-shelf product supplied as source, if there is a vulnerability then any script kiddie can run an attack against your site.

C.

symcbean
A: 

The most important thing for secure authentication/authorization is the concept where the whole application has only a single entry point, like an index.php that everything is rewritten to. Otherwise you have to take care that each file being called properly includes and checks the authorization etc.

zend_auth itself won't really give you any extra security. It's more like an interface which can be connected to anything. So what it does is mostly that your application(s) always use the same code for authentication/authorization but can rely on different data.

zolex
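The two points above (a single index.php entry point, and Zend_Auth as an interface you connect to your own data) in working form, as an added example that is not part of either answer. It assumes the Zend Framework 1 library directory (at least Zend/Auth, Zend/Session and Zend/Exception, which Zend_Auth's default session storage pulls in) is on the include_path at the placeholder path shown; the adapter class and the user table are constructed for the example.

```php
<?php
// index.php: single entry point. Every request is rewritten here, so the
// identity check near the bottom runs before any page content is served.
// Placeholder path: point this at the ZF1 "library" directory.
set_include_path('/path/to/ZendFramework/library' . PATH_SEPARATOR . get_include_path());
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Result.php';

// Hypothetical adapter: Zend_Auth only defines the interface, so the actual
// credential check is supplied here against a constructed username => hash map.
class ArrayPasswordAdapter implements Zend_Auth_Adapter_Interface
{
    private $users;     // username => password_hash() output
    private $username;
    private $password;

    public function __construct(array $users, $username, $password)
    {
        $this->users    = $users;
        $this->username = $username;
        $this->password = $password;
    }

    public function authenticate()
    {
        // Same generic message for both failure cases so the login form
        // cannot be used to enumerate which usernames exist.
        if (!isset($this->users[$this->username])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null, array('Invalid credentials'));
        }
        if (!password_verify($this->password, $this->users[$this->username])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null, array('Invalid credentials'));
        }
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $this->username);
    }
}

// Constructed sample user; in a real app the hash is stored at registration time.
$users = array('alice' => password_hash('correct horse', PASSWORD_DEFAULT));
$auth  = Zend_Auth::getInstance(); // identity is persisted in the session by default

if (isset($_POST['username'], $_POST['password'])) {
    $result = $auth->authenticate(new ArrayPasswordAdapter($users, $_POST['username'], $_POST['password']));
    if (!$result->isValid()) {
        header('HTTP/1.1 401 Unauthorized');
        exit(implode(' ', $result->getMessages()));
    }
}
if (!$auth->hasIdentity()) { exit('Please log in.'); } // every route passes through this check
echo 'Logged in as ' . htmlspecialchars($auth->getIdentity());
```

Swapping the adapter (for a database table, LDAP, etc.) changes nothing in the entry point, which is the reuse the second answer describes.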