views: 435

answers: 4

If I am to follow "What should a developer know before building a public web site?" on authentication, then what options do I have?

I have never used PEAR, and I'm not about to start. I have read about phpGACL but have yet to try it.

After authentication, rights/access levels kick in. I'm not a big fan of using a single tinyint value which decides what a user can and cannot do; besides, it's not very flexible. I have recently written a section system where I specify what kind of access each user type has, but is there something better?

If you want a language, then PHP5.

+1  A: 

ACL and Auth are the things I'm working on at this very moment. I'm using CakePHP at the moment, and it provides an extensive (albeit not simple) module for ACL, and a simple way to do authentication. I'm interested in answers too.

What I've gathered:

  • Learn to validate input, especially the difference between blacklists and whitelists
  • Consider carefully your email validation pattern
  • Consider what languages you will have to support (pesky little accents, tildes and the like get in the way in names, e.g. Añagaza or Alérta).
  • Roll-your-own or prebuilt?
  • ACL: keep it simple or it could swallow you whole.
  • Careful about CSRF and XSRF!
Adriano Varoli Piazza
A: 

I'm not a big fan of using a single tinyint value which decides what a user can and cannot do, besides its not very flexible.

That depends... Are you referring to using the value as an integer or as a bitfield?

If you're using it simply as a number (level 5 user has all the abilities of level 1-4 users, plus a little more), then, yeah, that's not very flexible.

If you're using it as a bitfield, it gives you 8 (sets of) capabilities which can be turned on or off in any combination for any user. I'd call that flexible. And, if 8 capabilities isn't enough for you, it's trivial to change the tinyint (8 bits) to a smallint (16 bits/capabilities), int (32 bits), or bigint (64 bits), which should be more than sufficient for just about any application most of us are likely to write.

Dave Sherohman
It was the first. I do use int fields as bits for settings and such - things that are on/off.
Kim
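As an added example (not code from the answer or from the question's author), here is how the bitfield approach Dave describes looks in PHP. The capability names, the `caps` column and the sample users are assumptions for illustration; the point is that every check is a masked AND against a single small integer, and the column can still be validated before it is stored:

```php
<?php
// Added example, not from the original post: capability bits packed into one
// integer column. A MySQL TINYINT UNSIGNED holds 0..255, i.e. eight flags
// (a signed TINYINT is -128..127, so declare the column UNSIGNED).
// Capability names, the `caps` column and the sample users are assumptions.

define('CAN_VIEW',   1);   // bit 0
define('CAN_POST',   2);   // bit 1
define('CAN_EDIT',   4);   // bit 2
define('CAN_DELETE', 8);   // bit 3
define('CAN_ADMIN',  128); // bit 7, the last one that fits in eight bits

// A user holds a capability only if every bit of it is set, so passing a
// combined mask (CAN_EDIT | CAN_DELETE) asks "has both", not "has either".
function hasCapability($caps, $required)
{
    return ($caps & $required) === $required;
}

function grant($caps, $capability)
{
    return $caps | $capability;
}

function revoke($caps, $capability)
{
    return $caps & ~$capability;
}

// Refuse to store a mask the column would silently truncate.
function assertFitsTinyintUnsigned($caps)
{
    if (!is_int($caps) || $caps < 0 || $caps > 255) {
        throw new InvalidArgumentException("capability mask $caps does not fit TINYINT UNSIGNED");
    }
    return $caps;
}

// Constructed sample rows standing in for a users table.
$users = array(
    'guest' => CAN_VIEW,
    'kim'   => CAN_VIEW | CAN_POST | CAN_EDIT,
    'root'  => CAN_VIEW | CAN_POST | CAN_EDIT | CAN_DELETE | CAN_ADMIN,
);

foreach ($users as $name => $caps) {
    assertFitsTinyintUnsigned($caps);
    printf("%-5s caps=%3d (%08b) edit=%-3s delete=%s\n",
        $name, $caps, $caps,
        hasCapability($caps, CAN_EDIT) ? 'yes' : 'no',
        hasCapability($caps, CAN_DELETE) ? 'yes' : 'no');
}

// No "level 5 implies levels 1-4": a moderator who may delete but not edit is
// just a different combination of bits.
$moderator = revoke(grant($users['kim'], CAN_DELETE), CAN_EDIT);
assertFitsTinyintUnsigned($moderator);

// The same masked test works in SQL, so "everyone who may delete" is:
//   SELECT name FROM users WHERE (caps & 8) = 8   -- 8 is CAN_DELETE
```

Keep the bit assignments in one place (here the `define`s) and never reuse a retired bit for a new capability, or old rows will silently acquire the new right.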
A: 

Most frameworks have an authentication module built in, so you may want to check out Zend, CakePHP, CodeIgniter, etc.

Also, one thing that tends to get confusing is the difference between escaping and encoding data. Things are a lot more flexible when data is encoded rather than escaped.

Are you suggesting that I take their authentication module and use that? Using a framework is only going to limit me.
Kim
A: 

Authentication is fairly straightforward. Authorization, through an ACL or whatever, can be complex.

Authentication is usually just matching a username and password with stored credentials. Just use SSL and hash passwords using a salt.

Authorization can be a beast and the solution depends on your requirements. You might try phpGACL and the Zend Framework ACL component. Both options have roles, resources, and optional privileges although they are all named differently. The Zend ACL is simpler and more generic (rules can be defined simply in your code and it doesn't require a database). If your roles, resources, and privileges are not static, then with the Zend ACL you'll have to write code to populate the ACL from your data store. The big advantage of phpGACL is that it has a web GUI. I found the GUI clumsy, but unless you really understand your ACL, it can be dangerous to make changes directly in the database considering ACL complexities like role and resource inheritance. Keep in mind that the Zend ACL can be used on its own without any other Zend Framework dependencies besides Zend Exception.

rick
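An added example covering both halves of the answer above; it is not code from the answer, from Zend Framework or from phpGACL. The first part does what "hash passwords using a salt" means with PHP's built-in password_hash()/password_verify() (PHP 5.5 or later), which generate a per-user salt and keep it inside the hash string. The second part is a minimal ACL with roles, resources, privileges, role inheritance and default deny, written here to show the concepts the answer names, not either library's API. The class name SimpleAcl and its methods, and the usernames, passwords and roles, are assumptions:

```php
<?php
// Added example, not from the answer, Zend_Acl or phpGACL. SimpleAcl and its
// methods, and all users, passwords and roles below, are illustrative assumptions.

// --- Part 1: authentication (salted hashing) -------------------------------

function registerUser(array &$credentials, $username, $password)
{
    // bcrypt via PASSWORD_DEFAULT; salt and cost are embedded in the result.
    $credentials[$username] = password_hash($password, PASSWORD_DEFAULT);
}

function authenticate(array &$credentials, $username, $password)
{
    // Verify unknown users against a throwaway hash so response time does
    // not reveal whether the username exists.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('dummy', PASSWORD_DEFAULT);
    }
    $known = isset($credentials[$username]);
    $hash  = $known ? $credentials[$username] : $dummyHash;

    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // Transparently upgrade hashes made with an older cost parameter.
    if (password_needs_rehash($hash, PASSWORD_DEFAULT)) {
        $credentials[$username] = password_hash($password, PASSWORD_DEFAULT);
    }
    return true;
}

// --- Part 2: authorization (roles, resources, privileges) -------------------

class SimpleAcl
{
    private $parents = array(); // role => parent role or null
    private $rules   = array(); // "role|resource|privilege" => true (allow) / false (deny)

    public function addRole($role, $parent = null)
    {
        // Roles are defined once and parents must already exist, which also
        // rules out inheritance cycles.
        if (array_key_exists($role, $this->parents)) {
            throw new InvalidArgumentException("role '$role' already defined");
        }
        if ($parent !== null && !array_key_exists($parent, $this->parents)) {
            throw new InvalidArgumentException("unknown parent role '$parent'");
        }
        $this->parents[$role] = $parent;
        return $this;
    }

    public function allow($role, $resource, $privilege) { return $this->rule($role, $resource, $privilege, true); }
    public function deny($role, $resource, $privilege)  { return $this->rule($role, $resource, $privilege, false); }

    // Default deny: walk from the role up its inheritance chain and apply the
    // nearest explicit rule; no rule anywhere means "no".
    public function isAllowed($role, $resource, $privilege)
    {
        if (!array_key_exists($role, $this->parents)) {
            return false; // unknown role
        }
        for ($r = $role; $r !== null; $r = $this->parents[$r]) {
            $key = "$r|$resource|$privilege";
            if (isset($this->rules[$key])) {
                return $this->rules[$key];
            }
        }
        return false;
    }

    private function rule($role, $resource, $privilege, $allowed)
    {
        if (!array_key_exists($role, $this->parents)) {
            throw new InvalidArgumentException("unknown role '$role'");
        }
        $this->rules["$role|$resource|$privilege"] = $allowed;
        return $this;
    }
}

// --- Constructed usage -----------------------------------------------------
$credentials = array();
registerUser($credentials, 'kim', 'correct horse battery staple');

$acl = new SimpleAcl();
$acl->addRole('guest')->addRole('member', 'guest')->addRole('admin', 'member');
$acl->allow('guest', 'article', 'view')
    ->allow('member', 'article', 'comment')
    ->deny('member', 'article', 'delete')
    ->allow('admin', 'article', 'delete'); // admin's own rule shadows member's inherited deny

$userRoles = array('kim' => 'member');
if (authenticate($credentials, 'kim', 'correct horse battery staple')) {
    foreach (array('view', 'comment', 'delete') as $privilege) {
        printf("%s may %s article: %s\n", $userRoles['kim'], $privilege,
            $acl->isAllowed($userRoles['kim'], 'article', $privilege) ? 'yes' : 'no');
    }
}
```

Because the ACL is plain data (a parent map and a rule map), it can be populated from a database at request time, which is the case the answer flags for the Zend ACL; the important properties to preserve when doing so are default deny and the ordering rule that a role's own entry beats anything it inherits.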