views:

412

answers:

2

Has anybody tried out simpleloginsecure authentication library for codeigniter? I like that it has such a small footprint. Also it uses phpass for hashing which is supposed to be good. I am concerned that it does not store session data in the database (i.e. $config['sess_use_database'] = FALSE;). I guess I could add custom functionality. But if the hashing is secure is it still important to validate session data or is it ok not to store it in the db?

A: 

Hi there,

Provided there are no glaring SQL injection vulnerabilities, and the passwords are salted before encyption, I wouldn't hesitate to use the library.

Sessions on the filesystem is only really a problem if you are running your application on multiple servers. You can extend PHP's inbuilt session handler to use the database, anyway.

Tom R
+2  A: 

I am sure simpleloginsecure is secure enough for production use for most smaller applications. This has become the authoritative post on Codeigniter authentication libraries.. it has a rundown of all the pros-cons of the major libraries, including simpleloginsecure:

http://stackoverflow.com/questions/346980/what-code-igniter-authentication-library-is-best/476902#476902

Update: Also, zend-auth (courtesy of the zend framework) is supposed to be very good, and can be integrated into Codeigniter. I am working on integrating it myself for one of my side projects: http://freakauth.4webby.com/tutorials/using-zend-framework-components-in-code-igniter

Stephen J. Fuhry
I used that tutorial to integrate Zend Auth with CI 1.7.1 just last week. Worked without any real hitches; been using it in Dev without any problems. Haven't tested it in the real world yet.
rooskie