Tank Auth v1.0 (CI authentication library)
Posted: 07 April 2009 12:13 PM
Joined: 2009-04-07
52 posts

Hi folks,

I’d like to introduce a new authentication library for CI, based on DX Auth.

The original DX Auth is pretty good, although it’s not as convenient to use as it could be. Also it has some leaks in security, which is proved by this test:  What Code Igniter authentication library is best?. Those were the reasons to make it better.

There are some key points of the new lib:

  * Very compact (less than 20 files and 4 DB-tables)
  * Using phpass library for password hashing (instead of unsafe md5).
  * Login using username, email address or both (depending on config settings).
  * Registration is instant or after activation by email (optional).
  * Forgot password (letting users pick a new password upon reactivation).
  * Change password or email for registered users.
  * CAPTCHA support (native and reCAPTCHA are available).

and many more…

Here is the link to the detailed description with installation guide.

And this is a link to the zip-file.

 
Posted: 08 April 2009 03:01 AM   [ # 1 ]
Joined: 2007-07-31
451 posts

First: thanks a bunch for sharing… I definitely appreciate the effort and I’m excited to check Tank Auth out!

So, I feel a little guilty to have to make a somewhat negative comment right off the bat, especially considering that it might seem trivial to some but… If this is based on DX Auth, it’s too bad you went out of your way to replace the well structured Standard compliant markup in the views with some not so well coded table based HTML, with inline styles…

But I don’t want to just criticize, so if you’d like me to help with that part, I’d be more than happy to redo the HTML/CSS in the views for you. Just shoot me an email if you’re interested.


 
Posted: 08 April 2009 06:28 AM   [ # 2 ]
Joined: 2007-06-11
276 posts

one of the few things i would add to this is a kickass access system, especially one that could work on a CMS for instance where the pages are stored in the DB and you might want to lock certain people out of certain pages.

 
Posted: 08 April 2009 08:16 AM   [ # 3 ]
Joined: 2009-04-07
52 posts

minimal design, thank you for the time you’ve spent on Tank Auth. This is my first experience of writing an open library, and I appreciate any comments on it.

What about removing some parts of HTML code from views… Well, I think that the authorization library cannot be used separately, standing alone on a web-server just for user authentication. It should be a part of some project, like social net, blogging platform or something else. So you’ll have to integrate it into code of your web-project and make a proper HTML-layout for every form or warning message—to make it look native for your site. I think that when view-files contain only necessary code then this integration will be much easier. You won’t need to look through dumps of redundant HTML-tags and remove them because they don’t fit your site’s style. You have just to add your own layout (and maybe modify existing code a little bit).

That’s why I removed almost everything from views. :)

On the other side, email templates contain correct HTML-layout (including DOCTYPE), because it’s the part that likely won’t be modified according to the style of your site.

 
Posted: 08 April 2009 12:07 PM   [ # 4 ]
Joined: 2008-07-31
194 posts

I’m thinking about checking this out since it sounds very promising. One thing that always holds me back from using someone else’s auth system is the complications with adding new fields to a user. How hard would it be for me to add say, a field called “hometown” and something like “eye color”. See where I’m going with this? If this won’t be too hard, I’m all up for giving it a run…


 
Posted: 08 April 2009 06:47 PM   [ # 5 ]
Joined: 2009-04-07
52 posts

Hi Iverson,

Adding new fields to a user is very easy. In fact I can do it for you. :) Take a look, there is an old user_profile table structure (from database schema at schema.sql file):

    CREATE TABLE IF NOT EXISTS `user_profiles` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `user_id` int(11) NOT NULL,
      `country` varchar(20) COLLATE utf8_bin DEFAULT NULL,
      `website` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB  DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

To add a couple of new fields (“hometown” and “eye_color”) you need to replace it with this table:

    CREATE TABLE IF NOT EXISTS `user_profiles` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `user_id` int(11) NOT NULL,
      `country` varchar(20) COLLATE utf8_bin DEFAULT NULL,
      `hometown` varchar(40) COLLATE utf8_bin DEFAULT NULL,
      `eye_color` enum('brown','blue','green','orange','black') DEFAULT NULL,
      `website` varchar(255) COLLATE utf8_bin DEFAULT NULL,
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB  DEFAULT CHARSET=utf8 COLLATE=utf8_bin;

And that’s all! When a user is registered, a new record in this table is created automatically (and it is deleted only when the user deletes their account). So I see no problem with adding new fields.

The real problem may be with editing this data. In fact, Tank Auth doesn’t contain a controller or a method to edit user profile. It can only create and delete them. Profile management is beyond this lib version capabilities.

I agree it sounds silly, to create empty profiles without option to fill them, so it should be a 1st To-Do for the next version of the library.

 
Posted: 13 April 2009 07:43 AM   [ # 6 ]
Joined: 2006-04-27
198 posts

Hi, I installed your package,
tried to register,
typed in 10 times the captcha code, that did not work,
then I switched it to case insensitive, did not work…
then I switched the captcha off…
tried to register, had problems with sending mails….
windows xp with xampp, using an external isp as mail server
needed a long time trying to alter the php.ini with smtp_user and smtp_pwd settings,
until I read somewhere that this simply does not work with mail()...
so this problem is gone now,
but do you know why the captcha does not work??

 
Posted: 13 April 2009 08:09 AM   [ # 7 ]
Joined: 2009-04-07
52 posts

Hi gunter,

Tank_Auth uses native CI captcha, which is not perfect. I agree that sometimes it’s very hard to recognize what’s written on it. Moreover, it may show ‘O’ (a letter) or ‘0’ (zero) and there’s no way to distinguish them.

If you met this problem, I would recommend you to play with captcha settings, and firstly to change the font. It’s $config['captcha_fonts_path'] parameter in config-file. There are 5 different fonts available, from 1.ttf to 5.ttf. Try 2.ttf, maybe it will be more convenient to you.

The other way to solve the problem is to use reCaptcha. I use it in my project, and it works fine.

 
Posted: 13 April 2009 08:22 AM   [ # 8 ]
Joined: 2006-04-27
198 posts

thanks, now it works!
the unreadable font was exactly the problem!!!

 
Posted: 14 April 2009 02:50 PM   [ # 9 ]
Joined: 2008-11-05
22 posts

Where did the role_id run off to? Are roles managed another way? Otherwise I’ll just write roles myself.

 
Posted: 14 April 2009 06:29 PM   [ # 10 ]
Joined: 2009-04-07
52 posts

The lib contains only core auth methods. Sorry, role management is out of them.

 
Posted: 15 April 2009 05:39 AM   [ # 11 ]
Joined: 2008-06-26
22 posts

Looks good, @work so can’t check this out til later :(

Is there a live demo of this online anywhere? :D

Thanks again dude, this sounds promising

 
Posted: 15 April 2009 04:19 PM   [ # 12 ]
Joined: 2008-11-20
4 posts

Thank you, Gromozeka! When I was looking for an authorization library several months ago, I also stumbled on that StackOverflow page and decided to go for DX Auth.

Unfortunately though, I wasn’t completely happy with the library. The 8 db tables, the lack of password security and the (unneeded) roles & permission features were just a few examples of that.

Tank Auth seems to be just what I was looking for! You’ve got all my support on this one :)

I haven’t looked at the code in too much detail yet, so can’t judge on that one. Two little remarks though. E-mail/username field seems to be case-sensitive. Logging in without capitalization (laurentvw instead of Laurentvw) failed. You may want to fix that.
Also, the captcha image isn’t displaying. But I also had that problem when using DX Auth. Not sure why, I’m probably doing something wrong (I did chmod /captcha to 777), but it doesn’t matter too much for me since I disabled captcha.

Anyway, thanks for the great library, good job!

Edit:
I managed to inject this using the user field on the login form: '; foo ' (which resulted in a SQL error)
Related to:

    function get_user_by_login($login, $activated = NULL)
    {
        $req = "(username='".$login."' OR email='".$login."')";
        //...
    }
 
Posted: 16 April 2009 10:44 AM   [ # 13 ]
Joined: 2009-04-07
52 posts

Hi Laurentvw,

Thank you for your support and for the time you’ve spent to work with Tank Auth. :)

I’ve fixed the issues you found. Now email and username fields are case-insensitive (so both ‘laurentvw’ and ‘Laurentvw’ will work). SQL-injection is also fixed. Please download the latest version (1.0.2) from the same location:

http://konyukhov.com/soft/tank_auth/tank_auth.zip

About captcha: I met the same problem with CAPTCHA while working with DX Auth, so maybe my experience will be useful for you. There were 2 problems: 1) server was unable to create captcha-files, and 2) browser was unable to show them.

The solution for 1st one was to fix write-rights for the captcha folder. Please notice, the path in the config-file is absolute and server-related. So if you set it this way: $config['captcha_path'] = 'img/captcha/'; then you will have to create folder img (with writable folder captcha inside) in the same directory where your system folder is.

If the captcha-images are being created in this folder but the browser cannot render them, I recommend you to check your htaccess file—maybe access to your captcha folder is not permitted (as it was in my case).

Hope that it will help you. :)
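
The fix discussed in posts #12 and #13, sketched as an added example (not Tank Auth's code and not posted by anyone in this thread): the concatenated query from the report next to a bound-parameter lookup with a case-insensitive match. It assumes PDO with an in-memory SQLite database; the users table, the sample row and both function names are constructed for illustration.

```php
<?php
// Added example, not Tank Auth code. Schema and sample row are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT, activated INTEGER)");
$db->exec("INSERT INTO users (username, email, activated) VALUES ('Laurentvw', 'laurent@example.test', 1)");

// Before: the login value becomes part of the SQL text, as in the excerpt quoted in post #12.
function get_user_by_login_concat(PDO $db, $login)
{
    $req = "(username='" . $login . "' OR email='" . $login . "')";
    return $db->query("SELECT * FROM users WHERE " . $req)->fetch(PDO::FETCH_ASSOC);
}

// After: placeholders keep the value out of the SQL text, and LOWER() on both
// sides makes the match case-insensitive (ASCII only in SQLite).
function get_user_by_login_bound(PDO $db, $login, $activated = NULL)
{
    $sql = "SELECT * FROM users WHERE (LOWER(username) = LOWER(:u) OR LOWER(email) = LOWER(:e))";
    $params = array(':u' => $login, ':e' => $login);
    if ($activated !== NULL) {
        $sql .= " AND activated = :a";
        $params[':a'] = $activated ? 1 : 0;
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? NULL : $row;
}

$reported = "'; foo '"; // the login value from the report in post #12
try {
    get_user_by_login_concat($db, $reported);
    echo "concat: no error\n";
} catch (PDOException $e) {
    echo "concat: SQL error, the input was parsed as SQL\n";
}

// Bound version: the same input is just a login name that matches no user.
var_dump(get_user_by_login_bound($db, $reported));
// Lower-case login finds the mixed-case account.
var_dump(get_user_by_login_bound($db, 'laurentvw', 1)['username']);
```

In CodeIgniter itself the same separation is available through query bindings, i.e. `?` placeholders in `$this->db->query()` with the values passed as an array.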

 
Posted: 18 April 2009 06:31 AM   [ # 14 ]
Joined: 2009-03-25
13 posts

Really wish you hadn’t used <php= tags :P :D It would have definitely saved me some time integrating Tank Auth with my project


 
Posted: 18 April 2009 12:31 PM   [ # 15 ]
Joined: 2009-04-07
52 posts

Hey, what’s wrong with these tags?

 