Poll
Would You Like PHP 4 Support?
Yes 31
No 234
Total Votes: 265
Redux Authentication 2 Beta Released
Posted: 06 September 2008 10:27 AM
Joined: 2007-11-08
237 posts

Home Page | Roadmap | SVN Server ( Requires Registration ) | Submit Ticket

PM me with your email address so I can add you to the SVN server.

So, what’s Redux Authentication 2 about?

The point of Redux Authentication 2 is to build upon Redux 1.*, but have a more stable, feature-filled and generally better authentication library.

At the moment version 1 has some bugs with the method returns and has some other niggling issues such as forcing you to use an “email” as the login handle, not having a remember me, etc ...

Version 2 will fix those issues and go farther as to include a ready-made website with administrative back-end, the ability to pick and select what columns you want to use to login with, an installation controller for fast set-up, Access Control Lists and integration with phpBB, Vanilla and other popular web applications.

I would love to hear what you think about Redux Authentication 2’s future plans, and if you have any feature requests I would love to hear them.

You can view the Road Map and see what is planned

Kind Regards,
-Mathew Davies.

 Signature 

Redux Auth is no longer maintained.

 
Posted: 06 September 2008 11:06 AM   [ # 1 ]   [ Rating: 0 ]
Joined: 2006-03-20
753 posts

Sounds great.

Hurry up then….

 
Posted: 06 September 2008 12:39 PM   [ # 2 ]   [ Rating: 0 ]
Joined: 2007-11-08
237 posts

Thanks audiopleb.

SVN is now available. Topic Updated

 Signature 

Redux Auth is no longer maintained.

 
Posted: 07 September 2008 09:24 PM   [ # 3 ]   [ Rating: 0 ]
Joined: 2008-09-07
1 posts

Great news for me! Thank you for the release and waiting eagerly for the final version.

Thanks a lot!

 
Posted: 15 September 2008 02:21 AM   [ # 4 ]   [ Rating: 0 ]
Joined: 2008-07-02
5 posts

“integration with phpBB, Vanilla and other popular web applications.”

You have my mouth watering. If you can integrate with Wordpress logins - that would be extremely awesome!


I think the best thing that could help would also be an example site that we can quickly learn how to use the auth library.

 
Posted: 17 September 2008 12:06 PM   [ # 5 ]   [ Rating: 0 ]
Joined: 2008-05-11
92 posts

Yes please, some kind of tutorial!!

 
Posted: 22 September 2008 01:17 PM   [ # 6 ]   [ Rating: 0 ]
Joined: 2008-07-16
411 posts

Unlike version 1, version 2 will use one dynamic salt. This would be enough protection against rainbow tables and would have one less configuration option to deal with. The hash column in the users table is going to be removed and I will use a value such as the date registered as the dynamic salt.

Please don’t do this. That is the ONLY reason that I am using your auth system!

 Signature 

My Blog, C2D, PHP Videos, Résumé, Super .htaccess, Extra hooks, and MicroMVC

 
Posted: 22 September 2008 01:32 PM   [ # 7 ]   [ Rating: 0 ]
Joined: 2007-11-08
237 posts

Can you explain to me why 1 dynamic salt is bad practice?

At the moment, the salt is the first 10 characters of the hashed password. When entering a password into the database for the first time the salt is randomly generated and pre-pended to the hashed password.

It’s basically doing the same thing as before, but without the hashed column in the table. This saves on table space.

 Signature 

Redux Auth is no longer maintained.

 
Posted: 22 September 2008 01:43 PM   [ # 8 ]   [ Rating: 0 ]
Joined: 2008-07-16
411 posts
Popcorn - 22 September 2008 05:32 PM

At the moment, the salt is the first 10 characters of the hashed password. When entering a password into the database for the first time the salt is randomly generated and pre-pended to the hashed password.

It’s basically doing the same thing as before, but without the hashed column in the table. This saves on table space.

True, for 1 million users it would take about 40MB more space - but at that point I don’t think it would matter.

Maybe you could keep a smaller VARCHAR(10) salt so that users with matching passwords would still get different hashes. Any extra step you can add to hashes is worth it.

 Signature 

My Blog, C2D, PHP Videos, Résumé, Super .htaccess, Extra hooks, and MicroMVC

 
Posted: 22 September 2008 02:35 PM   [ # 9 ]   [ Rating: 0 ]
Joined: 2007-11-08
237 posts

Users with matching passwords still have different hashes. Maybe you misunderstood the new concept?

 Signature 

Redux Auth is no longer maintained.

 
Posted: 22 September 2008 02:42 PM   [ # 10 ]   [ Rating: 0 ]
Joined: 2008-07-16
411 posts
Popcorn - 22 September 2008 06:35 PM

Users with matching passwords still have different hashes. Maybe you misunderstood the new concept?

Quite possible.

If you are using 1 salt only:

A) You are using a salt for each user - so if the database table is stolen they will have the salt for the user - and the user password hash itself.

B) You are using a global site salt - users with matching passwords will have the same hash.

That is why I would encourage you to keep the user and site salts as they both help protect things.

 Signature 

My Blog, C2D, PHP Videos, Résumé, Super .htaccess, Extra hooks, and MicroMVC

 
Posted: 22 September 2008 02:55 PM   [ # 11 ]   [ Rating: 0 ]
Joined: 2007-11-08
237 posts

If the database was stolen they’d have hashes, but not know the algorithm used to hash them. Now obviously my code is available online, but you shouldn’t be mentioning CodeIgniter or Redux anywhere on the site for them to figure out you’re using Redux.

I can use a file salt, but I think most people would be satisfied with a dynamic salt.

 Signature 

Redux Auth is no longer maintained.

 
Posted: 22 September 2008 03:00 PM   [ # 12 ]   [ Rating: 0 ]
Joined: 2008-07-16
411 posts

It is really easy to figure out what system people are running because of the way static files are included in the source…

Anyway, maybe you could make that an optional part so that people that want the extra security can have it.

 Signature 

My Blog, C2D, PHP Videos, Résumé, Super .htaccess, Extra hooks, and MicroMVC
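
The salting options debated in posts #6 to #12 (site salt only, per-user salt only, or both), as an added example that is not part of the thread and not Redux Auth code. PHP's `password_hash()` stands in for the per-user salt stored alongside the hash; `SITE_SECRET`, its value and the function names are hypothetical.

```php
<?php
// Added illustration, not Redux Auth code. Names and SITE_SECRET are hypothetical.
// The site secret would live in a config file on the web server, not in the database.
const SITE_SECRET = 'constructed-example-secret';

// Case B from post #10: one global site salt and nothing per user.
function hash_site_only(string $password): string {
    return hash('sha256', SITE_SECRET . $password);
}

// Case A from post #10: a random per-user salt only. password_hash() generates
// the salt and embeds it in the returned string, so no extra column is needed.
function hash_user_only(string $password): string {
    return password_hash($password, PASSWORD_DEFAULT);
}

// Both salts: key the password with the site secret, then add the per-user salt.
function hash_both(string $password, string $secret = SITE_SECRET): string {
    return password_hash(hash_hmac('sha256', $password, $secret), PASSWORD_DEFAULT);
}

function verify_both(string $password, string $stored, string $secret = SITE_SECRET): bool {
    return password_verify(hash_hmac('sha256', $password, $secret), $stored);
}

$pw = 'correct horse'; // constructed sample password shared by several users

// Site salt only: two users with the same password get the same stored value.
var_dump(hash_site_only($pw) === hash_site_only($pw));

// Per-user salt only: stored values differ, and a database row by itself
// contains everything needed to check a candidate password.
$alice = hash_user_only($pw);
$bob   = hash_user_only($pw);
var_dump($alice === $bob);
var_dump(password_verify($pw, $alice));

// Both: stored values differ, and a row checks out only with the site secret.
$carol = hash_both($pw);
var_dump($carol === hash_both($pw));
var_dump(verify_both($pw, $carol));
var_dump(verify_both($pw, $carol, 'wrong-secret'));
```

The per-user salt does not need to be secret to do its job of making equal passwords hash differently; the site secret only adds protection while it stays out of the stolen data.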

 
Posted: 22 September 2008 03:06 PM   [ # 13 ]   [ Rating: 0 ]
Joined: 2007-11-08
237 posts

Cheers Xeoncross. I’ll consider it.

Keep an eye on the SVN.

 Signature 

Redux Auth is no longer maintained.

 
Posted: 02 October 2008 01:55 PM   [ # 14 ]   [ Rating: 0 ]
Joined: 2008-01-30
159 posts

Nice Popcorn, any idea on the launch?
I currently use 1.x but some things don’t work.

 
Posted: 12 October 2008 06:40 PM   [ # 15 ]   [ Rating: 0 ]
Joined: 2008-07-22
96 posts

Hey popcorn, if you could stop by the thread for 1.4a and help me out by answering my questions about the forgotten password process, that would be great! Thanks!

 Signature 

twitter.com/andrhamm

 