Your feedback on an idea please :)

Hi,

I have noticed that many people that post to this forum ask about authentication. While there are several good role based authentication objects available on the web and from frameworks, generally these are complex or too involved for simpler permission based authentication.

I have been developing such a permission based system that I wondered if people here would like to help refactor into something that serves ‘stand alone’ application requirement?

I thought that I could put the first versions of the scripts here and then once the first refactoring I would start a project in GitHub with the authors of the system being all the people that extensively contributed to the refactoring?

Are you interested in this, or should I do this process on my own? I think that it would be fun for us, so what do you say?

Regards,
Steve

It’s a good idea. You meant you are developing a PHP framework, right?

Hi cuahangsimsodep,

No, this is not a framework, this is an authentication library.

It is a set of classes that let a person easily generate a secure login form, create permission, and authentication roles in a database, object, or flat-file.

From the security standpoint it provides protection against denial of service attacks, rainbow-table vectors, Session Fixation and Hijack, Form Spoofing and SQL injection. It also will allow people to choose their own one-way hashing algorithm without having to rewire the SALT and PEPPER handling of the library. It also generates a new SALT and PEPPER for each new user (Though many people will argue - with good reason - that this is not necessary).

It allows for fine grain controls over permissions.

People could use this code to plug into their framework or a custom project they develop. If someone is using ZEND, CodeIgniter, or Symfony2 they would not use this library. It is available for those that want a simple yet robust authentication system without the need to use a full framework.

Regards,
Steve

Hi,

With the exception of cuahangsimsodep, this idea has not been well received. I by no means want to trivialize cuahangsimsodep’s support, I was just hoping that a greater number of people would be interested working through working with unit tests, refactoring the classes to make them easier to read and simplify them creating better code, and in general having a greater amount of people understand how this library will work.

Either frameworks have replaced the need to have such a thing available, people are comfortable with the other libraries that are used for this, the sense of community here is not such that a collaborative effort is motivating, or people just don’t like the idea :)?

I will be refactoring the classes and ensuring that I have good test coverage. Then I am going to publish this to GitHub, and will let a few of the forums that I go to know about it. I still believe that there are enough people asking ‘Hey how do I add a login’ or ‘How can I let some people access this but not that?’ that they could benefit from a fairly ‘non-tech’ approach to implementing a log-in and permission based authentication system.

Regards,
Steve

Steve,

I think the idea is great, but I have been here long enough to know that my programming skills are still on the low end of the scale.

If you want someone that is still on the learning curve, I would love to help.

The idea has a lot of merit. And providing it on Github would be the best way to gain sufficient exposure and talent to develop a complete and useful product.
I am willing and anxious to help. My time has been spent (lately) with Ruby-on-Rails in favor of PHP. But I am “an old-timer” PHP developer and would be glad to help.

Hi CSU-Bill and ParkinT,

Thank you for your interest and support. I would be interested to have you and cuahangsimsodep be involved in this process. The way I thought it might benefit the most people would be to have the project files in GitHub, but do the unit tests, refactoring and class files here on the site. This way people can follow along, perhaps learn a little about OOP, unit testing and refactoring. Does this sound like a reasonable approach?

Regards,
Steve

Steve,

OOP is on my list for learning. I am starting a site for my daughter and plan to learn OOP while building her site.

Hi CPU-Bill,

This will then be a good opportunity for you to learn… I don’t want to put too much on you, but to begin you can start reviewing SimpleTest as the testing framework I have used for this project and you may want to take a look at Martin Fowler’s book ‘Refactoring - Improving the Design of Existing Code’ ISBN 0-201-4567-2 - I bought my copy a number of years ago on Amazon 2nd Hand (in great condition) the hard-cover version for $14.95. It would help if we speak a somewhat similar syntax. For example if I say ‘we may consider using the Extract Method on the method of the XYZ Class’ you would know what that means.

You may want to look at this simple OOP Reference. It does not use PHP 5.4’s new OOP features but is nicely laid out and does what it intends well.

Here is a non-long-winded tutorial that gets you through the basics of PHP OOP.

The php.net OOP manual is not bad either.

Glad to have you aboard, I will spend the next couple of weeks getting this organized as I am quite busy consulting currently.

Regards,
Steve

It might be a very useful project. There are very often questions about login scripts.
Unfortunately, I don’t have time right now to participate.

Steve,

Thanks for the links. I will check with Amazon to see about getting that book.

I would be interested to help, but the coming weeks I won’t have much time. And my helping would be more of a learning process at first. I have no experience @ this kind of projects. But I am really eager to improve my experience and skills.

I will read the book and some of the links you gave and if I can be helpful in a few weeks I would happily offer you my services.

Why would you allow people with no knowledge in this area to build something like this? I’m sorry… that just seems like a road to failure. If you’re actually serious about recruiting people to help you should at the very least require them to have some type of experience with authentication models in the forms of having built one and/or used various solutions presented in existing frameworks/content management systems. Not to be rude or anything but yeah…

That would be interesting. Though the problem I have from a practical stand point is just about every project which I have worked on requires permissions be sculpted in a way that is very specific to the application itself. I could see using something like an access control list but really that only goes so far in a generic form. Probably more practical to keep privileges as straight-forward as possible but inflexible to start. I don’t think much should be done on the generic end of handling permissions. That seems like something outside of realm of an authentication system beyond booleans for whether a user has been authenticated or not and accessing registration data.

It is funny you mention this though because nothing really comes to mind in terms of a stand-alone authentication system. At least nothing worth using though I’m sure if I look on one of script sites there are plenty of poorly conceived ones out there.

Questions:

Has a development document been created outlining the required features and nice to haves?
Is the code hosted anywhere where I or anyone else can take a glance at it?

You make a great point, @oddz! I believe @ServerStorm was simply laying out an idea which is yet to be constructed.
As you have pointed out; there seems to be a HOLE in the PHP community for such a library/function/capability.

If, however, it can also serve as A Weapon Of Mass Instruction that would be a wonderful thing. I endorse that approach and will gladly participate.

I challenge you to supply a list of YOUR “nice to haves” and “required features”. We all - regardless of experience level or time-commitment - have something of value to contribute to a project like this. Let’s not slow progress by dwelling on why it WON’T work. :twocents:

Hi oddz,

I understand your concerns.

As @ParkinT pointed out I really thought of this as a way to get more people interested, learning about OOP, Patterns, Refactoring and Testing. The nice thing about refactoring is that we can take horrible code and turn it into something quite functional, so I am not worried about what we start with, when we do a good job on this refactoring, in the end we will have quality code that others would feel comfortable using for their projects. Also, too often the examples about OOP are model a person, car, or colour. This will show more practical uses of OOP in PHP.

I do actually have code that we can start with, but I first wanted to see who would be interested, put some structure to the idea, which includes the ‘most wanted features’; I would love it if you have some ideas for this, because having experienced people is a good thing.

With the current authentication system I built the controls are indeed fine grain but they are difficult to manage and even conceptualize how to implement them - it was my first try at a full blown authentication library. It is decent enough for a production site but I thought it would be good to use this as the basis, as I could at least share the decisions why I did something a specific way and also about the security considerations. There is a lot of refactoring that can be done as there is a fair bit of code that may need help.

@RvanD85, we will work out the details on the best way that we can collaborate on these files. But glad to have your support. Thank you for looking through these links and getting prepared for this.

I think we should work on the Database/Flatfile/XML and the Authentication classes first. Once we have a good handle on these, then we can look at the most flexible way to integrate the permissions.

Hey, if at the end of the day, we don’t like this, or individuals find it is not for them, it will not be the end of the world if someone opts out. Even in the worst case scenario the authentication library doesn’t get off the ground. At least along this worst case people here will get experience working together in a distributive environment and with other developers (which may or may not be a new thing), and will certainly learn things about OOP, Security, Creating ‘Test Coverage’ over an application, and Refactoring. I’d think that it would be great if some or all of these things raise our collective abilities.

My plan was to put the code into GitHub and then branch the repo for anyone that is interested in helping. We then post the sections of code that we want to work on here at SP. We can determine roles and responsibilities for each person that has available time to work on something. We may have to look at merging code however others might have better suggestions on how we may work as a team on these files?

Thank you!
Steve

Hi Steve, the idea is great, but I am failing to see how it can be realized, my mind just starts wondering into this abyss of variables and if scenarios and I get lost.

For starters I would imagine that you include a php file that contains some class to some script, and then create an instance of that class.

$auth = new Auth($salt);
$auth->login($_POST['username'],$_POST['password'],$_POST['token']);

but this is in the scenario where we completely miss out most of the complexity and can really be made to work without any library.

In my 4 years of experience working with custom made php authentication systems, I can say that it is a topic that’s much harder than expected, which is probably the reason for this to be a hole in the php community, there are just too many things that need to work together perfectly for this to be easy.

So, can you elaborate your concept of how it will work?

For example, consider these questions:
How will it connect with databases or even files?
How will the password be stored? (I mean, cryptography is hard, and hashes keep getting reversed)
Will it enable a shared authentication across multiple applications across servers?
How will it be XSS and CSRF (https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet) protected, I mean when and how will the tokens and validation work? (this subject is too complex to explain in short)
Will it support the native HTTP authentication through php or use sessions with cookies for that? (e.g. digest, http://en.wikipedia.org/wiki/Digest_access_authentication)
Will it include forms, or generate forms, if so what options for form generation will it have? (it better have unlimited future-proof options)
How will the sensitive information be sent? Will it have the yahoo recommended javascript password encryption (http://stackoverflow.com/questions/38838/two-way-password-encryption-without-ssl) before sending the info along with a HTTPS (http://en.wikipedia.org/wiki/HTTP_Secure) protected connection?
Will there be javascript included and if there will, then how will the javascript be added to the html page? automatically or will the person have to add lengthy scripts and configure them too?
How will the library be configured?
Will it include field validation? and AJAX field validation?
Will it feature AJAX authentication?
How will it handle redirection? (I expect that it wont, although it will need callbacks to allow the dev to redirect (or do) whatever he wants to)
Will it have events that can be bound or triggered, for example an onBeforeLogin event?
How will user permissions be handled and more importantly configured? Will there be groups of users? Or will there be access-tags that can be assigned to users? (I like access-tags more because they are like keys that you give to users to allow them to specific access information)
How will information access levels be handled? I mean what happens when someone views something that contains info that he is not allowed to view? Will there just be an error message or a redirection, or just some event triggered without anything actually happening?
Will there be user roles?
Will it allow third-party applications to make use of its authentication system?
…and to top it all off, how will this library be simple to use? because if it’s not simple, fast and customizable, no one will use it. :stuck_out_tongue:

Now I got carried away in the above list, and I might have missed 70% of the questions I would like to ask, but it’s good for a start :slight_smile:

Also there are reasons why so few people seem interested, not only is the PHP community of sitepoint mostly inactive, it is also such a hard topic that the programmers here have seen people try these projects countless times, only to see them to give up and disappear.

Frameworks here have an advantage over a library, they are tightly coupled with the html and javascript and database that is required to handle it, they normally have this pre-built all-in-one authentication system that can handle most things, they also normally handle tons of tasks and have a relatively large community of users.

This is also the reason why I like your idea, if the authentication library you’re making becomes good enough, it might become part of a framework or at least teach people how to make authentication work properly, but this is only if you do it properly and simply, and that’s hard because simplicity is the hallmark of genius.

I personally think this is a rather dead end pursuit, though I tend to be on the pessimistic side.

If someone is not capable of building a proper authentication system, you’d only be giving them a likely false sense of security when the rest of the site could be wide open.

I would think a guide on building an authentication system with a tutorial on WHY it should/could be done a certain way - would be better for new comers.

“Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.”

I disagree with the comments opposing this idea.

@oddz, @YuriKolovsky, and @wonshikee make very good points. And they have raised concerns that are important to consider. But, I think, we are “putting the cart ahead of the horse”.

In this early stage of “devising” a system why restrict ourselves? We are merely “brainstorming”.

How about a PHP “framework” that INCLUDES proper Authentication, Access, Authorization (AAA)? Or an adjunct to an existing PHP framework that does the job better than any other?

What is ultimately created will, likely, look very different than what was initially proposed. I am in favor of that creative approach.

Working in a day-to-day environment where EVERYTHING must meet specific requirements (A Code Factory), it would be FUN to be allowed to “shoot from the hip” a little.
IMHO the “community” effort and the collaboration is far more valuable than the final product.

Hi,

I hope those that had a holiday or time with those people close to you had a great time.

As others have said, Authentication systems typically have a fair bit of complexity surrounding them. It is also true that when developers custom roll their own security system they experience the depths of these complexities and security concerns. We want to end with a set of authentication and permission classes that ‘hide’ this complexity from the end user and provide great documentation so a junior user can understand how to safely implement these classes.

Even if we start with some bad code, I am confident that we can refactor it so that it becomes simpler and better.

As @YuriKolovsky raised the questions regarding requirements, we can use this as a start to discussing and refining the requirements we wish to serve.

The system should have a users database with the corresponding users with hashed passwords, user details, and permissions set in one to many relationship user to permissions. For flexibility we could also look at implementing a similar structure in flat files /XML/YAML… that could be parsed into objects that ‘act’ as a database?

Yup cryptography is tricky and hashes do keep getting reversed. This means that our system can’t ‘hard’ code hashing, we need to be able to hash the users details using a supplied hashing algorithm that can be loaded into our system. When hashes do get cracked/reversed then a developer can supply a safe hash.

Multi application and across servers should be possible with appropriate SESSION handling and keeping the database separate from an application.

  • Authentication logic does not execute in the form. If a hacker tries to spoof the form we don’t want them to bypass the authentication logic.
  • We bind input parameters into the database and all form, SESSION, GET, parsed file logic should be filtered for special characters.
  • We will regenerate the SESSION id every time an important user function is launched. We also will use a token on login that will cause the session to regenerate.
  • We will mitigate CSRF by using POST on forms, require verification for sensitive actions, and using an anti-CSRF token.
  • We will limit impersonation attempts by combining a SESSION and MD5 USER-AGENT.
  • For XSS we will filter all input and escape output, use htmlentities() where appropriate, and allow only ‘safe content’.
  • We will store the Sessions in the database (when using one) which will help with allowing it to run across multiple servers, and will help with performance on more demanding applications.

Initially my thinking was to use sessions with cookies and not support HTTP authentication.

Rather than building ‘Canned’ forms, it would be better to build a set of form examples that demonstrate how to integrate the classes, and validation into the form page.

Ultimately this would be a good idea.

YuriKolovsky wrote:

> Will there be javascript included and if there will, then how will the javascript be added to the html page? automatically or will the person have to add lengthy scripts and configure them too?

We have to be careful with Javascript as it can be turned off easily and in most cases hackers will be using a command line browser to attack. We should implement the JavaScript that provides convenience and a better user experience, however stripped away the authentication/permission management should be unaffected.

YuriKolovsky wrote:

> How will the library be configured?

Probably not going too fancy with the structure and the deployment would make it easier to understand. All Auth classes would be under a single directory called ‘Auth’. Inside this directory there will be a ‘Scripts’ folder for any of the javascript.

Yes field server-side validation as well as AJAX field validation.

This is a nice feature that we would want I think?

I think that redirection is an important part of the authentication system so we will have a redirection class that is used inside our authentication system, however a user can make use of this redirector for any other redirect they need to implement.

My current Auth/Permission system does not have this but it is a great idea. We should include this in the feature set.

Yes users will belong to groups. Groups are mapped to permissions. Permissions designate roles and access.

We will define an initial set of permissions and groups, a user could make use of our permission mappings or they could create their own. The management of this would be provided using a number of PHP based pages that are designed to manage specific features of the authentication system.

If a user tries to access a restricted area without the appropriate permissions, they would be redirected somewhere without an error. In most cases the permissions are wrapped around the view logic in a way that things that are restricted to a logged in user are not seen; whereas someone with the appropriate permission will see those buttons, links, content areas and menus.

Yes, roles are defined as permissions; therefore roles can be thought of matching to groups of users.

I believe this should allow other third-party applications to provide validation of access. This gets tricky though as quite a bit of thought has to go into how permissions will be granted or at least how users can be mapped so that they get the proper permissions?

Thank you YuriKolovsky for kick-starting this process!

Please feel free to add your thoughts to this high level description of some of the requirements.

Regards,
Steve
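
Added example, not part of the thread and not code from Steve's library: one way the requirement above (a hashing algorithm that is supplied rather than hard-coded, so it can be swapped when a hash is broken) could look in PHP 8. The names `PasswordHasher`, `NativeHasher` and `Authenticator`, the in-memory user array and the demo values are all hypothetical.

```php
<?php
declare(strict_types=1);
// Hypothetical names throughout; not taken from the library discussed in the thread.
interface PasswordHasher
{
    public function hash(string $password): string;
    public function verify(string $password, string $stored): bool;
    public function needsRehash(string $stored): bool;
}

// Default plug-in built on password_hash(), which creates a random per-user
// salt and stores it, with the algorithm and cost, inside the hash string.
final class NativeHasher implements PasswordHasher
{
    public function __construct(private string $pepper, private string|int|null $algo = PASSWORD_DEFAULT, private array $options = []) {}

    // Keyed pre-hash with the pepper (a secret kept outside the user store);
    // base64 avoids NUL bytes and stays under bcrypt's 72-byte input limit.
    private function prepare(string $password): string
    {
        return base64_encode(hash_hmac('sha256', $password, $this->pepper, true));
    }
    public function hash(string $password): string
    {
        return password_hash($this->prepare($password), $this->algo, $this->options);
    }
    public function verify(string $password, string $stored): bool
    {
        return password_verify($this->prepare($password), $stored);
    }
    public function needsRehash(string $stored): bool
    {
        return password_needs_rehash($stored, $this->algo, $this->options);
    }
}

final class Authenticator
{
    /** @param array<string,string> $users username => stored hash (stand-in for the users table) */
    public function __construct(private PasswordHasher $hasher, private array $users = []) {}

    public function register(string $username, string $password): void
    {
        $this->users[$username] = $this->hasher->hash($password);
    }

    public function login(string $username, string $password): bool
    {
        $stored = $this->users[$username] ?? null;
        if ($stored === null || !$this->hasher->verify($password, $stored)) {
            return false;
        }
        // Only at this point is the plaintext available, so this is where an
        // outdated hash is replaced by one from the currently configured hasher.
        if ($this->hasher->needsRehash($stored)) {
            $this->users[$username] = $this->hasher->hash($password);
        }
        return true;
    }

    public function storedHash(string $username): ?string { return $this->users[$username] ?? null; }
}

// Constructed demo values: a hash made at bcrypt cost 10, then logins under cost 12.
$pepper = 'constructed-demo-pepper';
$legacy = (new NativeHasher($pepper, PASSWORD_BCRYPT, ['cost' => 10]))->hash('correct horse');
$auth = new Authenticator(new NativeHasher($pepper, PASSWORD_BCRYPT, ['cost' => 12]), ['alice' => $legacy]);
var_dump($auth->login('alice', 'wrong guess'), $auth->login('alice', 'correct horse'));
var_dump(password_get_info($auth->storedHash('alice'))['options']['cost']);
```

Because the salt and parameters travel inside each stored hash, changing the configured hasher does not invalidate existing accounts; each one is upgraded at its next successful login.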

I am currently unexpectedly busy with aspects of the sale of my company so unfortunately I have not yet compiled the list of features in a clear way. I will not be able to do this for a while yet, but I plan to keep this going.

Thanks,
Steve