PHP Authentication and Access Control Libraries

    Harry Fuecks
    Harry Fuecks

    Prompted by an email I got, asking for recommendations for PHP authentication and access control libraries, been trying to nail down what this kind of library needs to do. To be frank not sure I can 100% recommend an single library; I’m typically guilty of DIY – last time a really researched this, about a year and a half ago, wasn’t able to find anything that really convinced me.

    From my perspective, authentication (verifying a valid user) and access control (does a valid user have permission to do this) are different things and the library needs to reflect that. Authentication usually happens before anything else at a “global” level in an application while access control can become threaded throughout everything, to the point where a menu, for example, only shows items a user is allowed to perform. User management (registration, maintenance etc) should also be separate functionality (if provided at all).

    A few thoughts / requirements for a “dream” security library.

    – It must be secure. Obvious I know but there’s plenty of gotchas (e.g. session files on shared web server) to watch out for. Ideally it will have had a lot of eyes looking at the source and ideally be well covered by unit tests.

    – The authentication “protocol” (the mechanism between browser and web server) should be flexible allowing for different approaches; session (cookie) mechanisms, HTTP Basic and HTTP Digest should all be possible. Users should be able to use their own “plugin”, allowing them to meet their own design requirements, such as redirecting users to another page if authentication fails

    – Should be independent of the data source used to authenticate a user against – database, flat files, LDAP, XML-RPC, SOAP etc. Should also allow for different “schemas” rather than being stuck to a particular column names etc. Some users way way to authentication against three fields for example; a username, a password and a some kind of temporary access code, generated from a “Smart Card”.

    – Would be nice if access control logic didn’t always require hard coding i.e. instead of;

    if ( $User->hasPermission('taskName') ) {
    // Do the task
    } else {
    echo 'Permission denied';

    …you could (optionally) use some other mechanism for access control, e.g. a .ini file with the same name as the PHP script or perhaps something based on the URL. Perhaps something similar to the Unix filesystem permissions would be helpful here.

    – Allows for different access control “organisation” – e.g.
    user <=> permissions
    user <=> role / group <=> permissions

    – Flexibility: should work with any PHP coding style, from vanilla PHP to frameworks

    – How do the authentication and access control mechanisms communicate.

    – Fast (of course) – despite all the functionality it’s packing, you only pay the price for what you’re using

    Any other requirements for an ideal security library?

    If I was going to recommend something, it would have to a library from PEAR. There’s a number of packages in the Authentication category, the two which are most relevant to this discussion being;

    PEAR::Auth – focuses on authentication only. Hits the target of being able to authentication against multiple data sources, using a username / password combination. Uses sessions / forms to maintain state. Extended by PEAR::Auth_HTTP for HTTP Basic / Digest authentication. Gets a lot of screening which is good news. Performance? For some reason I can’t remember now, I’ve always been biased against PEAR::Auth, perhaps because I looked at an early release. Looking at the code know it seems generally a reasonable choice.

    PEAR::LiveUser – provides authentication and access control. Users sessions to maintain state and is able to handle a number of different access control organisational schemes. I’ve tried this before and struggled to make sense of it’s intended use but it is work in progress and has a lot of promise.

    Any other libraries you recommend?