Home/ Questions/Q 3420986
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-18T06:03:52+00:00

I’m working to add a better authentication system to a mature backend site. I’ve

  • 0

I’m working to add a better authentication system to a mature backend site. I’ve been using HTTP Authentication just because it’s so easy to setup. But as the site has grown, the downsides to this method have become more and more pronounced; specifically, the lack of security over standard HTTP connections, and the lack of a standard mechanism to log users out.

I’ve read over every PHP authentication question I can find on SO, but I still haven’t found a satisfactory solution for upgrading a large existing codebase to use a session-based system. The takeaway from most answers seems to be:

  1. Don’t roll your own if you don’t know exactly what you’re doing
  2. Session-based authentication is a really involved subject

I have rolled my own user registration system before, and indeed, it seems woefully insecure looking at it now. I can see it taking months to polish, when all I really want to be doing is working on the backend itself.

I imagine this is a very common problem. Pretty much every website I’ve built has required at least a very minimal backend, and I think very few developers have the chops (“expertise”) to build an airtight system.

I’ve looked at solutions using Zend Framework, CodeIgniter, and CakePHP — but they all presume a specific coding style (or so it seems), and the prospect of reorganizing all of my code is, in a word, deflating. (And beyond that, the inefficiency of including one of these massive frameworks just for authentication really rubs me the wrong way.)

Is there a better solution? Can I isolate the authentication class from one of these frameworks? (Because this is just a backend site (closed), I don’t need to worry about registration, or CAPTCHAS — or really any of the ancillary features of an authorization system.)

Thanks so much for your consideration.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Inspired by Hamish’s comment on my question, I learned that it’s very easy to use the Zend_Auth class without having to use the rest of the framework, and without having created my project the “ZF way” — i.e., with the zf command line tool and the MVC pattern.

    In the end, I only used Zend_Auth and Zend_Db. I haven’t integrated my proof of concept into my actual site yet, but I think it captures the basic functionality I was looking for. All it does at the moment is cycle between the logged-in and logged-out states when the page is refreshed:

    require_once('Zend/Db.php');
require_once('Zend/Auth.php');
require_once('Zend/Auth/Adapter/DbTable.php');
require_once('PasswordHash.php');
require_once('PasswordHash_Auth_Adapter_DbTable.php');

$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
    echo 'Logged in...';
    $auth->clearIdentity();
    echo 'logged out.';
} else {
    // authenticate
    echo 'Authenticating...';
    $db_options = parse_ini_file('../zend_db.ini');
    $db = Zend_Db::factory('PDO_MYSQL', $db_options);
    $authAdapter = new PasswordHash_Auth_Adapter_DbTable($db);
    $authAdapter->setIdentity('test')->setCredential('test');
    $result = $auth->authenticate($authAdapter);
    if (!$result->isValid()) {
        echo 'invalid.';
    } else {
        echo 'valid.';
    }
}

    PasswordHash_Auth_Adapter_DbTable.php is a custom Auth_Adapter_DbTable that uses phpass to obfuscate passwords, mostly copied from an article by Jonathan Street. I also found an article by Alexander Peslyak (who I think is the creator of phpass) that was very helpful to understanding user/password storage broadly.

    The users table is extremely bare-bones for the moment:

    CREATE TABLE `users` (
  `id` int(3) unsigned zerofill NOT NULL AUTO_INCREMENT,
  `user` varchar(60) NOT NULL,
  `pass` varchar(60) NOT NULL,
  PRIMARY KEY (`id`),
  UNIQUE KEY `user` (`user`)
) ENGINE=MyISAM

    I inserted the one “test” user, with a phpass-generated hash for the password. Ultimately I plan to have a login form that POSTs the user/password for authentication. On the surface, this method (plain old POST form) seems insecure, but I looked at how Facebook’s login form works, and indeed I can see my password in plaintext as part of the form data after logging in — so it can’t be that insecure (right?).

    Overall I’m very happy how simple this solution is… in a way it scares me how little I understand the actual nuts & bolts of Zend_Auth, but on the same token I’m glad it’s tried & tested code (vs. rolling my own).

    If I’ve made any egregious errors, please let me know!

    • 0