I am using PHP and the CodeIgniter framework for a project I am working on, and require a user login/authentication system.

For now I'd rather not use SSL (might be overkill and the fact that I am using shared hosting discourages this). I have considered using OpenID but decided that since my target audience is generally not technical, it might scare users away (not to mention that it requires mirroring of login information etc.). I know that I could write a hash based authentication (such as sha1) since there is no sensitive data being passed (I'd compare the level of sensitivity to that of stackoverflow).

That being said, before making a custom solution, it would be nice to know if there are any good libraries or packages out there that you have used to provide semi-secure authentication? I am new to CodeIgniter, but something that integrates well with it would be preferable. Any ideas? (I'm open to criticism on my approach and open to suggestions as to why I might be crazy not to just use SSL). Thanks in advance.

Update: I've looked into some of the suggestions. I am curious to try out zend-auth since it seems well supported and well built. Does anyone have experience with using zend-auth in CodeIgniter (is it too bulky?) and do you have a good reference on integrating it with CI? I do not need any complex authentication schemes, just a simple login/logout/password-management authorization system.

Also, dx_auth seems interesting as well, however I am worried that it is too buggy. Has anybody else had success with this?

I realized that I would also like to manage guest users (i.e. users that do not login/register) in a similar way to stackoverflow, so any suggestions that have this functionality would be great.

Accepted Answer

I've found dx_auth to be quite good in CodeIgniter, and have used it before. It is certainly the most full-featured authentication library for CodeIgniter.

There were a few things I needed to do to change it, so I extended their User class with a few functions for my purposes (some of their functions don't do exactly what you might expect). Here is a segment of some of the customizations I made:

    $CI = &get_instance();

    /**
     * For most things, try and use the dx_auth models,
     * because it's already done, and some stuff is more
     * annoying to figure out than might be expected.
     * For anything site-specific, use this model instead.
     * (The dx_auth Users model must be loaded before this class is defined.)
     */
    class UserModel extends Users {
        /**
         * Sometimes when dx_auth sucks, you have to compensate
         * with functions that return useful results.
         *
         * @param int $id id of user to check if banned
         * @return int $banned returns the result (0 or 1)
         */
        function is_banned($id) {
            // The (int) cast keeps the concatenated value numeric.
            $query = "SELECT banned FROM users WHERE id=".(int)$id;
            // Run the query through CodeIgniter's database object.
            $result = $this->db->query($query);
            $row = $result->row_array();
            return $row['banned'];
        }
    }

Written by Stephen J. Fuhry
The content is written by members of the stackoverflow.com community.
It is licensed under cc-wiki