开发者

Simple authentication that uses zend_auth independent of the rest of the Zend framework

开发者 https://www.devze.com 2023-01-04 03:19 出处:网络
I\'m working on the login system for a php web app.I\'m aware of the dangers of rolling your own system, so I\'m hoping to use a pre-built library of some kind.

I'm working on the login system for a php web app. I'm aware of the dangers of rolling your own system, so I'm hoping to use a pre-built library of some kind.

I have seen zend_auth recommended in several places. I have also heard that zend_auth can be used independent of the rest of the Zend framework. This would be 开发者_开发问答preferable, as my app does not rely on any frameworks, and I am reluctant to install an entire framework purely for auth.

I have no previous experience with Zend and I am finding the documentation in the manual a bit confusing. I am wondering: Does anyone know of any resources that would be helpful in explaining how to set up a simple authentication system based on zend_auth but that does not rely on the rest of the Zend framework?

Thanks for your help,


I'm aware of the dangers of rolling your own system

...

I am finding the documentation in the manual a bit confusing

Then it's not the right solution for exactly the reasons you've stated. If you don't understand how to use it properly it will never be secure and you can't provide any warranty that it is fit for purpose.

You might consider paying Zend for a support contact and asking for help.

There are other issues with using off the shelf code. If there is a defect in it, its difficult to identify, difficult to resolve, then difficult to merge back the vendors fixes. Also, while really this is really an argument for security by obscurity (and therefore not a well grounded one) the code you write is not visible to any potential attacker until you publish it (if ever) whereas using an off-the shelf product supplied as source, if there is a vulnerability then any script kiddy can run an attack against your site.

C.


the most important thing for a secure authentication/autorization is the concept where the whole application has only a sinlge entry point like an index.php everything is rewrited to. otherwise you have to care for each file beeing called to properly include and check the authorization etc.

zend_auth itsself won't really give you an extra security. it's more like an interface wich can be connected to anything. so what it does is mostly that your application(s) always use the same code for authentication/authorization but can rely on different data.

0

精彩评论

暂无评论...
验证码 换一张
取 消