Andy's Blog » codeigniter auth, tank auth, tank_auth, FreakAuth, CodeIgniter tank_auth, CI datamapper, tank, freak_auth, Tank Auth 21andy, TankAuth|Andy\sBlog, tank auth 1.06, TankAuth » 最佳CodeIgniter Auth扩展Tank Auth

最佳CodeIgniter Auth扩展Tank Auth


Tank Auth


先后看了FreakAuth, dx_auth, Redux Auth, BackendPro,auth_library

选定了DX auth, 在研究的过程中, 看到 What Code Igniter authentication library is best? 这篇文章, 几乎以上所有的auth都有缺点

作者还提到了20件Auth应该做到的事情, 见下面的引用

在看完这篇文章后, 我先择了Redux Auth, 目前相对来说它做得最好.

可就在我研究Redux Auth的时候, 又找到了Tank Auth, 是DX Auth的改进精简版, 可惜拿掉了DX Auth的Role部份, 用户资料部份也有待完善, 如果要拿来用, 得自己动动手.等作者还是真难.

似乎作者已经一二个月没更新了, 也没了动静.

目前来看, Tank Auth是最好的. 希望不要成太监了

DX Auth


  • Very full featured
  • Medium footprint (25+ files), but manages to feel quite slim
  • Excellent documentation, although some is in slightly broken English
  • Language file support
  • reCAPTCHA supported
  • Hooks into CI's validation system
  • Activation emails
  • Unactivated accounts auto-expire
  • Suggests for salts (not bad for a PRNG)
  • Banning with stored 'reason' strings
  • Simple yet effective error handling


  • Only lets users 'reset' a lost password (rather than letting them pick a new one upon reactivation)
  • Homebrew pseudo-event model - good intention, but misses the mark
  • Two password fields in the user table, bad style
  • Uses two separate user tables (one for 'temp' users - ambiguous and redundant)
  • Uses potentially unsafe md5 hashing
  • Failed login attempts only stored by IP, not by username - unsafe!
  • Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext!
  • Role system is a complete mess: is_admin function with hard-coded role names, is_role a complete mess, check_uri_permissions is a mess, the whole permissions table is a bad idea (a URI can change and render pages unprotected; permissions should always be stored exactly where the sensitive logic is). Dealbreaker!
  • Includes a native (poor) CAPTCHA
  • reCAPTCHA function interface is messy

FreakAuth Light


  • Very full featured
  • Mostly quite well documented code
  • Separation of user and profile data is a nice touch
  • Hooks into CI's validation system
  • Activation emails
  • Language file support
  • Actively developed


  • Feels a bit bloated (50+ files)
  • And yet it lacks automatic cookie login (!)
  • Doesn't support logins with both username and password
  • Seems to have issues with UTF-8 characters
  • Requires a lot of autoloading (impeding performance)
  • Badly micromanaged config file
  • Terrible View-Controller separation, with lots of program logic in views and output hard-coded into controllers. Dealbreaker!
  • Poor HTML code in the included views
  • Includes substandard CAPTCHA
  • Commented debug echoes everywhere
  • Forces a specific folder structure
  • Forces a specific Ajax library (can be switched, but shouldn't be there in the first place)
  • No max limit on login attempts - VERY unsafe! Dealbreaker!
  • Hijacks form validation
  • Uses potentially unsafe md5 hashing



  • Good feature set for its tiny footprint
  • Lightweight, no bloat (3 files)
  • Elegant automatic cookie login
  • Comes with optional test implementation (nice touch)


  • Uses the old CI database syntax (less safe)
  • Doesn't hook into CI's validation system
  • Kinda unintuitive status (role) system (indexes upside down - impractical)
  • Uses potentially unsafe sha1 hashing

Fresh Powered


  • Small footprint (6 files)


  • Lacks a lot of essential features. Dealbreaker!
  • Everything is hard-coded. Dealbreaker!



  • Tiny footprint, no bloat (3 files)
  • Excellent documentation
  • Database normalized to 3rd normal form (nice touch)
  • Activation emails
  • Sleek coding style
  • Suggests for salts (not bad for a PRNG)


  • Requires autoloading (impeding performance)
  • Uses the inherently unsafe concept of 'security questions'. Dealbreaker!
  • Return types are a bit of a hodgepodge of true, false, error and success codes
  • Doesn't hook into CI's validation system
  • Doesn't allow a user to resend a 'lost password' code

EDIT: Mathew Davies, who develops Redux Auth, says a bunch of the cons in my list (including the security questions dealbreaker) have been fixed in the latest beta, so that should definitely be worth checking out



  • Tiny footprint (4 files)
  • Minimalistic, absolutely no bloat
  • Uses phpass for hashing (excellent)


  • Only login, logout, create and delete
  • Lacks a lot of essential features. Dealbreaker!
  • More of a starting point than a library

Authentication for CodeIgniter done right

Here's my MINIMAL required list of features from an authentication library. It also happens to be a subset of my own library's feature list ;)

  1. Tiny footprint with optional test implementation
  2. Full documentation
  3. No autoloading required. Just-in-time loading of libraries for performance
  4. Language file support; no hard-coded strings
  5. reCAPTCHA supported but optional
  6. Recommended TRUE random salt generation (e.g. using or
  7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
  8. Login using either username or email
  9. Separation of user and profile data
  10. Emails for activation and lost passwords
  11. Automatic cookie login feature
  12. Configurable phpass for hashing (properly salted of course!)
  13. Hashing of passwords
  14. Hashing of autologin codes
  15. Hashing of lost password codes
  16. Hooks into CI's validation system
  17. NO security questions!
  18. Enforced strong password policy server-side, with optional client-side (Javascript) validator
  19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
  20. All database access done through prepared (bound) statements!

Note: those last few points are not super-high-security overkill that you don't need for your web application. If an authentication library doesn't meet these security standards 100%, DO NOT USE IT!

另把Tank Auth的内容COPY过来

Tank Auth

Tank Auth is an authorization library for PHP-framework CodeIgniter. It's based on DX Auth, althouth the code was seriously reworked.

Download Tank Auth 1.0.3


The key points of the library are:

It's simple

  • Basic auth options (login, logout, register, unregister).
  • Very compact (less than 20 files and 4 DB-tables).
  • Username is optional, only email is obligatory.

It's secure

  • Using phpass library for password hashing (instead of unsafe md5).
  • Counting login attempt for bruteforce preventing (optional). Failed login attempts determined by IP and by username.
  • Logging last login IP-address and time (optional).
  • CAPTCHA for registration and repetitive login attempt (optional).
  • Unactivated accounts and forgotten password requests auto-expire.

It's easy to manage

  • Strict MVC model: controller for controlling, views for representation and library as model interface.
  • Language file support.
  • View files contain only necessary HTML code without redundant decoration.
  • Most of the features are optional and can be tuned or switched-off in well-documented config file.

It's full featured

  • Login using username, email address or both (depending on config settings).
  • Registration is instant or after activation by email (optional).
  • "Remember me" option.
  • Forgot password (letting users pick a new password upon reactivation).
  • Change password or email for registered users.
  • Email can be changed even BEFORE account is activated.
  • Ban user (optional).
  • User Profile (optional).
  • CAPTCHA support (CI-native and reCAPTCHA are available).
  • HTML or plain-text emails.

Installing Tank Auth

  1. Download the latest version of the library.
  2. Unzip the package.
  3. Copy the application folder content to your CI application folder.
  4. Copy the captcha folder to your CI folder. Make sure this folder is writable by web server.
  5. Install database schema into your MySQL database.
  6. Open the application/config/config.php file in your CI installation and change $config['sess_use_database'] value to TRUE.

That's it!

Please don't forget to look into config files (tank_auth.php and email.php) if something will go wrong. The library should work perfectly right after installation, but depending on your server condition and your own needs some options would better be changed.

The library in a nutshell

The library uses MVC model, which means that all database-related methods are incapsulated in model files, and the library itself is used as interface to these methods. A controller (auth) dispatches incoming requests, calls the library methods and renders corresponding views (to show in browser or to send as emails). The controller includes the following methods:

  • login: Login user on the site. If login is successful and user account is activated, s/he is redirected to the home page. If account is not activated, then send_again is invoked (see below). In case of login failure user remains on the same page.
  • logout: Logout user.
  • register: Register user on the site. If registration is successful, a new user account is created. If email_activation flag in config-file is set to TRUE, then this account have to be activated by clicking special link sent by email; otherwise it is activated already. Please notice: after registration user remains unauthorised; to authorize login is still required.
  • send_again: Send activation email again, to the same or new email address. This method is invoked every time after non-activated user logins on the site. It may be useful when user didn't receive activation mail sent on registration due to problem with mailbox or a misprint in email address. User may change their email or leave it as is.
  • activate: Activate user account. Normally this method is invoked by clicking a link in activation email. User is verified by user Id and authentication code in the URL.
  • forgot_password: Generate special reset code (to change password) and send it to user. Obviously this method may be used when user has forgotten their password.
  • reset_password: Replace user password (forgotten) with a new one (set by user). The method can be called by clicking on link in mail. User is verified by user Id and authentication code in the URL.
  • change_password: "Normal" password changing (as compared with resetting forgotten password). Can be called only when user is authorized and activated. For higher security user's old password is needed.
  • change_email: Change user's email. Can be called only when user is authorized and activated. For higher security user's password is required. The new email won't be applied until it is activated by clicking a link in a mail sent to this email address.
  • reset_email: Activate new email address and replace user's email with a new one. This method can be called by clicking on link in mail. User is verified by user Id and authentication code in the URL.
  • unregister: Delete user account. Can be called only when user is authorized and activated. For higher security user's password is required.

Since the auth controller does all the management of user account (including login and logout), so it unlikely that you will have to call the most of the library methods directly. But some of them definitely you will:

  • is_logged_in: Check if user authorized on the site.
  • get_user_id: Get user_id if user is authorized on the site, FALSE otherwise.
  • get_username: Get username for authorized user, FALSE otherwise. This method is meaningless if username is not used on registration (in this case it returns an empty string for every user).

Incoming search terms:

Tags: CodeIgniter, Auth, Tank Auth


1 评论 to “PHP开源CMS之MODx”

  1. allankliu 于 2010-03-19 17:30:10 发表: