Features of flexi auth

flexi auth is a free user authentication (User login) library for use with the CodeIgniter 2.0+ framework.

The flexi auth library started out as a modified version of the popular Ion Auth library. As feature after feature was added, the code base grew into a new library in its own right.

Below is a compiled list of the core features included within the flexi auth library.

The Feature List

Flexibility and Customisation

The features in flexi auth are designed to be modularised, so that you can use bits and pieces of different features without needing to setup other features that are not required.

If you want a login system that requires users to activate their account via an email, but also grants them a 30 minute access period immediately upon registration, just use and define the functions and settings you need.

If the default session/table names clash with your existing setup, or simply don't match your coding conventions, then change them via a single setting in the library's config file.

The idea of flexi auth is to let you build the site the way you want it built, rather than being confined to a single design flow.

Database Structure
  • All tables and column names are renamable via just one config file setting to match whatever name coding convention you prefer.
  • The library consists of only 5 tables to provide every feature within flexi auth.
  • Unlimited additional custom tables can be added and related to the core library tables, allowing you to capture whatever data you require.
  • The 5 core library tables can be modified with the addition of new columns that can then be managed via library functions.
  • The data type for storing dates and times within the database can be defined via the config file.
  • Functions that modify multiple rows of data across multiple tables use SQL transactions, so that if an error interrupts a function halfway through, any changes it has already made are rolled back.
User Management
  • Users can be assigned user groups and privileges that allow/restrict them from performing custom actions throughout the site.
  • If a user updates their email address, library functions can require that the new address be validated, by the user clicking a link sent to that address, before it is activated.

    This prevents a misspelt email address from being saved and locking the user out of future logins.

  • Users can be primarily identified within the library via either their email address or a unique username.
  • The library includes a user search function that looks for a match in the user table columns defined via the library's config file.
  • Users can be suspended from logging in to their account, without deleting any of their records or data.
  • Users can be prevented from logging in to their account until after a defined date and time.
  • The dates and times of account creation and of login attempts are automatically managed by library functions.
  • Users can change their password without being logged out.
User Registration
  • The minimum required length and valid characters of a password can be defined using a regular expression (Regex) set via the config file.
  • Upon registration, new user accounts can be either automatically activated, sent an account activation email or suspended pending review by an admin.
  • Newly registered users that are sent an account activation email can be given temporary instant login access for a defined period of time. Once the time period has elapsed, the user must activate their account before they can log in again.
  • Allow users to log in instantly on registration, but require them to activate their account before a defined time, otherwise they will be unable to log in.
  • If the library is set up to require users to set a username, a config setting can be defined to suffix an auto-incremented number to any duplicate username rather than warning the user that the username already exists.
  • Account activation emails can be easily resent to users who have not received or deleted the original sent to them upon registration.
User Login Methods
  • The login method is compatible with logging in users via either their email address, username, or via both.
  • The login method includes a simple out-of-the-box 'Remember me' feature: passing a boolean parameter remembers the user's login credentials upon a successful login.
CAPTCHAs

flexi auth includes two different CAPTCHA functions, the popular Google reCAPTCHA and a basic math based question and answer CAPTCHA.

Using reCAPTCHA requires each site to apply for a free API key from Google before the reCAPTCHA can be deployed.
The math based Q&A CAPTCHA is custom to the flexi auth library and asks simple addition and subtraction questions.

The CAPTCHAs would typically be used during registration or login, but implementation of them is completely optional.
The library further includes functions that can be used to decide when to deploy the CAPTCHA, based on IP addresses from which numerous failed login attempts have been made.
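
The tracking such a decision rests on, as an added example that is not flexi auth's own code: an in-memory tracker that records failed logins per IP address and per account, requires a CAPTCHA once an address crosses a threshold within a time window, and (going slightly beyond this paragraph, to the temporary ban the Password Security section below describes) bans an account for a short period after too many failures. The thresholds, windows, array-backed storage, sample addresses and PHP 8 syntax are all assumptions made for illustration.

```php
<?php
// Added example, not flexi auth's own code: tracks failed logins per IP address
// and per account, decides when a CAPTCHA is needed and when an account is
// temporarily banned. Thresholds, windows and the array-backed store are
// assumptions for illustration; a real deployment would persist this state.

final class LoginAttemptTracker
{
    /** @var array<string, int[]> ip => failure timestamps */
    private array $ipFailures = [];
    /** @var array<string, int[]> identity => failure timestamps */
    private array $userFailures = [];

    public function __construct(
        private int $captchaThreshold = 3,  // failures from one IP before a CAPTCHA is required
        private int $ipWindow = 900,        // only IP failures within the last 15 minutes count
        private int $banThreshold = 5,      // failures on one account before a temporary ban
        private int $banSeconds = 300       // length of the ban, measured from the last failure
    ) {}

    public function recordFailure(string $ip, string $identity, int $now): void
    {
        $this->ipFailures[$ip][] = $now;
        $this->userFailures[$identity][] = $now;
    }

    public function recordSuccess(string $identity): void
    {
        // A correct password clears the account counter. The IP history is kept
        // deliberately: an address cycling through many accounts still gets the CAPTCHA.
        unset($this->userFailures[$identity]);
    }

    public function captchaRequired(string $ip, int $now): bool
    {
        $recent = $this->recentCount($this->ipFailures[$ip] ?? [], $now, $this->ipWindow);
        return $recent >= $this->captchaThreshold;
    }

    /** Seconds left on a temporary ban, or 0 when the account may attempt to log in. */
    public function banRemaining(string $identity, int $now): int
    {
        $stamps = $this->userFailures[$identity] ?? [];
        if ($this->recentCount($stamps, $now, $this->banSeconds) < $this->banThreshold) {
            return 0;
        }
        return max(0, max($stamps) + $this->banSeconds - $now);
    }

    private function recentCount(array $stamps, int $now, int $window): int
    {
        return count(array_filter($stamps, fn (int $t): bool => $now - $t <= $window));
    }
}

// Constructed scenario (RFC 5737 documentation addresses, made-up account names).
$tracker = new LoginAttemptTracker();
$t = 1_700_000_000;
$tracker->recordFailure('203.0.113.7', 'alice', $t);
$tracker->recordFailure('203.0.113.7', 'alice', $t + 10);
$tracker->recordFailure('203.0.113.7', 'bob', $t + 20);

// Three failures from one address within the window: the login form should now
// carry a CAPTCHA, even though neither account has reached the ban threshold.
var_dump($tracker->captchaRequired('203.0.113.7', $t + 30));
var_dump($tracker->banRemaining('alice', $t + 30));

// Three more failures on alice from a second address take her to five within
// five minutes, so she is banned until banSeconds after the last failure.
foreach ([40, 41, 42] as $offset) {
    $tracker->recordFailure('198.51.100.9', 'alice', $t + $offset);
}
var_dump($tracker->banRemaining('alice', $t + 50));
var_dump($tracker->captchaRequired('198.51.100.9', $t + 50));
```

Keeping the two counters separate is the point: the per-IP counter catches one address working through many accounts, the per-account counter catches many addresses working on one account, and a correct password only clears the latter.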

Forgotten Passwords
  • Forgotten passwords can either be reset by generating a new random password and emailing it to the user, or by allowing the user to manually reset the password after clicking a verification link that is emailed to them.
  • If a verification email is sent to a user that has forgotten their password, the verification token can be set to expire after a defined time limit.
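
The verification token these links depend on (the same shape serves the activation and email-change links described earlier), as an added example that is not flexi auth's own code: an issuer that stores only a hash of the emailed secret, refuses it after a configurable lifetime, and consumes it on first successful use. The lifetime, the array-backed store, the sample user ids and the PHP 8 syntax are assumptions made for illustration.

```php
<?php
// Added example, not flexi auth's own code: time-limited, single-use verification
// tokens of the kind embedded in activation, email-change and password-reset links.
// Only a SHA-256 of the secret is stored, so a copy of the table does not yield
// working links. The lifetime and array-backed store are assumptions for illustration.

final class VerificationTokens
{
    /** @var array<string, array{hash: string, expires: int}> keyed by user id */
    private array $store = [];

    public function __construct(private int $lifetime = 3600) {}

    /** Creates a token for $userId and returns the secret to put in the emailed link. */
    public function issue(string $userId, int $now): string
    {
        $secret = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
        $this->store[$userId] = [
            'hash'    => hash('sha256', $secret),     // the raw secret is never stored
            'expires' => $now + $this->lifetime,
        ];
        return $secret;
    }

    /** True exactly once, for the right secret presented before expiry. */
    public function redeem(string $userId, string $presented, int $now): bool
    {
        $record = $this->store[$userId] ?? null;
        if ($record === null) {
            return false;                             // nothing outstanding for this user
        }
        if ($now > $record['expires']) {
            unset($this->store[$userId]);             // expired links are dropped, not extended
            return false;
        }
        // hash_equals compares in constant time, so the check does not leak
        // how many leading bytes of a guess were correct.
        if (!hash_equals($record['hash'], hash('sha256', $presented))) {
            return false;
        }
        unset($this->store[$userId]);                 // single use: a replay of the same link fails
        return true;
    }
}

// Constructed scenario: 15 minute reset links for two made-up user ids.
$tokens = new VerificationTokens(lifetime: 900);
$now = time();

$link = $tokens->issue('user-42', $now);
$firstUse  = $tokens->redeem('user-42', $link, $now + 60);    // within the window
$secondUse = $tokens->redeem('user-42', $link, $now + 61);    // replay of a consumed link
$wrongUser = $tokens->redeem('user-43', $link, $now + 62);    // no token outstanding for this user

$lateLink = $tokens->issue('user-43', $now);
$expired  = $tokens->redeem('user-43', $lateLink, $now + 901); // one second past the lifetime

var_dump($firstUse, $secondUse, $wrongUser, $expired);
```

A wrong guess does not consume the record, because a 256-bit secret cannot realistically be guessed and burning it on failure would let anyone who knows a user's id cancel that user's reset link; expiry and the attempt tracking from the CAPTCHA section are the right controls for guessing.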
Password Security
  • All passwords are hashed via the popular password hashing library PHPASS.
  • The library additionally allows two password salts to be defined: a static salt defined via the library's config file, and a unique database salt assigned to each user within the database.
  • All failed login attempts are tracked per user; if a user fails a defined number of attempts, an option is available to impose a short time-limited ban before the user can attempt to log in again.
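
The two-salt arrangement in practice, as an added example that is neither flexi auth's code nor PHPASS: PHP's built-in bcrypt via password_hash() stands in for the PHPASS hasher, the static salt is read from configuration and the per-user salt is stored beside the user's row. The config value, the HMAC pre-hashing step used to combine the inputs, and the PHP 8 syntax are assumptions made for illustration.

```php
<?php
// Added example, not flexi auth's own code and not PHPASS: a static salt from
// configuration plus a per-user salt stored in the database, combined and then
// hashed with bcrypt (password_hash). The config value and the pre-hash step
// are assumptions for illustration.

final class PasswordHasher
{
    public function __construct(private string $staticSalt) {}

    /** A fresh per-user salt to store beside the user's row when the account is created. */
    public function newUserSalt(): string
    {
        return bin2hex(random_bytes(16));
    }

    /**
     * Pre-hash with an HMAC keyed by the static salt, then bcrypt. The pre-hash
     * keeps bcrypt's input at a fixed 64 hex characters, so no part of a long
     * password or salt can fall past bcrypt's 72-byte input limit.
     */
    public function hash(string $password, string $userSalt): string
    {
        $material = hash_hmac('sha256', $password . $userSalt, $this->staticSalt);
        return password_hash($material, PASSWORD_BCRYPT, ['cost' => 12]);
    }

    public function verify(string $password, string $userSalt, string $storedHash): bool
    {
        $material = hash_hmac('sha256', $password . $userSalt, $this->staticSalt);
        return password_verify($material, $storedHash);   // constant-time comparison inside PHP
    }
}

// Constructed scenario: the same password for two users yields unrelated hashes,
// and a database verified against the wrong static salt (say, a table copied to
// another install whose config differs) does not verify at all.
$hasher = new PasswordHasher(staticSalt: 'example-static-salt-from-config');   // assumed config value
$saltA = $hasher->newUserSalt();
$saltB = $hasher->newUserSalt();
$hashA = $hasher->hash('correct horse battery staple', $saltA);
$hashB = $hasher->hash('correct horse battery staple', $saltB);

var_dump($hashA !== $hashB);                                                  // same password, different rows
var_dump($hasher->verify('correct horse battery staple', $saltA, $hashA));    // right password, right salt
var_dump($hasher->verify('correct horse battery staple', $saltB, $hashA));    // another user's salt
$otherInstall = new PasswordHasher(staticSalt: 'different-static-salt');
var_dump($otherInstall->verify('correct horse battery staple', $saltA, $hashA)); // wrong static salt
```

bcrypt already embeds a random salt in every hash it produces, so the per-user database salt duplicates protection the algorithm provides on its own. The static salt is the part bcrypt does not give you: it lives outside the database, so a dumped user table cannot be attacked offline without also obtaining the config file.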
General Security
  • The library's login feature is based on a technique put forward in two articles, by Charles Miller and Barry Jaspan:
    Charles Miller's 'Best Practices' article.
    Barry Jaspan's Improved Best Practices.
  • The login tokens outlined in the above articles are saved in a cookie that can be encrypted using CodeIgniter's config settings.
  • A config setting can be defined to destroy a user's login session when they close their browser.
    Alternatively, a time limit can be defined within which the user can revisit the site using the same login credentials.
  • A config setting can be defined to instruct the library to automatically validate, on every page load, that a user's login credentials are still valid.

    If a user is logged into the same account on multiple computers and chooses to log out of all sessions from one of them, the user on the other computer will not be able to continue browsing the site until they log in again.

    Additionally, if an administrator were to suspend an account whilst the user was on the site, the user's credentials would be removed the next time they refreshed the page.

  • When a user logs into their account, they are issued with a login expiry time. If required, this expiry time can be extended upon every page load.
  • Upon every login attempt, the user's IP address is recorded for both successful and failed login attempts. This data can then be used to deploy additional security measures such as CAPTCHAs.
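
The token handling those two articles describe, as an added example that is not flexi auth's own code: a persistent-login cookie carrying a series identifier and a one-time token, where every successful use rotates the token within its series, and a valid series presented with a stale token is treated as a stolen cookie, revoking every remembered session for that account. The array-backed store, the colon-separated cookie format, the sample user id and the PHP 8 syntax are assumptions made for illustration; in CodeIgniter the cookie value would additionally pass through the encryption mentioned above.

```php
<?php
// Added example, not flexi auth's own code: the persistent-login scheme from the
// Charles Miller and Barry Jaspan articles. The cookie holds user:series:token;
// each use rotates the token within the series, and a live series with a wrong
// token means a second copy of the cookie exists, so all remembered sessions for
// the user are revoked. Store and cookie format are assumptions for illustration.

final class PersistentLogin
{
    /** @var array<string, array<string, string>> userId => [series => sha256(token)] */
    private array $store = [];

    /** Called after a successful password login with "remember me" ticked. Returns the cookie value. */
    public function issue(string $userId): string
    {
        // User ids are assumed not to contain ':' so the cookie splits unambiguously.
        $series = bin2hex(random_bytes(16));
        $token  = bin2hex(random_bytes(16));
        $this->store[$userId][$series] = hash('sha256', $token);
        return implode(':', [$userId, $series, $token]);
    }

    /**
     * Validates a presented cookie. Returns ['user' => id, 'cookie' => rotated value]
     * on success, or null when the cookie is unknown, malformed, or flagged as stolen.
     */
    public function redeem(string $cookie): ?array
    {
        $parts = explode(':', $cookie);
        if (count($parts) !== 3) {
            return null;                                   // malformed: ignore it
        }
        [$userId, $series, $token] = $parts;
        $known = $this->store[$userId][$series] ?? null;
        if ($known === null) {
            return null;                                   // unknown user or series: ignore it
        }
        if (!hash_equals($known, hash('sha256', $token))) {
            // Live series, stale token: this cookie has already been used once, by
            // someone. Following Jaspan, drop every remembered session for the user
            // and fall back to asking for the password.
            unset($this->store[$userId]);
            return null;
        }
        // Success: rotate the token but keep the series, so the next use can be checked the same way.
        $fresh = bin2hex(random_bytes(16));
        $this->store[$userId][$series] = hash('sha256', $fresh);
        return ['user' => $userId, 'cookie' => implode(':', [$userId, $series, $fresh])];
    }

    public function rememberedSessions(string $userId): int
    {
        return count($this->store[$userId] ?? []);
    }
}

// Constructed scenario: the user's browser and a second copy of the same cookie.
$login  = new PersistentLogin();
$cookie = $login->issue('user-42');
$copy   = $cookie;                                   // a duplicate that left the user's machine

$browser = $login->redeem($cookie);                  // legitimate use rotates the token
var_dump($browser !== null && $browser['cookie'] !== $cookie);

$second = $login->redeem($copy);                     // the stale copy trips the check
var_dump($second === null);
var_dump($login->rememberedSessions('user-42'));     // no remembered sessions remain for the user
```

The scheme detects theft rather than preventing it: whichever copy of the cookie is presented first succeeds and rotates the token, and the other copy then fails the token check. That is why the response to a mismatch is to clear all of the user's remembered sessions and require a password, not merely to reject the one cookie, and why the login tracking above should record the event.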
Miscellaneous
  • The library includes fully customisable email templates for account activation, forgotten password, new password and validate updated email.
  • Multilingual and customisable status and error messages.
Two Different Purpose Libraries

It's likely that the majority of pages on your site will not require the complete functionality of the flexi auth library, so loading all of it on every page would waste memory on parts of the library that are never used.

To solve this, the functionality of flexi auth is split into two different libraries, each with a different intended purpose.

  • The 'lite library' is primarily used for three purposes: validating a user's login credentials and permissions, getting a user's account data, and managing status and error messages.

    These are core features that are most likely to be required on most pages throughout your site, therefore the 'lite library' is designed to be small enough to include on all pages.

  • The 'standard library' is used for functions that tend to have a single purpose, such as user login, deploying CAPTCHAs and sending forgotten password emails.

    These features are likely to only be required by specific pages, and so the library should only be included when needed.

    Note: When including the 'standard library', it extends the 'lite library', so all features within both libraries are then available.

What's Not Included

Whilst flexi auth offers a solid base of features for a fully fledged user authentication system, here is a list of some of the more notable features that are not included within the library.

Third Party API Logins

The flexi auth library does not include any features to log in via a third party API such as Facebook, Twitter or OpenID.