User Guide | Validation and Security Configuration

The key concept of the flexi auth library is to give the developer a toolbox of functions that they can use to build a user authentication system matching the custom specifications required by their site.

One of the ways the library makes the authentication system customisable is by letting the developer define many of the internal library settings via the library's config file.

Validation and Security Configuration


Help with the Table Configuration


Config Name: The name that flexi auth internally references the config setting by.

Default: The default value set within the config file.

Data Type: The data type that is expected by the config setting.

  • bool : Requires a boolean value set as either '0' (FALSE) or '1' (TRUE).
  • string : Requires a textual value.
  • int : Requires a numeric value. It does not matter whether the value is an integer, float, decimal etc.
  • array : Requires an array.
  • datetime : Requires a datetime value. Typically either a MySQL DATETIME (2000-12-31 12:00:00) or a UNIX timestamp (1234567890).


Config File Location

The config file is located in CodeIgniter's 'config' folder and is named 'flexi_auth.php'.

Password Settings

Define the internal library settings for generating password hashes from salts and for validating passwords, and define how the library should handle forgotten password requests.


Config Name | Data Type | Default | Description

min_password_length | int | 8

Set the minimum required password character length.

valid_password_chars | string | \.\,\-_ a-z0-9

Set which characters are valid for user passwords via a regular expression.

The default allows alpha-numeric characters, dashes, underscores, periods and commas.

static_salt | string | change-me!

Set the static (non-database stored) salt used for password and hash token generation.

Do NOT change this salt once users have started registering accounts, as their passwords will not verify without the original salt.

Change the default static salt to your own random set of characters.

store_database_salt | bool | true

Set whether a salt is stored in the database and then used in conjunction with the static salt for password and hash token generation.

database_salt_length | int | 10

Set the length of a stored database salt (see above).

Note: Only used if $config['security']['store_database_salt'] = TRUE.

expire_forgotten_password | int | 15

Set the expiry time of unused 'Forgotten Password' tokens.

Users will be required to request a new forgotten password token once the old one has expired.

Example: Time set in minutes, 0 = unlimited, 60*24 = 24 hours, 1440 = 24 hours.

Example
// Defining the minimum required characters for the users password.
$config['security']['min_password_length'] = 8;

// Defining which characters are valid for user passwords.
$config['security']['valid_password_chars'] = '\.\,\-_ a-z0-9';

// Defining the static (non-database stored) salt used for password and hash token generation.
$config['security']['static_salt'] = 'change-me!';

// Defining whether a salt is stored in the database and then used for password and hash token generation.
$config['security']['store_database_salt'] = TRUE;

// Defining the length of a stored database salt (See above).
$config['security']['database_salt_length'] = 10;

// Defining the expiry time of unused 'Forgotten Password' tokens.
$config['security']['expire_forgotten_password'] = 15;
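To show how the two password-policy settings above behave on real input, here is an added example that is not part of flexi auth or of the page's own code. It assumes PHP 7 or later, and it assumes that the library uses 'valid_password_chars' as the body of a regular-expression character class (i.e. /^[...]+$/i); the function name check_password_policy is this example's own. Note that the shipped default string also contains a space between the underscore and 'a-z', so spaces are permitted by the default class. The last lines generate a random value to replace the 'change-me!' default for static_salt.

```php
<?php
// Added example (not flexi auth code): validate a candidate password against the
// 'min_password_length' and 'valid_password_chars' settings, then generate a
// random static salt to replace the shipped 'change-me!' default.
//
// ASSUMPTION: the library is assumed to build the pattern /^[<valid_password_chars>]+$/i
// from the config string. Check the library source for the exact pattern it uses.

$config['security']['min_password_length']  = 8;
$config['security']['valid_password_chars'] = '\.\,\-_ a-z0-9';

/**
 * Returns a list of human-readable policy failures. An empty list means the
 * password satisfies both settings. (Hypothetical helper, not a library function.)
 */
function check_password_policy(string $password, array $security): array
{
    $errors = [];

    // The default character class is ASCII-only, so a byte count is a character count.
    if (strlen($password) < $security['min_password_length']) {
        $errors[] = sprintf('Password must be at least %d characters.',
            $security['min_password_length']);
    }

    // Build the character class from the config string (assumed usage, see above).
    $pattern = '/^[' . $security['valid_password_chars'] . ']+$/i';
    if (preg_match($pattern, $password) !== 1) {
        $errors[] = 'Password contains characters outside the permitted set.';
    }

    return $errors;
}

// Constructed sample inputs: one that passes, one too short, one with '@'.
$candidates = ['correct-horse.9', 'short1', 'p@ssword-with-at'];

foreach ($candidates as $candidate) {
    $result = check_password_policy($candidate, $config['security']);
    printf("%-18s -> %s\n", $candidate, $result ? implode(' ', $result) : 'OK');
}

// Generate a random static salt once, paste it into flexi_auth.php, and never
// change it after users have registered (existing password hashes depend on it).
$config['security']['static_salt'] = bin2hex(random_bytes(16));
printf("Generated static salt: %s\n", $config['security']['static_salt']);
```

With the defaults, 'correct-horse.9' reports OK, 'short1' fails only the length check, and 'p@ssword-with-at' is long enough but is rejected because '@' is outside the configured class. Because the regular expression is built by string concatenation, any change to 'valid_password_chars' should be tested this way before deployment: an unescaped ']' or a stray '^' silently changes what the class matches.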

Failed Login Attempt Settings

Define how the library should handle users that have made multiple failed login attempts.


Config Name | Data Type | Default | Description

login_attempt_limit | int | 3

Set a limit to the number of failed login attempts.

Once the limit is passed, the user is blocked from another attempt until the time ban passes (defined by 'login_attempt_time_ban' below).

Additionally/alternatively, a captcha can be set to show once this limit is reached by using the 'ip_login_attempts_exceeded()' library function.

Note: If a user exceeds 3 times the limit set, the resulting time ban is doubled to further slow down attempts.

Example: 0 = unlimited attempts, 3 = 3 attempts.

login_attempt_time_ban | int | 10

If a user has exceeded the failed login attempt limit, set the length of time they must wait before they can attempt to login again.

Note: The time ban is doubled if the failed attempts are 3 times higher than the limit defined via 'login_attempt_limit'.

Example: If 'login_attempt_limit' = 3 and 'login_attempt_time_ban' = 10, then after 3 failed attempts the user must wait 10 seconds between each subsequent attempt, and after 9 consecutive failed attempts the user must wait 20 seconds between each subsequent attempt. Attempts made within the time ban are ignored and are not even checked for validity.

IMPORTANT: It is NOT recommended that this time ban is set for a long period of time (> 5 mins).
Long time bans could be abused by attackers to deny legitimate users access; the ban is designed to SLOW DOWN brute force attackers, not to ban them outright.

Example: Time in seconds, 0 = no time ban, 10 = 10 seconds, 60*3 = 3 minutes.

Example
// Defining a limit to the number of failed login attempts.
$config['security']['login_attempt_limit'] = 3;

// Defining the length of time a user with too many failed login attempts must wait before they can 
// attempt to login again.
$config['security']['login_attempt_time_ban'] = 10;
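The following added example models the time-ban rule documented above (ban after the limit, doubled at three times the limit, attempts inside the ban ignored before credentials are checked). It is an illustration written for this page, not flexi auth's own implementation: the functions login_time_ban and login_attempt_allowed and the $record array are assumptions, and it assumes that an ignored attempt does not reset the clock on the ban.

```php
<?php
// Added example (not flexi auth code): a stand-alone model of the documented
// failed-login time ban, using the default settings from the config above.

$config['security']['login_attempt_limit']    = 3;
$config['security']['login_attempt_time_ban'] = 10;

/**
 * Seconds the client must wait between attempts, given its consecutive
 * failure count. Returns 0 when no ban applies: the limit has not been
 * reached, or either setting is 0 (feature disabled).
 */
function login_time_ban(int $failed_attempts, array $security): int
{
    $limit = $security['login_attempt_limit'];
    $ban   = $security['login_attempt_time_ban'];

    if ($limit === 0 || $ban === 0 || $failed_attempts < $limit) {
        return 0;
    }
    // Doubled once failures reach three times the limit (9 with the defaults).
    return ($failed_attempts >= 3 * $limit) ? 2 * $ban : $ban;
}

/**
 * Gate to run before the submitted credentials are looked at. $record holds
 * the client's consecutive failure count and the timestamp of its last
 * counted attempt (assumed storage shape for this example).
 */
function login_attempt_allowed(array $record, array $security, int $now): bool
{
    $wait = login_time_ban($record['failed_attempts'], $security);
    return $wait === 0 || ($now - $record['last_attempt']) >= $wait;
}

// Constructed walk-through: twelve attempts, all with wrong credentials,
// submitted 10 seconds apart starting at t=1000.
$record = ['failed_attempts' => 0, 'last_attempt' => 0];
$t = 1000;
for ($i = 1; $i <= 12; $i++) {
    $wait    = login_time_ban($record['failed_attempts'], $config['security']);
    $allowed = login_attempt_allowed($record, $config['security'], $t);
    printf("t=%d attempt %2d (failures so far %2d, wait %2ds): %s\n",
        $t, $i, $record['failed_attempts'], $wait,
        $allowed ? 'credentials checked, failed' : 'ignored during ban');
    if ($allowed) {
        // Only attempts that were actually checked count as failures.
        $record['failed_attempts']++;
        $record['last_attempt'] = $t;
    }
    $t += 10;
}
```

In this walk-through attempts 1 to 9 are all checked, because the 10-second spacing exactly satisfies the 10-second ban that starts after the third failure. After the ninth failure the ban doubles to 20 seconds, so attempt 10 (10 seconds later) is ignored without touching the credentials and attempt 11 is the next one checked. Because the gate runs before any credential lookup, it also bounds the database and hashing work an attacker can force; keeping the ban short, as the IMPORTANT note above says, is what stops the same mechanism from being turned against legitimate users.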

Google reCAPTCHA Settings

Google reCAPTCHA can be used to help slow down brute force login attempts, requiring the user to complete the CAPTCHA before their login details will be submitted.


Config Name | Data Type | Default | Description

recaptcha_public_key | string | -

Set your own unique 'recaptcha_public_key' reCAPTCHA API key.

recaptcha_private_key | string | -

Set your own unique 'recaptcha_private_key' reCAPTCHA API key.

recaptcha_theme | string | white

Set the theme of the reCAPTCHA.

For custom theming, see https://developers.google.com/recaptcha/docs/customization

recaptcha_language | string | en

Set the language of the reCAPTCHA.
Example
// Defining your unique Google reCAPTCHA api keys.
// Obtain your keys from http://www.google.com/recaptcha
$config['security']['recaptcha_public_key'] = 'ENTER_RECAPTCHA_PUBLIC_KEY_HERE';
$config['security']['recaptcha_private_key'] = 'ENTER_RECAPTCHA_PRIVATE_KEY_HERE';

// Defining the theme of the reCAPTCHA.
// See https://developers.google.com/recaptcha/docs/customization
// Predefined themes: 'red', 'white', 'blackglass', 'clean'. Set 'custom' for custom themes.
$config['security']['recaptcha_theme'] = 'white';

// Defining the language of the reCAPTCHA.
// Supported languages: English 'en',  Dutch 'nl',  French 'fr',  German 'de',
// Portuguese 'pt', Russian 'ru', Spanish 'es', Turkish 'tr'.
$config['security']['recaptcha_language'] = 'en';