Validation and Security Configuration
Help with the Table Configuration
Config Name: The name that flexi auth internally references the config setting by.
Default: The default value set within the config file.
Data Type: The data type that is expected by the config setting.
- bool : Requires a boolean value set as either '0' (FALSE) or '1' (TRUE).
- string : Requires a textual value.
- int : Requires a numeric value. It does not matter whether the value is an integer, float, decimal, etc.
- array : Requires an array.
- datetime : Requires a datetime value, typically either a MySQL DATETIME (2000-12-31 12:00:00) or a UNIX timestamp (1234567890).
Config File Location
The config file is located in CodeIgniter's 'config' folder and is named 'flexi_auth.php'.
Password Settings
Define the internal library settings for generating password hashes from salts, for password validation, and for how the library should handle forgotten password requests.
Config Name | Data Type | Default | Description
--- | --- | --- | ---
min_password_length | int | 8 | Set the minimum required password character length.
valid_password_chars | string | \.\,\-_ a-z0-9 | Set which characters are valid for user passwords via a regular expression. The default allows alpha-numeric, dashes, underscores, periods and commas.
static_salt | string | change-me! | Set the static (non-database stored) salt used for password and hash token generation. Do NOT change this salt once users have started registering accounts, as their passwords will not work without the original salt. Change the default static salt to your own random set of characters.
store_database_salt | bool | true | Set whether a salt is stored in the database and then used in conjunction with the static salt for password and hash token generation.
database_salt_length | int | 10 | Set the length of a stored database salt (see above). Note: only used if $config['security']['store_database_salt'] = true.
expire_forgotten_password | int | 15 | Set the expiry time of unused 'Forgotten Password' tokens. Users will be required to request a new forgotten password token once expired. Example: time set in minutes, 0 = unlimited, 60*24 = 24 hours, 1440 = 24 hours.
Example
$config['security']['min_password_length'] = 8;
$config['security']['valid_password_chars'] = '\.\,\-_ a-z0-9';
$config['security']['static_salt'] = 'change-me!';
$config['security']['store_database_salt'] = TRUE;
$config['security']['database_salt_length'] = 10;
$config['security']['expire_forgotten_password'] = 15;
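The two password settings above applied to a few candidate passwords, as an added example that is not flexi auth's own code. It assumes the library drops 'valid_password_chars' into a character class anchored to the whole string and matched case-insensitively; both the anchoring and the /i flag are assumptions, not something the table states.

```php
<?php
// Added example, not flexi auth code: checks candidates against
// min_password_length and valid_password_chars from the config above.
$config['security']['min_password_length'] = 8;
$config['security']['valid_password_chars'] = '\.\,\-_ a-z0-9';

// Return the list of policy violations; an empty list means the password passes.
function password_policy_errors(string $password, array $security): array
{
    $errors = [];
    if (strlen($password) < $security['min_password_length']) {
        $errors[] = 'shorter than ' . $security['min_password_length'] . ' characters';
    }
    // Assumption: the config string is the body of a character class. It must
    // be anchored with ^ and $; without anchors, one allowed character anywhere
    // in the password would be enough for preg_match() to succeed.
    $pattern = '/^[' . $security['valid_password_chars'] . ']+$/i';
    if (preg_match($pattern, $password) !== 1) {
        $errors[] = 'contains characters outside the allowed set';
    }
    return $errors;
}

// Constructed candidates: too short, compliant, and using disallowed symbols.
foreach (['short1', 'correct-horse.battery', 'p@ssw0rd!!'] as $candidate) {
    $errors = password_policy_errors($candidate, $config['security']);
    printf("%-24s %s\n", $candidate, $errors ? implode('; ', $errors) : 'ok');
}
```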
Failed Login Attempt Settings
Define how the library should handle users that have made multiple failed login attempts.
Config Name | Data Type | Default | Description
--- | --- | --- | ---
login_attempt_limit | int | 3 | Set a limit to the number of failed login attempts. Once the limit is passed, the user is blocked from another attempt until the time ban passes (defined by 'login_attempt_time_ban' below). Additionally or alternatively, a CAPTCHA can be shown once this limit is reached by using the 'ip_login_attempts_exceeded()' library function. Note: if a user exceeds 3 times the limit set, the resulting time ban is doubled to further slow down attempts. Example: 0 = unlimited attempts, 3 = 3 attempts.
login_attempt_time_ban | int | 10 | If a user has exceeded the failed login attempt limit, set the length of time they must wait before they can attempt to log in again. Note: the time ban is doubled if the failed attempts are 3 times higher than the limit defined via 'login_attempt_limit'. Example: if 'login_attempt_limit' = 3 and 'login_attempt_time_ban' = 10, then after 3 failed attempts the user must wait 10 seconds between each subsequent attempt, and after 9 consecutive failed attempts the user must wait 20 seconds between each subsequent attempt. Attempts within the time ban are ignored and are not even checked for validity. IMPORTANT: it is NOT recommended that this time ban is set for a long period of time (> 5 mins). Long time bans could be abused by attackers to deny legitimate users access; it is designed to SLOW DOWN brute force attackers, not outright ban them. Example: time in seconds, 0 = no time ban, 10 = 10 seconds, 60*3 = 3 minutes.
Example
$config['security']['login_attempt_limit'] = 3;
$config['security']['login_attempt_time_ban'] = 10;
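The throttle these two settings describe, as an added example that is not flexi auth's code: it models the time ban and its doubling at 3 times the limit over a constructed log of wrong-password attempts, keeping the failure counter in a plain array (an assumption) where the library uses its own database tables.

```php
<?php
// Added example, not flexi auth code: models the failed-login throttle.
// The counter and last-failure time live in an array here (assumption).
$config['security']['login_attempt_limit'] = 3;
$config['security']['login_attempt_time_ban'] = 10; // seconds

// Seconds the caller must wait after $failed consecutive failures:
// 0 below the limit, the ban once reached, twice the ban at 3x the limit.
function required_wait(int $failed, array $security): int
{
    $limit = $security['login_attempt_limit'];
    if ($limit === 0 || $failed < $limit) {
        return 0; // 0 = unlimited attempts, or the limit is not yet reached
    }
    $ban = $security['login_attempt_time_ban'];
    return ($failed >= 3 * $limit) ? 2 * $ban : $ban;
}

// True if the credentials should be checked at all; attempts inside the
// ban window are ignored without validating the password.
function attempt_allowed(array $record, int $now, array $security): bool
{
    $wait = required_wait($record['failed'], $security);
    return $wait === 0 || ($now - $record['last']) >= $wait;
}

// Constructed log: 14 wrong-password attempts, one every 10 seconds.
$record = ['failed' => 0, 'last' => 0];
$now = 1700000000; // constructed clock
for ($i = 1; $i <= 14; $i++) {
    $now += 10;
    if (!attempt_allowed($record, $now, $config['security'])) {
        printf("attempt %2d: ignored, %ds ban still running\n",
            $i, required_wait($record['failed'], $config['security']));
        continue;
    }
    $record['failed']++;      // every constructed attempt uses a wrong password
    $record['last'] = $now;
    printf("attempt %2d: checked and failed (%d consecutive failures)\n",
        $i, $record['failed']);
}
// Attempts 1-9 are checked because the 10s spacing satisfies the 10s ban;
// from the ninth failure the ban is 20s, so every other attempt is ignored.
```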
Google reCAPTCHA Settings
Google reCAPTCHA can be used to help slow down brute force login attempts by requiring the user to complete the CAPTCHA before their login details will be submitted.
Config Name | Data Type | Default | Description
--- | --- | --- | ---
recaptcha_public_key | string | - | Set your own unique reCAPTCHA public API key.
recaptcha_private_key | string | - | Set your own unique reCAPTCHA private API key.
recaptcha_theme | string | white | Set the theme of the reCAPTCHA. For custom theming, see https://developers.google.com/recaptcha/docs/customization
recaptcha_language | string | en | Set the language of the reCAPTCHA.
Example
$config['security']['recaptcha_public_key'] = 'ENTER_RECAPTCHA_PUBLIC_KEY_HERE';
$config['security']['recaptcha_private_key'] = 'ENTER_RECAPTCHA_PRIVATE_KEY_HERE';
$config['security']['recaptcha_theme'] = 'white';
$config['security']['recaptcha_language'] = 'en';