Saturday, March 06, 2010

Authentication for CodeIgniter done right

Got a good piece of information from Stack Overflow, by Jens Roland:

http://stackoverflow.com/questions/346980/what-code-igniter-authentication-library-is-best

Just republishing it...
Disclaimer: none of the golden words below are written by me.


Authentication for CodeIgniter done right

Here's my MINIMAL required list of features from an authentication library. It also happens to be a subset of my own library's feature list ;)

1. Tiny footprint with optional test implementation
2. Full documentation
3. No autoloading required. Just-in-time loading of libraries for performance
4. Language file support; no hard-coded strings
5. reCAPTCHA supported but optional
6. Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
8. Login using either username or email
9. Separation of user and profile data
10. Emails for activation and lost passwords
11. Automatic cookie login feature
12. Configurable phpass for hashing (properly salted of course!)
13. Hashing of passwords
14. Hashing of autologin codes
15. Hashing of lost password codes
16. Hooks into CI's validation system
17. NO security questions!
18. Enforced strong password policy server-side, with optional client-side (JavaScript) validator
19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasures against both dictionary and DoS attacks!
20. All database access done through prepared (bound) statements!

Note: those last few points are not super-high-security overkill that you don't need for your web application. If an authentication library doesn't meet these security standards 100%, DO NOT USE IT!

Recent high-profile examples of irresponsible coders who left them out of their software: #17 is how Sarah Palin's AOL email was hacked during the Presidential campaign; a nasty combination of #18 and #19 was the culprit recently when the Twitter accounts of Britney Spears, Barack Obama, Fox News and others were hacked; and #20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70,000 Korean web sites in one automated hack in 2008.

These attacks are not brain surgery. If you leave your back doors wide open, you shouldn't delude yourself into a false sense of security by bolting the front. Moreover, if you're serious enough about coding to choose a best-practices framework like CodeIgniter, you owe it to yourself to at least get the most basic security measures done right.
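To make points 12 through 15, 18, 19 and 20 of the list above concrete, here is an added example in plain PHP. It is not code from Jens Roland's answer or from any CodeIgniter library; it assumes PHP 7 or later with the pdo_sqlite extension, uses an in-memory SQLite database so it runs stand-alone, and substitutes PHP's built-in `password_hash()` (bcrypt) for phpass as the salted, slow password hash. The constants `MAX_FAILED` and `LOCK_SECONDS` and every function name are choices made for this example.

```php
<?php
// Added example (not from the original answer). Assumes PHP 7+ with pdo_sqlite.
// password_hash() stands in for phpass: it generates a random salt per password
// and uses a deliberately slow hash (points 12 and 13).

const MAX_FAILED  = 5;    // point 19: failures allowed before a temporary lock...
const LOCK_SECONDS = 900; // ...that expires, so an attacker cannot lock a user out forever

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password_hash TEXT NOT NULL,
        autologin_hash TEXT,
        failed_logins INTEGER NOT NULL DEFAULT 0,
        locked_until INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Point 18, server side: the policy is enforced here regardless of any JS validator.
function password_is_strong(string $pw): bool {
    return strlen($pw) >= 12
        && preg_match('/[A-Z]/', $pw) && preg_match('/[a-z]/', $pw) && preg_match('/\d/', $pw);
}

function register(PDO $db, string $username, string $password): bool {
    if (!password_is_strong($password)) {
        return false;
    }
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
    // Point 20: every query uses bound parameters; no string concatenation of user input.
    $stmt = $db->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
    return true;
}

// Point 19: a per-account failure counter with a bounded lockout window.
function login(PDO $db, string $username, string $password, int $now): bool {
    $stmt = $db->prepare('SELECT * FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($user === false) {
        // Verify against a real dummy hash so an unknown username costs the same
        // time as a wrong password and cannot be enumerated by response time.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('dummy-password', PASSWORD_BCRYPT, ['cost' => 12]);
        password_verify($password, $dummy);
        return false;
    }
    if ((int)$user['locked_until'] > $now) {
        return false; // locked: do not even evaluate the password
    }
    if (!password_verify($password, $user['password_hash'])) {
        $failed = (int)$user['failed_logins'] + 1;
        $lock   = $failed >= MAX_FAILED;
        $stmt = $db->prepare('UPDATE users SET failed_logins = :f, locked_until = :l WHERE id = :id');
        $stmt->execute([
            ':f'  => $lock ? 0 : $failed,            // counter restarts after a lock
            ':l'  => $lock ? $now + LOCK_SECONDS : 0,
            ':id' => $user['id'],
        ]);
        return false;
    }
    $db->prepare('UPDATE users SET failed_logins = 0, locked_until = 0 WHERE id = :id')
       ->execute([':id' => $user['id']]);
    return true;
}

// Points 11 and 14: the cookie carries a random token; the database stores only its hash,
// so a leaked users table does not hand out working autologin cookies. Lost-password
// codes (point 15) follow exactly the same pattern with an expiry timestamp added.
function issue_autologin(PDO $db, int $userId): string {
    $token = bin2hex(random_bytes(32));
    $db->prepare('UPDATE users SET autologin_hash = :h WHERE id = :id')
       ->execute([':h' => hash('sha256', $token), ':id' => $userId]);
    return $token; // this raw value goes into the cookie and nowhere else
}

function login_from_cookie(PDO $db, string $token): ?int {
    $stmt = $db->prepare('SELECT id FROM users WHERE autologin_hash = :h');
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int)$row['id'];
}

// Usage with constructed data: weak password rejected, lockout after MAX_FAILED failures,
// correct password refused while locked, accepted once the window has passed.
$db = open_db();
var_dump(register($db, 'alice', 'short'));                 // false: fails the policy
var_dump(register($db, 'alice', 'Correct-Horse-Battery-9'));// true
for ($i = 0; $i < MAX_FAILED; $i++) {
    login($db, 'alice', 'wrong', 1000);
}
var_dump(login($db, 'alice', 'Correct-Horse-Battery-9', 1001));                // false: locked
var_dump(login($db, 'alice', 'Correct-Horse-Battery-9', 1000 + LOCK_SECONDS)); // true
$cookie = issue_autologin($db, 1);
var_dump(login_from_cookie($db, $cookie) === 1);           // true
var_dump(login_from_cookie($db, 'not-the-token'));         // NULL
```

Two design choices worth noting: the lockout is per account and time-bounded rather than permanent, which is the compromise point 19 alludes to between stopping dictionary attacks and not letting an attacker lock legitimate users out at will; and the autologin lookup is done by the hash of a 256-bit random token, so neither the cookie value nor the password hash ever has to leave the server in reusable form.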
