Update (May 14, 2010):

更新（2010 年 5 月 14 日）：

It turns out, the russian developer Ilya Konyukhov picked up the gauntlet after reading this and created a new auth library for CI based on DX Auth, following the recommendations and requirements below.

事实证明，俄罗斯开发人员 Ilya Konyukhov 在阅读本文后接受了挑战，并按照以下建议和要求为基于 DX Auth 的 CI 创建了一个新的身份验证库。

And the resulting Tank Authis looking like the answer to the OP's question. I'm going to go out on a limb here and call Tank Auth the best authentication library for CodeIgniter available today. It's a rock-solid library that has all the features you need and none of the bloat you don't:

由此产生的Tank Auth看起来像是 OP 问题的答案。我打算在这里尝试一下，将 Tank Auth 称为当今可用的 CodeIgniter 的最佳身份验证库。这是一个坚如磐石的库，具有您需要的所有功能，并且没有您不需要的臃肿：

Tank Auth

坦克认证

Pros

• Full featured
• Lean footprint (20 files) considering the feature set
• Very good documentation
• Simple and elegant database design (just 4 DB tables)
• Most features are optional and easily configured
• Language file support
• reCAPTCHA supported
• Hooks into CI's validation system
• Activation emails
• Login with email, username or both (configurable)
• Unactivated accounts auto-expire
• Simple yet effective error handling
• Uses phpass for hashing (and also hashes autologin codes in the DB)
• Does not use security questions
• Separation of user and profile data is very nice
• Very reasonable security model around failed login attempts (good protection against bots and DoS attacks)

(Minor) Cons

• Lost password codes are not hashed in DB
• Includes a native (poor) CAPTCHA, which is nice for those who don't want to depend on the (Google-owned) reCAPTCHA service, but it really isn't secure enough
• Very sparse online documentation (minor issue here, since the code is nicely documented and intuitive)

优点

• 功能齐全
• 考虑到功能集的精益足迹（20 个文件）
• 非常好的文档
• 简单优雅的数据库设计（仅4个DB表）
• 大多数功能都是可选的并且易于配置
• 语言文件支持
• 支持 reCAPTCHA
• 与 CI 的验证系统挂钩
• 激活邮件
• 使用电子邮件、用户名或两者登录（可配置）
• 未激活的帐户自动过期
• 简单而有效的错误处理
• 使用 phpass 进行散列（也散列数据库中的自动登录代码）
• 不使用安全问题
• 用户和个人资料数据的分离非常好
• 围绕失败登录尝试的非常合理的安全模型（针对机器人和 DoS 攻击的良好保护）

（次要）缺点

• 丢失的密码代码不会在数据库中散列
• 包括原生（较差的）验证码，这对于那些不想依赖（谷歌拥有的）reCAPTCHA 服务的人来说很好，但它确实不够安全
• 非常稀疏的在线文档（这里的小问题，因为代码很好地记录和直观）

Download Tank Auth here

在此处下载 Tank Auth

Original answer:

原答案：

I've implemented my own as well (currently about 80% done after a few weeks of work). I tried all of the others first; FreakAuth Light, DX Auth, Redux, SimpleLogin, SimpleLoginSecure, pc_user, Fresh Powered, and a few more. None of them were up to par, IMO, either they were lacking basic features, inherently INsecure, or too bloated for my taste.

我也实现了我自己的（目前在几周的工作后完成了大约 80%）。我首先尝试了所有其他方法；FreakAuth Light、DX Auth、Redux、SimpleLogin、SimpleLoginSecure、pc_user、Fresh Powered 等等。它们都没有达到标准，IMO，要么它们缺乏基本功能，本质上不安全，要么过于臃肿，不符合我的口味。

Actually, I did a detailed roundup of all the authentication libraries for CodeIgniter when I was testing them out (just after New Year's). FWIW, I'll share it with you:

实际上，我在测试 CodeIgniter 的所有身份验证库时（刚过新年）对它们进行了详细的汇总。FWIW，我将与您分享：

DX Auth

DX认证

Pros

• Very full featured
• Medium footprint (25+ files), but manages to feel quite slim
• Excellent documentation, although some is in slightly broken English
• Language file support
• reCAPTCHA supported
• Hooks into CI's validation system
• Activation emails
• Unactivated accounts auto-expire
• Suggests grc.com for salts (not bad for a PRNG)
• Banning with stored 'reason' strings
• Simple yet effective error handling

Cons

• Only lets users 'reset' a lost password (rather than letting them pick a new one upon reactivation)
• Homebrew pseudo-event model - good intention, but misses the mark
• Two password fields in the user table, bad style
• Uses two separate user tables (one for 'temp' users - ambiguous and redundant)
• Uses potentially unsafe md5 hashing
• Failed login attempts only stored by IP, not by username - unsafe!
• Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext!
• Role system is a complete mess: is_admin function with hard-coded role names, is_role a complete mess, check_uri_permissions is a mess, the whole permissions table is a bad idea (a URI can change and render pages unprotected; permissions should always be stored exactly where the sensitive logic is). Dealbreaker!
• Includes a native (poor) CAPTCHA
• reCAPTCHA function interface is messy

优点

• 功能很全
• 中等占用空间（超过 25 个文件），但感觉很苗条
• 优秀的文档，虽然有些是略带蹩脚的英语
• 语言文件支持
• 支持 reCAPTCHA
• 与 CI 的验证系统挂钩
• 激活邮件
• 未激活的帐户自动过期
• 建议 grc.com 获取盐（对于 PRNG 来说还不错）
• 使用存储的“原因”字符串禁止
• 简单而有效的错误处理

缺点

• 只让用户“重置”丢失的密码（而不是让他们在重新激活时选择一个新密码）
• Homebrew 伪事件模型 - 好意，但未达标
• 用户表中的两个密码字段，样式不好
• 使用两个单独的用户表（一个用于“临时”用户 - 模棱两可且冗余）
• 使用潜在不安全的 md5 散列
• 失败的登录尝试仅由 IP 存储，而不是由用户名存储 - 不安全！
• 自动登录密钥未在数据库中散列 - 实际上与以明文形式存储密码一样不安全！
• 角色系统是一团糟：is_admin 函数带有硬编码的角色名称，is_role 是一团糟，check_uri_permissions 是一团糟，整个权限表是个坏主意（URI 可以更改并使页面不受保护；权限应始终准确存储敏感逻辑在哪里）。交易破坏者！
• 包括原生（差）验证码
• reCAPTCHA 功能界面乱七八糟

FreakAuth Light

FreakAuth Light

Pros

• Very full featured
• Mostly quite well documented code
• Separation of user and profile data is a nice touch
• Hooks into CI's validation system
• Activation emails
• Language file support
• Actively developed

Cons

• Feels a bit bloated (50+ files)
• And yet it lacks automatic cookie login (!)
• Doesn't support logins with both username and email
• Seems to have issues with UTF-8 characters
• Requires a lot of autoloading (impeding performance)
• Badly micromanaged config file
• Terrible View-Controller separation, with lots of program logic in views and output hard-coded into controllers. Dealbreaker!
• Poor HTML code in the included views
• Includes substandard CAPTCHA
• Commented debug echoes everywhere
• Forces a specific folder structure
• Forces a specific Ajax library (can be switched, but shouldn't be there in the first place)
• No max limit on login attempts - VERY unsafe! Dealbreaker!
• HiHymans form validation
• Uses potentially unsafe md5 hashing

优点

• 功能很全
• 主要是有据可查的代码
• 用户和个人资料数据的分离是一个很好的接触
• 与 CI 的验证系统挂钩
• 激活邮件
• 语言文件支持
• 积极发展

缺点

• 感觉有点臃肿（50多个文件）
• 然而它缺乏自动cookie登录（！）
• 不支持同时使用用户名和电子邮件登录
• UTF-8 字符似乎有问题
• 需要大量自动加载（影响性能）
• 糟糕的微管理配置文件
• 可怕的视图控制器分离，视图中有很多程序逻辑，输出硬编码到控制器中。交易破坏者！
• 包含的视图中的 HTML 代码不佳
• 包括不合格的验证码
• 评论调试随处可见
• 强制特定的文件夹结构
• 强制使用特定的 Ajax 库（可以切换，但一开始就不应该存在）
• 登录尝试没有最大限制 - 非常不安全！交易破坏者！
• 劫持表单验证
• 使用潜在不安全的 md5 散列

pc_user

电脑用户

Pros

• Good feature set for its tiny footprint
• Lightweight, no bloat (3 files)
• Elegant automatic cookie login
• Comes with optional test implementation (nice touch)

Cons

• Uses the old CI database syntax (less safe)
• Doesn't hook into CI's validation system
• Kinda unintuitive status (role) system (indexes upside down - impractical)
• Uses potentially unsafe sha1 hashing

优点

• 因其占地面积小而具有良好的功能集
• 轻量级，无膨胀（3 个文件）
• 优雅的自动cookie登录
• 带有可选的测试实现（很好的触摸）

缺点

• 使用旧的 CI 数据库语法（不太安全）
• 不挂钩 CI 的验证系统
• 有点不直观的状态（角色）系统（索引颠倒 - 不切实际）
• 使用潜在不安全的 sha1 散列

Fresh Powered

新鲜动力

Pros

• Small footprint (6 files)

Cons

• Lacks a lot of essential features. Dealbreaker!
• Everything is hard-coded. Dealbreaker!

优点

• 占用空间小（6 个文件）

缺点

• 缺少许多基本功能。交易破坏者！
• 一切都是硬编码的。交易破坏者！

Redux / Ion Auth

Redux / 离子验证

According to the CodeIgniter wiki, Redux has been discontinued, but the Ion Auth fork is going strong: https://github.com/benedmunds/CodeIgniter-Ion-Auth

根据CodeIgniter wiki，Redux 已停产，但 Ion Auth 分支正在发展壮大：https: //github.com/benedmunds/CodeIgniter-Ion-Auth

Ion Auth is a well featured library without it being overly heavy or under advanced. In most cases its feature set will more than cater for a project's requirements.

Ion Auth 是一个功能齐全的库，不会过于沉重或不先进。在大多数情况下，它的功能集将不仅仅是满足项目的要求。

Pros

• Lightweight and simple to integrate with CodeIgniter
• Supports sending emails directly from the library
• Well documented online and good active dev/user community
• Simple to implement into a project

Cons

• More complex DB schema than some others
• Documentation lacks detail in some areas

优点

• 轻量级且易于与 CodeIgniter 集成
• 支持直接从图书馆发送电子邮件
• 良好的在线文档和良好的活跃开发/用户社区
• 简单实施到项目中

缺点

• 比其他一些更复杂的数据库模式
• 文档在某些方面缺乏细节

SimpleLoginSecure

简单登录安全

Pros

• Tiny footprint (4 files)
• Minimalistic, absolutely no bloat
• Uses phpass for hashing (excellent)

Cons

• Only login, logout, create and delete
• Lacks a lot of essential features. Dealbreaker!
• More of a starting point than a library

优点

• 占用空间小（4 个文件）
• 极简主义，绝对不臃肿
• 使用 phpass 进行散列（优秀）

缺点

• 仅登录、注销、创建和删除
• 缺少许多基本功能。交易破坏者！
• 比图书馆更像是一个起点

Don't get me wrong:I don't mean to disrespect any of the above libraries; I am very impressed with what their developers have accomplished and how far each of them have come, and I'm not above reusing some of their code to build my own. What I'm saying is, sometimes in these projects, the focus shifts from the essential 'need-to-haves' (such as hard security practices) over to softer 'nice-to-haves', and that's what I hope to remedy.

不要误会我的意思：我并不是要不尊重上述任何库；我对他们的开发人员取得的成就以及他们每个人取得的成就印象深刻，而且我并没有重用他们的一些代码来构建我自己的代码。我的意思是，有时在这些项目中，重点从基本的“必需品”（例如硬安全实践）转移到更软的“可有可无”，这就是我希望解决的问题.

Therefore: back to basics.

因此：回归基础。

Authentication for CodeIgniter done right

CodeIgniter 的身份验证正确完成

Here's my MINIMAL required list of features from an authentication library. It also happens to be a subset of my own library's feature list ;)

这是我的身份验证库中所需的最小功能列表。它也恰好是我自己图书馆功能列表的一个子集；)

1. Tiny footprint with optional test implementation
2. Full documentation
3. No autoloading required. Just-in-time loading of libraries for performance
4. Language file support; no hard-coded strings
5. reCAPTCHA supported but optional
6. Recommended TRUE random salt generation (e.g. using random.org or random.irb.hr)
7. Optional add-ons to support 3rd party login (OpenID, Facebook Connect, Google Account, etc.)
8. Login using either username or email
9. Separation of user and profile data
10. Emails for activation and lost passwords
11. Automatic cookie login feature
12. Configurable phpass for hashing (properly salted of course!)
13. Hashing of passwords
14. Hashing of autologin codes
15. Hashing of lost password codes
16. Hooks into CI's validation system
17. NO security questions!
18. Enforced strong password policy server-side, with optional client-side (Javascript) validator
19. Enforced maximum number of failed login attempts with BEST PRACTICES countermeasuresagainst both dictionary and DoS attacks!
20. All database access done through prepared (bound) statements!

1. 具有可选测试实施的微小占用空间
2. 完整的文档
3. 无需自动加载。即时加载库以提高性能
4. 语言文件支持；没有硬编码的字符串
5. reCAPTCHA 支持但可选
6. 推荐的 TRUE 随机盐生成（例如使用 random.org 或 random.irb.hr）
7. 支持第 3 方登录的可选插件（OpenID、Facebook Connect、Google 帐户等）
8. 使用用户名或电子邮件登录
9. 用户和个人资料数据的分离
10. 用于激活和丢失密码的电子邮件
11. 自动cookie登录功能
12. 用于散列的可配置 phpass（当然要适当加盐！）
13. 密码的散列
14. 自动登录代码的散列
15. 丢失密码代码的散列
16. 与 CI 的验证系统挂钩
17. 没有安全问题！
18. 强制执行强密码策略服务器端，带有可选的客户端 (Javascript) 验证器
19. 使用针对字典和 DoS 攻击的最佳实践对策强制执行最大失败登录尝试次数！
20. 所有数据库访问都是通过准备好的（绑定的）语句完成的！

Note: those last few points are notsuper-high-security overkill that you don't need for your web application. If an authentication library doesn't meet these security standards 100%, DO NOT USE IT!

注意：最后几点并不是您的 Web 应用程序不需要的超高安全性矫枉过正。如果身份验证库 100% 不符合这些安全标准，请不要使用它！

Recent high-profile examples of irresponsible coders who left them out of their software: #17 is how Sarah Palin's AOL email was hacked during the Presidential campaign; a nasty combination of #18 and #19 were the culprit recently when the Twitter accounts of Britney Spears, Barack Obama, Fox News and others were hacked; and #20 alone is how Chinese hackers managed to steal 9 million items of personal information from more than 70.000 Korean web sites in one automated hack in 2008.

最近一些不负责任的程序员将他们排除在软件之外的引人注目的例子：#17 是 Sarah Palin 的 AOL 电子邮件在总统竞选期间被黑客入侵的方式；最近布兰妮斯皮尔斯、巴拉克奥巴马、福克斯新闻和其他人的推特账户被黑时，#18 和 #19 的令人讨厌的组合是罪魁祸首；仅 #20 就是china黑客如何在 2008 年的一次自动黑客攻击中从 70.000 多个韩国网站窃取 900 万条个人信息。

These attacks are not brain surgery. If you leave your back doors wide open, you shouldn't delude yourself into a false sense of security by bolting the front. Moreover, if you're serious enough about coding to choose a best-practices framework like CodeIgniter, you owe it to yourself to at least get the most basicsecurity measures done right.

这些攻击不是脑部手术。如果你让你的后门敞开着，你不应该通过栓上前门来让自己陷入一种虚假的安全感。此外，如果您对编码足够认真，以选择像 CodeIgniter 这样的最佳实践框架，那么您应该至少正确完成最基本的安全措施。

<rant>

<咆哮>

Basically, here's how it is: I don't careif an auth library offers a bunch of features, advanced role management, PHP4 compatibility, pretty CAPTCHA fonts, country tables, complete admin panels, bells and whistles -- if the library actually makes my site less secureby not following best practices. It's an authenticationpackage; it needs to do ONE thing right: Authentication. If it fails to do that, it's actually doing more harm than good.

基本上，它是这样的：我不在乎auth 库是否提供了一系列功能、高级角色管理、PHP4 兼容性、漂亮的 CAPTCHA 字体、国家/地区表、完整的管理面板、花里胡哨——如果该库确实提供了由于不遵循最佳实践，我的网站安全性较低。这是一个认证包；它需要做正确的一件事：身份验证。如果它没有做到这一点，它实际上弊大于利。

</rant>

</rant>

/Jens Roland

/延斯·罗兰

Note that the "comprehensive listing" by Jens Roland doesn't include user roles. If you're interested in assigning different user roles (like admin/user or admin/editor/user), these libraries allow it:

请注意，Jens Roland 的“综合列表”不包括用户角色。如果您有兴趣分配不同的用户角色（如 admin/user 或 admin/editor/user），这些库允许它：

• Ion_Auth (rewrite of Redux)
• Redux
• Backend Pro

• Ion_Auth（重写 Redux）
• 终极版
• 后端专业版

Tank_Auth (#1 above in Jens's list) doesn't have user roles. I realize it's not exactly part of authentication, but since

Tank_Auth（上面 Jens 列表中的第 1 名）没有用户角色。我意识到这不完全是身份验证的一部分，但是因为

• authentication and role management are both handled upon page load
• Both involve security
• The same table/model can be used for both.
• Both can be set up to load in the controller constructor (or even autoload)

• 身份验证和角色管理都在页面加载时处理
• 两者都涉及安全
• 相同的表/模型可用于两者。
• 两者都可以设置为在控制器构造函数中加载（甚至自动加载）

It makes a LOT of sense to have one library to handle both, if you need it. I'm switching to Ion_Auth from Tank_Auth because of this.

如果需要的话，让一个库来处理两者是很有意义的。因此，我从 Tank_Auth 切换到 Ion_Auth。

Ion_auth! Looks very promising and small footprint! I like..

离子认证！看起来很有前途，占地面积小！我喜欢..

http://github.com/benedmunds/CodeIgniter-Ion-Auth

http://github.com/benedmunds/CodeIgniter-Ion-Auth

I'm the developer of Redux Auth and some of the issues you mentioned have been fixed in the version 2 beta. You can download this off the offcial website with a sample application too.

我是 Redux Auth 的开发人员，您提到的一些问题已在版本 2 测试版中得到修复。您也可以使用示例应用程序从官方网站下载它。

• Requires autoloading (impeding performance)
• Uses the inherently unsafe concept of 'security questions'. Dealbreaker!

• 需要自动加载（影响性能）
• 使用本质上不安全的“安全问题”概念。交易破坏者！

Security questions are now not used and a simpler forgotten password system has been put in place.

现在不使用安全问题，并且已经安装了一个更简单的忘记密码系统。

• Return types are a bit of a hodgepodge of true, false, error and success codes

• 返回类型有点像真、假、错误和成功代码的大杂烩

This was fixed in version 2 and returns boolean values. I hated the hodgepodge as much as you.

这在版本 2 中得到修复并返回布尔值。我和你一样讨厌大杂烩。

• Doesn't hook into CI's validation system

• 不挂钩 CI 的验证系统

The sample application uses the CI's validation system.

示例应用程序使用 CI 的验证系统。

• Doesn't allow a user to resend a 'lost password' code

• 不允许用户重新发送“丢失密码”代码

Work in progress

工作正在进行中

I also implemented some other features such as email views, this gives you the choice of being able to use the CodeIgniter helpers in your emails.

我还实现了一些其他功能，例如电子邮件视图，这使您可以选择在电子邮件中使用 CodeIgniter 助手。

It's still a work in progress so if have any more suggestions please keep them coming.

它仍在进行中，所以如果有更多建议，请继续提出。

-Popcorn

-爆米花

Ps : Thanks for recommending Redux.

Ps : 感谢推荐 Redux。

I've come across Flexi Auth (http://haseydesign.com/flexi-auth/). It looks very promising, and I've started using it. It has wonderfful features. Fully integrates with CI, and comes with two different library files, in which one is very heavy loaded with all the functions and the other one contains only the validations.

我遇到了 Flexi Auth ( http://haseydesign.com/flexi-auth/)。它看起来很有前途，我已经开始使用它。它有很棒的功能。与 CI 完全集成，并带有两个不同的库文件，其中一个加载了所有功能，另一个只包含验证。

One of the best is that the newly registered member gets temporary access for a given amount of time on the site, until they click on the link from their email and activate.

最好的方法之一是新注册的会员在网站上的给定时间内获得临时访问权限，直到他们单击电子邮件中的链接并激活为止。

Maybe you'd find Reduxsuiting your needs. It's no overkill and comes packed solely with bare features most of us would require. The dev and contributors were very strict on what code was contributed.

也许您会发现Redux适合您的需求。它没有矫枉过正，并且仅包含我们大多数人需要的基本功能。开发人员和贡献者对贡献的代码非常严格。

This is the official page

这是官方页面

Ion_Auth beats tank_auth mainly for two reasons, user roles and documentation, these two are missing from tank_auth.

Ion_Auth 击败 tank_auth 主要有两个原因，用户角色和文档，tank_auth 中缺少这两个。

I use a customized version of DX Auth. I found it simple to use, extremely easy to modify and it has a user guide (with great examples)that is very similar to Code Igniter's.

我使用自定义版本的DX Auth。我发现它使用简单，非常容易修改，并且它有一个与 Code Igniter 非常相似的用户指南（有很好的例子）。

Also take a look at BackendPro

也看看BackendPro

Ultimately you will probably end up writing something custom, but there's nothing wrong with borrowing concepts from DX Auth, Freak Auth, BackendPro, etc.

最终你可能最终会写一些自定义的东西，但借用 DX Auth、Freak Auth、BackendPro 等的概念并没有错。

My experiences with the packaged apps is they are specific to certain structures and I have had problems integrating them into my own applications without requiring hacks, then if the pre-package has an update, I have to migrate them in.

我对打包应用程序的经验是它们特定于某些结构，我在将它们集成到我自己的应用程序中时遇到了问题而无需 hack，然后如果预包有更新，我必须将它们迁移进来。

I also use Smarty and ADOdb in my CI code, so no matter what I would always end up making major code changes.

我还在我的 CI 代码中使用 Smarty 和 ADOdb，所以无论我最终做出什么重大的代码更改。

Tank Auth looks good but the documentation is just a one-page explanation of how to install, plus a quick run-down of each PHP file. At least that's all I found after lots of Googling. Maybe what people mean above when they say that Tank Auth is well-documented is that the code is well-commented. That's a good thing, but different than documentation. It would have been nice to have some documentation about how to integrate Tank Auth's features with your existing code.

Tank Auth 看起来不错，但文档只是对如何安装的一页解释，以及对每个 PHP 文件的简要介绍。至少这是我在大量谷歌搜索后发现的全部内容。也许人们在上面说 Tank Auth 有据可查的意思是代码有很好的注释。这是一件好事，但与文档不同。最好有一些关于如何将 Tank Auth 的功能与现有代码集成的文档。