9 May, 2006


Rant Alert

There have been a number of debates in the Google group about Authentication and how it can be done. There is a vast amount of confusion (IMHO).

So what is Authentication?

I searched the internet and found a definition which should be of use:

Authentication is any process by which you verify that someone is who they claim they are. This usually involves a username and a password, but can include any other method of demonstrating identity, such as a smart card, retina scan, voice recognition, or fingerprints. Authentication is equivalent to showing your drivers license at the ticket counter at the airport.

Apache Manual

Authentication is something which most websites will need, and as such there are a vast number of solutions already available. Personally I don't believe in reinventing the wheel and use something rather similar to simple user auth taken from the CakePHP manual. Using this approach, when a user logs in their name is known to the application. No more, no less.

Authentication and bare minimum Access Control

Authentication is not access control, but for the simplest applications it can stand in for it. What do I mean? If some pages or resources are open to the public and others are only for members (or for the site owner on a single-user site), then the only check needed is whether anyone is logged in: a logged-in user is granted access, an anonymous visitor is not. That check has to run on the server for every protected request; merely hiding the links from anonymous visitors is not access control.
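To make both ideas concrete, here is an added example in plain PHP. It is not the "simple user auth" code from the CakePHP manual and uses no CakePHP API; it shows a login that verifies a stored password hash and records only the user's name in the session, plus the bare-minimum members-only check that asks nothing more than "is anyone logged in?". The user 'andy', the password, the 1800-second idle limit and the `$session` array are all constructed for the example.

```php
<?php
// Added example: session-based login in plain PHP. Not the CakePHP manual's
// code and not tied to CakePHP; the user store, credentials, idle limit and
// the $session array below are all constructed for the illustration.

const IDLE_LIMIT_SECONDS = 1800; // assumed idle timeout; pick your own

/** Constructed stand-in for a users table. Only the password hash is stored. */
function buildUserStore(): array
{
    return ['andy' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];
}

/**
 * Verifies the credentials and, on success, records the user's name in the
 * session. $session is passed in so the code runs without a web server;
 * in a real request hand it $_SESSION.
 */
function login(array &$session, array $users, string $username, string $password, int $now): bool
{
    // Always run password_verify, against a throw-away hash for unknown users,
    // so the time taken does not reveal whether the username exists.
    $hash = $users[$username] ?? password_hash('no-such-user', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || !isset($users[$username])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh id on login defeats session fixation
    }
    $session['user'] = $username;
    $session['last_seen'] = $now;
    return true;
}

/** The name authentication knows the requester by, or null for an anonymous visitor. */
function currentUser(array &$session, int $now): ?string
{
    if (!isset($session['user'])) {
        return null;
    }
    if ($now - $session['last_seen'] > IDLE_LIMIT_SECONDS) {
        unset($session['user'], $session['last_seen']); // timed out: back to Public
        return null;
    }
    $session['last_seen'] = $now; // sliding expiry
    return $session['user'];
}

/** Bare-minimum access control: a members-only page asks only "is anyone logged in?" */
function canViewMembersPage(array &$session, int $now): bool
{
    return currentUser($session, $now) !== null;
}

// Walk-through with the constructed store and an empty session.
$users = buildUserStore();
$session = [];
$t0 = 1000000;

var_dump(login($session, $users, 'andy', 'wrong password', $t0));
var_dump(login($session, $users, 'mallory', 'correct horse battery staple', $t0));
var_dump(login($session, $users, 'andy', 'correct horse battery staple', $t0));
var_dump(canViewMembersPage($session, $t0 + 60));                          // within the idle limit
var_dump(canViewMembersPage($session, $t0 + 60 + IDLE_LIMIT_SECONDS + 1)); // past the idle limit
var_dump(currentUser($session, $t0 + 3000));                               // session already cleared
```

Two points worth noting. The login never tells the caller which of username or password was wrong, and it verifies against a dummy hash for unknown users so the response time is roughly the same either way. The idle timeout is what turns a lingering member back into an anonymous visitor: once it fires, the authentication layer reports nobody as logged in, and every check built on top of it (including the members-only gate here) denies access.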

Real Access Control

For more complex or granular needs a real access control system is required. I spent quite a lot of time getting familiar with phpGACL, which is a very powerful access control system that you can configure any way you want. If you have a Cake site and want to put access control in place I would recommend my [subsequent posts on the topic of ACL][Access Control for all (part 1)]; that said, you can use anything at all for access control that is capable of answering a question of the form "Can ARO access ACO?" or the slightly more complex "Can ARO do AXO with ACO?" (in phpGACL's terms an ARO is an Access Request Object, the user or group asking; an ACO is an Access Control Object, the resource being protected; and an AXO is an Access eXtension Object, the action being attempted). In writing this blog the question will be raised "Can (ANDY) do (ADD) with (BLOGS)?". The answer will be yes, unless I take too long to write it and get timed out, in which case I will be denied as a mere member of the Public instead. And where does the name "Andy" come from? From the authentication mechanism, which is NOT directly part of the ACL solution: the ACL only answers the question, and relies on authentication to establish who is asking.
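An access control list that answers exactly that question, as an added example in plain PHP. It is not phpGACL's code and not CakePHP's ACL component; the ARO tree (public, members, andy, bob), the ACO 'blogs', the actions and the `requesterFor()` helper that stands in for the authentication layer are all constructed to mirror the question in the post.

```php
<?php
// Added example: a small ACL answering "Can ARO do AXO with ACO?".
// Not phpGACL's code and not CakePHP's ACL component; the ARO tree
// (public > members > andy, bob), the ACO 'blogs' and the actions are
// constructed to mirror the question in the post.

final class Acl
{
    /** @var array<string, ?string> ARO => parent ARO (null at the root) */
    private $parents = [];
    /** @var array<string, bool> "aro|aco|axo" => allowed? */
    private $rules = [];

    public function addAro(string $aro, ?string $parent = null): void
    {
        $this->parents[$aro] = $parent;
    }

    public function allow(string $aro, string $aco, string $axo): void
    {
        $this->rules[self::key($aro, $aco, $axo)] = true;
    }

    public function deny(string $aro, string $aco, string $axo): void
    {
        $this->rules[self::key($aro, $aco, $axo)] = false;
    }

    /**
     * Walks from the ARO up through its parents. At each level an exact
     * rule is consulted first, then wildcard ('*') rules; the first rule
     * found wins. No rule anywhere in the chain means deny.
     */
    public function check(string $aro, string $aco, string $axo): bool
    {
        $seen = [];
        for ($node = $aro; $node !== null; $node = $this->parents[$node] ?? null) {
            if (isset($seen[$node])) {
                break; // guard against a cycle in a misconfigured tree
            }
            $seen[$node] = true;
            foreach ([[$aco, $axo], [$aco, '*'], ['*', $axo], ['*', '*']] as [$c, $x]) {
                $k = self::key($node, $c, $x);
                if (array_key_exists($k, $this->rules)) {
                    return $this->rules[$k];
                }
            }
        }
        return false; // default deny
    }

    private static function key(string $aro, string $aco, string $axo): string
    {
        return "$aro|$aco|$axo";
    }
}

// Who is asking comes from the authentication layer, not from the ACL.
// Constructed stand-in: a live session yields the user's name, a timed-out
// or anonymous one yields the root group 'public'.
function requesterFor(?string $authenticatedUser): string
{
    return $authenticatedUser ?? 'public';
}

$acl = new Acl();
$acl->addAro('public');              // everyone, logged in or not
$acl->addAro('members', 'public');   // logged-in users
$acl->addAro('andy', 'members');     // the site owner, also a member
$acl->addAro('bob', 'members');      // an ordinary member

$acl->allow('public', 'blogs', 'view');
$acl->deny('public', 'blogs', '*');  // anything else on blogs is closed to the public
$acl->allow('members', 'blogs', 'add');
$acl->allow('andy', 'blogs', '*');   // the owner may do anything with blogs

var_dump($acl->check(requesterFor('andy'), 'blogs', 'add'));   // "Can ANDY do ADD with BLOGS?"
var_dump($acl->check(requesterFor('bob'), 'blogs', 'add'));    // bob has no rule; members does
var_dump($acl->check(requesterFor('bob'), 'blogs', 'delete')); // neither bob nor members: falls through to public
var_dump($acl->check(requesterFor(null), 'blogs', 'add'));     // timed out: asked as public
var_dump($acl->check(requesterFor(null), 'blogs', 'view'));
var_dump($acl->check(requesterFor('andy'), 'blogs', 'delete'));
```

The point of `requesterFor()` is the separation the post describes: the ACL never decides who the requester is, it only evaluates rules for the name it is given, and a timed-out session hands it 'public' rather than 'andy', so the same "add a blog" request is denied. The lookup is deliberately explicit (most specific ARO first, exact rule before wildcard, default deny) so that it is clear why each answer comes out as it does; phpGACL stores the ARO tree and the rules in the database and layers sections and group handling on top, but the question it answers is this one.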


Authentication is fundamental to a web application. Without it you don't know who is accessing your website and cannot allow or deny access based on their identity. Authentication is the first step to putting access control on your application; how to do that is covered in detail in the two-part [access control post][Access Control for all (part 1)] now published.