Re: [phplib-users] current status of phplib
From: Richard A. <rh...@ju...> - 2007-07-20 02:52:27
At 10:08 AM -0700 19/7/07, aric caley wrote:
>I do have write access to the PHPLib repository, but I have not
>had discussions with other project devs or admins about
>development plans. I haven't seen anything from the PHPLib
>project admins in about 2 years, but Richard Archer (who is a
>project dev and may be able to publish new releases) has written
>recently.

I rolled in a few security patches and pushed a release some time ago. I do monitor the SF trackers for patches but they are few and far between these days.

I don't think many people are writing new apps using PHPLib these days. Personally I use the template and db on every job I do. I don't often use session or auth and when I do I am often left wondering if the complexity is worthwhile.

Several of the PHPLib developers are using Drupal for their new projects. I had a good bash at using Drupal, but for my specific requirements Drupal development moved too fast, leaving my apps orphaned long before their expected EOL.

>It always seemed sensible to me which is why I've used it. But after
>googling on the subject it seems that even this is not as secure as
>you might think, it only obscures things a bit better. It should
>still be combined with SSL.

I did quite a bit of work on PHPLib's crcloginform.ihtml. With it, the password does not pass over the network and replay attacks are impossible. It does require JavaScript on the client browser (but falls back gracefully). SSL is far superior if you can justify the expense.

>Excellent point. I assume that phplib may be the only option for this
>flexibility... do you think it would be possible to make phplib use
>php's native sessions and extend them to be as flexible as the
>phplib-only sessions?

session4.inc is intended to offer all PHPLib's functionality with PHP4-style sessions.

>>I would like to see phplib reworked and modernized around the core feature
>>of authentication and advanced sessions management.
>
>That's not a bad goal. Maybe you can convince a project admin to
>hand over the reins.

I'm happy to look at proposals. I'm a big fan of backwards compatibility and a stable API. But that doesn't mean the code can't be improved under the hood or that new features can't be implemented.

 ...R.
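As an added illustration of the challenge-response login property the message describes (the password never crosses the wire and a captured exchange cannot be replayed), here is a minimal model written for this page; it is not PHPLib's crcloginform.ihtml code, and the Server, client_response and demo_replay names, the sample user and the single-use nonce design are constructed assumptions:

```python
import hashlib
import hmac
import secrets

# Constructed sample credential store: the server holds only H(password),
# never the clear-text password.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}


def client_response(password: str, nonce: str) -> str:
    """What the browser-side script computes: an HMAC over the server's nonce,
    keyed with H(password). The password itself never leaves the client."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return hmac.new(pw_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class Server:
    def __init__(self) -> None:
        self._pending: dict[str, str] = {}  # username -> outstanding nonce

    def challenge(self, username: str) -> str:
        """Issue a fresh random nonce; any earlier unused nonce is discarded."""
        nonce = secrets.token_hex(16)
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, nonce: str, response: str) -> bool:
        # pop() consumes the nonce: each challenge can be answered exactly once,
        # so a (nonce, response) pair captured on the wire is useless when resent.
        expected_nonce = self._pending.pop(username, None)
        if expected_nonce is None or not hmac.compare_digest(expected_nonce, nonce):
            return False
        pw_hash = USERS.get(username)
        if pw_hash is None:
            return False
        expected = hmac.new(pw_hash.encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def demo_replay() -> tuple[bool, bool]:
    """A legitimate login, then a replay of the very same captured pair."""
    server = Server()
    nonce = server.challenge("alice")
    response = client_response("correct horse", nonce)
    first = server.verify("alice", nonce, response)
    replayed = server.verify("alice", nonce, response)  # resent by an eavesdropper
    return first, replayed
```

Caveat a practitioner should keep in mind: in this scheme the stored H(password) is password-equivalent (anyone holding it can answer challenges), and the session cookie issued after login still travels in the clear, which is why the message still rates SSL as the stronger option.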