On the LeaseWeb Labs blog there's a continuation from a previous post about migrating your Symfony1 application over to Symfony2. In the first part of this series of posts, Stefan Koopmanschap talked about wrapping your code to make it work. In this second post, Maurtis van der Schee tackles two issues Stefan mentioned - performance problems and handling authorization/authentication.

On December 21, 2011 Stefan Koopmanschap wrote an excellent article on this blog titled "Painless (well, less painful) migration to Symfony2." [...] We were very much inspired by his passionate elucidation and we were fully convinced of the urge to start migrating to Symfony2 as soon as possible. However, he also provided us with a "A word of caution" about 2 things: performance and authentication/authorization. This might get some people worried, but not us: it challenged us to find a solution for those two open issues.

They explain why these two things are a problem and some of their solutions they've created - a .htaccess for routing and manually replicating the Symfony2 session in the Symfony1 code. Included in the post are the rewrite rules and code to make these two things happen (and a small configuration change to make them work).

On the AndroidHive site there's a recent tutorial (plus screencast) about combining PHP, MySQL and SQLite to act as the backend authorization for your Android application.

In my previous article Android Login and Registration Screen Design i explained designing the login and registration interfaces, but it has no functionality. In this tutorial i am explaining how to build complete login and registration system in android using PHP, MySQL and SQLite. Also this tutorial covers how to build simple API using PHP and MySQL.

The tutorial walks you through each step of the process:

• Creating MySQL Database and Tables
• Building PHP API Classes
• Starting Android Project
• Making the JSON Parser, SQLite Database Handler and User Functions Classes
• Designing the Screens
• Switching between Activities
• Finally Updating AndroidManifest.xml

If you want to get started quickly, you can just download the final result and go.

As mentioned on DZone.com, there's a video tutorial series from Andrew Perkins about setting up an authentication system in CakePHP-based applications.

Here you can find the related articles to my Cakephp videos if you would prefer to read them rather than watch. You will can also download all of the source code for the corresponding videos. [...] They only include the app folder, as we'll never change anything in the other folders, at least not in these tutorials.

The videos currently cover installation of the framework and some of the naming conventions to follow. The source has the full authentication system, though - all the way from setting up helper methods to creating the actual authentication component.

On PHPMaster.com today they're posted the second part of their OAuth series showing you how to use the authentication mechanism to connect to Twitter's API. (Part one is here.

Welcome back to Understanding OAuth - Tweeting from Scratch. This is Part 2 of the two-part series and picks up right where we left off in Part 1 with your returned Access Credentials. Since obtaining the credentials is the grueling part of the process, there's not much more left to do except posting a tweet on the user's behalf. Hopefully you'll find the final steps to be a lot easier to follow and more fun to implement.

They show you how to store the credentials from Part 1 into your session for safe keeping and include a simple form you will use to send a tweet to Twitter. They choose to manually build the HTTP POST request, including the credential headers along with the payload (oauth_consumer_key, oauth_signature, oauth_token, etc).

Carson McDonald has posted an example of how to use the Google OAuth for Installed Apps tool to authenticate users.

I have been working on a long needed update to the Google analytics dashboard plugin for WordPress and one of the items I had on my TODO list was using Google's OAuth login instead of the old ClientLogin. Setting OAuth up for a WordPress plugin is complicated because it isn't a hosted application and as such I can't register it to get OAuth keys. That is where a special way of doing OAuth comes in called OAuth for installed apps.

He uses this OAuth library to handle the "dirty work" of the connections. With that included in the application, he shows how to - in two phases - make an authentication system that direct the user to a Google link for completing the authentication process. He points to the Google OAuth docs and playground as good resources to help you during the process.

Fuel framework users have another option when it comes to user authentication management in their applications. Ando has released Warden, a package that manages logins, password hashing and user ACLs.

Warden is a user database authorization package for the FuelPHP framework that aims to fast track development by handling the work load of uthenticating user's. Built for performance, it comes with a ready-to-use user model and database install script.

The package uses bcrypt for password hashing and also provides features for forgotten passwords, password resets and "remember me" functionality. Installation is as simple as adding it to your "always_load" package list and setting up a few configuration options. Sample code for its features is included. You can get the latest version directly from github.

Ade Slade has written up a quick new post to his blog today showing how you can use the lightweight Silex framework to link your login with Twitter and validate users from their API.

For those not acquainted with Silex: Silex is a PHP microframework for PHP 5.3 A microframework provides the guts for building simple single-file apps. It's awesome. For the example, I've setup a virtual host of example.local on my development machine.

He includes the contents of the .htaccess you'll need to get the rewrite to work for Silex, a link to the OAuth extension you'll need to install for PHP and the code to make the login and auth routes. You'll need to create a Twitter application for your site to get the OAuth secret key to make the authentication work. You can see the complete code here.

Mike Purcell has a handy new post for the Symfony users out there wanting more flexibility with their sfGuardPlugin use in their application. He describes how you can use email instead of a username for working with the user information.

sfGuardPlugin is pretty awesome. It allows a symfony developer the ability to quickly implement a user login and access control system. However, there is an issue with respect to telling the plugin whether to use the username or the email column for validating user submitted input. After some Googling I found a few sites which forced sfGuardPlugin to use email rather than username, but only after quite a bit of work. What I am going to show will accomplish the same end goal, but with minor changes.

He starts with a look at the validator class, showing how the values are going to be passed to the backend. The plugin makes a call to a "retrieveByUsername" method to get the user's information, but his method overrides this...sort of. His method actually contains the query to fetch the user information by email instead. This is useful if you want to use the email address as a username for the site but still want to maintain data integrity on the user records (valid emails can then be used for auth and for sending messages).

If you haven't seen it yet, there's a post over on StackOverflow that's been growing over the past few days about form-based authentication in websites. The author wants to make a definitive resource for people to use when making good, secure user authentication systems.

Please help us create the definitive resource for this topic. We believe that stackoverflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form Based Authentication For Websites" should be a fine topic for such an experiment.

They want to include topics like logins, storing passwords, "forgot password" security, OpenID, browser autocompletion, password strength, email validation and more. They already laid out eight different sections with summaries including:

• How To Remain Logged In - The Infamous "Remember Me" Checkbox
• Using Secret Questions
• Checking Password Strength
• Much More - Or: Preventing Rapid-Fire Login Attempts
• Two-Factor Authentication and Authentication Providers

There's some good feedback from other users with other suggestions and links to external resources that could shed some more light on the topic.

Anthony Wlodarski has put together a new post to his blog talking about authenticating a Zend Framework app against Node.js with the help of the Socket.io component for handling credentials.

Zend Framework which is PHP based and Node.js which is JavaScript based don't have a common connection to pass data in a bi-directional nature. I was tasked with building a bridge of sorts that would utilize existing information from Zend Framework with the latest release of Socket.io's authorization mechanisms. (If you don't do this then arbitrary connections can happen and will be authorized.)

He starts with the code (on the Node.js side) to create a simple HTTP server to listen for the requests from the Zend Framework application. He gets into the details of how that all works before moving to the other side - a simple update to the authentication to store a session cookie with the information that is passed, via Socket.io to the waiting Node.js server for handling.