We are moving our forum in GitHub Discussions. For questions about Phalcon v3/v4 you can visit here and for Phalcon v5 here.

Proper way to make a simple authentication system

Well, I'm working with Phalcon to make a SaaS project, and it requires simple authentication (the user get logged, do his stuff, logout).

There is some doc about this in the INVO app sample, but there is alot of things around that make it difficult to understand the auth part. Maybe some simple tutorial would make it easier to beginners, such as:

How to do authentication?

  • Login page
  • Protected page (only accessed by auth user)
  • Logout action

How is the easiest way to do this kind of stuff?

So there could be an IndexController with a loginAction leading to login page, indexAction leading to the index page (which is protected), and the model to access the user base. But where would go the actions to check and make an authentication, i mean, there is some way to do this with Phalcon's API or its like the old school PHP way, setting sessions "manually" checking for it against database, etc?

Could any of you buddies help me out? :)


Hi Claudio,

The Invo example actually shows the basic concept quite clearly. The "Security.php" plugin is where most of the magic happens.

$allowed = $acl->isAllowed($role, $controller, $action);
        if ($allowed != Acl::ALLOW) {
            $this->flash->error("You don't have access to this module");
                    'controller' => 'index',
                    'action' => 'index'
            return false;

This is a sample using the full blown access control lists feature, but you could really simplify it and use the beforeDispatch function to perform your authentication logic and either continue with page flow or redirect somewhere else.