If I don’t have a need for user table and I only need to use the password and username that are as plain text in UserIdentity.php, I’m wondering is that a safe way to make the authentication or should I use the table for users and have the hashed passwords there.
So can I use only UserIdentity.php and change the admin and demo credentials there? Is it safe enough for the application? Or should I have the table for users and save the hashed passwords there?
You don’t need to create a user table if your application isn’t big enough to warrant it. Keeping the user names and passwords in the UserIdentity class means that your users won’t be able to change their passwords. If your password was ever compromised, you’d need to alter the code file and reupload.
I take it you’re not going to have to deal with new users very frequently, nor users who will want to be able to securely set their own passwords?
Yes the site comes for an internal use of company, and it would be suitable to have username and password as plain text in useridentity.php file. The only concern I have is that is it secure enough to have them as plain text in that file? Or what can I do to make it to be as secure as possible?
It depends who has access to your server. You could introduce some security by storing the hashed version of the password in the file rather than the plain text version. Obscuring the password in this way is a step in the right direction.
Of course, if a potential attacker can access the content of your code file, you’re already screwed.