Remember me Zend_Auth cookie


Remember me Zend_Auth cookie

umpirsky
I'm thinking about how to implement remember me in a cookie, Zend style. I'm using Zend_Auth with the Db_Table adapter.

Maybe we can contribute a component for this. I heard that CakePHP already has one.

Regards,
Saša Stamenković.
Re: Remember me Zend_Auth cookie

Jurian Sluiman-4
You could write a Zend_Auth_Storage_Cookie which enables you to place the
authentication in a cookie. Be careful to look at the possible exploits. Just
a plain cookie without server-side validation is not safe. Still, the storage
adapter for auth is the simplest one.
--
Jurian Sluiman
CTO Soflomo V.O.F.
http://soflomo.com

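The storage adapter Jurian describes, written out as an added example (this is not code from the thread or from Zend Framework itself). It implements ZF1's Zend_Auth_Storage_Interface (isEmpty/read/write/clear) and gives the cookie the server-side validation he asks for: the identity is stored with an expiry and an HMAC-SHA256 over both, so a client cannot alter either without the server's key. The class name My_Auth_Storage_Cookie, the cookie name, the 14-day lifetime and the secret key are assumptions; hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not code from this thread or from Zend Framework.
// Assumes ZF1's Zend_Auth_Storage_Interface and PHP >= 5.6 (hash_equals).
// Cookie name, TTL and the key passed to the constructor are assumptions.

class My_Auth_Storage_Cookie implements Zend_Auth_Storage_Interface
{
    private $_name;
    private $_key;     // server-side secret; the browser never sees it
    private $_ttl;     // lifetime in seconds
    private $_cached;  // identity already verified during this request, or null

    public function __construct($key, $name = 'remember', $ttl = 1209600) // 14 days
    {
        if (strlen($key) < 32) {
            throw new InvalidArgumentException('key must be at least 32 bytes of random data');
        }
        $this->_key  = $key;
        $this->_name = $name;
        $this->_ttl  = (int) $ttl;
    }

    // Cookie value layout: base64(json payload) . "." . hmac-sha256(base64 payload, key)
    private function _sign($payload)
    {
        return hash_hmac('sha256', $payload, $this->_key);
    }

    public function isEmpty()
    {
        return $this->read() === null;
    }

    public function read()
    {
        if ($this->_cached !== null) {
            return $this->_cached;
        }
        if (!isset($_COOKIE[$this->_name])) {
            return null;
        }
        $parts = explode('.', $_COOKIE[$this->_name], 2);
        if (count($parts) !== 2) {
            return null;
        }
        list($b64, $mac) = $parts;
        // Constant-time comparison: a plain == leaks the MAC one byte at a time.
        if (!hash_equals($this->_sign($b64), $mac)) {
            return null;   // forged or corrupted cookie: behave as if there is no identity
        }
        $data = json_decode(base64_decode($b64), true);
        if (!is_array($data) || !isset($data['id'], $data['exp']) || $data['exp'] < time()) {
            return null;   // expired: the MAC alone does not enforce a lifetime
        }
        return $this->_cached = $data['id'];
    }

    public function write($contents)
    {
        // Zend_Auth::authenticate() calls this with $result->getIdentity()
        $payload = base64_encode(json_encode(array(
            'id'  => $contents,
            'exp' => time() + $this->_ttl,
        )));
        $value = $payload . '.' . $this->_sign($payload);
        setcookie($this->_name, $value, time() + $this->_ttl, '/', '', true, true); // secure, httponly
        $this->_cached = $contents;
    }

    public function clear()
    {
        setcookie($this->_name, '', time() - 3600, '/', '', true, true);
        unset($_COOKIE[$this->_name]);
        $this->_cached = null;
    }
}

// Wiring, e.g. in the bootstrap; $secretFromConfig is an assumed 32+ byte random value:
// Zend_Auth::getInstance()->setStorage(new My_Auth_Storage_Cookie($secretFromConfig));
```

The HMAC stops a client from changing the identity or extending the expiry, which is the forgery case Jurian warns about. What it does not give you is revocation: a cookie copied off a machine keeps working until it expires, and the only way to cut it off is to rotate the key for every user at once. For a remember-me that lives for months, that is the reason to keep a per-user token in the database rather than a self-contained signed cookie.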
Re: Remember me Zend_Auth cookie

dmitrybelyakov
In reply to this post by umpirsky

I think there is Zend_Session::rememberMe(); already.
Dmitry.
Re: Remember me Zend_Auth cookie

umpirsky
In reply to this post by Jurian Sluiman-4
@Jurian Nice idea, but since Zend_Auth stores only the identity, I don't think that information is enough to reauthenticate from a cookie.

@Dmitry Yes, but Zend_Session::rememberMe() sets the session expiration time, and session expiration is not a per-user setting, but a per-server setting.

Regards,
Saša Stamenković



Re: Remember me Zend_Auth cookie

Hector Virgen
In one of my apps I stored the user's username and password (using 2-way encryption) in their cookie, and only validated it when Zend_Auth reported there was no identity (because the session expired, or the browser was closed and re-opened). You can add more security by also storing a one-time-use token that must match in the database. The code to handle this was placed in an early-running front controller plugin.

The nice thing about this is you can make the cookie last for 6 months or longer, and it will still work.

--
Hector


Re: Remember me Zend_Auth cookie

umpirsky
Sounds nice.

Zend_Auth in authenticate() does

$this->getStorage()->write($result->getIdentity());

so you cannot control what is written to Zend_Auth_Storage, you can only control how it's written.

How did you inject the password into play?

I think storing md5($email . $pass) in the cookie, where pass is already encrypted, is secure enough.

Maybe a stupid question, but what is 2-way encryption?

Regards,
Saša Stamenković


Re: Remember me Zend_Auth cookie

Hector Virgen
On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић <[hidden email]> wrote:
> Sounds nice.
>
> Zend_Auth in authenticate() does
>
> $this->getStorage()->write($result->getIdentity());
>
> so you cannot control what is written to Zend_Auth_Storage, you can only control how it's written.

You can actually write whatever you want into the storage:

Zend_Auth::getInstance()->getStorage()->write($data);

> How did you inject the password into play?
>
> I think storing md5($email . $pass) in the cookie, where pass is already encrypted, is secure enough.
>
> Maybe a stupid question, but what is 2-way encryption?

2-way encryption allows you to reverse the encryption to get the original. So, if the username/pass was "username/password", then encrypted it would be something like "4df03dca/c922aldf" (example). That's what you would store in the cookie, and then when the front controller plugin uses it, it would decrypt it back to "username/password" and attempt to authenticate it. MD5 is not encryption, it's a hash, and is only 1-way (you cannot get the original from an MD5 hash alone).

--
Hector Virgen
Re: Remember me Zend_Auth cookie

umpirsky
But I want to keep the session storage and the existing auth mechanism. What should I implement a cookie storage for, then? And writing to the storage outside of Zend_Auth does not look like a smart solution.

If you can get the original back from the cookie, isn't it a security risk? Isn't it better to store a hash in the cookie, and if there is no identity, regenerate the hash and compare it with the one from the cookie?

I'm confused now...thinking...

Regards,
Saša Stamenković


Re: Remember me Zend_Auth cookie

Hector Virgen
If you create the hash server-side and compare it to the cookie's hash, how do you know which user to generate a hash for? You would either have to do all of your users, or use some type of identifier. I suppose if you stored the username in plain text and the password in a hash, it could work.

The reason why you'd want both session-based authentication and cookie-based is that the session one is much faster (no need to re-authorize for each request). The cookie one is used only when the browser is closed and reopened.

--
Hector


--
Hector Virgen
Re: Remember me Zend_Auth cookie

umpirsky
You can do a simple query

$this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)

and authenticate if there are results, right?

Sure, because it's faster, and you don't want all that data in the client's cookie.

Still thinking...

Regards,
Saša Stamenković


Re: Remember me Zend_Auth cookie

Hector Virgen
The problem with that query is that it will be very slow because it can't use indexes. The database would need to MD5 each row before it returned the matches.

--
Hector


--
Hector Virgen
Re: Remember me Zend_Auth cookie

umpirsky
You are right, storing the user ID can speed it up, but that becomes complicated...

Regards,
Saša Stamenković


Re: Remember me Zend_Auth cookie

Marian Meres-2
In reply to this post by umpirsky
You may find this useful:
http://jaspan.com/improved_persistent_login_cookie_best_practice

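The scheme in the article Marian links (a random series identifier plus a random single-use token, rotated on every use, with a mismatch on a known series treated as theft) is also the answer to two earlier points in the thread: Hector's one-time-use token checked in the database from an early front controller plugin, and his objection that md5(CONCAT(email, password)) = ? cannot use an index. The following is an added example of that scheme, not code from the thread, from Zend Framework or from the article. The table persistent_login, the class names, the cookie name and the 180-day lifetime are assumptions; it uses ZF1's Zend_Db_Adapter_Abstract, Zend_Controller_Plugin_Abstract, Zend_Auth and Zend_Session, and hash_equals() from PHP 5.6.

```php
<?php
// Added example: not code from this thread, from Zend Framework or from Jaspan's article.
// Assumes ZF1 (Zend_Db_Adapter_Abstract, Zend_Controller_Plugin_Abstract, Zend_Auth, Zend_Session)
// and PHP >= 5.6 for hash_equals(). Class names, cookie name and this table are assumptions:
//   CREATE TABLE persistent_login (series CHAR(32) PRIMARY KEY, user_id INT NOT NULL,
//                                  token CHAR(64) NOT NULL, expires INT NOT NULL, KEY (user_id));
// `series` is a public, indexed lookup key; `token` stores sha256(token), never the raw token.

class My_Auth_PersistentLogin
{
    const COOKIE = 'remember';
    private $_db;
    private $_ttl;

    public function __construct(Zend_Db_Adapter_Abstract $db, $ttl = 15552000) // 180 days
    {
        $this->_db  = $db;
        $this->_ttl = (int) $ttl;
    }

    private static function _randomHex($bytes)
    {
        $raw = function_exists('random_bytes') ? random_bytes($bytes) : openssl_random_pseudo_bytes($bytes);
        return bin2hex($raw);
    }

    private function _setCookie($value, $expires)
    {
        setcookie(self::COOKIE, $value, $expires, '/', '', true, true); // secure + httponly
    }

    // After a successful password login with "remember me" ticked.
    public function issue($userId)
    {
        $series = self::_randomHex(16);
        $token  = self::_randomHex(32);
        $this->_db->insert('persistent_login', array('series' => $series, 'user_id' => (int) $userId,
            'token' => hash('sha256', $token), 'expires' => time() + $this->_ttl));
        $this->_setCookie($series . ':' . $token, time() + $this->_ttl);
    }

    // Returns the user id when the cookie is valid (and rotates the token), else null.
    public function validate()
    {
        if (empty($_COOKIE[self::COOKIE])) {
            return null;
        }
        $parts = explode(':', $_COOKIE[self::COOKIE], 2);
        if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
            return null;
        }
        list($series, $token) = $parts;
        // One indexed lookup on the series instead of md5()-ing every row.
        $row = $this->_db->fetchRow(
            'SELECT user_id, token, expires FROM persistent_login WHERE series = ?', array($series));
        if (!$row || (int) $row['expires'] < time()) {
            $this->_db->delete('persistent_login', $this->_db->quoteInto('series = ?', $series));
            $this->_setCookie('', 1);
            return null;
        }
        if (!hash_equals($row['token'], hash('sha256', $token))) {
            // Known series, wrong token: this cookie value was already spent by someone else.
            // Treat it as theft: drop every persistent login of the user and force a fresh login.
            $this->_db->delete('persistent_login', $this->_db->quoteInto('user_id = ?', (int) $row['user_id']));
            $this->_setCookie('', 1);
            return null;
        }
        // Valid: rotate the token so each cookie value is single-use.
        $newToken = self::_randomHex(32);
        $this->_db->update('persistent_login', array('token' => hash('sha256', $newToken)),
            $this->_db->quoteInto('series = ?', $series));
        $this->_setCookie($series . ':' . $newToken, (int) $row['expires']);
        return (int) $row['user_id'];
    }
}

// Early-running front controller plugin: the table is only consulted when the session has no identity.
class My_Plugin_RememberMe extends Zend_Controller_Plugin_Abstract
{
    private $_login;

    public function __construct(My_Auth_PersistentLogin $login)
    {
        $this->_login = $login;
    }

    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        if ($auth->hasIdentity()) {
            return;
        }
        $userId = $this->_login->validate();
        if ($userId !== null) {
            Zend_Session::regenerateId();        // fresh session id when privilege changes
            $auth->getStorage()->write($userId); // same storage the password login path uses
        }
    }
}
```

Two things to check when wiring this in. Logout must delete the series row as well as the cookie, otherwise the cookie keeps working after the user thinks they have signed out. And because the database stores only sha256(token), a dump of persistent_login does not let an attacker mint valid cookies, which is what the md5(email . password) value proposed earlier in the thread would allow: that value is constant for the user, never rotates, and needs a full-table hash comparison to look up.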
Re: Remember me Zend_Auth cookie

umpirsky
Hehum...thanks :)

Regards,
Saša Stamenković

