Sorry I haven't replied for a couple of days; I went on a fishing trip over the weekend. It was pretty exciting: a mate of mine saw a crab swimming in the water, he leapt in after it and caught it with bare hands!
Anyway, back to more technical matters - here's my login method. This might
be the issue. I copied and worked on this from some "this is how you do user
auth" tutorial about 40 versions of ZF ago...
public function logUserIn($email, $password) {
    $config = Zend_Registry::get('config');
    $salt = $config['password']['salt'];
    //setup Zend_Auth adapter for a database table
    $db = DbTable_Base::getDefaultAdapter();
    $authAdapter = new Zend_Auth_Adapter_DbTable(
        $db,
        'user',
        'email',
        'password',
        "MD5(CONCAT('$salt',?)) AND deleted=0");
    $authAdapter->setIdentity($email)->setCredential($password);
    //do the authentication
    $auth = Zend_Auth::getInstance();
    $result = $auth->authenticate($authAdapter);
    if ($result->isValid()) {
        //success: store database row to auth's storage system. (Not the password though!)
        $data = $authAdapter->getResultRowObject(null, 'password');
        $auth = Zend_Auth::getInstance();
        $auth->getStorage()->write($data);
        $authNamespace = new Zend_Session_Namespace('Zend_Auth');
        $authNamespace->id = $data->id;
        $authNamespace->email = $data->email;
        $authNamespace->role = $data->role;
        $authNamespace->setExpirationSeconds(36000);
        return true;
    }
    return false;
}
Is it possible the $authNamespace = new Zend_Session_Namespace('Zend_Auth');
stuff is incorrect? I mean it *works*, but is it correct?
On Fri, Mar 5, 2010 at 9:45 PM, Bart McLeod <[email protected]> wrote:
> My guess is that it will only help if you allow the request to complete
> within your application logic. That is why I suggest a _forward instead of a
> _redirect, but even that was a guess. I didn't yet try if a _redirect would
> break my application too.
> But now I have verified it, and it works equally well with a redirect as
> with a _forward. Even if I redirect to a completely different website.
>
> *Anyway, clearIdentity should be enough* within normal application flow.
>
> It may go wrong if you login someone automatically based on session data
> outside the reach of Zend_Auth. If you logout and then get logged in
> automatically based on derived session data, not encapsulated within
> Zend_Auth, then you are doing something wrong.
>
> clearIdentity() does the job. If it doesn't, something got out of control
> somewhere.
>
> I think you should be looking at how identity checking is done. Is it
> actually being performed for each access to your application?
>
> Regards,
>
> Bart McLeod
>
> On 5-3-2010 14:21, Gina-Marie Rollock wrote:
>
> I have the following in my logout action:
>
> Zend_Session::destroy(true);
>
> after I clear my identity. Will that help?
>
> *From:* Bart McLeod [mailto:[email protected] <[email protected]>]
> *Sent:* Friday, March 05, 2010 4:06 AM
> *To:* Cameron
> *Cc:* Jake McGraw; Hector Virgen; Zend Framework - General
> *Subject:* Re: [fw-general] Zend_Auth::getInstance()->clearIdentity()
> doesn't seem to log me out?
>
>
>
> Hi Cameron,
>
> Just some ideas. I assume you are using latest from trunk.
>
> If I try in my system to logout, I can logout. So nothing is wrong with the
> framework I think. So we are looking at a problem in your logic somewhere.
>
> The first thing I thought was there could be something with redirecting the
> way you do. Maybe you should be forwarding to your default action instead, so
> that the clearance of the identity can take effect before you redirect.
>
> I do this in my logout action:
> public function logoutAction()
> {
>     Globals::logout();
>     $this->_forward('index');
> }
>
> You can see that I do not redirect, but I forward. In this case to the
> default action of the login controller.
>
> Globals does the following:
> public static function logout()
> {
>     $auth = Zend_Auth::getInstance();
>     Zend_Registry::get('log')->info('Trying to clear identity');
>     $auth->clearIdentity();
> }
>
> Since there is not much of a difference with your code, I think it must be
> the redirect.
>
> If that is not the issue, then I start to think of caching. Do you return
> cached content before you check the identity? In that case, logging out
> won't help once pages are cached. Just a thought.
>
> Regards,
>
> Bart McLeod
>
>
>
>
> Cameron wrote:
>
> I'm logged in because I can still access the entire application, something
> I can't do until I'm authorized. As for cookies, I dunno... there's nothing
> in the application that manually writes anything to a cookie, so it could
> only be Zend or general PHP session related...
>
> On Fri, Mar 5, 2010 at 12:54 PM, Jake McGraw <[email protected]> wrote:
>
> On Thu, Mar 4, 2010 at 11:39 PM, Hector Virgen <[email protected]> wrote:
> > Anything in your cookies causing you to stay logged in?
> >
> > --
> > Hector
> >
> >
> > On Thu, Mar 4, 2010 at 7:30 PM, Cameron <[email protected]> wrote:
> >>
> >> Hi guys, I'm really not sure where I'm going with this one, it seems like
> >> I must be doing something completely wrong, but I'm not really sure where to
> >> even start looking.
> >>
> >> Here's my logout action:
> >>
> >> public function logoutAction() {
> >>     Zend_Auth::getInstance()->clearIdentity();
> >>     $this->_helper->redirector('/');
> >> }
> >>
> >> Pretty simple, right? The redirect certainly works, but for some reason,
> >> I'm still logged in! I've even tried $_SESSION = ''; to brute force the
> >> session to be deleted, but there I am, still logged in. Anyone got any ideas
> >> on this one?
>
> How are you confirming that you're still logged in? Perhaps that's the
> issue?
>
> - jake
>
> >
> >
>
>
>
>
>
> --
>
> Bart McLeod
> *Space Web*
> Middenlaan 47
> 6865 VN Heveadorp
> The Netherlands
> *t* +31(0)26 3392952
> *m* 06 51 51 89 71
> *...@* [email protected]
> www.spaceweb.nl
>
> *Bart McLeod is a Zend Certified Engineer.*
>
> Click to verify! <http://www.zend.com/zce.php?c=ZEND004591&r=218204904>
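Added example, not part of the original thread and not Zend Framework code: a plain-PHP model of the session layout that shows how "session data outside the reach of Zend_Auth" can survive clearIdentity() when a login method writes extra keys next to Zend_Auth's own storage, as the logUserIn() method above does. The functions are stand-ins that model the Zend calls named in their comments, checkByRoleKey() is a hypothetical access check assumed to read the hand-written role key, and the user row is constructed sample data.

```php
<?php
// Simplified model of the session layout; plain PHP, not Zend Framework code.
// Zend_Session_Namespace('Zend_Auth') is backed by $_SESSION['Zend_Auth'], and
// Zend_Auth's default session storage keeps the identity in its 'storage' member.

function logUserIn(array &$session, $row) {
    // models $auth->getStorage()->write($data)
    $session['Zend_Auth']['storage'] = $row;
    // models the extra $authNamespace->id / email / role assignments
    $session['Zend_Auth']['id']    = $row->id;
    $session['Zend_Auth']['email'] = $row->email;
    $session['Zend_Auth']['role']  = $row->role;
}

function clearIdentity(array &$session) {
    // models Zend_Auth::clearIdentity(): only the storage member is removed
    unset($session['Zend_Auth']['storage']);
}

function hasIdentity(array $session) {
    // models Zend_Auth::hasIdentity()
    return isset($session['Zend_Auth']['storage']);
}

function checkByRoleKey(array $session) {
    // hypothetical access check that trusts the hand-written key
    return isset($session['Zend_Auth']['role']);
}

function logout(array &$session) {
    clearIdentity($session);
    unset($session['Zend_Auth']); // also drop the hand-written keys
}

function expect($condition, $message) {
    if (!$condition) {
        throw new RuntimeException($message);
    }
}

$session = array(); // stands in for $_SESSION
$row = (object) array('id' => 7, 'email' => 'user@example.test', 'role' => 'admin'); // constructed

logUserIn($session, $row);
clearIdentity($session);
expect(!hasIdentity($session), 'Zend_Auth-style check should see no identity');
expect(checkByRoleKey($session), 'role key survives clearIdentity()');

logout($session);
expect(!checkByRoleKey($session), 'role key is gone after full logout');
echo "ok\n";
```

In the real application the equivalent of hasIdentity() here is Zend_Auth::getInstance()->hasIdentity(), with the row read back through getIdentity(); access checks that go only through those two calls are reset by clearIdentity().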
