If you create the hash server-side and compare it to the cookie's hash, how do you know which user to generate a hash for? You would either have to do all of your users, or use some type of identifier. I suppose if you stored the username in plain text and the password in a hash, it could work.

The reason why you'd want both session-based authentication and cookie-based is that the session one is much faster (no need to re-authorize for each request). The cookie one is used only when the browser is closed and reopened.

--
Hector

On Fri, Mar 26, 2010 at 9:32 AM, Саша Стаменковић <[email protected]> wrote:
> But I want to keep session storage, and the existing auth mechanism. What should I implement cookie storage for, then? And writing to storage outside of Zend_Auth does not look like a smart solution.
>
> If you can get the original back from the cookie, isn't it a security risk? Isn't it better to store a hash in the cookie, and if there is no identity, regenerate the hash and compare it with the one from the cookie?
>
> I'm confused now...thinking...
>
> Regards,
> Saša Stamenković
>
> On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen <[email protected]> wrote:
>> On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић <[email protected]> wrote:
>>> Sounds nice.
>>>
>>> Zend_Auth in authenticate() does
>>>
>>> $this->getStorage()->write($result->getIdentity());
>>>
>>> so you cannot control what is written in Zend_Auth_Storage, you can only control how it's written.
>>
>> You can actually write whatever you want into the storage:
>>
>> Zend_Auth::getInstance()->getStorage()->write($data);
>>
>>> How did you inject the password into play?
>>>
>>> I think storing md5($email . $pass) in the cookie, where pass is already encrypted, is secure enough.
>>>
>>> Maybe a stupid question, but what is 2-way encryption?
>>
>> 2-way encryption allows you to reverse the encryption to get the original. So, if the username/pass was "username/password", then encrypted it would be something like "4df03dca/c922aldf" (example). That's what you would store in the cookie, and then when the front controller plugin uses it, it would decrypt it back to "username/password" and attempt to authenticate it. MD5 is not encryption, it's a hash, and is only 1-way (you cannot get the original from an MD5 hash alone).
>>
>>> Regards,
>>> Saša Stamenković
>>>
>>> On Fri, Mar 26, 2010 at 4:30 PM, Hector Virgen <[email protected]> wrote:
>>>> In one of my apps I stored the user's username and password (using 2-way encryption) in their cookie, and only validated it when Zend_Auth reported there was no identity (because the session expired, or the browser was closed and re-opened). You can add more security by also storing a one-time use token that must match in the database. The code to handle this was placed in an early-running front controller plugin.
>>>>
>>>> The nice thing about this is you can make the cookie last for 6 months or longer, and it will still work.
>>>>
>>>> --
>>>> Hector
>>>>
>>>> On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић <[email protected]> wrote:
>>>>> @Jurian Nice idea, but since Zend_Auth stores only the identity, I don't think that information is enough to reauthenticate from the cookie.
>>>>>
>>>>> @Dmitry Yes, but Zend_Session::rememberMe() sets the session expiration time, and session expiration is not a per-user setting, but a per-server setting.
>>>>>
>>>>> Regards,
>>>>> Saša Stamenković
>>>>>
>>>>> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <[email protected]> wrote:
>>>>>> You could write a Zend_Auth_Storage_Cookie which enables you to place the authentication in a cookie. Be careful to look at the possible exploits. Just a plain cookie without server-side validation is not safe. Still, the storage adapter for auth is the most simple one.
>>>>>> --
>>>>>> Jurian Sluiman
>>>>>> CTO Soflomo V.O.F.
>>>>>> http://soflomo.com
>>>>>>
>>>>>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>>>>>>> I'm thinking how to implement remember me in a cookie, Zend style. I'm using Zend_Auth with the Db_Table adapter.
>>>>>>>
>>>>>>> Maybe we can contribute some component for this. I heard that CakePHP already has one.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Saša Stamenković.
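The thread leaves two practical questions open: how the server knows which user a cookie hash belongs to without scanning every account, and how to give the cookie server-side validation plus the one-time token Hector mentions. The following is an added example, not code from this thread or from Zend Framework: the cookie carries a random selector (the identifier that answers the "which user" question) and a random validator; the server stores only a SHA-256 of the validator, so a copied database row cannot be turned back into a working cookie, and every successful use rotates the token. It assumes PHP 7.3 or later (random_bytes, hash_equals, the setcookie options array); the `$store` array stands in for the database table, and the function names are the example's own.

```php
<?php
// Added example (not from the thread or Zend Framework): a "remember me"
// cookie built from a random selector plus a random validator. The server
// keeps sha256(validator) only, so a leaked table cannot be replayed as a
// cookie. Assumes PHP 7.3+. $store stands in for a database table keyed by
// selector; all token values here are generated, not taken from the thread.

const SELECTOR_BYTES   = 12;
const VALIDATOR_BYTES  = 32;
const LIFETIME_SECONDS = 180 * 24 * 3600;   // six months, as the thread suggests

// Issue a fresh token for $userId and return the cookie value "selector:validator".
function issueRememberToken(array &$store, string $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(SELECTOR_BYTES));
    $validator = bin2hex(random_bytes(VALIDATOR_BYTES));
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),   // never the validator itself
        'expires_at'     => $now + LIFETIME_SECONDS,
    ];
    return $selector . ':' . $validator;
}

// Validate a presented cookie value. Returns the user id on success, null
// otherwise. A successful token is consumed (one-time use) and the replacement
// cookie value is written to $newCookie so the caller can send it.
function consumeRememberToken(array &$store, string $cookie, int $now, ?string &$newCookie): ?string
{
    $newCookie = null;
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2
        || !preg_match('/^[0-9a-f]+$/', $parts[0])
        || !preg_match('/^[0-9a-f]+$/', $parts[1])) {
        return null;                                 // malformed cookie
    }
    [$selector, $validator] = $parts;
    if (!isset($store[$selector])) {
        return null;                                 // unknown selector: nothing to compare against
    }
    $row = $store[$selector];
    if ($row['expires_at'] < $now) {
        unset($store[$selector]);                    // expired: drop the row
        return null;
    }
    // Constant-time comparison of the hashed validator, so timing does not
    // leak how many leading bytes matched.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        // A valid selector with a wrong validator points at a forged or
        // tampered cookie: revoke the token so it cannot be used by anyone.
        unset($store[$selector]);
        return null;
    }
    unset($store[$selector]);                        // consume the token
    $newCookie = issueRememberToken($store, $row['user_id'], $now);
    return $row['user_id'];
}

// Send the cookie with attributes that keep it away from scripts and plain HTTP.
function sendRememberCookie(string $value): void
{
    setcookie('remember_me', $value, [
        'expires'  => time() + LIFETIME_SECONDS,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Demonstration against the in-memory store (constructed data).
$store  = [];
$now    = 1269600000;                                           // constructed timestamp
$cookie = issueRememberToken($store, 'user-42', $now);          // issued at login
$userId = consumeRememberToken($store, $cookie, $now + 60, $rotated);  // next visit: accepted, token rotated
$replay = consumeRememberToken($store, $cookie, $now + 120, $again);   // same cookie again: rejected
```

In a front controller plugin this would run only when Zend_Auth reports no identity, as the thread describes: on success the plugin writes the identity into the existing session storage and sends the rotated cookie, so the session path stays the fast one and the cookie path is taken only after the browser was closed. Keeping the validator hashed and rotating it on every use is what makes a lost database row or a single replayed cookie detectable rather than silently usable.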
