You can do a simple query
$this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)
and authenticate it if there are results, right?
Sure, because it's faster, and you don't want all that data in clients
cookie.
Still thinking...
Regards,
Saša Stamenković
On Fri, Mar 26, 2010 at 5:36 PM, Hector Virgen <[email protected]> wrote:
> If you create the hash server-side and compare it to the cookie's hash, how
> do you know which user to generate a hash for? You would either have to do
> all of your users, or use some type of identifier. I suppose if you stored
> the username in plain text and the password in a hash, it could work.
>
> The reason why you'd want both session-based authentication and
> cookie-based is that the session one is much faster (no need to re-authorize
> for each request). The cookie one is used only when the browser is closed
> and reopened.
>
> --
> Hector
>
>
>
> On Fri, Mar 26, 2010 at 9:32 AM, Саша Стаменковић <[email protected]>wrote:
>
>> But I want to keep session storage, and existing auth mechanism. What for
>> should I implement cookie storage then? And writing to storage outside of
>> Zend_Auth does not looks like smart solution.
>>
>> If you can get back original from cookie, isn't it security risk. isn't it
>> better to store hash in cookie, and if no identitiy, regenerate hash and
>> compare it with one from cookie?
>>
>> I'm confused now...thinking...
>>
>> Regards,
>> Saša Stamenković
>>
>>
>>
>> On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen <[email protected]>wrote:
>>
>>> On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић <[email protected]>wrote:
>>>
>>>> Sounds nice.
>>>>
>>>> Zend_Auth in authenticate() do
>>>>
>>>> $this->getStorage()->write($result->getIdentity());
>>>>
>>>> so, you cannot controll what is written in Zend_Auth_Storage, you can
>>>> opnly control how it's written.
>>>>
>>>
>>> You can actually write whatever you want into the storage:
>>>
>>> Zend_Auth::getInstance()->getStorage()->write($data);
>>>
>>>
>>>
>>>>
>>>> How did you inject password into play?
>>>>
>>>> I think storing md5($email . $pass) in cookie where pass is already
>>>> encrypted is secure enough.
>>>>
>>>> Maybe a stupid question, but, what is 2-way encryption?
>>>>
>>>
>>> 2-way encryption allows you to reverse the encryption to get the
>>> original. So, if the username/pass was "username/password", then encrypted
>>> it would be something like "4df03dca/c922aldf" (example). That's what you
>>> would store in the cookie, and then when the front controller plugin uses it
>>> would decrypt it back to "username/password" and attempt to authenticate it.
>>> MD5 is not encryption, it's a hash, and is only 1-way (you cannot get the
>>> original from an MD5 hash alone).
>>>
>>>
>>>>
>>>> Regards,
>>>> Saša Stamenković
>>>>
>>>>
>>>>
>>>> On Fri, Mar 26, 2010 at 4:30 PM, Hector Virgen <[email protected]>wrote:
>>>>
>>>>> In one of my apps I stored the user's username and password (using
>>>>> 2-way encryption) in their cookie, and only validated it when Zend_Auth
>>>>> reported there was no identity (because the session expired, or the
>>>>> browser
>>>>> was closed and re-opened). You can add more security by also storing a
>>>>> one-time use token that must match in the database. The code to handle
>>>>> this
>>>>> was placed in an early-running front controller plugin.
>>>>>
>>>>> The nice thing about this is you can make the cookie last for 6 months
>>>>> or longer, and it will still work.
>>>>>
>>>>> --
>>>>> Hector
>>>>>
>>>>>
>>>>>
>>>>> On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић
>>>>> <[email protected]>wrote:
>>>>>
>>>>>> @Jurian Nice idea, but since Zend_Auth stores only identity, I don't
>>>>>> think that information is enought to reauthenticate from cookie.
>>>>>>
>>>>>> @Dmitry Yes, but Zend_Session::rememberMe() sets session expiration
>>>>>> time, and session expiration is not per user setting, but per server
>>>>>> setting.
>>>>>>
>>>>>> Regards,
>>>>>> Saša Stamenković
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <
>>>>>> [email protected]> wrote:
>>>>>>
>>>>>>> You could write a Zend_Auth_Storage_Cookie which enables you to place
>>>>>>> the
>>>>>>> authentication in a cookie. Be careful to look at the possible
>>>>>>> exploits. Just
>>>>>>> a plain cookie without server-side validation is not safe. Still, the
>>>>>>> storage
>>>>>>> adapter for auth is the most simple one.
>>>>>>> --
>>>>>>> Jurian Sluiman
>>>>>>> CTO Soflomo V.O.F.
>>>>>>> http://soflomo.com
>>>>>>>
>>>>>>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>>>>>>> > I'm thinking, how to implement remember me in cookie zend style.
>>>>>>> I'm using
>>>>>>> > Zend_Auth with Db_Table adapter.
>>>>>>> >
>>>>>>> > Maybe we can contribute some component for this. I heard that Cake
>>>>>>> PHP
>>>>>>> > already have one.
>>>>>>> >
>>>>>>> > Regards,
>>>>>>> > Saša Stamenković.
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
