The problem with that query is that it will be very slow because it can't use indexes. The database would need to MD5 each row before it returned the matches.
--
Hector

On Fri, Mar 26, 2010 at 9:45 AM, Саша Стаменковић <[email protected]> wrote:

> You can do a simple query
>
> $this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)
>
> and authenticate it if there are results, right?
>
> Sure, because it's faster, and you don't want all that data in the client's
> cookie.
>
> Still thinking...
>
> Regards,
> Saša Stamenković
>
> On Fri, Mar 26, 2010 at 5:36 PM, Hector Virgen <[email protected]> wrote:
>
>> If you create the hash server-side and compare it to the cookie's hash,
>> how do you know which user to generate a hash for? You would either have to
>> do all of your users, or use some type of identifier. I suppose if you
>> stored the username in plain text and the password in a hash, it could work.
>>
>> The reason why you'd want both session-based authentication and
>> cookie-based is that the session one is much faster (no need to re-authorize
>> for each request). The cookie one is used only when the browser is closed
>> and reopened.
>>
>> --
>> Hector
>>
>> On Fri, Mar 26, 2010 at 9:32 AM, Саша Стаменковић <[email protected]> wrote:
>>
>>> But I want to keep session storage, and the existing auth mechanism. Why
>>> should I implement cookie storage then? And writing to storage outside of
>>> Zend_Auth does not look like a smart solution.
>>>
>>> If you can get the original back from the cookie, isn't it a security risk?
>>> Isn't it better to store a hash in the cookie, and if there is no identity,
>>> regenerate the hash and compare it with the one from the cookie?
>>>
>>> I'm confused now...thinking...
>>>
>>> Regards,
>>> Saša Stamenković
>>>
>>> On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen <[email protected]> wrote:
>>>
>>>> On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић <[email protected]> wrote:
>>>>
>>>>> Sounds nice.
>>>>>
>>>>> Zend_Auth in authenticate() does
>>>>>
>>>>> $this->getStorage()->write($result->getIdentity());
>>>>>
>>>>> so you cannot control what is written in Zend_Auth_Storage, you can
>>>>> only control how it's written.
>>>>
>>>> You can actually write whatever you want into the storage:
>>>>
>>>> Zend_Auth::getInstance()->getStorage()->write($data);
>>>>
>>>>> How did you inject the password into play?
>>>>>
>>>>> I think storing md5($email . $pass) in the cookie, where pass is already
>>>>> encrypted, is secure enough.
>>>>>
>>>>> Maybe a stupid question, but what is 2-way encryption?
>>>>
>>>> 2-way encryption allows you to reverse the encryption to get the
>>>> original. So, if the username/pass was "username/password", then encrypted
>>>> it would be something like "4df03dca/c922aldf" (example). That's what you
>>>> would store in the cookie, and then when the front controller plugin uses it,
>>>> it would decrypt it back to "username/password" and attempt to authenticate it.
>>>> MD5 is not encryption, it's a hash, and is only 1-way (you cannot get the
>>>> original from an MD5 hash alone).
>>>>
>>>>> Regards,
>>>>> Saša Stamenković
>>>>>
>>>>> On Fri, Mar 26, 2010 at 4:30 PM, Hector Virgen <[email protected]> wrote:
>>>>>
>>>>>> In one of my apps I stored the user's username and password (using
>>>>>> 2-way encryption) in their cookie, and only validated it when Zend_Auth
>>>>>> reported there was no identity (because the session expired, or the browser
>>>>>> was closed and re-opened). You can add more security by also storing a
>>>>>> one-time use token that must match in the database. The code to handle this
>>>>>> was placed in an early-running front controller plugin.
>>>>>>
>>>>>> The nice thing about this is you can make the cookie last for 6 months
>>>>>> or longer, and it will still work.
>>>>>>
>>>>>> --
>>>>>> Hector
>>>>>>
>>>>>> On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић <[email protected]> wrote:
>>>>>>
>>>>>>> @Jurian Nice idea, but since Zend_Auth stores only the identity, I don't
>>>>>>> think that information is enough to reauthenticate from the cookie.
>>>>>>>
>>>>>>> @Dmitry Yes, but Zend_Session::rememberMe() sets the session expiration
>>>>>>> time, and session expiration is not a per-user setting, but a per-server
>>>>>>> setting.
>>>>>>>
>>>>>>> Regards,
>>>>>>> Saša Stamenković
>>>>>>>
>>>>>>> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <[email protected]> wrote:
>>>>>>>
>>>>>>>> You could write a Zend_Auth_Storage_Cookie which enables you to place the
>>>>>>>> authentication in a cookie. Be careful to look at the possible exploits. Just
>>>>>>>> a plain cookie without server-side validation is not safe. Still, the storage
>>>>>>>> adapter for auth is the most simple one.
>>>>>>>> --
>>>>>>>> Jurian Sluiman
>>>>>>>> CTO Soflomo V.O.F.
>>>>>>>> http://soflomo.com
>>>>>>>>
>>>>>>>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>>>>>>>> > I'm thinking how to implement remember me in a cookie, Zend style. I'm using
>>>>>>>> > Zend_Auth with the Db_Table adapter.
>>>>>>>> >
>>>>>>>> > Maybe we can contribute some component for this. I heard that CakePHP
>>>>>>>> > already has one.
>>>>>>>> >
>>>>>>>> > Regards,
>>>>>>>> > Saša Stamenković.
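As an added example (not code from this thread or from Zend Framework itself), here is the early front controller plugin Hector describes, written so that the cookie holds only a random token and the database lookup is a plain indexed equality rather than the `md5(CONCAT(email, password))` per-row computation he objects to above. The `remember_tokens` table, the class names and a PHP 7 runtime are assumptions.

```php
<?php
// Added example, not from the thread: ZF1 "remember me" as an early front controller plugin.
// The cookie holds a random token; the DB stores only its SHA-256 in an indexed column, so
// validation is one indexed equality (not md5(CONCAT(...)) per row) and the cookie holds
// nothing derived from the password. Assumed: remember_tokens(token_hash, user_id,
// expires_at) indexed on token_hash; PHP >= 7.0 for random_bytes().
class RememberTokens extends Zend_Db_Table_Abstract
{
    protected $_name = 'remember_tokens';
}

class My_Plugin_RememberMe extends Zend_Controller_Plugin_Abstract
{
    const COOKIE   = 'remember_me';
    const LIFETIME = 15552000; // 180 days, roughly the "6 months or longer" from the thread
    // Call after a successful Zend_Auth login: raw token to the cookie, hash to the DB.
    public static function issue($userId)
    {
        $token = bin2hex(random_bytes(32));
        $table = new RememberTokens();
        $table->insert(array(
            'token_hash' => hash('sha256', $token),
            'user_id'    => $userId,
            'expires_at' => date('Y-m-d H:i:s', time() + self::LIFETIME),
        ));
        // Secure + HttpOnly: the token only travels over TLS and is not readable from JS.
        setcookie(self::COOKIE, $token, time() + self::LIFETIME, '/', '', true, true);
    }
    // Only consulted when the session has no identity (expired, or browser reopened).
    public function preDispatch(Zend_Controller_Request_Abstract $request)
    {
        $auth = Zend_Auth::getInstance();
        if ($auth->hasIdentity() || empty($_COOKIE[self::COOKIE])) {
            return;
        }
        $table  = new RememberTokens();
        $select = $table->select()
            ->where('token_hash = ?', hash('sha256', $_COOKIE[self::COOKIE]))
            ->where('expires_at > NOW()');
        $row = $table->fetchRow($select);
        if ($row === null) {
            setcookie(self::COOKIE, '', time() - 3600, '/'); // unknown or expired: drop it
            return;
        }
        // One-time use, as suggested in the thread: consume the token and issue a fresh one.
        $table->delete($table->getAdapter()->quoteInto('token_hash = ?', $row->token_hash));
        $auth->getStorage()->write($row->user_id);
        self::issue($row->user_id);
    }
}
```

Register the plugin with the front controller so it runs before the dispatch loop, and call `My_Plugin_RememberMe::issue()` once the normal `Zend_Auth` login succeeds.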
