Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Marian Meres
You may find this useful: http://jaspan.com/improved_persistent_login_cookie_best_practice

On Fri, Mar 26, 2010 at 2:50 PM, umpirsky wrote:
> I'm thinking, how to implement remember me in cookie zend style. I'm using Zend_Auth with Db_Table adapter.
>
> Maybe we can contribute some component

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
You are right, storing user Id can speed up, but that becomes complicated

Regards,
Saša Stamenković

On Fri, Mar 26, 2010 at 5:47 PM, Hector Virgen wrote:
> The problem with that query is that it will be very slow because it can't use indexes. The database would need to MD5 each row befor

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Hector Virgen
The problem with that query is that it will be very slow because it can't use indexes. The database would need to MD5 each row before it returned the matches.

--
Hector

On Fri, Mar 26, 2010 at 9:45 AM, Саша Стаменковић wrote:
> You can do a simple query
>
> $this->_db->quoteInto('md5(CONCAT(ema

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
You can do a simple query

$this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)

and authenticate it if there are results, right?

Sure, because it's faster, and you don't want all that data in client's cookie.

Still thinking...

Regards,
Saša Stamenković

On Fri, Mar 26, 2010 at 5:36

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Hector Virgen
If you create the hash server-side and compare it to the cookie's hash, how do you know which user to generate a hash for? You would either have to do all of your users, or use some type of identifier. I suppose if you stored the username in plain text and the password in a hash, it could work. Th

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
But I want to keep session storage, and existing auth mechanism. What for should I implement cookie storage then? And writing to storage outside of Zend_Auth does not look like a smart solution. If you can get back the original from the cookie, isn't it a security risk? Isn't it better to store hash in cooki

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Hector Virgen
On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић wrote:
> Sounds nice.
>
> Zend_Auth in authenticate() does
>
> $this->getStorage()->write($result->getIdentity());
>
> so, you cannot control what is written in Zend_Auth_Storage, you can only control how it's written.
>

You can actually write w

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
Sounds nice.

Zend_Auth in authenticate() does

$this->getStorage()->write($result->getIdentity());

so, you cannot control what is written in Zend_Auth_Storage, you can only control how it's written.

How did you inject password into play?

I think storing md5($email . $pass) in cookie where pass

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Hector Virgen
In one of my apps I stored the user's username and password (using 2-way encryption) in their cookie, and only validated it when Zend_Auth reported there was no identity (because the session expired, or the browser was closed and re-opened). You can add more security by also storing a one-time use

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
@Jurian Nice idea, but since Zend_Auth stores only identity, I don't think that information is enough to reauthenticate from cookie.

@Dmitry Yes, but Zend_Session::rememberMe() sets session expiration time, and session expiration is not per user setting, but per server setting.

Regards,
Saša Sta

Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Jurian Sluiman
You could write a Zend_Auth_Storage_Cookie which enables you to place the authentication in a cookie. Be careful to look at the possible exploits. Just a plain cookie without server-side validation is not safe. Still, the storage adapter for auth is the most simple one.

--
Jurian Sluiman
CTO So

[fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread umpirsky
I'm thinking, how to implement remember me in cookie zend style. I'm using Zend_Auth with Db_Table adapter.

Maybe we can contribute some component for this. I heard that Cake PHP already has one.

Regards,
Saša Stamenković.