On Wednesday, April 20, 2011 14:24:28 UTC+2, Johannes Schmitt wrote:

>> - "loadByUsername()": Is this really intended to load a user by username?
>> Or can username also be the ID? Loading users by username will make the
>> system unstable if users have the possibility to change their usernames.
>
> Yes, this can be anything.

Ok

>> - putting the username into the rememberMe cookie has the same issues and
>> even worse you put private/personal data into a cookie, a cookie should
>> never contain any personal data. The username could also be a customer id or
>> an email address and I don't want any cookie to contain such data. It should
>> only contain a signed random id and all sensible data should be stored
>> anywhere on the server.
>
> We have two flavors for remember-me. One which is simple to set-up and
> which stores in a readable format the username, the user's class, and the
> expire time in the cookie. The other implementation requires you to set-up a
> token provider and only stores two random hashes in the cookie. The former
> is mainly intended for private websites, the latter is for anything more
> serious.

Is there an example somewhere of how to set up the "more serious"

>> - performance: has anyone tested the performance of all the nice security
>> features? I'm afraid it will slow down my application if I have to deal with
>> 200 roles or so.. why do we need so many classes/objects?
>
> Can you give better examples? 200 roles seems always inefficient no matter
> what the actual implementation is.

Ah, I think I'm mixing roles with ACLs here.. coming from symfony 1 I have to get it in my mind that we now have ACLs.. in my symfony 1 user system I use the good old "credentials" for create/edit/view/delete permissions per object so.. I have tons of them.. what I rather would like to know is: How can I have other/additional "rights"? (or is it called "access"?) - for example suppose I need to provide the right to "publish" an article or to "lock" a user. I guess I have to implement my own MaskBuilder for that object (maybe subclass the MaskBuilder and add the additional constants)? An example would be helpful.

>> - what I miss is a way to prevent brute force attacks: block IPs or
>> usernames on too many login attempts, hundreds of files.. but the most
>> important feature the framework could provide to make applications much more
>> secure is missing.. :-(
>
> It's possible. A typical use case is to return false from isAccountLocked()
> if there were too many failed login attempts.

>> - also there is no way to define roles/rights in a bundle, I don't
>> understand how you want to handle this when a user needs some roles or ACL
>> rights to use a bundle
>
> I think you can have a look at the CommentBundle for how to do this.

Thank you for your help! I think some more docs with example use cases would help people a lot. Of course it doesn't make any sense to not use the security system.. and I know that I have to copy all classes into my brain to be able to use it properly.. and that still scares me a bit.. nice were the times with a single sfUser class.. ;-)

regards,
Matthias

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com

You received this message because you are subscribed to the Google Groups "symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
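The token-provider flavor of remember-me that Johannes describes above (two random values in the cookie, everything else server-side), as an added illustrative example that is not Symfony's code and not part of this thread. It assumes an in-memory dict as the token store, integer timestamps, and a 14-day lifetime.

```python
import hashlib
import hmac
import secrets

LIFETIME = 14 * 24 * 3600  # cookie lifetime in seconds (assumed value)


class TokenRememberMe:
    """Persistent-token remember-me: the cookie holds only two random values
    (series, token); user id, token hash and expiry stay in the server-side
    store, so no username or other personal data is written to the cookie."""

    def __init__(self):
        self.store = {}  # constructed stand-in for a token provider: series -> record

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user_id, now):
        """Start a new series for user_id and return the cookie value."""
        series, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.store[series] = {"user_id": user_id, "token_hash": self._hash(token),
                              "expires": now + LIFETIME}
        return f"{series}:{token}"

    def authenticate(self, cookie, now):
        """Return (user_id, rotated_cookie) on success, else (None, None)."""
        try:
            series, token = cookie.split(":", 1)
        except ValueError:
            return None, None
        record = self.store.get(series)
        if record is None or now > record["expires"]:
            self.store.pop(series, None)
            return None, None
        if not hmac.compare_digest(record["token_hash"], self._hash(token)):
            # Known series but wrong token: the cookie was most likely copied
            # and already used elsewhere. Drop the series so that neither the
            # legitimate browser nor the copy keeps access.
            del self.store[series]
            return None, None
        # Rotate the token on every successful use; a replayed old cookie then
        # fails the check above and exposes the theft instead of passing.
        new_token = secrets.token_urlsafe(32)
        record["token_hash"] = self._hash(new_token)
        record["expires"] = now + LIFETIME
        return record["user_id"], f"{series}:{new_token}"
```

Rotating the token on each use is what turns a stolen cookie into a detectable event rather than a silent long-lived session.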
