But I want to keep session storage and the existing auth mechanism. What
should I implement cookie storage for, then? And writing to storage outside of
Zend_Auth does not look like a smart solution.

If you can get back the original from the cookie, isn't it a security risk? Isn't it
better to store a hash in the cookie, and if there is no identity, regenerate the hash and
compare it with the one from the cookie?

I'm confused now...thinking...

Regards,
Saša Stamenković


On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen <djvir...@gmail.com> wrote:

> On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић <umpir...@gmail.com> wrote:
>
>> Sounds nice.
>>
>> Zend_Auth in authenticate() do
>>
>> $this->getStorage()->write($result->getIdentity());
>>
>> so, you cannot control what is written in Zend_Auth_Storage, you can
>> only control how it's written.
>>
>
> You can actually write whatever you want into the storage:
>
> Zend_Auth::getInstance()->getStorage()->write($data);
>
>
>
>>
>> How did you inject password into play?
>>
>> I think storing md5($email . $pass) in cookie where pass is already
>> encrypted is secure enough.
>>
>> Maybe a stupid question, but, what is 2-way encryption?
>>
>
> 2-way encryption allows you to reverse the encryption to get the original.
> So, if the username/pass was "username/password", then encrypted it would be
> something like "4df03dca/c922aldf" (example). That's what you would store in
> the cookie, and then when the front controller plugin uses it, it would decrypt
> it back to "username/password" and attempt to authenticate it. MD5 is not
> encryption, it's a hash, and is only 1-way (you cannot get the original from
> an MD5 hash alone).
>
>
>>
>> Regards,
>> Saša Stamenković
>>
>>
>>
>> On Fri, Mar 26, 2010 at 4:30 PM, Hector Virgen <djvir...@gmail.com> wrote:
>>
>>> In one of my apps I stored the user's username and password (using 2-way
>>> encryption) in their cookie, and only validated it when Zend_Auth reported
>>> there was no identity (because the session expired, or the browser was
>>> closed and re-opened). You can add more security by also storing a one-time
>>> use token that must match in the database. The code to handle this was
>>> placed in an early-running front controller plugin.
>>>
>>> The nice thing about this is you can make the cookie last for 6 months or
>>> longer, and it will still work.
>>>
>>> --
>>> Hector
>>>
>>>
>>>
>>> On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић <umpir...@gmail.com> wrote:
>>>
>>>> @Jurian Nice idea, but since Zend_Auth stores only the identity, I don't
>>>> think that information is enough to reauthenticate from a cookie.
>>>>
>>>> @Dmitry Yes, but Zend_Session::rememberMe() sets session expiration
>>>> time, and session expiration is not per user setting, but per server
>>>> setting.
>>>>
>>>> Regards,
>>>> Saša Stamenković
>>>>
>>>>
>>>>
>>>> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <
>>>> subscr...@juriansluiman.nl> wrote:
>>>>
>>>>> You could write a Zend_Auth_Storage_Cookie which enables you to place
>>>>> the authentication in a cookie. Be careful to look at the possible
>>>>> exploits. Just a plain cookie without server-side validation is not
>>>>> safe. Still, the storage adapter for auth is the most simple one.
>>>>> --
>>>>> Jurian Sluiman
>>>>> CTO Soflomo V.O.F.
>>>>> http://soflomo.com
>>>>>
>>>>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>>>>> > I'm thinking, how to implement remember me in cookie zend style. I'm
>>>>> > using Zend_Auth with Db_Table adapter.
>>>>> >
>>>>> > Maybe we can contribute some component for this. I heard that Cake
>>>>> > PHP already have one.
>>>>> >
>>>>> > Regards,
>>>>> > Saša Stamenković.
>>>>>
>>>>
>>>>
>>>
>>
>
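As an added example (not code from this thread or from Zend Framework), here is the server-validated remember-me design that Jurian and Hector describe, with the password kept out of the cookie entirely: the cookie carries a random selector and validator, the database stores only a hash of the validator, and each token is single-use. It assumes PHP 7.1 or later; the cookie name, the TTL and the in-memory "database" array are constructed for the example.

```php
<?php
// Added example, not from the thread or Zend Framework. The cookie holds only
// random tokens; nothing in it is derived from the password, so a stolen
// cookie cannot be "decrypted" into credentials and cannot be forged without
// the random validator. The "database" is a constructed in-memory array
// standing in for a table (selector, validator_hash, user_id, expires).

const REMEMBER_COOKIE = 'remember_me';          // assumed cookie name
const REMEMBER_TTL    = 60 * 60 * 24 * 180;     // 180 days, assumed

// Issue a new token for $userId. Returns the cookie value to send, e.g.
//   setcookie(REMEMBER_COOKIE, $value, time() + REMEMBER_TTL, '/', '', true, true);
// (secure + httponly so it is neither sent in clear nor readable by scripts).
function issueRememberToken(string $userId, array &$db): string
{
    $selector  = bin2hex(random_bytes(12));   // public lookup key
    $validator = bin2hex(random_bytes(32));   // secret; only its hash is stored
    $db[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

// Verify a cookie value. On success the token is consumed (one-time use, as
// Hector suggests) and the user id is returned; the front controller plugin
// would then write it with Zend_Auth::getInstance()->getStorage()->write()
// and call issueRememberToken() again to replace the cookie.
function verifyRememberToken(string $cookie, array &$db): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    [$selector, $validator] = $parts;
    $row = $db[$selector] ?? null;
    if ($row === null || $row['expires'] < time()) { return null; }
    // Constant-time comparison; a wrong validator for a known selector means
    // someone is guessing, so revoke the row rather than leave it usable.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($db[$selector]);
        return null;
    }
    unset($db[$selector]);                    // consumed: replay must fail
    return $row['user_id'];
}

// Constructed walk-through: first use succeeds, a replayed cookie does not.
$db = [];
$cookie = issueRememberToken('42', $db);
assert(verifyRememberToken($cookie, $db) === '42');
assert(verifyRememberToken($cookie, $db) === null);
```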
