You are right, storing user Id can speed up, but that becomes complicated....

Regards,
Saša Stamenković

On Fri, Mar 26, 2010 at 5:47 PM, Hector Virgen <djvir...@gmail.com> wrote:

> The problem with that query is that it will be very slow because it can't
> use indexes. The database would need to MD5 each row before it returned the
> matches.
>
> --
> Hector
>
> On Fri, Mar 26, 2010 at 9:45 AM, Саша Стаменковић <umpir...@gmail.com> wrote:
>
>> You can do a simple query
>>
>> $this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)
>>
>> and authenticate it if there are results, right?
>>
>> Sure, because it's faster, and you don't want all that data in client's
>> cookie.
>>
>> Still thinking...
>>
>> Regards,
>> Saša Stamenković
>>
>> On Fri, Mar 26, 2010 at 5:36 PM, Hector Virgen <djvir...@gmail.com> wrote:
>>
>>> If you create the hash server-side and compare it to the cookie's hash,
>>> how do you know which user to generate a hash for? You would either have to
>>> do all of your users, or use some type of identifier. I suppose if you
>>> stored the username in plain text and the password in a hash, it could work.
>>>
>>> The reason why you'd want both session-based authentication and
>>> cookie-based is that the session one is much faster (no need to re-authorize
>>> for each request). The cookie one is used only when the browser is closed
>>> and reopened.
>>>
>>> --
>>> Hector
>>>
>>> On Fri, Mar 26, 2010 at 9:32 AM, Саша Стаменковић <umpir...@gmail.com> wrote:
>>>
>>>> But I want to keep session storage, and existing auth mechanism. What
>>>> for should I implement cookie storage then? And writing to storage outside
>>>> of Zend_Auth does not look like a smart solution.
>>>>
>>>> If you can get back original from cookie, isn't it a security risk? Isn't
>>>> it better to store hash in cookie, and if no identity, regenerate hash and
>>>> compare it with one from cookie?
>>>>
>>>> I'm confused now...thinking...
>>>>
>>>> Regards,
>>>> Saša Stamenković
>>>>
>>>> On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen <djvir...@gmail.com> wrote:
>>>>
>>>>> On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић <umpir...@gmail.com> wrote:
>>>>>
>>>>>> Sounds nice.
>>>>>>
>>>>>> Zend_Auth in authenticate() does
>>>>>>
>>>>>> $this->getStorage()->write($result->getIdentity());
>>>>>>
>>>>>> so, you cannot control what is written in Zend_Auth_Storage, you can
>>>>>> only control how it's written.
>>>>>
>>>>> You can actually write whatever you want into the storage:
>>>>>
>>>>> Zend_Auth::getInstance()->getStorage()->write($data);
>>>>>
>>>>>> How did you inject password into play?
>>>>>>
>>>>>> I think storing md5($email . $pass) in cookie where pass is already
>>>>>> encrypted is secure enough.
>>>>>>
>>>>>> Maybe a stupid question, but, what is 2-way encryption?
>>>>>
>>>>> 2-way encryption allows you to reverse the encryption to get the
>>>>> original. So, if the username/pass was "username/password", then encrypted
>>>>> it would be something like "4df03dca/c922aldf" (example). That's what you
>>>>> would store in the cookie, and then when the front controller plugin uses
>>>>> it would decrypt it back to "username/password" and attempt to
>>>>> authenticate it. MD5 is not encryption, it's a hash, and is only 1-way
>>>>> (you cannot get the original from an MD5 hash alone).
>>>>>
>>>>>> Regards,
>>>>>> Saša Stamenković
>>>>>>
>>>>>> On Fri, Mar 26, 2010 at 4:30 PM, Hector Virgen <djvir...@gmail.com> wrote:
>>>>>>
>>>>>>> In one of my apps I stored the user's username and password (using
>>>>>>> 2-way encryption) in their cookie, and only validated it when Zend_Auth
>>>>>>> reported there was no identity (because the session expired, or the
>>>>>>> browser was closed and re-opened). You can add more security by also
>>>>>>> storing a one-time use token that must match in the database. The code
>>>>>>> to handle this was placed in an early-running front controller plugin.
>>>>>>>
>>>>>>> The nice thing about this is you can make the cookie last for 6
>>>>>>> months or longer, and it will still work.
>>>>>>>
>>>>>>> --
>>>>>>> Hector
>>>>>>>
>>>>>>> On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић <umpir...@gmail.com> wrote:
>>>>>>>
>>>>>>>> @Jurian Nice idea, but since Zend_Auth stores only identity, I don't
>>>>>>>> think that information is enough to reauthenticate from cookie.
>>>>>>>>
>>>>>>>> @Dmitry Yes, but Zend_Session::rememberMe() sets session expiration
>>>>>>>> time, and session expiration is not per user setting, but per server
>>>>>>>> setting.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Saša Stamenković
>>>>>>>>
>>>>>>>> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <subscr...@juriansluiman.nl> wrote:
>>>>>>>>
>>>>>>>>> You could write a Zend_Auth_Storage_Cookie which enables you to
>>>>>>>>> place the authentication in a cookie. Be careful to look at the
>>>>>>>>> possible exploits. Just a plain cookie without server-side validation
>>>>>>>>> is not safe. Still, the storage adapter for auth is the most simple one.
>>>>>>>>> --
>>>>>>>>> Jurian Sluiman
>>>>>>>>> CTO Soflomo V.O.F.
>>>>>>>>> http://soflomo.com
>>>>>>>>>
>>>>>>>>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>>>>>>>>> > I'm thinking, how to implement remember me in cookie zend style.
>>>>>>>>> > I'm using Zend_Auth with Db_Table adapter.
>>>>>>>>> >
>>>>>>>>> > Maybe we can contribute some component for this. I heard that
>>>>>>>>> > Cake PHP already have one.
>>>>>>>>> >
>>>>>>>>> > Regards,
>>>>>>>>> > Saša Stamenković.
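
Two points raised in the thread, an identifier in the cookie so the lookup can use an index and a one-time use token that must match the database, combined in one sketch; this is an added example, not code from any participant or from Zend Framework. The `remember_tokens` table, the `issueToken()`/`redeemToken()` functions and the in-memory SQLite database (PHP 7.1+ with pdo_sqlite) are assumptions.

```php
<?php
// Added example, not code from the thread. Names are hypothetical.
$db = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE remember_tokens (
    selector       TEXT PRIMARY KEY,  -- indexed lookup key, not secret
    validator_hash TEXT NOT NULL,     -- SHA-256 of the secret half
    user_id        INTEGER NOT NULL,
    expires_at     INTEGER NOT NULL
)');

/** Store a new token for $userId; return the cookie value "selector:validator". */
function issueToken(PDO $db, int $userId, int $ttl = 15552000): string // ~6 months
{
    $selector  = bin2hex(random_bytes(9));
    $validator = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO remember_tokens VALUES (?, ?, ?, ?)')
       ->execute([$selector, hash('sha256', $validator), $userId, time() + $ttl]);
    return $selector . ':' . $validator;
}

/** Return [userId, replacementCookie] and consume the token, or null on failure. */
function redeemToken(PDO $db, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    // Primary-key lookup: the database never hashes every row to find a match.
    $stmt = $db->prepare(
        'SELECT validator_hash, user_id, expires_at FROM remember_tokens WHERE selector = ?'
    );
    $stmt->execute([$parts[0]]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['expires_at'] < time()) {
        return null;
    }
    // Constant-time comparison of the stored hash with the hash of the cookie's secret.
    if (!hash_equals($row['validator_hash'], hash('sha256', $parts[1]))) {
        return null;
    }
    // One-time use: delete the spent token and hand back a fresh one.
    $db->prepare('DELETE FROM remember_tokens WHERE selector = ?')->execute([$parts[0]]);
    return [(int) $row['user_id'], issueToken($db, (int) $row['user_id'])];
}

$cookie = issueToken($db, 42);                 // constructed user id
[$userId, $next] = redeemToken($db, $cookie);  // first use succeeds
var_dump($userId, redeemToken($db, $cookie), redeemToken($db, $next) !== null);
```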