You are right, storing the user ID can speed it up, but that becomes
complicated...

Regards,
Saša Stamenković


On Fri, Mar 26, 2010 at 5:47 PM, Hector Virgen <djvir...@gmail.com> wrote:

> The problem with that query is that it will be very slow because it can't
> use indexes. The database would need to MD5 each row before it returned the
> matches.
>
> --
> Hector
>
>
>
> On Fri, Mar 26, 2010 at 9:45 AM, Саша Стаменковић <umpir...@gmail.com>wrote:
>
>> You can do a simple query
>>
>> $this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)
>>
>> and authenticate it if there are results, right?
>>
>> Sure, because it's faster, and you don't want all that data in the client's
>> cookie.
>>
>> Still thinking...
>>
>> Regards,
>> Saša Stamenković
>>
>>
>>
>> On Fri, Mar 26, 2010 at 5:36 PM, Hector Virgen <djvir...@gmail.com>wrote:
>>
>>> If you create the hash server-side and compare it to the cookie's hash,
>>> how do you know which user to generate a hash for? You would either have to
>>> do all of your users, or use some type of identifier. I suppose if you
>>> stored the username in plain text and the password in a hash, it could work.
>>>
>>> The reason why you'd want both session-based authentication and
>>> cookie-based is that the session one is much faster (no need to re-authorize
>>> for each request). The cookie one is used only when the browser is closed
>>> and reopened.
>>>
>>> --
>>> Hector
>>>
>>>
>>>
>>> On Fri, Mar 26, 2010 at 9:32 AM, Саша Стаменковић <umpir...@gmail.com>wrote:
>>>
>>>> But I want to keep session storage and the existing auth mechanism. Why
>>>> should I implement cookie storage then? And writing to storage outside
>>>> of Zend_Auth does not look like a smart solution.
>>>>
>>>> If you can get the original back from the cookie, isn't that a security risk?
>>>> Isn't it better to store a hash in the cookie and, if there is no identity,
>>>> regenerate the hash and compare it with the one from the cookie?
>>>>
>>>> I'm confused now...thinking...
>>>>
>>>> Regards,
>>>> Saša Stamenković
>>>>
>>>>
>>>>
>>>> On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen <djvir...@gmail.com>wrote:
>>>>
>>>>> On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић 
>>>>> <umpir...@gmail.com>wrote:
>>>>>
>>>>>> Sounds nice.
>>>>>>
>>>>>> Zend_Auth in authenticate() do
>>>>>>
>>>>>> $this->getStorage()->write($result->getIdentity());
>>>>>>
>>>>>> so you cannot control what is written to Zend_Auth_Storage, you can
>>>>>> only control how it's written.
>>>>>>
>>>>>
>>>>> You can actually write whatever you want into the storage:
>>>>>
>>>>> Zend_Auth::getInstance()->getStorage()->write($data);
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> How did you inject password into play?
>>>>>>
>>>>>> I think storing md5($email . $pass) in a cookie, where pass is already
>>>>>> encrypted, is secure enough.
>>>>>>
>>>>>> Maybe a stupid question, but, what is 2-way encryption?
>>>>>>
>>>>>
>>>>> 2-way encryption allows you to reverse the encryption to get the
>>>>> original. So, if the username/pass was "username/password", then encrypted
>>>>> it would be something like "4df03dca/c922aldf" (example). That's what you
>>>>> would store in the cookie, and then when the front controller plugin uses it,
>>>>> it would decrypt it back to "username/password" and attempt to authenticate.
>>>>> MD5 is not encryption, it's a hash, and is only 1-way (you cannot get the
>>>>> original from an MD5 hash alone).
>>>>>
>>>>>
>>>>>>
>>>>>> Regards,
>>>>>> Saša Stamenković
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Mar 26, 2010 at 4:30 PM, Hector Virgen <djvir...@gmail.com>wrote:
>>>>>>
>>>>>>> In one of my apps I stored the user's username and password (using
>>>>>>> 2-way encryption) in their cookie, and only validated it when Zend_Auth
>>>>>>> reported there was no identity (because the session expired, or the browser
>>>>>>> was closed and re-opened). You can add more security by also storing a
>>>>>>> one-time use token that must match in the database. The code to handle this
>>>>>>> was placed in an early-running front controller plugin.
>>>>>>>
>>>>>>> The nice thing about this is you can make the cookie last for 6
>>>>>>> months or longer, and it will still work.
>>>>>>>
>>>>>>> --
>>>>>>> Hector
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Mar 26, 2010 at 7:17 AM, Саша Стаменковић <
>>>>>>> umpir...@gmail.com> wrote:
>>>>>>>
>>>>>>>> @Jurian Nice idea, but since Zend_Auth stores only the identity, I don't
>>>>>>>> think that information is enough to reauthenticate from a cookie.
>>>>>>>>
>>>>>>>> @Dmitry Yes, but Zend_Session::rememberMe() sets session expiration
>>>>>>>> time, and session expiration is not per user setting, but per server
>>>>>>>> setting.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Saša Stamenković
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On Fri, Mar 26, 2010 at 3:10 PM, Jurian Sluiman <
>>>>>>>> subscr...@juriansluiman.nl> wrote:
>>>>>>>>
>>>>>>>>> You could write a Zend_Auth_Storage_Cookie which enables you to place the
>>>>>>>>> authentication in a cookie. Be careful to look at the possible exploits. Just
>>>>>>>>> a plain cookie without server-side validation is not safe. Still, the storage
>>>>>>>>> adapter for auth is the most simple one.
>>>>>>>>> --
>>>>>>>>> Jurian Sluiman
>>>>>>>>> CTO Soflomo V.O.F.
>>>>>>>>> http://soflomo.com
>>>>>>>>>
>>>>>>>>> On Friday 26 Mar 2010 14:50:41 umpirsky wrote:
>>>>>>>>> > I'm thinking about how to implement "remember me" in a cookie, Zend style.
>>>>>>>>> > I'm using Zend_Auth with the Db_Table adapter.
>>>>>>>>> >
>>>>>>>>> > Maybe we can contribute some component for this. I heard that Cake PHP
>>>>>>>>> > already has one.
>>>>>>>>> >
>>>>>>>>> > Regards,
>>>>>>>>> > Saša Stamenković.
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>

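Added example (editor's code, not from any participant in this thread and not part of Zend Framework): the design the thread circles around but never writes down. Instead of a cookie derived from the e-mail and password hash (which forces the `md5(CONCAT(email, password)) = ?` full-table scan Hector objects to, and ties the cookie's lifetime to the password) or a reversibly encrypted username/password, the cookie carries a random selector plus a random validator. The selector is the indexed lookup key; only a SHA-256 of the validator is stored, so a leaked table cannot be replayed; the token is consumed and rotated on every use, which is the "one-time use token that must match in the database" Hector mentions. It assumes PHP 7.3 or later (`random_bytes`, `hash_equals`, the options-array form of `setcookie`); the `remember_me` table is stood in for by an in-memory array, and its column names are assumptions. Where the thread's front controller plugin would then call `Zend_Auth::getInstance()->getStorage()->write($identity)` with the returned user id is left to the caller.

```php
<?php
declare(strict_types=1);

// Six-month lifetime, as discussed in the thread.
const REMEMBER_TTL = 180 * 24 * 3600;

// Issue a remember-me token for $userId. $table stands in for a DB table whose
// primary/unique key is the selector (assumed schema). Returns the cookie value.
function issueRememberToken(array &$table, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(9)); // public lookup key, indexed
    $validator = random_bytes(32);         // secret half, lives only in the cookie
    $table[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator), // never store the raw validator
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . bin2hex($validator);
}

// Check a cookie value. Returns the user id on success, null otherwise.
// On success the token is consumed and a replacement is returned in $newCookie,
// so a copied cookie is good for at most one request.
function checkRememberToken(array &$table, string $cookie, int $now, ?string &$newCookie): ?int
{
    $newCookie = null;
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2
        || !ctype_xdigit($parts[0]) || strlen($parts[0]) !== 18
        || !ctype_xdigit($parts[1]) || strlen($parts[1]) !== 64) {
        return null; // malformed cookie: reject before touching the table
    }
    [$selector, $validatorHex] = $parts;

    if (!isset($table[$selector])) { // single indexed lookup, no per-row hashing
        return null;
    }
    $row = $table[$selector];

    if ($row['expires'] < $now) {
        unset($table[$selector]);
        return null;
    }

    // Constant-time compare of the hashed validator; a valid selector with the
    // wrong validator suggests the table leaked or the cookie was tampered with,
    // so the token is revoked either way.
    $validator = hex2bin($validatorHex);
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        unset($table[$selector]);
        return null;
    }

    unset($table[$selector]); // one-time use: rotate on every successful check
    $newCookie = issueRememberToken($table, $row['user_id'], $now);
    return $row['user_id'];
}

// Send the cookie with the flags a remember-me cookie should always carry.
function sendRememberCookie(string $value, int $now): void
{
    setcookie('remember', $value, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // never over plain HTTP
        'httponly' => true,   // not readable from script
        'samesite' => 'Lax',
    ]);
}

// Demo with constructed data (no real users, no real database).
$table  = [];
$now    = time();
$cookie = issueRememberToken($table, 42, $now);

$user = checkRememberToken($table, $cookie, $now, $rotated);
var_dump($user);                                            // int(42)
var_dump($rotated !== null && $rotated !== $cookie);        // bool(true)
var_dump(checkRememberToken($table, $cookie, $now, $unused)); // NULL: old cookie is spent
var_dump(checkRememberToken($table, $rotated, $now, $next));  // int(42)
```

On a request with no Zend_Auth identity, the plugin reads the `remember` cookie, calls `checkRememberToken`, writes the returned identity into Zend_Auth's storage, and calls `sendRememberCookie` with the rotated value; on logout it deletes the row for the cookie's selector. Because nothing in the cookie is derived from the password, a password change can simply delete all of that user's rows.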