Re: [fw-general] Remember me Zend_Auth cookie

2010-03-27 Thread Marian Meres
You may find this useful:
http://jaspan.com/improved_persistent_login_cookie_best_practice



[fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread umpirsky

I'm thinking about how to implement "remember me" in a cookie, Zend style. I'm using
Zend_Auth with the Db_Table adapter.

Maybe we can contribute some component for this. I heard that CakePHP
already has one.

Regards,
Saša Stamenković.
-- 
View this message in context: 
http://n4.nabble.com/Remember-me-Zend-Auth-cookie-tp1692215p1692215.html
Sent from the Zend Framework mailing list archive at Nabble.com.


Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Jurian Sluiman
You could write a Zend_Auth_Storage_Cookie which enables you to place the 
authentication in a cookie. Be careful to look at the possible exploits. Just 
a plain cookie without server-side validation is not safe. Still, the storage 
adapter for auth is the simplest one.
-- 
Jurian Sluiman
CTO Soflomo V.O.F.
http://soflomo.com



Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
@Jurian Nice idea, but since Zend_Auth stores only the identity, I don't think
that information is enough to reauthenticate from a cookie.

@Dmitry Yes, but Zend_Session::rememberMe() sets the session expiration time,
and session expiration is not a per-user setting, but a per-server setting.

Regards,
Saša Stamenković



Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Hector Virgen
In one of my apps I stored the user's username and password (using 2-way
encryption) in their cookie, and only validated it when Zend_Auth reported
there was no identity (because the session expired, or the browser was
closed and re-opened). You can add more security by also storing a one-time
use token that must match in the database. The code to handle this was
placed in an early-running front controller plugin.

The nice thing about this is you can make the cookie last for 6 months or
longer, and it will still work.

--
Hector



Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
Sounds nice.

Zend_Auth in authenticate() does

$this->getStorage()->write($result->getIdentity());

so you cannot control what is written to Zend_Auth_Storage, you can only
control how it's written.

How did you bring the password into play?

I think storing md5($email . $pass) in the cookie, where pass is already
encrypted, is secure enough.

Maybe a stupid question, but what is 2-way encryption?

Regards,
Saša Stamenković



Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
But I want to keep session storage and the existing auth mechanism. Why
should I implement cookie storage then? And writing to the storage outside of
Zend_Auth does not look like a smart solution.

If you can get the original back from the cookie, isn't that a security risk? Isn't it
better to store a hash in the cookie, and if there is no identity, regenerate the hash and
compare it with the one from the cookie?

I'm confused now...thinking...

Regards,
Saša Stamenković


On Fri, Mar 26, 2010 at 5:17 PM, Hector Virgen djvir...@gmail.com wrote:

 On Fri, Mar 26, 2010 at 8:49 AM, Саша Стаменковић umpir...@gmail.comwrote:

 Sounds nice.

 Zend_Auth in authenticate() does
 
 $this->getStorage()->write($result->getIdentity());
 
 so you cannot control what is written to Zend_Auth_Storage, you can
 only control how it's written.
 
 
 You can actually write whatever you want into the storage:
 
 Zend_Auth::getInstance()->getStorage()->write($data);




 How did you inject password into play?

 I think storing md5($email . $pass) in cookie where pass is already
 encrypted is secure enough.

 Maybe a stupid question, but, what is 2-way encryption?


 2-way encryption allows you to reverse the encryption to get the original.
 So, if the username/pass was username/password, then encrypted it would be
 something like 4df03dca/c922aldf (example). That's what you would store in
 the cookie, and then when the front controller plugin uses it would decrypt
 it back to username/password and attempt to authenticate it. MD5 is not
 encryption, it's a hash, and is only 1-way (you cannot get the original from
 an MD5 hash alone).




Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Hector Virgen
If you create the hash server-side and compare it to the cookie's hash, how
do you know which user to generate a hash for? You would either have to do
all of your users, or use some type of identifier. I suppose if you stored
the username in plain text and the password in a hash, it could work.

The reason why you'd want both session-based authentication and cookie-based
is that the session one is much faster (no need to re-authorize for each
request). The cookie one is used only when the browser is closed and
reopened.

--
Hector



Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
You can do a simple query

$this->_db->quoteInto('md5(CONCAT(email, password)) = ?', $hash)

and authenticate it if there are results, right?

Sure, because it's faster, and you don't want all that data in the client's
cookie.

Still thinking...

Regards,
Saša Stamenković


Re: [fw-general] Remember me Zend_Auth cookie

2010-03-26 Thread Саша Стаменковић
You are right, storing the user ID can speed things up, but that becomes
complicated.

Regards,
Saša Stamenković


On Fri, Mar 26, 2010 at 5:47 PM, Hector Virgen djvir...@gmail.com wrote:

 The problem with that query is that it will be very slow because it can't
 use indexes. The database would need to MD5 each row before it returned the
 matches.

 --
 Hector



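The series/token scheme from the jaspan.com article linked at the top of this thread, written out as an added example. This is not code from the thread and not part of Zend Framework; the table name, the cookie layout and the user id 42 are invented for the demo, and it assumes PHP 7.1 or later with PDO and pdo_sqlite. It addresses both points argued over above: the lookup is by a random series id that is the table's primary key, so redeeming a cookie is an index hit rather than the md5(CONCAT(email, password)) scan Hector objects to, and the cookie is not derived from the password at all, so one browser's cookie can be revoked without changing the password or touching other browsers. A cookie presented with the right series but the wrong token is treated as a stolen copy, and every remembered login for that user is dropped.

```php
<?php
// Added example, not code from the thread or from Zend Framework.
// Implements the series/token "remember me" scheme from the jaspan.com
// article linked in the thread. Assumes PHP 7.1+ with PDO and pdo_sqlite;
// the table name, cookie format and user id 42 are invented for the demo.

final class PersistentLogin
{
    const TOKEN_BYTES = 32;
    const DEFAULT_TTL = 15552000;  // 180 days, in seconds

    /** @var PDO */
    private $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        // One row per (user, browser). The random series id is the primary
        // key, so redeeming a cookie is an index hit, unlike a query on
        // md5(CONCAT(email, password)) which must hash every row.
        // Only a hash of the token is stored: a leaked table yields no cookies.
        $db->exec('CREATE TABLE IF NOT EXISTS persistent_logins (
            series     TEXT    PRIMARY KEY,
            user_id    INTEGER NOT NULL,
            token_hash TEXT    NOT NULL,
            expires_at INTEGER NOT NULL)');
        $db->exec('CREATE INDEX IF NOT EXISTS pl_user ON persistent_logins (user_id)');
    }

    /** At interactive login with "remember me" ticked: returns the cookie value. */
    public function issue(int $userId, int $ttl = self::DEFAULT_TTL): string
    {
        $series = bin2hex(random_bytes(self::TOKEN_BYTES));
        $token  = bin2hex(random_bytes(self::TOKEN_BYTES));
        $this->db->prepare('INSERT INTO persistent_logins VALUES (?, ?, ?, ?)')
                 ->execute([$series, $userId, hash('sha256', $token), time() + $ttl]);
        return $series . ':' . $token;
    }

    /**
     * When Zend_Auth reports no identity: returns ['user_id' => int,
     * 'cookie' => string] (caller writes user_id to the auth storage and
     * sets the rotated cookie) or null (caller clears the cookie).
     */
    public function redeem($cookieValue)
    {
        if (!is_string($cookieValue) || substr_count($cookieValue, ':') !== 1) {
            return null;
        }
        list($series, $token) = explode(':', $cookieValue);
        if (!ctype_xdigit($series) || !ctype_xdigit($token)) {
            return null;
        }
        $stmt = $this->db->prepare(
            'SELECT user_id, token_hash, expires_at FROM persistent_logins WHERE series = ?');
        $stmt->execute([$series]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        if ($row === false) {
            return null;                       // unknown series: stale cookie, nothing to do
        }
        if ((int) $row['expires_at'] < time()) {
            $this->forgetSeries($series);
            return null;
        }
        if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
            // Right series, wrong token: this cookie was copied and the other
            // copy has already been used. Treat it as theft and revoke every
            // remembered login for the user; they must re-enter their password.
            $this->forgetUser((int) $row['user_id']);
            return null;
        }
        // Success: rotate the token so a captured cookie works at most once.
        $newToken = bin2hex(random_bytes(self::TOKEN_BYTES));
        $this->db->prepare('UPDATE persistent_logins SET token_hash = ? WHERE series = ?')
                 ->execute([hash('sha256', $newToken), $series]);
        return ['user_id' => (int) $row['user_id'], 'cookie' => $series . ':' . $newToken];
    }

    public function forgetSeries(string $series): void
    {
        $this->db->prepare('DELETE FROM persistent_logins WHERE series = ?')->execute([$series]);
    }

    public function forgetUser(int $userId): void
    {
        $this->db->prepare('DELETE FROM persistent_logins WHERE user_id = ?')->execute([$userId]);
    }
}

// Demo against an in-memory database (constructed data, user id 42 is made up).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pl = new PersistentLogin($db);

$cookie = $pl->issue(42);
$first  = $pl->redeem($cookie);          // the real browser comes back
echo "first redeem: user ", $first['user_id'], ", token rotated\n";
$replay = $pl->redeem($cookie);          // a thief replays the captured copy
echo "replay of old cookie: ", $replay === null ? "rejected, user 42 revoked everywhere\n" : "ACCEPTED?!\n";
$again  = $pl->redeem($first['cookie']); // even the rotated cookie is now dead
echo "rotated cookie after theft: ", $again === null ? "rejected\n" : "ACCEPTED?!\n";
```

In ZF1 the natural caller is a Zend_Controller_Plugin_Abstract whose preDispatch() runs only when Zend_Auth::getInstance()->hasIdentity() is false, as Hector describes: on success it writes the returned user_id with Zend_Auth::getInstance()->getStorage()->write() and re-sets the cookie with the rotated value, on null it clears the cookie. Set the cookie with the Secure and HttpOnly flags (the last two arguments of PHP's setcookie()), and call forgetSeries() on explicit logout so that logging out actually invalidates the remembered login for that browser.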