> - "loadByUsername()": Is this really intended to load a user by username?
> Or can username also be the ID? Loading users by username will make the
> system unstable if users have the possibility to change their usernames.

Yes, this can be anything.

> - putting the username into the rememberMe cookie has the same issues and
> even worse you put private/personal data into a cookie, a cookie should
> never contain any personal data. The username could also be a customer id or
> an email address and I don't want any cookie to contain such data. It should
> only contain a signed random id and all sensible data should be stored
> anywhere on the server.

We have two flavors for remember-me. One is simple to set up and stores in a
readable format the username, the user's class, and the expire time in the
cookie. The other implementation requires you to set up a token provider and
only stores two random hashes in the cookie. The former is mainly intended for
private websites, the latter is for anything more serious.

> - performance: has anyone tested the performance of all the nice security
> features? I'm afraid it will slow down my application if I have to deal with
> 200 roles or so.. why do we need so many classes/objects?

Can you give better examples? 200 roles always seems inefficient no matter
what the actual implementation is.

> - what I miss is a way to prevent brute force attacks: block IPs or
> usernames on too many login attempts, hundreds of files.. but the most
> important feature the framework could provide to make applications much more
> secure is missing.. :-(

It's possible. A typical use case is to return false from isAccountLocked()
if there were too many failed login attempts.

> - also there is no way to define roles/rights in a bundle, I don't
> understand how you want to handle this when a user needs some roles or ACL
> rights to use a bundle

I think you can have a look at the CommentBundle for how to do this.

--
If you want to report a vulnerability issue on symfony, please send it to
security at symfony-project.com

You received this message because you are subscribed to the Google Groups
"symfony developers" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/symfony-devs?hl=en
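The token-provider flavor of remember-me discussed in the reply above (a cookie carrying only two random values, with the username, class and expiry kept server-side), as an added stand-alone Python sketch that is not Symfony's own code. It goes one step beyond the thread by rotating the token on each use so that a replayed old cookie reveals a stolen series; the in-memory STORE, the function names and the "series:token" cookie layout are assumptions made for this example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stand-in for the "token provider": the cookie never
# carries any of this; it only holds the two random handles into it.
# series -> {"user": str, "token_hash": str, "expires": float}
STORE = {}

def _h(token):
    return hashlib.sha256(token.encode()).hexdigest()

def issue_cookie(user, lifetime=14 * 86400, now=None):
    """Create a remember-me cookie made of two random values, series and token.
    Username, user class and expiry stay on the server, so nothing personal
    and nothing forgeable (like an expiry date) is readable from the cookie."""
    now = time.time() if now is None else now
    series, token = secrets.token_hex(16), secrets.token_hex(16)
    STORE[series] = {"user": user, "token_hash": _h(token), "expires": now + lifetime}
    return f"{series}:{token}"

def authenticate(cookie, now=None):
    """Return (user, rotated_cookie) on success, or None if the cookie is
    malformed, unknown, expired, or presents a stale token.
    A known series with a wrong token means that series was already used
    (and rotated) by someone else, so the whole series is revoked."""
    now = time.time() if now is None else now
    try:
        series, token = cookie.split(":", 1)
    except ValueError:
        return None
    rec = STORE.get(series)
    if rec is None or rec["expires"] < now:
        STORE.pop(series, None)            # expired entries are dropped
        return None
    if not hmac.compare_digest(rec["token_hash"], _h(token)):
        del STORE[series]                  # probable theft: kill the series
        return None
    new_token = secrets.token_hex(16)      # rotate on every successful use
    rec["token_hash"] = _h(new_token)
    return rec["user"], f"{series}:{new_token}"
```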
