Community Auth Add User Registration Error
#1

I am not sure if this is an "issue". Currently I think there is no way to distinguish between a login user who is not registered and a failed login attempt caused by a mismatched username/password.

So Community Auth will treat them as the same and try to count the invalid login attempt.

I wonder if we could add support for this, or if there is an existing solution. Please correct me if I am wrong.

Thank you so much in advance.
#2

(This post was last modified: 01-16-2017, 08:33 PM by skunkbad.)

If an unregistered user is attempting to login, Community Auth will never tell them that there is no email or username matching their attempt. This is by design, and in most authentication libraries considered normal, as it is pretty standard practice to reveal as little information as possible during a failed login attempt. Somebody can obviously use Community Auth's user recovery feature, but even that limits the amount of recovery requests before locking the recovery page, the theory being that you don't want somebody just hammering away at that so they can figure out the email addresses of your users.

Community Auth is years in the making, and every feature considered and reconsidered. Unless I'm wrong about what you're attempting to do, you're making an uninformed observation as to what is desirable.

Other things to know are that if the login is locked, the recovery is locked. If recovery is locked, the login is locked.
#3

(01-16-2017, 08:31 PM)skunkbad Wrote: If an unregistered user is attempting to login, Community Auth will never tell them that there is no email or username matching their attempt. This is by design, and in most authentication libraries considered normal, as it is pretty standard practice to reveal as little information as possible during a failed login attempt. Somebody can obviously use Community Auth's user recovery feature, but even that limits the amount of recovery requests before locking the recovery page, the theory being that you don't want somebody just hammering away at that so they can figure out the email addresses of your users.

Community Auth is years in the making, and every feature considered and reconsidered. Unless I'm wrong about what you're attempting to do, you're making an uninformed observation as to what is desirable.

Other things to know are that if the login is locked, the recovery is locked. If recovery is locked, the login is locked.

I was saying that it would be nice to distinguish them (it's not a bug, but a feature request). I attached the Facebook login screenshot: if typing the wrong user account, it would be much clearer what the user did wrong. I think it's very common for people to type one or two wrong letters when typing too fast. The mistake can be made on either the username or the password. However, when users see an "invalid username or password" error, the first intuition that may come to mind is that they typed the wrong password. (They might keep trying different password combinations, because they might have so many passwords on different websites that they couldn't figure out which one is for which site.)

Plus, displaying different login errors won't affect the current logic at all; everything remains the same, still N failed login attempts before being locked. It just tells the regular users who may have many accounts/passwords, like me: you used the wrong username, it is not registered; or the password doesn't match the record, please retry with caution (you only have 5 chances), or recover the password.

At last, if the user is not registered in the database, what do we want to recover for? Why not return false at the beginning and display a different error message, with no need to proceed with the same routine check?

This is just my personal opinion; again, this is not a bug. :)
For me, it would be the first thing to meet the regular subscribed user's experience, before thinking of the security hole.
If someone works for a company (not self-employed), maybe the company has its own NGFW firewall device, and these security issues can be left to it. It would be easier to prevent many more brute-force login attempts. :)
#4

@allenxiao7, It seems you're arguing convenience is greater than security and/or more lax security from the Auth library could/should be left to something else (if the particular server has a particular thing).

Ultimately that's poor security in either circumstance and as @skunkbad pointed out, Community Auth has implemented generally accepted security practices.
#5

(01-17-2017, 02:13 PM)allenxiao7 Wrote: I was saying that it would be nice to distinguish them (it's not a bug, but a feature request). I attached the Facebook login screenshot: if typing the wrong user account, it would be much clearer what the user did wrong. I think it's very common for people to type one or two wrong letters when typing too fast. The mistake can be made on either the username or the password. However, when users see an "invalid username or password" error, the first intuition that may come to mind is that they typed the wrong password. (They might keep trying different password combinations, because they might have so many passwords on different websites that they couldn't figure out which one is for which site.)

Plus, displaying different login errors won't affect the current logic at all; everything remains the same, still N failed login attempts before being locked. It just tells the regular users who may have many accounts/passwords, like me: you used the wrong username, it is not registered; or the password doesn't match the record, please retry with caution (you only have 5 chances), or recover the password.

At last, if the user is not registered in the database, what do we want to recover for? Why not return false at the beginning and display a different error message, with no need to proceed with the same routine check?

This is just my personal opinion; again, this is not a bug. :)
For me, it would be the first thing to meet the regular subscribed user's experience, before thinking of the security hole.
If someone works for a company (not self-employed), maybe the company has its own NGFW firewall device, and these security issues can be left to it. It would be easier to prevent many more brute-force login attempts. :)


The real solution is this:

You make your own custom auth model, and set it up per documentation;

https://community-auth.com/documentation...cation-php

During a login attempt, the user is queried for in the get_auth_data method, which is where you could set a view variable or config item to check later. If the user doesn't exist, something like:


PHP Code:
// No user matched the submitted username/email: expose that to the view
$this->load->vars('user_exists', FALSE);


would allow you to use:


PHP Code:
isset( $user_exists )


in your view. If a login attempt fails and $user_exists is not set, then you know the password was wrong. Simple logic, and a simple solution. (and a solution that doesn't change Community Auth).

The ability to use your own auth model is powerful, and the reason why Community Auth has that feature. All kinds of stuff you can do with it...
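A fuller version of the custom-model approach described in this post, as an added example; it is not Community Auth's own code and not from the post's author. It assumes that Community Auth's Auth_model class is already loadable, that its get_auth_data($user_string) method returns the matched user row or FALSE when nothing matches, and that the login view receives $login_error_mesg when an attempt fails; the file names and the login_error_text() helper are hypothetical.

```php
<?php
// application/models/Custom_auth_model.php (hypothetical path and name)
// Added example: extends the Community Auth model instead of changing it.
// Assumption: Auth_model::get_auth_data($user_string) looks up the
// username or email and returns the user row, or FALSE when no user matches.
class Custom_auth_model extends Auth_model
{
    public function get_auth_data($user_string)
    {
        $auth_data = parent::get_auth_data($user_string);

        // Only flag the case skunkbad describes: no user matched at all.
        // Leaving the variable unset for a matched user keeps the
        // isset($user_exists) test in the view meaningful.
        if ($auth_data === FALSE) {
            $this->load->vars('user_exists', FALSE);
        }

        // The parent's return value is passed through unchanged, so the
        // library's failed-attempt counting and lockout still apply.
        return $auth_data;
    }
}

// application/helpers/login_message_helper.php (hypothetical)
// Called from the login view after a failed attempt, e.g.
//   if (isset($login_error_mesg)) {
//       echo login_error_text(isset($user_exists) ? $user_exists : NULL);
//   }
// $user_exists is only defined when the model above set it.
function login_error_text($user_exists = NULL)
{
    if ($user_exists === FALSE) {
        return 'No account is registered with that username or email.';
    }
    return 'The password you entered does not match our records.';
}
```

As skunkbad points out earlier in the thread, the distinct message tells a visitor whether an account exists, which Community Auth deliberately avoids by default; the login and recovery lockouts, which this model leaves untouched, are what bound how many such probes can be made.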
#6

(This post was last modified: 01-17-2017, 07:33 PM by allenxiao7.)

(01-17-2017, 03:51 PM)skunkbad Wrote:
(01-17-2017, 02:13 PM)allenxiao7 Wrote: I was saying that it would be nice to distinguish them (it's not a bug, but a feature request). I attached the Facebook login screenshot: if typing the wrong user account, it would be much clearer what the user did wrong. I think it's very common for people to type one or two wrong letters when typing too fast. The mistake can be made on either the username or the password. However, when users see an "invalid username or password" error, the first intuition that may come to mind is that they typed the wrong password. (They might keep trying different password combinations, because they might have so many passwords on different websites that they couldn't figure out which one is for which site.)

Plus, displaying different login errors won't affect the current logic at all; everything remains the same, still N failed login attempts before being locked. It just tells the regular users who may have many accounts/passwords, like me: you used the wrong username, it is not registered; or the password doesn't match the record, please retry with caution (you only have 5 chances), or recover the password.

At last, if the user is not registered in the database, what do we want to recover for? Why not return false at the beginning and display a different error message, with no need to proceed with the same routine check?

This is just my personal opinion; again, this is not a bug. :)
For me, it would be the first thing to meet the regular subscribed user's experience, before thinking of the security hole.
If someone works for a company (not self-employed), maybe the company has its own NGFW firewall device, and these security issues can be left to it. It would be easier to prevent many more brute-force login attempts. :)


The real solution is this:

You make your own custom auth model, and set it up per documentation;

https://community-auth.com/documentation...cation-php

During a login attempt, the user is queried for in the get_auth_data method, which is where you could set a view variable or config item to check later. If the user doesn't exist, something like:


PHP Code:
// No user matched the submitted username/email: expose that to the view
$this->load->vars('user_exists', FALSE);


would allow you to use:


PHP Code:
isset( $user_exists )


in your view. If a login attempt fails and $user_exists is not set, then you know the password was wrong. Simple logic, and a simple solution. (and a solution that doesn't change Community Auth).

The ability to use your own auth model is powerful, and the reason why Community Auth has that feature. All kinds of stuff you can do with it...

Thank you so much. This will also help. As long as there is an existing solution, it should be sufficient. I am not an expert at web development; that's why I am asking for help. :)
#7

(This post was last modified: 01-17-2017, 07:45 PM by allenxiao7.)

(01-17-2017, 02:55 PM)enlivenapp Wrote: @allenxiao7, It seems you're arguing convenience is greater than security and/or more lax security from the Auth library could/should be left to something else (if the particular server has a particular thing).

Ultimately that's poor security in either circumstance and as @skunkbad pointed out, Community Auth has implemented generally accepted security practices.

@enlivenapp, well, first of all, I am not arguing with Brian, I am asking him.

Now, I AM arguing, with you. Basically, if you want to talk about security, I have a little background in it. Auth is a third-party plugin for a great use, no doubt; in my opinion, there is no need to focus on security issues too much, because the real security vulnerabilities are in other backend essentials, for example Apache, NGINX, PHP, MySQL, Bash, and even the OS (Windows, Linux), or at least CodeIgniter!!! Think about it: if you are using a poor, risky version of any of these, are you expecting Auth to be the last defense?

All I was saying in my second reply is that Auth can do its part/role well; putting in a minimum of security concern is good, but not that important, it should be covered by something else. In my opinion, if Auth can be ported easily and is stable, that's it. (If you are asking an add-in to do the core stuff, that's a bad idea. Trust me, if a hacker wants to hack your server, Auth should not be the first choice. I am not sure you have heard about Microsoft Super/Patch Tuesday; I am dealing with so many vulnerabilities every day. If a developer could write a bug-free program, then there wouldn't be so many bugs every minute, and the network security industry would be bankrupt, like Palo Alto, Checkpoint...) BTW, I am a big fan of Community Auth. I mentioned in my last thread that it's easily installed, and I am using it on CI 3.1.2 with my multiple projects on the same server. So far, it's working great.

Currently I have enabled LDAP support on my CI, but because Auth has its own user table, each LDAP user also needs to register first. But they don't know they need to; that's why it's better to warn them, rather than leave them confused, trying different passwords, and then getting locked out...
#8

Guys, please no arguing. I have to scan the forum for stuff related to Community Auth, so I can provide support, and if you guys keep going back and forth, it just means I've got to keep checking if somebody needs support. Please, consider the thread closed!
#9

(01-17-2017, 07:19 PM)allenxiao7 Wrote:
(01-17-2017, 02:55 PM)enlivenapp Wrote: @allenxiao7, It seems you're arguing convenience is greater than security and/or more lax security from the Auth library could/should be left to something else (if the particular server has a particular thing).

Ultimately that's poor security in either circumstance and as @skunkbad pointed out, Community Auth has implemented generally accepted security practices.

@enlivenapp, well, first of all, I am not arguing with Brian, I am asking him.

Now, I AM arguing, with you. Basically, if you want to talk about security, I have a little background in it. Auth is a third-party plugin for a great use, no doubt; in my opinion, there is no need to focus on security issues too much, because the real security vulnerabilities are in other backend essentials, for example Apache, NGINX, PHP, MySQL, Bash, and even the OS (Windows, Linux), or at least CodeIgniter!!! Think about it: if you are using a poor, risky version of any of these, are you expecting Auth to be the last defense?

All I was saying in my second reply is that Auth can do its part/role well; putting in a minimum of security concern is good, but not that important, it should be covered by something else. In my opinion, if Auth can be ported easily and is stable, that's it. (If you are asking an add-in to do the core stuff, that's a bad idea. Trust me, if a hacker wants to hack your server, Auth should not be the first choice. I am not sure you have heard about Microsoft Super/Patch Tuesday; I am dealing with so many vulnerabilities every day. If a developer could write a bug-free program, then there wouldn't be so many bugs every minute, and the network security industry would be bankrupt, like Palo Alto, Checkpoint...) BTW, I am a big fan of Community Auth. I mentioned in my last thread that it's easily installed, and I am using it on CI 3.1.2 with my multiple projects on the same server. So far, it's working great.

Currently I have enabled LDAP support on my CI, but because Auth has its own user table, each LDAP user also needs to register first. But they don't know they need to; that's why it's better to warn them, rather than leave them confused, trying different passwords, and then getting locked out...

First, I'm not going to belabor my points except to point out what I meant and then leave it as @skunkbad has requested.

I didn't accuse you of arguing with Brian or anyone else...  I said: It *seems* you are arguing [the point] of  convenience > security...  etc...

Going on a long tirade restating the same thing you did before doesn't further your argument.

Lastly, seemingly expecting a programmer to soften security because "if a hacker really wants in...." (paraphrased) is just silly. Each of us should provide the highest level of security possible for each library/script/bit-of-code we put out in the world, regardless of what else is out there to deal with threats, while offering the generally accepted industry standard.

unsubbed...
#10

Quote: I said: It *seems* you are arguing [the point] of  convenience > security...
That is exactly why I want to argue with you. You still missed the point, and tried to make my point general. Like I said about the add-in, "putting a minimum security concern is good, but not that important, it should be covered by something else", and you rephrased my point as "convenience is > security", which confused others into misunderstanding my point. If I said that the one who replied to my thread doesn't understand network security basics, is that equivalent to saying that anyone who replied to my thread doesn't? DON'T you think that sounds crazy and SILLY?

Quote:"if a hacker really wants in...."(paraphrased) is just silly.
I am stating the fact; it's up to you how you feel. If I used CVE-2014-6271 to pwn your shell, who would care that the other software you installed on your server is more secure? I am already root!!


Quote:Lastly, seemingly expecting a programmer to soften security because ...  Each of us should provide the highest level of security possible for each library/script/bit-of-code we put out in the world regardless of what else is out there to deal with threats while offering the general accepted industry standard.
I didn't even want to quote this (but I do for others reading your statement), because it is again a fundamental misunderstanding. It IS (not seems) that you have a bad habit of always exaggerating others' sentences, to make a specific circumstance general. If you want to scale how secure the web server should be, then OS > Apache/NGINX > CodeIgniter > add-in. In the real world, each department in an organization needs to cooperate with or back up the others. Each one needs to focus on a different aspect first; for an add-in, I think user experience is more important than security, that is my point. For example, I saw Brian spend lots of time perfecting his code, and even write good comprehensive usage docs on the web site; suppose one spent an hour and couldn't install his add-in, then I bet most would just give up and google some other add-in to use.

Quote:unsubbed...
lol, you are welcome!