Ion Auth - Lightweight Auth System based on Redux Auth 2

[eluser]joytopia[/eluser]
Welcome, Ben,
when there are changes in the English language file, please let me know and I will translate them.

Remember me
Yesterday I upgraded Ion Auth and tested the remember me function on three browsers at the same time. Just imagine: a user has a desktop computer at work, a notebook at home and a PDA or phone on the road.

As the function is user based, it cannot work properly for this purpose.
Wouldn't it be better to make it session based?

I'm not so deep inside, but wouldn't it be the simplest way to extend the CI session class and set the session cookie expire individually?

What do you think?

Best regards
Bernd

[eluser]joytopia[/eluser]
Issue with remember me and extra where

When I ran ION AUTH on three browsers, suddenly I got errors on one browser:

Code:
A PHP Error was encountered

Severity: Notice

Message: Undefined property: Ion_auth_model::$ion_auth

Filename: models/ion_auth_model.php

Line Number: 838


Code:
A PHP Error was encountered

Severity: Notice

Message: Trying to get property of non-object

Filename: models/ion_auth_model.php

Line Number: 838


Code:
Ein Datenbankfehler ist aufgetreten

Error Number: 1064

Fehler in der SQL-Syntax. Bitte die korrekte Syntax im Handbuch nachschlagen bei 'id` = '8'' in Zeile 1

UPDATE `users` SET `last_login` = 1270227046 WHERE ` IS NULL AND `id` = '8'

I found out that it must have something to do with the extra_where function in the library.

So I changed it for the moment:

Code:
public function extra_where()
{
    $where =& func_get_args();

    //$this->_extra_where = count($where) == 1 ? $where[0] : array($where[0] => $where[1]);
    $this->_extra_where = $where[0];
}

Afterwards it worked properly, even when I changed it back again.

I could not reproduce that error, but I think it is an issue with extra_where and remember me.

Best regards
Bernd

[eluser]Ben Edmunds[/eluser]
Bernd,

I just pushed a change to Ion Auth's "remember me" functionality so the salt generated for the remember me cookie will be unique to the user but not random, so that you can log in and be remembered on as many browsers/computers as you want.

Please let me know if you have any more issues.


Thanks!

[eluser]joytopia[/eluser]
Ben,

thanks for your fast reply!

Am I right, the cookie corresponds to the user's password? Someone who gets the cookie can log in as long as the user does not change the password?

I am wondering if this is less or even more secure than the random value.

For mobile applications it may be more secure, because I can change my password at home, where nobody can see this. Outside I stay logged in. If my phone is stolen, I have to change my password as soon as possible. Correct?

Best regards
Bernd

[eluser]joytopia[/eluser]
It's not an issue, only a little mistake in the comment:

library:
Code:
/**
* update_user
*
* @return void
* @author Phil Sturgeon
**/
public function delete_user($id)

should be

Code:
/**
* delete_user
*
* @return void
* @author Phil Sturgeon
**/
public function delete_user($id)

[eluser]Ben Edmunds[/eluser]
Bernd,

It's not necessarily more or less secure than it was before, since the password is already based off a random salt, but it is more secure than saving the sessions individually, specifically for the use case you described.

The only time you might have an issue with the case you described would be if you changed your password and did not log in with "remember me", in which case your remember_code would not be reset.


So I just pushed a change to reset the remember_code when the password is changed so it will force all remembered instances of the user to re-login whenever the user's password is changed.

Thanks,
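
The trade-off discussed in this exchange, as an added PHP example (not Ion Auth's code and not written by either poster): one remember_code column per user, with a random code per login compared against a code that is unique to the user but not random, plus the reset on password change. The HMAC-over-password-hash derivation, `SERVER_KEY`, and all class and function names are assumptions made for illustration.

```php
<?php
// Added illustration, not Ion Auth code. Each user row has ONE remember_code.
const SERVER_KEY = 'constructed-demo-key'; // constructed value (assumption)

final class UserRow
{
    public ?string $rememberCode = null;
    public function __construct(public string $passwordHash) {}
}

// Strategy A: a fresh random code on every "remember me" login.
function rememberRandom(UserRow $u): string
{
    return $u->rememberCode = bin2hex(random_bytes(20)); // also the cookie value
}

// Strategy B: unique to the user but not random (derivation is an assumption).
function rememberDeterministic(UserRow $u): string
{
    return $u->rememberCode = hash_hmac('sha256', $u->passwordHash, SERVER_KEY);
}

// Password change resets the code, so every remembered browser must log in again.
function changePassword(UserRow $u, string $new): void
{
    $u->passwordHash = password_hash($new, PASSWORD_DEFAULT);
    $u->rememberCode = null;
}

function cookieValid(UserRow $u, string $cookie): bool
{
    return $u->rememberCode !== null && hash_equals($u->rememberCode, $cookie);
}

$report = fn (string $l, bool $ok) => printf("%-40s %s\n", $l, $ok ? 'accepted' : 'rejected');

$u = new UserRow(password_hash('first-password', PASSWORD_DEFAULT)); // constructed user
$desktop = rememberRandom($u);
$phone   = rememberRandom($u); // overwrites the code the desktop cookie holds
$report('random: desktop cookie', cookieValid($u, $desktop));
$report('random: phone cookie', cookieValid($u, $phone));

$desktop = rememberDeterministic($u);
$phone   = rememberDeterministic($u); // same value on every device
$report('deterministic: desktop cookie', cookieValid($u, $desktop));
$report('deterministic: phone cookie', cookieValid($u, $phone));

changePassword($u, 'second-password');
$report('after password change: desktop cookie', cookieValid($u, $desktop));
```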

[eluser]Ben Edmunds[/eluser]
Bernd,

Thanks! I just pushed the fix for that comment.

[eluser]joytopia[/eluser]
Ben,

at the moment the cookies $identity and $remember_code are not set.
It has something to do with the db->update in private function remember_user($id).

When I take away the if statement, the cookies are set:

Line 933 ion_auth_model.php:
Code:
$this->db->update($this->tables['users'], array('remember_code' => $salt), array('id' => $id));
        
        //if ($this->db->affected_rows() == 1)
        if (true)
        {            
            $identity = array('name'   => 'identity',
                 ...

Best regards
Bernd

[eluser]Ben Edmunds[/eluser]
Bernd,

I just tested it in PyroCMS and it is working.

Maybe try clearing your cookies or logging out and then try again.



Thanks,

[eluser]joytopia[/eluser]
Ben,

now I can reproduce the issue:
When the session cookie expires (or when I delete the session cookie), the error messages come up.



