Redux Authentication 1.4a (24th July 2008)

[eluser]trice22[/eluser]
Hello,

just discovered this library—Looks great! Thanks a bunch.

I didn't have time to read through all of the previous ten pages of discussion, so I'm in danger of saying something futile/known now.
As far as I can see from a quick look at the code (and please correct me) you're sending a new password via email if the old one's forgotten, right? If so, I'd like to suggest changing the "forgot-password" logic a bit.
The approach Michael Wales explained in his blog entry (which seems to be gone now: http://ellislab.com/forums/viewthread/59178/ ) made the most sense to me. As far as I remember what he suggested was:
You forget your password -> request new one -> get link with unique (re–) activation code and link via email -> follow link during next e.g. 48 hours -> reset password and set new one.
Like this no password needs to be sent via email, copy-pasted etc., and the user does not have to handle/change a password that he didn't choose himself.

That's just my five cents.

Thanks again—I'll certainly give this one a spin.
—trice

[eluser]Popcorn[/eluser]
Hi,

Glad you like the library :)

If you are talking about how the user does not have a choice about changing the generated password then you should check out this feature request

Version 1.3 will include a change password function that will allow the user to just do that.

As it stands the logic for the forgotten password is:

Request New Password -> Verify Yourself with Email -> Answer Your Secret Question -> Send New Password.

Hope that helped.

-Mathew

[eluser]thesf[/eluser]
Hey dudes, I'm extremely new to CI and have taken a liking to it very quickly. I've started building myself an app and decided on using redux_auth. Unfortunately, I've hit a bump and can't quite seem to figure it out. I may be missing something completely so any help is appreciated. The problem I have is this...

When logging in, the user controller first checks to make sure that the validation rules have been satisfied and then it checks the email and password against the database in redux_auth->login. I've been testing my redux_auth implementation and at this point, if the input validates but does not match any database user records, then the conditional statement seems to do nothing?

Code:
if ($this->validation->run()) // Validation Passed
{
    $login = $this->redux_auth->login
    (
        $this->input->post('email'),
        $this->input->post('password')
    );

    $var = ($login) ? redirect('') : 'false';
}
else // Validation Failed

The line starting with $var will redirect if the redux_auth->login returns true but does nothing if it returns false and I am presented with a blank page because the views are only loaded if the initial validation failed. This can't be right can it? Or am I missing something important here?

Thanks,
Ash

[eluser]trice22[/eluser]
Thanks for your fast reply.
What I meant was that the system wouldn't create a password at all for you in case you click the "forgot password" link (or similar). You would rather have to first identify yourself (provide e.g. your email address), then you'd get a link with a unique and encrypted id (let's say "http://www.domain.com/user/reset/SGDwq4e67tfagsrkasfh/") sent by email, and following this link you'd be able to just set a new password within a certain period of time.

I'm far from being an expert on security, but I found this idea very convenient and appealing from a user experience point of view. If you get an automatically created password, you'll probably have to either save it somewhere besides your head or change it (at least I'm having trouble remembering more than two of those kinds of auto-generated strings)—the first option is a security risk, the latter is one extra step for the user. In probably any case you'll copy the password at some point into your clipboard, which again might eventually be a security issue.

I personally find these "secret questions" pretty annoying (no offense), since the ready-made options rarely provide me with a question I'd like to answer in an online form (or at least answer honestly, which means I'll forget my fake answer during the next split second), and you can after all never be sure how (like in how many words, case, etc.) a user might answer a question one day or the other.
A unique link on the other hand is as secure or insecure as sending a new password straight after providing an email address (like many applications handle it atm.), but lets the user set a new password as he/she wishes to, which has never been sent via email.

Don't get me wrong—I believe that you're providing a good and secure solution inside a great library, I'm just making a suggestion from a personal perspective.

@Michael Wales—if you're around, could you maybe elaborate a bit on what you were writing about? Unfortunately your older posts seem not to have survived the redesign/move of your blog.

—trice

P.S.: When are you expecting 1.3 to be out?
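The token-link flow trice22 describes above (identify by email, receive a one-time link, set a new password within a time window), as an added example that is not code from Redux Authentication or from any post in this thread. It assumes modern PHP (random_bytes), uses an in-memory array as a stand-in for a database table, and all function names are made up for the illustration.

```php
<?php
// Added example: token-based "forgot password" flow.
// $resets stands in for a `password_resets` DB table; keys are the SHA-256
// of the token, so a leaked table does not yield usable reset links.

const RESET_TTL = 48 * 3600; // link valid for 48 hours, as suggested above

$resets = [];

// Step 1: user supplies an email; we issue a random token and return the
// link the application should email to that address (hypothetical URL).
function request_reset(array &$resets, string $email): string
{
    $token = bin2hex(random_bytes(20)); // 160 bits of entropy, 40 hex chars
    $resets[hash('sha256', $token)] = [
        'email'   => $email,
        'expires' => time() + RESET_TTL,
    ];
    return 'http://www.domain.com/user/reset/' . $token . '/';
}

// Step 2: user follows the link. Returns the email the token belongs to,
// or null if the token is unknown, expired, or already used. The entry is
// removed on first use either way, so a link works exactly once.
function redeem_reset(array &$resets, string $token): ?string
{
    $key = hash('sha256', $token);
    if (!isset($resets[$key])) {
        return null;
    }
    $row = $resets[$key];
    unset($resets[$key]);
    if ($row['expires'] < time()) {
        return null;
    }
    return $row['email'];
}

// Step 3 (after a successful redeem): the caller lets the user choose the
// new password and stores its hash; no password ever travels by email.
function set_new_password(string $email, string $newPassword): string
{
    return password_hash($newPassword, PASSWORD_DEFAULT); // store with $email
}

// Demo run against the in-memory store.
$url   = request_reset($resets, 'user@example.com');
$token = basename(rtrim($url, '/'));
$email = redeem_reset($resets, $token);           // "user@example.com"
$reuse = redeem_reset($resets, $token);           // null: already consumed
var_dump($email, $reuse, $email !== null ? set_new_password($email, 'N3w-pass') : null);
```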

[eluser]Popcorn[/eluser]
thesf : That was an example controller / method. You can handle the result the way in which you are happy with. The current example controller is not completed properly anyway, but was released early to give developers a guideline on how it should fit together.

Also, if you cannot log in, make sure you are not applying an md5 to the validation rules. If you need any more support, be sure to private message me.

trice22 : Thank you for the suggestion on using a simpler method, but the most important aspect of the library was security. I do not think I would be happy to reduce a step in the forgotten password stage for the sake of saving a matter of seconds.

Yes, I agree those secret questions can be annoying, but with Redux, you can choose how you want to implement this feature. Example : You could create a preselect list of questions for the user to answer, or allow them to create their own question.

I understand your viewpoint, but at the end of the day it is not my responsibility if a user forgets the answer to the question.

I'd be more inclined to take your route on a more personal project, but seeing how this library is being used by everyone, I really want it to be as secure as it can be.

Version 1.3.

There are not many issues left on the bug tracker for me to go and fix. After the majority are done I will test the code and release it right after. I expect it will be some time in the next 2 weeks, probably week 1 but I can never be too sure.

[eluser]thesf[/eluser]
Thanks Popcorn. Sorry, didn't realise the controller was meant just as an example. Anyway thanks, loving the library so far, good work.

[eluser]trice22[/eluser]
I see your point and it's definitely the best way to provide the most secure solution to start with. I guess I'll just decide, depending on the situation, which solution I'm going to use.
If I find some time to actually implement "mine", I'll provide some code here.

Thanks again for a great contribution and keep up the good work, I'm looking forward to 1.3.
—trice

[eluser]Pascal Kriete[/eluser]
This is quite nice. I've been working on integrating it in a PHP 4 project. It required a few code changes, but is going smoothly.

I do want to comment on this line:
Code:
$password_enc = sha1(sha1($this->salt . $hash . $password));
It's safer if you only hash it once. The initial string of salt + hash + password is random in both length and characters. The first sha1 gives you a fixed length and reduced character set. By hashing this again you're actually increasing the probability of collisions.

Other than that though - great job. Really like this library.

[eluser]Popcorn[/eluser]
inparo: Thank you for the suggestion and I will incorporate the patch into 1.3.

Glad you are liking it.

-Mathew

[eluser]MCrittenden[/eluser]
Just wanted to say thanks for this. All of the other auth libs I found were either way too complex (modification seemed a little intimidating) or way too simple. This fits right in the middle. Thanks again.