Ion Auth - Lightweight Auth System based on Redux Auth 2

[eluser]Ben Edmunds[/eluser]
Hey guys,

Just wanted to let you know that I've updated the docs with all of the suggestions I could remember or find on this thread.

Please let me know if you find any more errors, omissions, or have any suggestions.

http://benedmunds.com/ion_auth/


Thanks!

[eluser]dtechplus[/eluser]
Well done Ben.

[eluser]hugle[/eluser]
[quote author="Ben Edmunds" date="1279781818"]Hey guys,

Just wanted to let you know that I've updated the docs with all of the suggestions I could remember or find on this thread.

Please let me know if you find any more errors, omissions, or have any suggestions.

http://benedmunds.com/ion_auth/


Thanks![/quote]

Nice Ben!
already used your docs Smile

[eluser]Roobiz[/eluser]
Hi guys, very nice lib Ben, but I found a little issue.

When you try to update only a field like "email" in the user table there is a DB issue.

First "must use db->set()" because it tries to make a db->update without any set (l.823).
And then "unknown column user_id on table users" because it just updates the users table (l.835).

So I've made this little fix in case it could help someone Smile :

Code:
// Only touch the meta table when extra columns are configured for it
if (!empty($this->columns))
{
    // Track whether at least one meta column is actually being changed,
    // so we never call db->update() without a preceding db->set()
    $makeUpdate = FALSE;

    foreach ($this->columns as $field)
    {
        if (is_array($data) && isset($data[$field]))
        {
            $makeUpdate = TRUE;
            $this->db->set($field, $data[$field]);
            // Remove the meta field so the later users-table update
            // does not try to write an unknown column
            unset($data[$field]);
        }
    }

    // Run the meta update only if something was set
    if ($makeUpdate)
    {
        $this->db->where($this->meta_join, $id);
        $this->db->update($this->tables['meta']);
    }
}

[eluser]basementDUDE[/eluser]
Ben, after just 5 mins reading your documentation I decided to switch from dx_auth to your Ion.
It was very clear, I love it.

[eluser]maltzurra[/eluser]
Interesting library, good job. But to be honest, there are some pieces of code I don't like at all.

Like the way "remember me" cookies are being stored. I would NOT recommend storing your password in cookies. Even when it's sha1() encrypted. Concat fields, use salts, tokens... Whatever you prefer, but storing the password in a file this way is just so risky.

Great job anyway Smile

[eluser]Roobiz[/eluser]
[quote author="maltzurra" date="1280151085"]Interesting library, good job. But to be honest, there are some pieces of code I don't like at all.

Like the way "remember me" cookies are being stored. I would NOT recommend storing your password in cookies. Even when it's sha1() encrypted. Concat fields, use salts, tokens... Whatever you prefer, but storing the password in a file this way is just so risky.

Great job anyway Smile[/quote]

For me $rmbcode = sha1(sha1(password + salt));

Well, it's not very good but not too bad at all... Reversing a sha1 is not very easy, so...

[eluser]maltzurra[/eluser]
These days modern browsers remember passwords for you, so I don't think it's a bad idea to rely on them, especially if your app contains _VERY_ sensitive data. Anyway, Drupal's persistent login approach does minimise impact a lot. It works this way:

Quote:
- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2]

- The login cookie contains the user's username, a series identifier, and a token. The series and token are unguessable random numbers from a suitably large space. All three are stored together in a database table.

- When a non-logged-in user visits the site and presents a login cookie, the username, series, and token are looked up in the database.

- If the triplet is present, the user is considered authenticated. The used token is removed from the database. A new token is generated, stored in database with the username and the same series identifier, and a new login cookie containing all three is issued to the user.

- If the username and series are present but the token does not match, a theft is assumed. The user receives a strongly worded warning and all of the user's remembered sessions are deleted.

- If the username and series are not present, the login cookie is ignored.


http://jaspan.com/improved_persistent_lo...t_practice
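
The series/token scheme quoted above, written out as an added example (not Ion Auth code and not from the linked article); an in-memory array stands in for the database table, and as one step beyond the quoted text the server keeps only a hash of the token rather than the token itself:

```php
<?php
// Added example: persistent-login cookie handling with a series id and a
// rotating token. $rows is a constructed stand-in for the DB table.
class PersistentLogin
{
    // Rows of [username, series, sha256(token)].
    private array $rows = [];

    private function randomHex(): string
    {
        return bin2hex(random_bytes(32)); // 256 random bits, unguessable
    }

    // On a successful password login with "remember me" checked:
    // create a new series and token, store them, return the cookie value.
    public function issue(string $username): string
    {
        $series = $this->randomHex();
        $token  = $this->randomHex();
        $this->rows[] = [$username, $series, hash('sha256', $token)];
        return "$username:$series:$token";
    }

    // Check a presented cookie. Returns ok/cookie/theft as in the quoted rules.
    public function check(string $cookie): array
    {
        [$username, $series, $token] = array_pad(explode(':', $cookie, 3), 3, '');
        foreach ($this->rows as $i => [$u, $s, $hash]) {
            if ($u !== $username || $s !== $series) {
                continue;
            }
            if (hash_equals($hash, hash('sha256', $token))) {
                // Triplet matches: user is authenticated; rotate the token,
                // keep the series, issue a fresh cookie.
                $new = $this->randomHex();
                $this->rows[$i][2] = hash('sha256', $new);
                return ['ok' => true, 'cookie' => "$username:$series:$new", 'theft' => false];
            }
            // Username and series known but token wrong: assume theft and
            // delete every remembered session of this user.
            $this->rows = array_values(array_filter($this->rows, fn($r) => $r[0] !== $username));
            return ['ok' => false, 'cookie' => null, 'theft' => true];
        }
        // Unknown username/series: ignore the cookie.
        return ['ok' => false, 'cookie' => null, 'theft' => false];
    }
}
```

Replaying an old cookie after a successful check() returns theft => true, which is the property the sha1(password) approach discussed in this thread cannot give you, since that value never changes until the user changes their password.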

[eluser]Ben Edmunds[/eluser]
maltzurra,

I don't store the password in a cookie dude. I'm just storing a sha1 of the password as the remember me salt in a cookie.

[eluser]maltzurra[/eluser]
Hey Ben,

I noticed you are not storing the password, but you are storing a sha1(password) which is, these days, far from ideal imho. It's not that hard to get the password once you know the encrypted value. Just a matter of time.

It was just a personal recommendation as I feel a kind of obsession with security Smile
