Ion Auth - Lightweight Auth System based on Redux Auth 2
[eluser]Ben Edmunds[/eluser]
Hey guys, just wanted to let you know that I've updated the docs with all of the suggestions I could remember or find on this thread. Please let me know if you find any more errors, omissions, or have any suggestions. http://benedmunds.com/ion_auth/ Thanks!
[eluser]hugle[/eluser]
[quote author="Ben Edmunds" date="1279781818"]Hey guys, just wanted to let you know that I've updated the docs with all of the suggestions I could remember or find on this thread. Please let me know if you find any more errors, omissions, or have any suggestions. http://benedmunds.com/ion_auth/ Thanks![/quote] Nice, Ben! Already used your docs.
[eluser]Roobiz[/eluser]
Hi guys, very nice lib, Ben, but I found a little issue. When you try to update only a field like "email" in the user table there is a DB issue. First "must use db->set()", because it tries to make a db->update without any set (l.823). And then "unknow column user_id on table users", because it only updates the users table (l.835). So I've made this little fix in case it helps someone: Code: if (!empty($this->columns))
[eluser]basementDUDE[/eluser]
Ben, just 5 mins reading your documentation. I decided to switch from dx_auth to your ion. It was very clear, I love it.
[eluser]maltzurra[/eluser]
Interesting library, good job. But to be honest, there are some pieces of code I don't like at all. Like the way "remember me" cookies are being stored. I would NOT recommend storing your password in cookies. Even when it's sha1() encrypted. Concat fields, use salts, tokens... Whatever you prefer, but storing the password in a file this way is just so risky. Great job anyway.
[eluser]Roobiz[/eluser]
[quote author="maltzurra" date="1280151085"]Interesting library, good job. But to be honest, there are some pieces of code I don't like at all. Like the way "remember me" cookies are being stored. I would NOT recommend storing your password in cookies. Even when it's sha1() encrypted. Concat fields, use salts, tokens... Whatever you prefer, but storing the password in a file this way is just so risky. Great job anyway.[/quote] For me $rmbcode = sha1(sha1(password + salt)); Well, it's not very good but not too bad at all... The way to reverse a sha1 is not very easy so...
[eluser]maltzurra[/eluser]
These days modern browsers remember passwords for you, so I don't think it's a bad idea to rely on them, especially if your app contains _VERY_ sensitive data. Anyway, Drupal's persistent login approach does minimise impact a lot. It works this way: Quote:- When the user successfully logs in with Remember Me checked, a login cookie is issued in addition to the standard session management cookie.[2] http://jaspan.com/improved_persistent_lo...t_practice
[eluser]Ben Edmunds[/eluser]
maltzurra, I don't store the password in a cookie dude. I'm just storing an sha1 of the password as the remember me salt in a cookie.
[eluser]maltzurra[/eluser]
Hey Ben, I noticed you are not storing the password, but you are storing a sha1(password) which is, these days, far from ideal imho. It's not that hard to get the password once you know the encrypted value. Just a matter of time. It was just a personal recommendation as I feel a kind of obsession with security.
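Added example, not part of the thread and not Ion Auth's or Drupal's code: a remember-me cookie built from random tokens, the alternative to a password-derived cookie value that the posts above argue for. The function names, `REMEMBER_TTL` and the in-memory `$store` (standing in for a database table) are assumptions for illustration; it assumes PHP 7.4 or later.

```php
<?php
// The cookie carries a random selector and validator; nothing in it is
// derived from the password, so a leaked cookie reveals nothing about it.
const REMEMBER_TTL = 1209600; // assumed lifetime: 14 days, in seconds

function issue_remember_token(array &$store, int $userId): string
{
    $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
    $validator = bin2hex(random_bytes(32));  // secret, sent only to the browser
    $store[$selector] = [
        'user_id' => $userId,
        'hash'    => hash('sha256', $validator), // server keeps only the hash
        'expires' => time() + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;     // value for the remember-me cookie
}

// Returns [userId, replacementCookie] on success, null on any failure.
function redeem_remember_token(array &$store, string $cookie): ?array
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !isset($store[$parts[0]])) {
        return null;                         // malformed or unknown selector
    }
    [$selector, $validator] = $parts;
    $row = $store[$selector];
    unset($store[$selector]);                // single use: consumed either way

    if ($row['expires'] < time()) {
        return null;                         // expired token
    }
    if (!hash_equals($row['hash'], hash('sha256', $validator))) {
        // Known selector with a wrong validator: treat as tampering and
        // revoke every remembered login for that user.
        $store = array_filter($store, fn($r) => $r['user_id'] !== $row['user_id']);
        return null;
    }
    // Rotate: the caller must set the returned cookie in place of the old one.
    return [$row['user_id'], issue_remember_token($store, $row['user_id'])];
}

// Constructed demo: issue a token, redeem it, then replay the used cookie.
$store  = [];
$cookie = issue_remember_token($store, 42);
[$uid, $next] = redeem_remember_token($store, $cookie);
var_dump($uid, redeem_remember_token($store, $cookie));
```

Because only a hash of the validator is stored, a read of the token table does not yield usable cookies, and changing the password can simply delete the user's rows.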