Zend Framework Auth

nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Zend Framework Auth

Post by nutkenz »

I'm trying to keep a user logged in for as long as the browser remains open, but I'm not having much luck, even with rememberMe() set to a week...

require_once('Zend'.DS.'Auth.php');
require_once('Zend'.DS.'Auth'.DS.'Storage'.DS.'Session.php');
require_once('Zend'.DS.'Auth'.DS.'Adapter'.DS.'DbTable.php');

$auth = Zend_Auth::getInstance();
// Runs on every request, before the session has been started
Zend_Session::rememberMe(60*60*24*7);
$session = new Zend_Auth_Storage_Session("user");
$auth->setStorage($session);

$authDb = new Zend_Auth_Adapter_DbTable($db, 'users', 'login', 'pass');

if (!empty($_REQUEST["auth_login"]))
{
    // Credentials submitted with this request
    $login = $_REQUEST["auth_login"];
    $pass = $_REQUEST["auth_pass"];
}
elseif ($auth->hasIdentity())
{
    // Re-use the credentials kept in the session identity
    $login = $auth->getIdentity()->login;
    $pass = $auth->getIdentity()->pass;
}
else // No login attempted
{
    $login = $pass = null;
}

if (!empty($login) && !empty($pass))
{
    $authDb->setIdentity($login)->setCredential($pass);
    $result = $authDb->authenticate();

    if (!$result->isValid())
    {
        foreach ($result->getMessages() as $message)
        {
            // Application-specific message queue and translation helper
            $msg["error"]->add(trl($message));
        }
        // Invalidate existing data
        //$_SESSION["user"] = "";
        $auth->clearIdentity();
    }
    else // Logged in
    {
        //$_SESSION["user"] = get_object_vars($authDb->getResultRowObject());
        //$data = get_object_vars($authDb->getResultRowObject());
        // Stores the whole user row, including the pass column, as the identity
        $auth->getStorage()->write($authDb->getResultRowObject());
    }
}
 
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Zend Framework Auth

Post by Eran »

Your code looks to be doing everything right as far as authentication goes. Maybe you have a problem with cookies? (Session IDs are kept in cookies.)

Also, take notice that it is not recommended to store the password in the session (and neither is storing it in clear text in the database).
You can prevent the result object from storing the password by passing a couple of arguments to the getResultRowObject method:

$authDb->getResultRowObject(null,'pass');
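The two points in the reply above (keep the password out of the session, keep it out of the database in clear text) can be taken one step further than the getResultRowObject() trick. The following is an added example, not code from the thread or from Zend Framework itself: a custom Zend_Auth adapter that verifies a password_hash() digest and hands back an identity that never contains the credential, so Zend_Auth::authenticate() writes nothing secret to the session. It assumes Zend Framework 1 on PHP 5.5 or later (for password_verify), the $db adapter from the original post, and a constructed `users` table with the columns id, login and pass_hash; the class name HashedPasswordAuthAdapter is made up for this example.

```php
<?php
// Added example, not from the thread: a Zend_Auth adapter that checks a
// password_hash() digest instead of comparing clear-text credentials, and that
// returns an identity without the credential so nothing secret reaches the session.
// Assumptions: Zend Framework 1 on PHP >= 5.5 (password_verify), $db is the
// Zend_Db adapter from the thread, and a `users` table with the columns id, login
// and pass_hash (constructed for this example).

require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/Interface.php';
require_once 'Zend/Auth/Result.php';
require_once 'Zend/Auth/Storage/Session.php';

class HashedPasswordAuthAdapter implements Zend_Auth_Adapter_Interface
{
    private $db;
    private $login;
    private $password;

    public function __construct(Zend_Db_Adapter_Abstract $db, $login, $password)
    {
        $this->db       = $db;
        $this->login    = $login;
        $this->password = $password;
    }

    public function authenticate()
    {
        // Bound parameter: the login comes straight from the request and must never
        // be concatenated into the SQL.
        $row = $this->db->fetchRow(
            'SELECT id, login, pass_hash FROM users WHERE login = ?',
            array($this->login)
        );

        // One generic message for both failure cases so the response does not reveal
        // which logins exist; the result code still distinguishes them for logging.
        $messages = array('Invalid login or password.');

        if (!$row) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null, $messages);
        }
        if (!password_verify($this->password, $row['pass_hash'])) {
            return new Zend_Auth_Result(
                Zend_Auth_Result::FAILURE_CREDENTIAL_INVALID, null, $messages);
        }

        // The identity written to the session: what the application needs, minus the hash.
        unset($row['pass_hash']);
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, (object) $row);
    }
}

// At registration the pass_hash column is filled with
// password_hash($clearTextPassword, PASSWORD_DEFAULT); the clear text is never stored.

$auth = Zend_Auth::getInstance();
$auth->setStorage(new Zend_Auth_Storage_Session('user'));

if (!empty($_POST['auth_login']) && !empty($_POST['auth_pass'])) {
    $adapter = new HashedPasswordAuthAdapter($db, $_POST['auth_login'], $_POST['auth_pass']);
    // Zend_Auth::authenticate() writes $result->getIdentity() to the storage itself
    // on success, so the hash-free identity object is what later pages read.
    $result = $auth->authenticate($adapter);
    if (!$result->isValid()) {
        $auth->clearIdentity();
        $loginErrors = $result->getMessages();
    }
}

// On any later page no password is needed: the identity proves the user authenticated.
if ($auth->hasIdentity()) {
    $currentLogin = $auth->getIdentity()->login;
}
```

Because the adapter decides what goes into the Zend_Auth_Result, the omission of the credential is enforced in one place rather than at every call site that reads the result row.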
 
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Re: Zend Framework Auth

Post by nutkenz »

Though how would I check it again when the user loads another page? If I don't include the password, I can't do this:
$pass = $auth->getIdentity()->pass;
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Zend Framework Auth

Post by Eran »

That's the whole point of storing the identity in the session - if the user has an identity, he has already been authenticated. Of course you need to watch out for the usual attacks such as identity theft and cross-site scripting, but storing the password in the session is even worse - it allows an attacker that gains control of it to authenticate himself as the user he stole the password from.

On each page you simply need to check:

if ($auth->hasIdentity() === false) {
    // redirect to login
}
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Re: Zend Framework Auth

Post by nutkenz »

You're right, I was still too focused on the way I did it previously (using cookies with hashed username+pass). I'll check if I'll stay logged in when I'm not re-authenticating on every page load.
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Re: Zend Framework Auth

Post by nutkenz »

Unfortunately, I'm still being logged out if I don't reload the page every x hours... I would like to keep the session active for as long as I don't close my browser. Even if the PC goes in standby mode, as long as IE or FF has the tab open, it should not log me out. Is there another setting I forgot about? Any ideas?
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Re: Zend Framework Auth

Post by nutkenz »

I've done some more testing... Is it possible that having multiple tabs open is causing me to be logged out? Could this be a side-effect of calling rememberMe(), which triggers regenerateId()?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Zend Framework Auth

Post by Eran »

If you are logging in from different tabs then yes. If not, rememberMe() is only called once per login, so that shouldn't be the problem.
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Re: Zend Framework Auth

Post by nutkenz »

Is there a way to stay logged in for as long as the browser is open regardless of the amount of tabs I'm using?
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Zend Framework Auth

Post by Eran »

If you are only logging in once, that shouldn't be a problem - the session applies to all the tabs of the browser. Don't perform separate logins in different tabs; simply refresh the browser after logging in in another tab.
nutkenz
Forum Contributor
Posts: 155
Joined: Tue Jul 19, 2005 12:25 pm

Re: Zend Framework Auth

Post by nutkenz »

I'm not, I'm logged in as the same user in all tabs, yet I'm still being logged out (what appears to be randomly)
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Zend Framework Auth

Post by Eran »

Have you changed your code so rememberMe() is called only when a login is authenticated (and not on every page view)?
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Zend Framework Auth

Post by Benjamin »

Are you storing the sessions in the database or as files? I would guess they are being destroyed on the server side by the garbage collection routine. Storing them (the sessions) in the database can avoid this problem.
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Zend Framework Auth

Post by Eran »

Storing the sessions in the database kind of defeats the purpose, no? The whole idea is have some limited persistence without hitting the database with queries.
Benjamin
Site Administrator
Posts: 6935
Joined: Sun May 19, 2002 10:24 pm

Re: Zend Framework Auth

Post by Benjamin »

Deciding where to store sessions is really dependent on specific requirements. If timeouts or multiple servers are involved, writing them to the file system doesn't really work. If heavy traffic is involved, writing them to the database becomes impractical. At that point you can start looking into alternative solutions such as memcache.
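The thread raises three separate causes for the "randomly logged out" symptom: rememberMe() being called on every page view rather than once per login (so the session id is regenerated on every request and a concurrent request from another tab loses it), the server-side garbage collector removing session files after its own lifetime regardless of the cookie's one-week lifetime, and the choice of file versus database storage. The following bootstrap is an added example, not code from the thread, that wires those points together. It assumes Zend Framework 1, the $db adapter and `users` table from the original post, and a constructed `session` table with the columns id, modified, lifetime and data for the database save handler; the login page path /login.php is made up.

```php
<?php
// Added example, not from the thread: a bootstrap that keeps a logged-in session
// alive for as long as the browser stays open, applying the points raised in the
// thread. Assumptions: Zend Framework 1, $db is the Zend_Db adapter from the
// original post, the `users` table is the one from the original post, and a
// `session` table with the columns id, modified, lifetime and data exists
// (constructed for this example).

require_once 'Zend/Session.php';
require_once 'Zend/Session/SaveHandler/DbTable.php';
require_once 'Zend/Db/Table/Abstract.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Storage/Session.php';
require_once 'Zend/Auth/Adapter/DbTable.php';

$rememberSeconds = 60 * 60 * 24 * 7;   // one week, as in the original post

// 1. Session options go in before the session starts. A cookie that lives for a
//    week does not help if the server-side garbage collector deletes the session
//    data after gc_maxlifetime (PHP's default is 1440 s), which produces exactly
//    the "logged out after x hours without a reload" symptom.
Zend_Session::setOptions(array(
    'remember_me_seconds' => $rememberSeconds,
    'gc_maxlifetime'      => $rememberSeconds,
    'use_only_cookies'    => true,   // never accept a session id from the URL
    'cookie_httponly'     => true,   // keep the session id out of reach of page scripts
));

// 2. Optional: store session data in the database rather than the file system, so a
//    shared tmp directory or another server's garbage collection cannot remove it.
Zend_Db_Table_Abstract::setDefaultAdapter($db);
Zend_Session::setSaveHandler(new Zend_Session_SaveHandler_DbTable(array(
    'name'           => 'session',
    'primary'        => 'id',
    'modifiedColumn' => 'modified',
    'dataColumn'     => 'data',
    'lifetimeColumn' => 'lifetime',
)));

Zend_Session::start();

$auth = Zend_Auth::getInstance();
$auth->setStorage(new Zend_Auth_Storage_Session('user'));

// 3. Authenticate only when a login form was actually submitted, never by replaying
//    anything kept in the session.
if ($_SERVER['REQUEST_METHOD'] === 'POST'
    && !empty($_POST['auth_login']) && !empty($_POST['auth_pass'])) {

    $adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'login', 'pass');
    $adapter->setIdentity($_POST['auth_login'])->setCredential($_POST['auth_pass']);

    // Zend_Auth::authenticate() writes $result->getIdentity() to the storage on
    // success; for the DbTable adapter that is the login string, so the password
    // column never enters the session. Write
    // $adapter->getResultRowObject(null, 'pass') instead if more columns are needed.
    $result = $auth->authenticate($adapter);

    if ($result->isValid()) {
        // Only here, once per login: sets the cookie lifetime and regenerates the
        // session id. Calling it on every request regenerates the id on every
        // request, and a concurrent request from a second tab still carrying the
        // old id then arrives at a session that no longer exists.
        Zend_Session::rememberMe($rememberSeconds);
    } else {
        $auth->clearIdentity();
        $loginErrors = $result->getMessages();
    }
}

// 4. Every protected page: an identity in the session means the user already
//    authenticated, so nothing is re-checked against the users table.
if (!$auth->hasIdentity()) {
    header('Location: /login.php');
    exit;
}
$currentLogin = $auth->getIdentity();
```

With the default file handler, gc_maxlifetime is effectively shared by every PHP application that uses the same save_path: whichever process runs garbage collection applies its own, possibly much shorter, lifetime to all files there. A dedicated save_path or the database handler above avoids that, and the database handler costs one keyed lookup per request rather than the per-page re-authentication the original code performed.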