Zend Framework Auth

Posted: Mon Jul 07, 2008 7:42 pm
by nutkenz
I'm trying to keep a user logged in for as long as the browser remains open, but I'm not having much luck, even with rememberMe() set to a week...

Code:

require_once('Zend'.DS.'Auth.php');
require_once('Zend'.DS.'Auth'.DS.'Storage'.DS.'Session.php');
require_once('Zend'.DS.'Auth'.DS.'Adapter'.DS.'DbTable.php');
 
$auth = Zend_Auth::getInstance();
Zend_Session::rememberMe(60*60*24*7);
$session = new Zend_Auth_Storage_Session("user");
$auth->setStorage($session);
 
$authDb = new Zend_Auth_Adapter_DbTable($db,'users','login','pass');
 
if (!empty($_REQUEST["auth_login"]))
{
    $login = $_REQUEST["auth_login"];
    $pass = $_REQUEST["auth_pass"];
}
elseif ($auth->hasIdentity())
{
    $login = $auth->getIdentity()->login;
    $pass = $auth->getIdentity()->pass;
}
else // No login attempted
{
    $login = $pass = null;
}
 
if (!empty($login) && !empty($pass))
{
    $authDb->setIdentity($login)->setCredential($pass);
    $result = $authDb->authenticate();
    
    if (!$result->isValid())
    {
        foreach ($result->getMessages() as $message)
        {
            $msg["error"]->add(trl($message));
        }
        // Invalidate existing data
        //$_SESSION["user"] = "";
        $auth->clearIdentity();
    }
    else // Logged in
    {
        //$_SESSION["user"] = get_object_vars($authDb->getResultRowObject());
        //$data = get_object_vars($authDb->getResultRowObject());
        $auth->getStorage()->write($authDb->getResultRowObject());
    }
}
 

Re: Zend Framework Auth

Posted: Mon Jul 07, 2008 8:28 pm
by Eran
Your code looks to be doing everything right as far as authentication goes. Maybe you have a problem with cookies? (session ids are kept in cookies)

Also, take notice that it is not recommended to store the password in the session (and neither is storing it in clear text in the database).
You can prevent the result object from storing the password by passing a couple of arguments to the getResultRowObject method:

Code:

$authDb->getResultRowObject(null, 'pass');

Re: Zend Framework Auth

Posted: Mon Jul 07, 2008 8:31 pm
by nutkenz
Though how would I check it again when the user loads another page? If I don't include the password, I can't do this:
$pass = $auth->getIdentity()->pass;

Re: Zend Framework Auth

Posted: Mon Jul 07, 2008 9:07 pm
by Eran
That's the whole point of storing the identity in the session - if the user has an identity, he has already been authenticated. Of course you need to watch out for the usual attacks such as identity theft and cross-site scripting, but storing the password in the session is even worse - it allows an attacker that gains control of it to authenticate himself as the user he stole the password from.

On each page you simply need to check:

Code:

if ($auth->hasIdentity() === false) {
    // redirect to login
}

Re: Zend Framework Auth

Posted: Tue Jul 08, 2008 4:08 am
by nutkenz
You're right, I was still too focused on the way I did it previously (using cookies with hashed username+pass). I'll check if I'll stay logged in when I'm not re-authenticating on every page load.

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 11:38 am
by nutkenz
Unfortunately, I'm still being logged out if I don't reload the page every x hours... I would like to keep the session active for as long as I don't close my browser. Even if the PC goes in standby mode, as long as IE or FF has the tab open, it should not log me out. Is there another setting I forgot about? Any ideas?

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 11:57 am
by nutkenz
I've done some more testing... Is it possible that having multiple tabs open is causing me to be logged out? Could this be a side-effect of calling RememberMe() which triggers regenerateId()?

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 2:03 pm
by Eran
If you are logging in from different tabs then yes. If not, rememberMe() is only called once per login, so that shouldn't be the problem.

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 2:15 pm
by nutkenz
Is there a way to stay logged in for as long as the browser is open regardless of the amount of tabs I'm using?

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 2:21 pm
by Eran
If you are only logging in once, that shouldn't be a problem - the session applies to all the tabs of the browser. Don't perform separate logins in different tabs; simply refresh the browser after logging in in another tab.

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 4:10 pm
by nutkenz
I'm not, I'm logged in as the same user in all tabs, yet I'm still being logged out (what appears to be randomly).

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 4:24 pm
by Eran
Have you changed your code so rememberMe() is called only when a login is authenticated (and not on every page view)?

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 5:26 pm
by Benjamin
Are you storing the sessions in the database or as files? I would guess they are being destroyed on the server side by the garbage collection routine. Storing them (the sessions) in the database can avoid this problem.

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 5:33 pm
by Eran
Storing the sessions in the database kind of defeats the purpose, no? The whole idea is to have some limited persistence without hitting the database with queries.

Re: Zend Framework Auth

Posted: Wed Jul 09, 2008 5:39 pm
by Benjamin
Deciding where to store sessions is really dependent on specific requirements. If timeouts or multiple servers are involved, writing them to the file system doesn't really work. If heavy traffic is involved, writing them to the database becomes impractical. At that point you can start looking into alternative solutions such as memcache.
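The flow Eran describes (check hasIdentity() on every page, keep the password out of the session, call rememberMe() only when a login succeeds) together with Benjamin's garbage-collection point, written out as an added example that is not code from anyone in this thread; it assumes Zend Framework 1.x class names, a configured Zend_Db adapter in $db, and the 'users' table with 'login' and 'pass' columns from the original post.

```php
<?php
// Added example, not code from the thread: the original flow reworked so
// that rememberMe() runs once, only on a successful login, the password
// column never enters the session, and other pages only check hasIdentity().
// Assumes $db is a configured Zend_Db adapter and a 'users' table with
// 'login' and 'pass' columns, as in the original post.
require_once 'Zend/Session.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Storage/Session.php';
require_once 'Zend/Auth/Adapter/DbTable.php';
// Shared setup, run before the session starts. The cookie lifetime only tells
// the browser how long to keep the session id; the server still discards
// session data older than gc_maxlifetime, so the two values must agree.
function authSetup()
{
    Zend_Session::setOptions(array('gc_maxlifetime' => 604800)); // one week
    $auth = Zend_Auth::getInstance();
    // Same namespace on every request, or hasIdentity() looks in the wrong place.
    $auth->setStorage(new Zend_Auth_Storage_Session('user'));
    return $auth;
}
// Login page only. Returns an array of error messages, empty on success.
function handleLogin(Zend_Db_Adapter_Abstract $db, $login, $pass)
{
    $auth = authSetup();
    // A fifth constructor argument (credential treatment) would compare
    // against a hashed column instead of clear text; omitted here because
    // the thread's schema is unknown.
    $adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'login', 'pass');
    $adapter->setIdentity($login)->setCredential($pass);
    $result = $adapter->authenticate();
    if (!$result->isValid()) {
        $auth->clearIdentity();
        return $result->getMessages();
    }
    Zend_Session::rememberMe(604800); // once, here, not on every page view
    // Write the row without 'pass': from now on the session proves identity.
    $auth->getStorage()->write($adapter->getResultRowObject(null, 'pass'));
    return array();
}
// Every other page: no re-authentication, just the identity check.
function requireIdentity($loginUrl)
{
    $auth = authSetup();
    if ($auth->hasIdentity() === false) {
        header('Location: ' . $loginUrl);
        exit;
    }
    return $auth->getIdentity(); // stdClass row object, no password field
}
```

Because rememberMe() regenerates the session id, calling it from handleLogin() only (and never from requireIdentity()) also removes the per-page id churn nutkenz suspected was behind the random logouts.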