Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Understanding Auth:: what is login_hash used for?
  • salmanesalmane
    I realize this is less of a FUEL question and more of a security one but it would be great to understand the Auth:: package.
    what is login_hash used for?
    thank you
  • sanjhonsanjhon
    Hi Jemlmer, Thanks for your valuable answer. Can I have table name of my own choice. Regarding checking the user_id, login_hash etc needed to checked in login Auth::check method am I right. It may be a silly question for your reputation. Little confusion in implementing as a beginner. Advance thanks..
  • Jelmer SchreuderJelmer Schreuder
    You'll have to write it yourself, so give it any name you like.
  • AndresAndres
    Hi guys! I have 2 questions... 1. Would you have to extend Auth::check()? 2. Could I use that hash to generate a token for "forgot my password reset"?
    2b. Do you guys have a recommendation on how to do "password resets"?
  • HarroHarro
    1. Only of you use a different method of checking. 2. I usually send out an email with a reset link and a random token in the link. That link asks for the username (which is not mentioned in the email) and the new password. After the reset the user is logged in with the new password and redirected to (usually) the homepage.
  • AndresAndres
    thanks WanWizard, 1. But if i'm checking another table for multiple hashes... Where would I put this logic? User_Model? I feel like that moves away from the Auth package. in my opinion, the auth package should have a way to keep multiple logins, maybe as a config setting... any thoughts? 2. What if the user forgets the username? What I was thinking was that an email with a link to a reset page + token, that asks for the email address again and a new password. This change should be done through the User model right? The Auth package requires the old password.
  • Jelmer SchreuderJelmer Schreuder
    1. New logic goes into the login driver, not into the base Auth class - that shouldn't be extended unless you really understand it. 2. There'll be a reset_password() method in Fuel 1.1 for the login driver.
  • HarroHarro
    1. That's why I said: only if you need a different method of checking. Which obviously you do. 2. If someone is able to capture the email, they can hijack the account as they would have both the link with the token and the email address. So you should ask for something not in the email, preferably something the hijacker can not know. Maybe store a verification question and answer? (like "what what the name of your first pet" => "godzilla" ). To use my own user database, I've added a new auth driver to replace simpleauth. All you have to do is make sure the required methods are there, add the ones you need extra, and replace the logic in perform_check() so it does your checks against your database colums. If you do this, you can continue to use the standard Auth methods, which will automatically use your custom driver.
  • MikeMike
    Jelmer Schreuder wrote on Sunday 8th of May 2011:
    ..., but as the default Auth drivers were kept simple (hence their names) that's not supported.
    I agree that an auth package should be simple, but isn't it standard that you can login form your phone, tabled and desktop at the same time nowadays? I would like to see a default auth package with multiple login and driver (facebook, twitter, oauth, oath2, etc.) And also have a choice to use username, email or both as login method.
  • Jelmer SchreuderJelmer Schreuder
    I would like to see a default auth package with multiple login and driver (facebook, twitter, oauth, oath2, etc.) And also have a choice to use username, email or both as login method.

    Feel free to write it and pull-request, sounds like an awesome package to include as a more complex option. This is a community project after all...
  • sanjhonsanjhon
    Hi Jelmer, What is the table to be created for the multiple login to work. Since I am a beginner, it would be a great help if you could share your thoughts with an example.
  • Jelmer SchreuderJelmer Schreuder
    The table should have the login_hash, the user_id, the login-time and possibly the user's IP and user agent. What you do after that is check if there's a row in your logins table for which the login_hash, user_id (and possibly IP, user_agent) match the current user's cookie. Also have it expire when the login-time is too long ago, or use an expire column that is set to the time the login will expire.
    Have your table periodicly run a cleanup query that deletes all expired rows, I have that done when a user logs in succesfully but you could put that in other places as well (just don't do it in the login-check method, that's needed way too often).
  • Jelmer SchreuderJelmer Schreuder
    You don't save the user's password in a cookie, not even hashed. This is why a this-login-only login hash is generated that is saved in the cookie instead of the password, and that's what is checked when checking for the login. Because each login generates a new login hash, this also prevents you from logging in from multiple locations (each new login would overwrite the previous one). To implement that you'd need an extra table with multiple login hashes per account, but as the default Auth drivers were kept simple (hence their names) that's not supported.
  • salmanesalmane
    Thank you Jelmer!
    :)
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion