```php
/**
 * Runs before every request to this controller. It sets some template
 * variables which are used throughout the application.
 *
 * @return void
 */
public function before()
{
    parent::before();

    /**
     * 1. check if user logged in
     * 2. if not check if remembered cookie is set and login if possible
     * 3. user not logged in
     */
    if (Auth::check())
    {
        $this->current_user = Model_User::find_by_username(Auth::get_screen_name());
        $this->logged_in = true;
    }
    elseif ($user = static::is_remembered())
    {
        if (Auth::check())
        {
            $this->current_user = $user;
            $this->logged_in = true;
        }
    }
    else
    {
        $this->current_user = null;
        $this->logged_in = Auth::check() ? true : false;
    }

    View::set_global('current_user', $this->current_user);
    // was $this->current_user, which made the boolean flag a user object
    View::set_global('logged_in', $this->logged_in);

    $this->template->header = View::forge('home/header');
    $this->template->footer = View::forge('home/footer');
}

/**
 * Check if remember me is set and valid
 */
protected static function is_remembered()
{
    \Config::load('simpleauth', true);
    $encoded_val = Cookie::get(Config::get('simpleauth.remember_me.cookie_name'));

    if ($encoded_val)
    {
        $val = base64_decode($encoded_val);
        // cookie payload is "saltedpasswordhash:cookie_pass:login_hash"
        list($saltedpasswordhash, $cookie_pass, $login_hash) = explode(':', $val);

        $user = Model_User::find_by_remember_me($cookie_pass);
        $dbpasshash = sha1(sha1($user->password).sha1(Config::get('simpleauth.salt')));

        if ($user)
        {
            // set auth session variables
            \Session::set('username', $user->username);
            \Session::set('login_hash', $login_hash);
            \Session::instance()->rotate();

            $user->last_login = time();
            $user->save();

            return $user;
        }
        else
        {
            return false;
        }
    }

    return false;
}
```
Why would guest login prevent this from working? I don't see any code here that wouldn't work because of it. But setting the current user and making Auth::instance()->check() work afterwards made me realize that Auth::instance()->check() would not work because of the guest user. I have set it to false in the SimpleAuth configuration and then it worked.
Can you look at the is_remembered() static function and tell me whether I handle user authentication from the cookie in the right manner? Especially the section where I set Auth's session variables. It works, but I am still in doubt whether I handle everything right.
There are a few things very wrong here:
- Don't put a user's password in a cookie, I don't care how many times you (re-)hash it. Just don't. A password is something very personal you should consider to be a great secret never to be shared or hinted at. You only use a user's password (or whatever relates to it, or part of it) to check when logging in, don't ever transmit it and don't use it for anything else.
- I can steal your session by just stealing your cookie, I would be able to do everything once I have the cookie. This will even tell me the user's hashed password and the user's current login hash.
- This won't rotate the user's login-hash, thus keeping it valid as long as the cookie keeps using it. Enlarging the problem from my previous point. You should force a re-login when creating something like this, not re-using an old login.
- This is logic that should be in the auth driver, not in a controller.
- $dbpasshash seems useless, even causing errors when the cookie's data is wrong.

Remember me functionality is very dangerous, you need to do a lot more research to understand how to implement it safely.
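To make the points above concrete, here is an added example of the scheme they imply (example code written for this thread, not code from the original post and not FuelPHP's or SimpleAuth's own API). The cookie carries only two random values, a public selector and a secret validator; the database stores the selector, a hash of the validator, the user id and an expiry. The password never enters the cookie, a stolen cookie reveals nothing but the token itself, the token is single-use and replaced on every visit, and a valid selector with a wrong validator revokes all of that user's tokens. The `remember_tokens`-style store, the function names, the 30-day TTL and the cookie name are assumptions; the in-memory array stands in for a table.

```php
<?php
// Added example: selector/validator remember-me tokens. Not code from the thread
// or from FuelPHP; the array store, names and TTL below are assumptions.
declare(strict_types=1);

const REMEMBER_TTL = 30 * 24 * 3600;   // assumed policy: 30 days
const COOKIE_NAME  = 'remember_me';    // assumed cookie name

/** Stand-in for a remember_tokens table: selector => [user_id, validator_hash, expires] */
$tokenStore = [];

/** Issue a fresh token for $userId and return the value to put in the cookie. */
function issueRememberToken(array &$store, int $userId, int $now): string
{
    $selector  = bin2hex(random_bytes(12));  // public lookup key
    $validator = bin2hex(random_bytes(32));  // secret; only its hash is stored
    $store[$selector] = [
        'user_id'        => $userId,
        'validator_hash' => hash('sha256', $validator),
        'expires'        => $now + REMEMBER_TTL,
    ];
    return $selector . ':' . $validator;
}

/** Delete every token for one user (used when a replayed/guessed cookie is detected). */
function revokeAllTokensForUser(array &$store, int $userId): void
{
    foreach ($store as $selector => $row) {
        if ($row['user_id'] === $userId) {
            unset($store[$selector]);
        }
    }
}

/**
 * Validate a presented cookie. Returns [user_id, replacement_cookie] on success,
 * null otherwise. The presented token is consumed either way: it is never reused.
 */
function consumeRememberToken(array &$store, ?string $cookie, int $now): ?array
{
    if ($cookie === null || substr_count($cookie, ':') !== 1) {
        return null;                      // malformed: no DB lookup, no errors
    }
    [$selector, $validator] = explode(':', $cookie, 2);
    if (!isset($store[$selector])) {
        return null;                      // unknown selector: nothing to revoke
    }
    $row = $store[$selector];
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        revokeAllTokensForUser($store, $row['user_id']);  // theft or guessing
        return null;
    }
    unset($store[$selector]);             // single use
    if ($row['expires'] < $now) {
        return null;
    }
    return [$row['user_id'], issueRememberToken($store, $row['user_id'], $now)];
}

$now = time();

// At login with "remember me" ticked: issue a token and send it with strict flags.
$cookieValue = issueRememberToken($tokenStore, 42, $now);
if (PHP_SAPI !== 'cli') {
    setcookie(COOKIE_NAME, $cookieValue, [
        'expires'  => $now + REMEMBER_TTL,
        'path'     => '/',
        'secure'   => true,   // HTTPS only
        'httponly' => true,   // not readable by page scripts
        'samesite' => 'Lax',
    ]);
}

// On a later request with no session: replay the cookie (here the value just
// issued, since this runs offline). On success, start a fresh session for
// $userId, flag it as cookie-based so sensitive actions demand the password
// again, and send $newCookie back with the same flags. Never reuse an old
// login_hash from the cookie.
$presented = $_COOKIE[COOKIE_NAME] ?? $cookieValue;
$result = consumeRememberToken($tokenStore, $presented, $now);
if ($result !== null) {
    [$userId, $newCookie] = $result;
    // session start and setcookie(COOKIE_NAME, $newCookie, ...) go here
}
```

Two design choices worth noting: the selector is looked up first so that `hash_equals` runs against one row rather than scanning with a secret, and the hash stored in the table is of the validator only, so a database leak does not yield usable cookies and a cookie leak does not yield anything stored server-side. This logic belongs in the auth driver, where it can set the session itself; the controller should only see the outcome.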
I will go and read a couple of articles on how to safely implement a remember me function... But I really don't want to write my own driver just to add this. I am not sure if I even know how to write my own driver. Documentation on this is non-existent and I am probably going to introduce even more bad things... Is it really so bad if this logic is in my base controller?
I wish someone had done this already, made it safe and right and ready to use. I know there is the Sentry auth package, which does remember me and everything, but this doesn't use Fuel's native Auth, which makes me ask why... confusing! Anyway, I don't want to use Sentry since I want to add Ninja Auth's social login as well, and this works on top of Fuel's native Auth!
Remember me is something so standard today that it really should be in the core of Fuel's native Auth!