This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

The active forums are here.

Tank Auth v1.0 (CI authentication library)

April 07, 2009 12:13pm

  • #166 / Nov 18, 2009 10:25am

    NiconPhantom

    50 posts

    Hi Gromozeka

    What do you think about encrypting the password with $config['encryption_key'] + userpassword together for total security?

  • #167 / Nov 18, 2009 10:57am

    Gromozeka

    51 posts

    Adding an extra string to the user password increases the length of the encrypted password and you'll have to change your database, allocating more space for password storage. Those are the cons.

    And what about pros? Does it really increase security?

  • #168 / Nov 18, 2009 1:41pm

    NiconPhantom

    50 posts

    It's good if a user uses a simple password, for example "qwerty" 😊

  • #169 / Nov 18, 2009 5:46pm

    Gromozeka

    51 posts

    Take a look:

    I’ve created two user accounts with the same password “qwerty”. For the 1st account encrypted password is “$2a$08$C4NHB7EijY4PTFL4MqwzEOrUPW3wqr.BJcpSkUBPrnOn2opn6Am4e”. For the 2nd one it’s “$2a$08$dfcX.ScKGcA7utdMj53k1uGPCRKJo7ooQE7Zy68pcnYugDBe6z2de”. The same password generates different records in db for different users.

    How may adding a salt increase security here?
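    An added example (not Tank Auth's own code) that shows what the two records above illustrate: bcrypt already embeds a fresh random salt per hash, so a site-wide secret such as $config['encryption_key'] adds protection only as a pepper kept outside the database; feeding it in through an HMAC keeps the stored value at bcrypt's fixed 60 characters, which also answers the column-size concern from #167. It assumes PHP 5.5+ (password_hash/password_verify); the pepper value and function names are illustrative.

    ```php
    <?php
    // Added example, not part of Tank Auth. Assumes PHP >= 5.5.
    // Two ways to combine a site-wide secret (a "pepper") with bcrypt,
    // which already generates a fresh random salt on every call.

    // Illustrative secret: in practice load it from config, never from the DB.
    $pepper = 'illustrative-encryption_key-value';

    // Naive variant from the question: concatenate secret + password.
    // It works, but bcrypt silently ignores input beyond 72 bytes, so a
    // long secret can leave little of the user's own password in the hash.
    function hash_naive($password, $pepper, $cost = 8) {
        return password_hash($pepper . $password, PASSWORD_BCRYPT, array('cost' => $cost));
    }

    // Preferred variant: HMAC the password under the secret first.
    // The HMAC output is always 64 hex characters, so it fits inside
    // bcrypt's input limit, and the stored value stays the usual
    // 60-character "$2y$08$..." string, so the password column is unchanged.
    function hash_peppered($password, $pepper, $cost = 8) {
        $keyed = hash_hmac('sha256', $password, $pepper);
        return password_hash($keyed, PASSWORD_BCRYPT, array('cost' => $cost));
    }

    function verify_peppered($password, $pepper, $stored) {
        $keyed = hash_hmac('sha256', $password, $pepper);
        return password_verify($keyed, $stored);
    }

    // Same password for two users: the 22-character salt that follows the
    // cost differs, so the two database records differ, as shown in #169.
    $h1 = hash_peppered('qwerty', $pepper);
    $h2 = hash_peppered('qwerty', $pepper);
    var_dump($h1 !== $h2);                                  // salts differ
    var_dump(verify_peppered('qwerty', $pepper, $h1));      // correct pepper verifies
    var_dump(verify_peppered('qwerty', 'wrong-key', $h1));  // a DB-only leak cannot verify
    var_dump(strlen($h1));                                  // still a 60-char bcrypt string
    ```

    The salt alone already defeats precomputed tables per user; what the pepper adds is that a dump of the password column alone is not enough to mount an offline guess, because the HMAC key lives outside the database.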

  • #170 / Nov 19, 2009 9:39am

    Kink

    4 posts

    Gromozeka,
    Great library and I use it with success. But I have a big problem: if a user doesn't enable 'accept cookie' in their browser, you can't access your page; you get a redirect to login_form with no message.
    I don't understand why, because cookies are stored in the database! So... where is the problem?

  • #171 / Nov 19, 2009 5:22pm

    JamieBarton

    98 posts

    Would it be easy enough to implement Forename and Surname fields on the registration form, so that these values are stored in the user details table and in the session?

    Also, the user details table, is it easy enough to change the table name to members, as I already have a table called members and I’ve referenced that pretty much in a few other models etc. so I don’t want to go through all of those changing it. Is there a way to easily change all of the references to user details table?


    Regards,

    Jamie

  • #172 / Nov 19, 2009 9:28pm

    jfouse

    3 posts

    This looks to be pretty good stuff, Gromozeka, especially given the auth lib forum thread I believe you worked off of.  I’m looking to migrate to it from FreakAuth Light in the near future, probably building a groups/roles bit to sit on top of it.  I have a tiny nit to pick though, and a more substantial issue to raise.  The minor thing is simply that I notice you’ve used “authentication” and “authorization” somewhat interchangeably, but they’re different things.  Authentication concerns who you are, while authorization is about what you have access to.  From what you’ve said, Tank Auth is for authentication and specifically NOT about authorization (roles, access control lists, etc).

    The more serious issue was rather surprising to me, given that one of your goals was increased security—passwords should never be emailed.  Period.  It’s an easy enough fix in your lib—simply comment out/remove the relevant lines from the html and email views—so it’s not a show stopper as far as I’m concerned, but the error is significant enough to warrant raising it here.  I seriously recommend that you re-think that as part of the standard install.  It’s almost like you’ve got a good foundation and solid walls, but there’s a screen door flapping open on the back porch. 😊

  • #173 / Nov 19, 2009 9:33pm

    jfouse

    3 posts

    If you use $data in more than one method, it should be declared as a class member, right?

    I’m not sure :(

    Yes, right now your $data var is local to the __construct() function, and not visible anywhere outside of it.  If you want it visible by other functions, you’ll need to do something more like this:

    class Welcome extends Controller
    {
        private $data = NULL;

        function __construct()
        {
            parent::__construct();

            // Load Tank Auth and gate the controller on a logged-in user
            $this->load->library('tank_auth');
            if (!$this->tank_auth->is_logged_in()) {
                redirect('/auth/login/');
            } else {
                $this->data = array();
                $this->data['user_id']  = $this->tank_auth->get_user_id();
                $this->data['username'] = $this->tank_auth->get_username();
            }
        }

        function index()
        {
            $this->load->view('welcome', $this->data);
        }
    }

  • #174 / Nov 20, 2009 5:42am

    Kink

    4 posts

    My own response to post #169

    Hourra! I have solved my problem.
    So, if a user deactivates 'accept cookie' in their browser, you can never access your page through login and password. The cause is the management of the cookie with the 'native' CI_Session library. It always stores cookies on the client system and can access cookie_data in the database.

    The goal is to store the complete cookie in the database directly if there is no cookie on the client system.

    To solve the problem, follow the instructions here:
    http://codeigniter.com/wiki/DB_Session/revision/7536/

    And search/replace 'session_data' with 'user_data' in db_session.php.

    That's done, it works fine!

    Sorry, I edited my post... Well, in fact, I hadn't deleted cookies before testing this solution. And it doesn't work.

    Back to zero, I'm searching for where the problem is...

  • #175 / Nov 20, 2009 10:52am

    Gromozeka

    51 posts

    This looks to be pretty good stuff, Gromozeka, especially given the auth lib forum thread I believe you worked off of.  I’m looking to migrate to it from FreakAuth Light in the near future, probably building a groups/roles bit to sit on top of it.  I have a tiny nit to pick though, and a more substantial issue to raise.  The minor thing is simply that I notice you’ve used “authentication” and “authorization” somewhat interchangeably, but they’re different things.  Authentication concerns who you are, while authorization is about what you have access to.  From what you’ve said, Tank Auth is for authentication and specifically NOT about authorization (roles, access control lists, etc).

    The more serious issue was rather surprising to me, given that one of your goals was increased security—passwords should never be emailed.  Period.  It’s an easy enough fix in your lib—simply comment out/remove the relevant lines from the html and email views—so it’s not a show stopper as far as I’m concerned, but the error is significant enough to warrant raising it here.  I seriously recommend that you re-think that as part of the standard install.  It’s almost like you’ve got a good foundation and solid walls, but there’s a screen door flapping open on the back porch. 😊

    Thank you for feedback.

    I agree on all your points. Calling Tank Auth an authorization library may confuse some users, and sending user passwords in emails reduces security.

    Both issues are fixed. I changed library description a little bit and commented out password in view-files for emails. The code remained the same so I left the version number unchanged.

  • #176 / Nov 21, 2009 7:47am

    674DBK

    13 posts

    Hi..

    I got this error:

    Error Number: 1064
    
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'session_id`, `ip_address`, `user_agent`, `last_activity`) VALUES ('b479e9b2b84b4' at line 1
    
    INSERT INTO ` (`session_id`, `ip_address`, `user_agent`, `last_activity`) VALUES ('b479e9b2b84b4b9577eeda8da8a8b01d', '0.0.0.0', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1', 1258803624)
  • #177 / Nov 21, 2009 8:49am

    674DBK

    13 posts

    Hi..

    How do I register a user without any email activation?

  • #178 / Nov 22, 2009 3:33am

    umefarooq

    690 posts

    Hi, just set this in the tank_auth config and it will not send any activation to the user.

    $config['email_activation'] = FALSE;

    But I have checked that after setting it to FALSE it is still sending email; if it is a bug then please fix it.

  • #179 / Nov 22, 2009 7:29am

    Pokhara

    28 posts

    What is the folder structure for tank auth? In the index function it redirects with redirect('/auth/login/'); I can't find such a structure in the tank_auth download and I keep getting an error.


    An Error Was Encountered

    Unable to load the requested class: tank_auth

    Can anyone please help me? Thanks

  • #180 / Nov 22, 2009 9:23am

    umefarooq

    690 posts

    It will take you to the site root, then the auth controller and the login function of the auth controller.

    If you remove the first / it will also be fine:

    redirect('auth/login/')

    I have tested tank_auth with a multi-language site where the url is

    http://localhost/ci_site/en/auth/

    In the index function it will redirect you to

    http://localhost/ci_site/auth/login

    It will give you an error. It's better to remove the / from the redirect, and then it's working fine.
