This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.
April 07, 2009 12:13pm
#421 / Aug 03, 2011 7:10pm
I’m concerned about security, namely users changing their user id.
How does a user change their ID? It should be an auto-increment field in the db.
#422 / Aug 03, 2011 7:21pm
If you aren’t on SSL, someone could be listening in on your logins and hijack enough information to possibly read from the session data or steal the cookie altogether. If they can manage to do that, it wouldn’t matter whether or not the query falls back on the password entered into the database… So, there’s nothing to worry about! Even on SSL, attacks are still possible. If you are worried about injections, Tank Auth is on lockdown, so to speak.
#423 / Aug 03, 2011 7:28pm
I’m concerned about security, namely users changing their user id.
How does a user change their ID? It should be an auto-increment field in the db.
No I mean changing via an input or cache. I’m not sure but I believe not comparing passwords is insecure.
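As an added illustration of the lookup-then-verify login pattern the posts above are arguing about (example code, not Tank Auth’s own): the user row, and with it the user id, is selected from the database by login name alone, and the submitted password is checked in PHP against the stored hash, so nothing the client sends can pick a different id. The PDO/SQLite connection and the `users` table layout are assumptions.

```php
<?php
// Added example, not Tank Auth's own code: the lookup-then-verify login
// pattern. The user row (and so the user id) is selected by login name only;
// the submitted password is checked in PHP against the stored hash.
// Assumed: PDO with the pdo_sqlite driver, and a `users` table with
// id, username and password (hash) columns.

function authenticate(PDO $pdo, string $login, string $password): ?int
{
    // Bound parameter: the login name is data, never SQL; the password
    // does not appear in the query at all.
    $stmt = $pdo->prepare('SELECT id, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $login]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown login name: verify against a throwaway hash so the response
        // time does not reveal whether the name exists, then fail.
        static $dummy = null;
        $dummy = $dummy ?? password_hash('throwaway', PASSWORD_DEFAULT);
        password_verify($password, $dummy);
        return null;
    }

    // Tank Auth uses phpass for this step; password_verify() is the modern
    // equivalent. A wrong password yields null, never a client-supplied id.
    if (!password_verify($password, $row['password'])) {
        return null;
    }

    return (int) $row['id'];
}

// Constructed sample data in an in-memory database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password) VALUES (?, ?)');
$ins->execute(['admin1', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Correct password, wrong password, and a login name that is not a user:
// only the first call returns an id, and that id comes from the database row.
var_dump(authenticate($pdo, 'admin1', 'correct horse'));
var_dump(authenticate($pdo, 'admin1', 'wrong password'));
var_dump(authenticate($pdo, "admin1' OR 1=1 --", 'x'));
```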
#424 / Aug 12, 2011 1:36am
Howdy all. First, many thanks for tank auth. I’m having a problem with error messaging on the login_form page. If I do not enter anything in the email and password fields, I get errors about entering them. If I enter an unregistered email address with a password, I get the error “Incorrect login” (next to the email input field). But if I enter a registered email address with the wrong password, I get no error. login_form simply reloads with the email address in the email field and the password field is empty but no error message is displayed.
Does anyone know where I can specify this error message or why it isn’t being displayed? This is an important enough use case to be contained within the tank auth core.
Thanks!
EDIT—I also noticed that there’s a similar issue with register_form. If I try to register with an email address that is already registered, I get the same behavior as described above, i.e., page reloads without an error message displayed.
#425 / Aug 13, 2011 12:31pm
I would double-check your CSS/HTML. Tank-Auth will display an error message in your described scenario. Make sure you didn’t delete the error handler by accident, inside the form, if you were customizing it. You can locate all these messages in application/language/english (or whatever)/tank_auth_lang.php
#426 / Aug 13, 2011 3:10pm
I would double-check your CSS/HTML. Tank-Auth will display an error message in your described scenario. Make sure you didn’t delete the error handler by accident, inside the form, if you were customizing it. You can locate all these messages in application/language/english (or whatever)/tank_auth_lang.php
Thanks for the sanity check—with your help, I figured out the issue. On the log in page, I left out:
<?php echo isset($errors[$password['name']])?$errors[$password['name']]:''; ?>
and a similar omission on the registration page. Thanks a bunch!
#427 / Aug 20, 2011 10:29pm
If anyone has messed with the roles add-on that is talked about step by step in this thread, then I have a question. When it echoes out, it adds the percent sign. How do I remove it, because each user can only have 1 role at a time?
#428 / Aug 24, 2011 8:13am
Is there a chance to create Roles to use TankAuth with a regular Frontend Login and a Backend for Admin Use?
Thanks
#429 / Sep 13, 2011 12:10pm
It is now hosted on GitHub:
https://github.com/ilkon/Tank-Auth
Fork away! 😊
#430 / Sep 19, 2011 3:21pm
Has anyone integrated TankAuth into any kind of forums package?
I’m looking to add forums to my site, and the site is already deeply coded around TankAuth.
Just curious before I attempt to roll my own XD
#431 / Sep 20, 2011 4:57pm
Is there a chance to create Roles to use TankAuth with a regular Frontend Login and a Backend for Admin Use?
Thanks
I have added a small role system, check it here: https://bitbucket.org/mtsandeep/tank-auth-with-roles/src
No documentation yet.
There is a role table, and 2 roles (admin and user); you can add more roles and specify a default role for registrations.
Now it’s like the first user to register will be given the admin role and all others will be in the user role.
#432 / Oct 03, 2011 7:18am
I have performed the following steps:
1 - Downloaded Tank Auth latest version from http://konyukhov.com/soft/tank_auth/
2 - Downloaded CodeIgniter V2.0.3 from http://codeigniter.com/
3 - Added all files and restored the database schema as well as the database configuration
4 - Disabled Captcha and sending of activation emails by setting the variables to FALSE
5 - First user is registered successfully (checked from user table)
But problems occur while:
1 - Registering another user with different info, that is:
Username already exists. Please choose another username.
2 - On login with the first registered user I get the following error page:
A Database Error Occurred
You must use the "set" method to update an entry.
Filename: C:\xampp\htdocs\tanktest\system\database\DB_active_rec.php
Line Number: 1268
But on refreshing this error page I get the following message:
Hi, admin1! You are logged in now. Logout
I have tried “code with roles Tank Auth” from https://bitbucket.org/mtsandeep/tank-auth-with-roles/src and get the same problem. Please guide me, what is wrong with my configuration? Keep in view that I am using the latest version of both CodeIgniter and Tank Auth.
#433 / Oct 03, 2011 9:56am
I have performed the following steps:
1 - Downloaded Tank Auth latest version from http://konyukhov.com/soft/tank_auth/
2 - Downloaded CodeIgniter V2.0.3 from http://codeigniter.com/
3 - Added all files and restored the database schema as well as the database configuration
4 - Disabled Captcha and sending of activation emails by setting the variables to FALSE
5 - First user is registered successfully (checked from user table)
Can you show your config.php and tank_auth.php?
#434 / Oct 04, 2011 12:49am
Ya sure. config.php (just the commented lines removed to reduce code size):
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');
$config['base_url'] = '';
$config['index_page'] = 'index.php';
$config['uri_protocol'] = 'AUTO';
$config['url_suffix'] = '';
$config['language'] = 'english';
$config['charset'] = 'UTF-8';
$config['enable_hooks'] = FALSE;
$config['subclass_prefix'] = 'MY_';
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
$config['allow_get_array'] = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger'] = 'c';
$config['function_trigger'] = 'm';
$config['directory_trigger'] = 'd'; // experimental not currently in use
$config['log_threshold'] = 0;
$config['log_path'] = '';
$config['log_date_format'] = 'Y-m-d H:i:s';
$config['cache_path'] = '';
$config['encryption_key'] = '1234567890';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_expire_on_close'] = FALSE;
$config['sess_encrypt_cookie'] = FALSE;
$config['sess_use_database'] = TRUE;
$config['sess_table_name'] = 'ci_sessions';
$config['sess_match_ip'] = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update'] = 300;
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path'] = "/";
$config['cookie_secure'] = FALSE;
$config['global_xss_filtering'] = TRUE;
$config['csrf_protection'] = FALSE;
$config['csrf_token_name'] = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire'] = 7200;
$config['compress_output'] = FALSE;
$config['time_reference'] = 'local';
$config['rewrite_short_tags'] = FALSE;
$config['proxy_ips'] = '';
tank_auth.php:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
$config['website_name'] = 'Your project';
$config['webmaster_email'] = '[email protected]';
$config['phpass_hash_portable'] = FALSE;
$config['phpass_hash_strength'] = 8;
$config['allow_registration'] = TRUE;
$config['captcha_registration'] = FALSE; // edited as FALSE
$config['email_activation'] = FALSE; // edited as FALSE
$config['email_activation_expire'] = 60*60*24*2;
$config['email_account_details'] = FALSE; // edited as FALSE
$config['use_username'] = TRUE;
$config['username_min_length'] = 4;
$config['username_max_length'] = 20;
$config['password_min_length'] = 4;
$config['password_max_length'] = 20;
$config['login_by_username'] = TRUE;
$config['login_by_email'] = TRUE;
$config['login_record_ip'] = TRUE;
$config['login_record_time'] = TRUE;
$config['login_count_attempts'] = FALSE; // edited as FALSE
$config['login_max_attempts'] = 5;
$config['login_attempt_expire'] = 60*60*24;
$config['autologin_cookie_name'] = 'autologin';
$config['autologin_cookie_life'] = 60*60*24*31*2;
$config['forgot_password_expire'] = 60*15;
$config['captcha_path'] = 'captcha/';
$config['captcha_fonts_path'] = 'captcha/fonts/5.ttf';
$config['captcha_width'] = 200;
$config['captcha_height'] = 50;
$config['captcha_font_size'] = 14;
$config['captcha_grid'] = FALSE;
$config['captcha_expire'] = 180;
$config['captcha_case_sensitive'] = TRUE;
$config['use_recaptcha'] = FALSE;
$config['recaptcha_public_key'] = '';
$config['recaptcha_private_key'] = '';
$config['db_table_prefix'] = '';
#435 / Oct 04, 2011 2:12am
I tried your same configuration. Got no errors.
I think it may be your server configuration. Try putting them on an online demo; it may work.