ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

DX Auth 1.0.6 (Authentication library)

December 01, 2008 6:14am

  • #331 / Jan 31, 2009 5:38pm

    Xeoncross

    350 posts

    Ok, what is with the DX_salt value in the config file? I thought that it was used on user salts - but I guess not as I don’t see it ANYWHERE in any of the files. So why is it even there? And why isn’t a site-wide salt like that used?

    /*
    |--------------------------------------------------------------------------
    | Password salt
    |--------------------------------------------------------------------------
    |
    | You can add major salt to be hashed with password.
    | For example, you can get salt from here: https://www.grc.com/passwords.htm
    |
    | Note:
    |
    | Keep in mind that if you change the salt value after user registered,
    | user that previously registered cannot login anymore.
    |
    */

    $config['DX_salt'] = '';
  • #332 / Jan 31, 2009 7:51pm

    Xeoncross

    350 posts

    ::BUG::

    There is a bug with the default password of “hello” for the two user accounts. Depending on what OS and PHP version you have, the computed crypt() and md5() hash string will be different. I just installed the system on a C2Q running WinXP and PHP 5.2.8 and it came up with a different hash, so I couldn’t log into the admin account. So I dug through the system code and found out how the system makes password hashes and created a function that will generate a password for the admin account.

    function change_password($username = 'admin', $new_password = 'hello')
    {
        // Load the DX Auth users model
        $this->load->model('dx_auth/users', 'users');

        // Try to get the user; continue only if a row was found
        if (($row = $this->users->get_user_by_username($username)) && $row->num_rows()) {

            $encode_pw = $this->dx_auth->_encode($new_password);
            $crypt_pw  = crypt($encode_pw);

            print 'You gave the password: <b>' . $new_password . "</b>\n";
            print 'Password hash for database row: <b>' . $crypt_pw . "</b>\n";

            /* How Register() checks the password…
            $hash = crypt($encode_pw, $crypt_pw); // from row created above

            if ($hash === $crypt_pw) {
                print 'They match.';
            }
            */

        } else {
            print 'Username not found';
        }
    }

    If you pass this function a username and a temp password (like “hello”) it will make a hash that works on your system and then you can insert that into the database row instead of the default hash in the SQL file.

    Then delete this function (or mark it as private) so that it can’t be run any longer.
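
    The portability problem described above, as an added example (not DX Auth code and not from this thread): a crypt() hash made without an explicit salt takes whatever scheme the platform defaults to, while a full `$6$` salt string pins the algorithm so the hash verifies anywhere with the same `crypt($pw, $stored) === $stored` check. Function names are assumed; PHP 7+ is assumed for random_int() and hash_equals().

```php
<?php
// Added example, not DX Auth code: why a crypt() hash made without an
// explicit salt is not portable, and how to make one that is.
// DX Auth stores crypt($encoded_pw) and later verifies with
//     crypt($encoded_pw, $stored) === $stored
// With no salt argument, crypt() uses whatever scheme the platform
// defaults to (DES, MD5, ...), so the hash shipped in the SQL file may
// not verify on a different OS/PHP build. Supplying a full salt string
// pins the scheme. Assumes PHP 7+ (random_int, hash_equals).

// Random salt in the alphabet crypt() accepts: [./0-9A-Za-z]
function make_crypt_salt($length = 16)
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    for ($i = 0; $i < $length; $i++) {
        $salt .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $salt;
}

// SHA-512 crypt ($6$) is built into PHP since 5.3.2 on every platform,
// so the resulting hash verifies on any box.
function hash_password_portable($password)
{
    return crypt($password, '$6$rounds=5000$' . make_crypt_salt() . '$');
}

// The stored hash carries its own scheme and salt; the check is the same
// crypt($pw, $stored) pattern DX Auth uses, with a constant-time compare.
function verify_password($password, $stored)
{
    return hash_equals($stored, crypt($password, $stored));
}

$stored = hash_password_portable('hello');
echo "Portable hash: $stored\n";
var_dump(verify_password('hello', $stored));
var_dump(verify_password('h3llo', $stored));

// The non-portable form from the thread. PHP 8 makes the salt argument
// mandatory, so this branch only runs on older interpreters.
if (PHP_VERSION_ID < 80000) {
    echo 'Platform-default crypt(): ' . crypt('hello') . "\n";
}
```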

  • #333 / Feb 04, 2009 6:25am

    Nuu

    3 posts

    Great lib.

    How do I change the registration email so that it does not send the password?  Right now it includes the password in the clear within the mail.

    Thanks.

  • #334 / Feb 04, 2009 6:30am

    Hartimer

    20 posts

    > Great lib.
    >
    > How do I change the registration email so that it does not send the password? Right now it includes the password in the clear within the mail.
    >
    > Thanks.

    On your config folder you have dx_auth.php

    Change the line that says

    $config['DX_email_details'] = TRUE;

    to FALSE. I’m not sure if the name of the variable is correct, but it looks something like that.

    Hope it helps

  • #335 / Feb 04, 2009 10:31am

    Scott Boyde

    208 posts

    > Hi, I’m trying to use this library but am facing this problem: when I tried to log in it gives me the following error
    >
    > A Database Error Occurred
    > Error Number: 1064
    >
    > You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE `ip_address` = '127.0.0.1'' at line 2
    >
    > SELECT 1 WHERE `ip_address` = '127.0.0.1'
    >
    > The table name is missing in the query.

    Did you get this sorted?

  • #336 / Feb 04, 2009 1:49pm

    phazei

    46 posts

    I’ve been looking at lots of different auth systems and I’m pretty sure I’m going to go with this one. The docs are what won it over for me, really nice.

    I had found this review:
    http://stackoverflow.com/questions/346980/what-code-igniter-authentication-library-is-best
    (3rd answer)
    Which was really informative.
    I was wondering though, how many of these issues have been resolved?

      1. Only lets users ‘reset’ a lost password (rather than letting them pick a new one upon reactivation)
      2. Homebrew pseudo-event model - good intention, but misses the mark
      3. Two password fields in the user table, bad style
      4. Uses two separate user tables (one for ‘temp’ users - ambiguous and redundant)
      5. Uses potentially unsafe md5 hashing
      6. Failed login attempts only stored by IP, not by username - unsafe!
      7. Autologin key not hashed in the database - practically as unsafe as storing passwords in cleartext!
      8. Role system is a complete mess: is_admin function with hard-coded role names, is_role a complete mess, check_uri_permissions is a mess, the whole permissions table is a bad idea (a URI can change and render pages unprotected; permissions should always be stored exactly where the sensitive logic is). Dealbreaker!
      9. Includes a native (poor) CAPTCHA
      10. reCAPTCHA function interface is messy


    It’s not going to make a difference on my using DX Auth, but it would be nice if some were resolved.

    On 1:
    I’m not sure how password resets work, but I hate sending a random plain text one via email.  Sending a special link in the email with a one time or one day use link to reset the password on the site seems to work best.

    I could care less about 2-5.

    6 is really simple to fix and would be nice
    7 is somewhat important

    I don’t know about 8.

    And 9-10 aren’t very important.

    About the temp user table, if someone signs up and hasn’t activated yet, if someone else registers does it check their username and password against the temp table as well as the main one?

    Any reason a second table was used rather than just putting a key in the main table for activated or not?


    Thanks,
      Adam
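
    Items 6 and 7 in the quoted review, as an added example of how they would be addressed (not DX Auth code and not from this thread): only a hash of the autologin key is stored, and failed logins are counted per username as well as per IP. The arrays stand in for the users and login-attempts tables; function names are assumed, and PHP 7+ is assumed for random_bytes() and hash_equals().

```php
<?php
// Added example, not DX Auth code: fixes for review items 6 and 7.
// Arrays stand in for the users and login-attempts tables; names are
// assumed. Requires PHP 7+ (random_bytes, hash_equals).

// Item 7: the autologin key is a random secret, so it deserves the same
// treatment as a password. Only its hash is stored; the raw value goes in
// the cookie. A leaked table row alone is then not enough to log in.
function issue_autologin_key(array &$users, $username)
{
    $raw = bin2hex(random_bytes(32));
    $users[$username]['autologin_hash'] = hash('sha256', $raw);
    return $raw; // value to place in the autologin cookie
}

function check_autologin_key(array $users, $username, $cookie_value)
{
    if (!isset($users[$username]['autologin_hash'])) {
        return false;
    }
    return hash_equals($users[$username]['autologin_hash'], hash('sha256', $cookie_value));
}

// Item 6: count failures per username as well as per IP, so an account
// that sees failures from many addresses is still throttled.
function record_failed_login(array &$failed, $username, $ip)
{
    foreach (array("user:$username", "ip:$ip") as $key) {
        $failed[$key] = isset($failed[$key]) ? $failed[$key] + 1 : 1;
    }
}

function is_locked_out(array $failed, $username, $ip, $max = 5)
{
    $by_user = isset($failed["user:$username"]) ? $failed["user:$username"] : 0;
    $by_ip   = isset($failed["ip:$ip"]) ? $failed["ip:$ip"] : 0;
    return $by_user >= $max || $by_ip >= $max;
}

$users = array();
$failed_attempts = array();

$cookie = issue_autologin_key($users, 'adam');
var_dump(check_autologin_key($users, 'adam', $cookie));
var_dump(check_autologin_key($users, 'adam', 'not-the-key'));

for ($n = 0; $n < 5; $n++) {
    record_failed_login($failed_attempts, 'adam', "10.0.0.$n");
}
var_dump(is_locked_out($failed_attempts, 'adam', '10.0.0.99'));
```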

  • #337 / Feb 04, 2009 2:42pm

    Kodess

    1 posts

    dexcell must be pretty busy as he hasn’t posted here for over a month….

    I was just implementing Redux Auth, when I saw this and I think this library works better for me.

    I’ll post any cool tricks I use which might be handy, as well as posting my questions 😊

  • #338 / Feb 04, 2009 7:17pm

    phazei

    46 posts

    I have a menu that is called after $this->dx_auth->logout();

    It calls $this->ci->dx_auth->is_logged_in();

    But when the user logs out, the is_logged_in() seems to still return true because the menus don’t change unless I hit refresh.

    What can I do to fix that?

    I made sure to select use DB for sessions, but that doesn’t affect it.

    I know the cookies don’t reflect changes till next page refresh, so it could be that, but I don’t know.

    Help 😊

    thanks

  • #339 / Feb 04, 2009 11:42pm

    Nuu

    3 posts

    > I have a menu that is called after $this->dx_auth->logout();
    >
    > It calls $this->ci->dx_auth->is_logged_in();
    >
    > But when the user logs out, the is_logged_in() seems to still return true because the menus don’t change unless I hit refresh.
    >
    > What can I do to fix that?
    >
    > I made sure to select use DB for sessions, but that doesn’t affect it.
    >
    > I know the cookies don’t reflect changes till next page refresh, so it could be that, but I don’t know.
    >
    > Help 😊
    >
    > thanks

    I had this issue when I installed the base codeigniter+dx_auth. The reason why it’s happening is that the session record in the database was not deleted after you logout.

    The quick and dirty fix I did was to change the system/libraries/Session.php (line 30):

      var $sess_use_database = TRUE;


    By default it is set to FALSE and hence the session library skipped the deletion of the session row.

    I really hate modifying the default library code as it could mess up future upgrades, but this did the trick for me. Perhaps someone more well-versed in php/codeigniter could find where the original issue is.

  • #340 / Feb 05, 2009 3:18am

    hugle

    289 posts

    > I have a menu that is called after $this->dx_auth->logout();
    >
    > It calls $this->ci->dx_auth->is_logged_in();
    >
    > But when the user logs out, the is_logged_in() seems to still return true because the menus don’t change unless I hit refresh.
    >
    > What can I do to fix that?
    >
    > I made sure to select use DB for sessions, but that doesn’t affect it.
    >
    > I know the cookies don’t reflect changes till next page refresh, so it could be that, but I don’t know.
    >
    > Help 😊
    >
    > thanks

    Hi.
    You probably get the ‘logged in menu’ because it was generated before you logged the user out.

    Try this:
    $this->dx_auth->logout();
    header('Location: /'); // here you will get your page refreshed after logout.

    Good luck!

  • #341 / Feb 05, 2009 5:19am

    phazei

    46 posts

    Nuu,
    I tried that, though it was already set in the config file. Didn’t make a difference either way.

    hugle,
    I call the menu function right after I call the logout().  But I suppose it doesn’t update till next load because of something with cookies.  I should try that natural session plug-in.

    header('Location: ./'); took care of it well enough though.

    Thanks!

  • #342 / Feb 05, 2009 5:32am

    phazei

    46 posts

    Umm, this might be a silly question… but, how do I use this to protect my pages?

    I mean, am I supposed to check if user is logged in at the beginning of every function?

    I saw the uri permissions page, but it doesn’t affect anything. Is there a model or library I can auto load or put in my constructors that will redirect anyone to the login page or some specified page if their uri permissions don’t match?

    I checked the docs, but I must have missed it… heh.

  • #343 / Feb 05, 2009 9:09am

    jcavard

    130 posts

    Let’s say the user level gives access to all functions within a given controller, then you only have to put something like this in the constructor

    $this->dx_auth->check_uri_permissions();

    Otherwise, say the level gives access to “controller/function_a/”, but not to “controller/function_b/”, you will have to put that same line (or a similar one available to check for permissions) inside every function of that said controller.

    Hope I got your point right and that it helps. Good luck!

  • #344 / Feb 06, 2009 2:50am

    phazei

    46 posts

    Thanks.

    Also, with the uri permissions, if I have something like:

    $route['main'] = 'auth/login';

    Would I put
    /main/
    or
    /auth/login/
    or both?

  • #345 / Feb 06, 2009 9:05am

    jcavard

    130 posts

    > Thanks.
    >
    > Also, with the uri permissions, if I have something like:
    >
    > $route['main'] = 'auth/login';
    >
    > Would I put
    > /main/
    > or
    > /auth/login/
    > or both?

    I am not sure I get your point. Are you referring to the route config file? Actually, in mine, I have $route['default_controller'] which is set to 'auth'. So when the user goes to http://www.my-site.com, it first lands on that login controller (which redirects to the login form, or the main page if the user is already logged in).
