Comments on: New Tutorial: Getting Started with Zend Auth http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/ Developing PHP software in the Real World, by Rob Allen Thu, 11 Mar 2010 20:06:04 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Greg http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9566 Greg Wed, 25 Apr 2007 18:58:45 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9566 It seems that the internal session functionality sets the save_path to be the system default if it is not explicitly set in the php.ini file, but does not change the ini potions. When Zend_Session::setOptions attempts to $savePath = ini_get('session.save_path'); an empty string is returned. Like forrest, I had to add an ini_set() in my code. It seems that the internal session functionality sets the save_path to be the system default if it is not explicitly set in the php.ini file, but does not change the ini potions.

When Zend_Session::setOptions attempts to
$savePath = ini_get('session.save_path');
an empty string is returned.

Like forrest, I had to add an ini_set() in my code.

]]> By: Greg http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9565 Greg Wed, 25 Apr 2007 18:45:05 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9565 Same issue with the save path here. session_start works fine without an error. I can set a variable and see that the /tmp/sess_* file is updated. If I remove that code and try to use Zend_Session it says "Unwritable session.save_path" Same issue with the save path here. session_start works fine without an error. I can set a variable and see that the /tmp/sess_* file is updated. If I remove that code and try to use Zend_Session it says "Unwritable session.save_path"

]]> By: forrest http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9564 forrest Wed, 25 Apr 2007 18:30:22 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9564 i was having a lot of trouble with the session save path in v.09. when i set it with: ini_set('session.save_path','/home/[site]/tmp/'); it worked fine. i was having a lot of trouble with the session save path in v.09. when i set it with:
ini_set('session.save_path','/home/[site]/tmp/');
it worked fine.

]]> By: Kyle http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9229 Kyle Mon, 09 Apr 2007 12:21:11 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9229 Actually, this is at the top of Zend_Session: 'use_only_cookies' => 'on' I guess that prevents session fixation then. Actually, this is at the top of Zend_Session:

'use_only_cookies' => 'on'

I guess that prevents session fixation then.

]]> By: Kyle http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9228 Kyle Mon, 09 Apr 2007 12:17:48 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9228 Hi, Yeah, I noticed regenerateId() later on while looking through it properly. However, it only seems to be automatically called with rememberUntil (i.e. log me in for 2 days rather than just this browser session). Can you see it being used automatically elsewhere? To prevent session fixation I would have expected Zend_Auth to do it whenever a user logs in, not only when an expiry date is set. To prevent session hijacking it would have been nice to have Zend_Auth regenerate an id whenever it is used (or maybe every 5 times or something if it's a big performance hit). It just seems that if you're going to have a wrapper for authenticating users then it should do everything that's needed and not require you to put stuff elsewhere. Since I'm going to alter the session storage to add a secret key + hash, expire, timeout, ip changes, etc, I'll make it regenerate ID's too (or maybe make my own auth class from scratch so I can know 100% what's going on, I don't like being fuzzy with security). So none of this is really a problem for me but Zend could have made it more secure from the start (unless, once again, I've missed something). Hi,

Yeah, I noticed regenerateId() later on while looking through it properly. However, it only seems to be automatically called with rememberUntil (i.e. log me in for 2 days rather than just this browser session). Can you see it being used automatically elsewhere?

To prevent session fixation I would have expected Zend_Auth to do it whenever a user logs in, not only when an expiry date is set.

To prevent session hijacking it would have been nice to have Zend_Auth regenerate an id whenever it is used (or maybe every 5 times or something if it's a big performance hit).

It just seems that if you're going to have a wrapper for authenticating users then it should do everything that's needed and not require you to put stuff elsewhere.

Since I'm going to alter the session storage to add a secret key + hash, expire, timeout, ip changes, etc, I'll make it regenerate ID's too (or maybe make my own auth class from scratch so I can know 100% what's going on, I don't like being fuzzy with security). So none of this is really a problem for me but Zend could have made it more secure from the start (unless, once again, I've missed something).

]]> By: Rob... http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9220 Rob... Mon, 09 Apr 2007 05:32:37 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9220 Kyle, You are correct regarding session data encryption. Zend_Session has a regenerateId() function however. To use it, just put Zend_Session::regenerateId() into your bootstrap and it'll regenerate the session id every time for you. See <a href="http://framework.zend.com/manual/en/zend.session.globalsessionmanagement.html#zend.session.regenerateid" rel="nofollow">the manual</a> for further details. At some point I should really work out what the performance and bandwidth costs are for regenerating the session id every request. Regards, Rob... Kyle,

You are correct regarding session data encryption.

Zend_Session has a regenerateId() function however. To use it, just put Zend_Session::regenerateId() into your bootstrap and it'll regenerate the session id every time for you. See the manual for further details.

At some point I should really work out what the performance and bandwidth costs are for regenerating the session id every request.

Regards,

Rob...

]]> By: Kyle http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-9207 Kyle Sun, 08 Apr 2007 11:17:26 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-9207 As far as I can tell, the default Zend_Auth storage method doesn't encrypt the data in any way does it? What if the session data is stolen off the server? (Like a shared session.save_path on a shared host) Also, I don't see anywhere in Zend_Session where it regenerates the session ID. That makes it open to session hijacking. Unless I'm wrong, I think these issues should be mentioned. People shouldn't rely 100% on what the Zend Framework supplies them and assume that it's safe just because it's from Zend. As far as I can tell, the default Zend_Auth storage method doesn't encrypt the data in any way does it? What if the session data is stolen off the server? (Like a shared session.save_path on a shared host)

Also, I don't see anywhere in Zend_Session where it regenerates the session ID. That makes it open to session hijacking.

Unless I'm wrong, I think these issues should be mentioned. People shouldn't rely 100% on what the Zend Framework supplies them and assume that it's safe just because it's from Zend.

]]> By: Jeff http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-8976 Jeff Tue, 27 Mar 2007 16:02:24 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-8976 Rob, Thanks! That did the trick. -Jeff Rob,

Thanks! That did the trick.

-Jeff

]]> By: Rob... http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-8970 Rob... Tue, 27 Mar 2007 04:58:20 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-8970 Jeff, That's a PHP issue. In php.ini, the session.save_path setting should be set to a directory that the webserver has write access to. Regards, Rob... Jeff,

That's a PHP issue. In php.ini, the session.save_path setting should be set to a directory that the webserver has write access to.

Regards,

Rob...

]]> By: Jeff http://akrabat.com/php/new-tutorial-getting-started-with-zend-auth/#comment-8964 Jeff Mon, 26 Mar 2007 22:32:34 +0000 http://akrabat.com/2007/03/25/new-tutorial-getting-started-with-zend-auth/#comment-8964 Rob, Thanks for the tutorial. I am having a little trouble getting it to work though: Fatal error: Uncaught exception 'Zend_Session_Exception' with message 'Unwritable session.save_path: ' in /webservices/sites/default/test/zend/zend_auth/library/Zend/Session.php:212 Do you know, or have a good guess, how to fix this error? I am using Zend Framework 0.9.1 Thanks, Jeff Rob,

Thanks for the tutorial. I am having a little trouble getting it to work though:

Fatal error: Uncaught exception 'Zend_Session_Exception' with message 'Unwritable session.save_path: ' in /webservices/sites/default/test/zend/zend_auth/library/Zend/Session.php:212

Do you know, or have a good guess, how to fix this error? I am using Zend Framework 0.9.1

Thanks,
Jeff

]]>