Pragmatism in the real world

New Tutorial: Getting Started with Zend Auth

Having promised that I’d look into a tutorial for Zend_Auth ages and ages ago, I’ve finally managed to get one together

Note that this tutorial only covers Zend_Auth; Zend_Acl will have to be the topic for another one at some point in the future!

As always, if you have any comments (especially corrections!) then please let me know. Who knows? Maybe we won’t need 30 revisions to catch all the typos this time!

Update
That didn’t take long! David found some typos within 15 mins!

10 thoughts on “New Tutorial: Getting Started with Zend Auth

  1. Rob,

    Thanks for the tutorial. I am having a little trouble getting it to work though:

    Fatal error: Uncaught exception 'Zend_Session_Exception' with message 'Unwritable session.save_path: ' in /webservices/sites/default/test/zend/zend_auth/library/Zend/Session.php:212

    Do you know, or have a good guess, how to fix this error? I am using Zend Framework 0.9.1

    Thanks,
    Jeff

  2. Jeff,

    That's a PHP issue. In php.ini, the session.save_path setting should be set to a directory that the webserver has write access to.

    Regards,

    Rob…

  3. As far as I can tell, the default Zend_Auth storage method doesn't encrypt the data in any way does it? What if the session data is stolen off the server? (Like a shared session.save_path on a shared host)

    Also, I don't see anywhere in Zend_Session where it regenerates the session ID. That makes it open to session hijacking.

    Unless I'm wrong, I think these issues should be mentioned. People shouldn't rely 100% on what the Zend Framework supplies them and assume that it's safe just because it's from Zend.

  4. Kyle,

    You are correct regarding session data encryption.

    Zend_Session has a regenerateId() function however. To use it, just put Zend_Session::regenerateId() into your bootstrap and it'll regenerate the session id every time for you. See the manual for further details.

    At some point I should really work out what the performance and bandwidth costs are for regenerating the session id every request.

    Regards,

    Rob…

  5. Hi,

    Yeah, I noticed regenerateId() later on while looking through it properly. However, it only seems to be automatically called with rememberUntil (i.e. log me in for 2 days rather than just this browser session). Can you see it being used automatically elsewhere?

    To prevent session fixation I would have expected Zend_Auth to do it whenever a user logs in, not only when an expiry date is set.

    To prevent session hijacking it would have been nice to have Zend_Auth regenerate an id whenever it is used (or maybe every 5 times or something if it's a big performance hit).

    It just seems that if you're going to have a wrapper for authenticating users then it should do everything that's needed and not require you to put stuff elsewhere.

    Since I'm going to alter the session storage to add a secret key + hash, expire, timeout, ip changes, etc, I'll make it regenerate ID's too (or maybe make my own auth class from scratch so I can know 100% what's going on, I don't like being fuzzy with security). So none of this is really a problem for me but Zend could have made it more secure from the start (unless, once again, I've missed something).

  6. Actually, this is at the top of Zend_Session:

    'use_only_cookies' => 'on'

    I guess that prevents session fixation then.

  7. i was having a lot of trouble with the session save path in v.09. when i set it with:
    ini_set('session.save_path','/home/[site]/tmp/');
    it worked fine.

  8. Same issue with the save path here. session_start works fine without an error. I can set a variable and see that the /tmp/sess_* file is updated. If I remove that code and try to use Zend_Session it says "Unwritable session.save_path"

  9. It seems that the internal session functionality sets the save_path to be the system default if it is not explicitly set in the php.ini file, but does not change the ini potions.

    When Zend_Session::setOptions attempts to
    $savePath = ini_get('session.save_path');
    an empty string is returned.

    Like forrest, I had to add an ini_set() in my code.

Comments are closed.