08-14-2007, 05:18 PM
Security issue

Hi everybody,
I have a big question for you:
in native PHP, in order to check a user's authentication we used to perform an action like this:
if($_SESSION["auth"]) echo "authenticated";
else exit();

but using ZF in order to check the privilege, we have to call Zend_Auth::getInstance(),
which creates a session cookie even if the visitor isn't authenticated, doesn't it?
After that we have a session cookie!

Please let me know if I am right and/or show me a workaround.

thank you
cheers Fabrizio
08-14-2007, 09:01 PM, Elemental

yes and no.

Zend_Auth::getInstance() actually creates a session namespace. I believe the default is 'Default'. Once a user authenticates, that namespace receives an identity. So to check if a user is authenticated you do the following:

Code:
//get an instance of the auth object which is bound to the session namespace 'Default'
$auth = Zend_Auth::getInstance();
if ($auth->hasIdentity()) {
   echo "Authenticated!";
} else {
   echo "Not Authenticated!";
}
Here's a good tutorial for getting started with Zend_Auth

What I prefer is to actually create my own session namespace in my bootstrap:
Code:
$session = new Zend_Session_Namespace('Default');
Zend_Registry::set('session', $session);
This allows me to use session based features without an authenticated user. Then I setup the auth object to use that session.
Code:
$auth = Zend_Auth::getInstance();
$auth->setStorage(new Zend_Auth_Storage_Session('Default'));
It seems redundant as I used 'Default' for my namespace; you can call it whatever you want. The reason I prefer this method is to avoid creating multiple sessions. This way I create a session, and when the authentication takes place it uses the same existing session vs. creating a new authenticated session. That and I get to play with more Zend gewdness.

Last edited by Elemental : 08-14-2007 at 09:09 PM.
08-17-2007, 08:39 AM

I get your point,
but actually my question was related to the security issues that an instance of the auth session could bring to your application.

In my opinion (after having checked the source code of Zend_Auth::getInstance()), in order to check if a session exists ZF creates it, executing a call to new Zend_Session_Namespace('Auth')!
So, if it didn't exist before, after checking it will exist, and an auth cookie will be created! It will be empty, but in fact it will be created!

Some malicious user that tries to hack our application by bypassing the login using some technique of cookie poisoning could find an auth cookie instantiated, even if our purpose was just to check the privileges, not to gain them!

Additionally, I think your idea to set authenticated data in the same session cookie 'Default' could be a wrong idea, because of the fact I've just explained.
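One way to avoid the cookie-on-check behaviour the thread is about: only consult Zend_Auth when the browser already presents a session cookie, so a privilege check on an anonymous visitor never starts a session. This is an added example for this thread, not code from either poster or from Zend Framework; it assumes ZF 1.x on the include path, cookie-based session ids, and an arbitrarily chosen storage namespace 'Auth'.

```php
<?php
// Added example (not from the thread). Assumes Zend Framework 1.x on the
// include path and PHP's default cookie-based session id transport.
require_once 'Zend/Session.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Storage/Session.php';

/**
 * Returns the authenticated identity, or null for an anonymous visitor.
 * A session (and thus a cookie) is only ever touched when the request
 * already carries the session cookie, so a mere check never creates one.
 */
function currentIdentity()
{
    // No session cookie: the visitor cannot hold an identity, and we
    // must not hand out a cookie just for asking the question.
    if (!isset($_COOKIE[session_name()])) {
        return null;
    }
    $auth = Zend_Auth::getInstance();
    // Namespace name 'Auth' is an assumption; use what the app uses.
    $auth->setStorage(new Zend_Auth_Storage_Session('Auth'));
    return $auth->hasIdentity() ? $auth->getIdentity() : null;
}

/**
 * Call from the login action after credentials have been verified.
 * Regenerating the id means a cookie value the browser held before
 * login never becomes an authenticated one.
 */
function storeIdentity($identity)
{
    Zend_Session::regenerateId();
    $auth = Zend_Auth::getInstance();
    $auth->setStorage(new Zend_Auth_Storage_Session('Auth'));
    $auth->getStorage()->write($identity);
}

// Usage in a protected action: anonymous visitors are refused without
// a session ever having been started for them.
$identity = currentIdentity();
if ($identity === null) {
    header('HTTP/1.0 403 Forbidden');
    exit;
}
echo 'Authenticated as ' . htmlspecialchars((string) $identity);
```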