User Profile
- User
- Dieter_be
- Location
- Wetteren, Belgium
- Time Zone
- (GMT 1): Austria, Belgium, Cameroon, France, Germany, Italy, Spain
- URL
- www.jhsjatoo.org
Recent Articles
dAuth v0.3 models
User, Host, LoginAttempt models for dAuth v0.3
- Published by Dieter_be 11/15/06 - 09:13
- 14354 views
- 6 comments
dAuth v0.3 helper
helper for dAuth v0.3
- Published by Dieter_be 11/15/06 - 09:09
- 10134 views
- 0 comments
dAuth v0.3 component
the component for dAuth v0.3
- Published by Dieter_be 11/15/06 - 09:07
- 10745 views
- 9 comments
dAuth v0.3 views controller and javascript
the login, register, userinfo and change_password views; the usersController, and d_auth, sha1 javascripts for dAuth v0.3
- Published by Dieter_be 11/15/06 - 09:02
- 11824 views
- 13 comments
introduction to dAuth v0.3
This article introduces dAuth V0.3: the authentication (not authorisation) system with a focus on security, using techniques such as challenge-response, customizable multiple-stage password hashing, brute force (hammering) detection etc.
- Published by Dieter_be 11/11/06 - 12:23
- 39300 views
- 68 comments

> opposed to Core Tree's moveUp and moveDown)
Note that you can very easily do this with Cake's TreeBehavior also.
See http://book.cakephp.org/view/521/Modifying-data
Just like the source code and documentation itself, the database of issues along with their comments was a valuable resource both for the community and especially for the developers (at least, it should be).
Losing it means losing something very valuable.
For the user's convenience, we create a dummy, random string of the same length as the password, so that the user doesn't notice his password has changed as he tries to submit the form.
This is bad design because this is a hint for sniffers: if they sniff your traffic they can know the length of the password. They still don't know the password itself, so it's not a security leak, but still this is not good practice... yet another reason why we should use HTTPS.
Read more about why I recommend HTTPS and about me no longer having time for Cake/dAuth on my blog:
http://dieter.plaetinck.be/bye_cakephp_bye_dauth_hello_drupal
I don't have the time right now to check this, but I sure believe it behaves like that because I didn't explicitly program anything to handle it. So you could hack the JavaScript to send an empty hash or something for an empty password, so the server-side code can detect this and act accordingly (form validation).
I would like to announce that it seems like in the foreseeable future, I will no longer have the time to maintain dAuth. At the end of this comment you'll see the current list of bugs; most of them are not critical, but it's good to take a look at it anyway and patch dAuth yourself.
Jordy: I think it's a known (but very rare) bug; somebody once blogged about it (the title was "cakephp: always make sure you set your image paths correctly" or something like that).
Bugfix #1 for v0.3: users_controller.php line 80/81: change allowCleartext to allowClearText.
Bugfix #2 for v0.3: don't change the id of the password in the views, or make a little change to the helper to make it
Bugfix #3 for v0.3: remove the default '0000-00-00 00:00:00' from the SQL of the models.
Bugfix #4 for v0.3: change 'host_id' => ' = '.$data['Host']['id'] to 'host_id' => '= '.$data['Host']['id'] (remove the space before the equals sign).
Bugfix #5 for v0.3: don't allow registration with an empty password (patch the d_auth JavaScript).