Yii Framework Forum: Default UserIdentity component


Default UserIdentity component

#1 gjb

  • Newbie
  • Yii
  • Group: Members
  • Posts: 15
  • Joined: 08-March 10

Posted 08 March 2010 - 07:14 PM

The default UserIdentity component has a slight security weakness in that it distinguishes between an incorrect username and an incorrect password:

// From UserIdentity::authenticate() in the Yii 1.x skeleton app; $users maps username => password
if(!isset($users[$this->username]))
	$this->errorCode=self::ERROR_USERNAME_INVALID;
else if($users[$this->username]!==$this->password)
	$this->errorCode=self::ERROR_PASSWORD_INVALID;
else
	$this->errorCode=self::ERROR_NONE;
return !$this->errorCode;

I appreciate that this is unlikely to be used as is for real world applications, but shouldn't this generate a more generic "incorrect username or password" error if either is invalid?

#2 Y!!

  • Advanced Member
  • Yii
  • Group: Yii Dev Team
  • Posts: 978
  • Joined: 18-June 09

Posted 08 March 2010 - 07:32 PM

Hi, I think for illustration and basic usage the standard class is pretty much okay. If you want that additional security, simply create your preferred version of the UserIdentity class (maybe with a constant ERROR_CREDENTIALS_INVALID).
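The custom identity class suggested above, as an added example (not Yii's own code and not from either poster): one generic error code for both failure cases, with the password check always executed so that the response does not differ for unknown usernames. It assumes a Yii 1.x application (CUserIdentity, CBaseUserIdentity::ERROR_NONE), PHP 5.5+ for password_verify(), and a hypothetical User active record with `username` and `password_hash` columns.

```php
<?php
// Added example: a UserIdentity that never tells "bad username" apart from
// "bad password". Assumes Yii 1.x (CUserIdentity) and a hypothetical User
// active record whose password_hash column holds password_hash() output.
class UserIdentity extends CUserIdentity
{
    // Single failure code, as suggested in the thread (value chosen here;
    // ERROR_NONE, ERROR_USERNAME_INVALID and ERROR_PASSWORD_INVALID are Yii's).
    const ERROR_CREDENTIALS_INVALID = 3;

    // Dummy bcrypt-shaped hash, constructed for this example; it can never
    // match and is only used so an unknown username still costs one verify().
    const DUMMY_HASH = '$2y$10$00000000000000000000000000000000000000000000000000000';

    private $_id;

    public function authenticate()
    {
        $user = User::model()->findByAttributes(array('username' => $this->username));

        // Run the hash comparison whether or not the user exists, so timing
        // does not reveal which of the two checks failed.
        $hash  = ($user === null) ? self::DUMMY_HASH : $user->password_hash;
        $valid = password_verify((string)$this->password, $hash);

        if ($user === null || !$valid) {
            // Same code and same message for either failure.
            $this->errorCode    = self::ERROR_CREDENTIALS_INVALID;
            $this->errorMessage = 'Incorrect username or password.';
            return false;
        }

        $this->_id       = $user->id;
        $this->errorCode = self::ERROR_NONE;
        return true;
    }

    public function getId()
    {
        return $this->_id;
    }
}
```

The login form that calls this identity must also surface a single generic message rather than mapping the two old error codes to different text, otherwise the distinction reappears one layer up.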

#3 Maurizio Domba Cerin

  • Yii - Yesss It Is !!!
  • Yii
  • Group: Yii Dev Team
  • Posts: 4,358
  • Joined: 12-October 09
  • Location:Croatia

Posted 09 March 2010 - 02:39 AM

I agree with Y!!... for the sake of learning this is really OK, but for the real world you can change it as you wish...

Here is a thread on this forum about that:

http://www.yiiframew...__fromsearch__1
