Default UserIdentity component

The default UserIdentity component has a slight security weakness in that it distinguishes between an incorrect username and an incorrect password:

// Two distinct error codes: a caller (or attacker) can tell from the
// response whether the username exists before ever guessing a password.
if(!isset($users[$this->username]))
	$this->errorCode=self::ERROR_USERNAME_INVALID;
else if($users[$this->username]!==$this->password)
	$this->errorCode=self::ERROR_PASSWORD_INVALID;

I appreciate that this is unlikely to be used as is for real world applications, but shouldn’t this generate a more generic “incorrect username or password” error if either is invalid?

Hi, I think for illustration and basic usage the standard class is pretty much okay. If you want that additional security, simply create your preferred version of the UserIdentity class (maybe with a constant ERROR_CREDENTIALS_INVALID).
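The following is an added example of the custom identity class the reply above suggests; it is not code from the Yii project or from anyone in this thread. It collapses both failures into a single ERROR_CREDENTIALS_INVALID (the constant name comes from the reply, its value 3 is an assumption), stores only password hashes, and verifies unknown usernames against a dummy hash so that response time does not leak what the error code no longer says. The small CUserIdentityStandIn base class is a constructed stand-in for Yii 1.x's CUserIdentity (only the members used here) so the file runs with plain PHP 7+ and no framework; in a real application you would extend CUserIdentity instead.

```php
<?php
// Added example, not Yii's code. CUserIdentityStandIn is a constructed stand-in
// for Yii 1.x's CUserIdentity so this runs offline; extend CUserIdentity in a
// real application.

class CUserIdentityStandIn
{
    const ERROR_NONE = 0;
    const ERROR_USERNAME_INVALID = 1;
    const ERROR_PASSWORD_INVALID = 2;

    public $username;
    public $password;
    public $errorCode;

    public function __construct($username, $password)
    {
        $this->username = $username;
        $this->password = $password;
    }
}

class UserIdentity extends CUserIdentityStandIn
{
    // One code for both failure modes. The value is an assumption; any value
    // that does not collide with the base class constants will do.
    const ERROR_CREDENTIALS_INVALID = 3;

    // Constructed sample store: username => password_hash() of the password.
    // Hashed at runtime only to keep this file self-contained; in practice the
    // hash is computed once at registration and read from the database.
    private static function users()
    {
        static $users = null;
        if ($users === null) {
            $users = array(
                'demo'  => password_hash('demo', PASSWORD_DEFAULT),
                'admin' => password_hash('admin', PASSWORD_DEFAULT),
            );
        }
        return $users;
    }

    // Hash of a random secret nobody can log in with. Verifying unknown
    // usernames against it keeps the "no such user" path as slow as the
    // "wrong password" path, so timing does not reveal whether the account exists.
    private static function dummyHash()
    {
        static $hash = null;
        if ($hash === null) {
            $hash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
        }
        return $hash;
    }

    public function authenticate()
    {
        $users = self::users();
        $known = isset($users[$this->username]);
        $hash  = $known ? $users[$this->username] : self::dummyHash();

        // password_verify() runs on every attempt; "&& $known" is belt and
        // braces so a dummy-hash match could never log anyone in.
        $ok = password_verify((string) $this->password, $hash) && $known;

        $this->errorCode = $ok ? self::ERROR_NONE : self::ERROR_CREDENTIALS_INVALID;
        return $ok;
    }
}

// Demo: an unknown user and a wrong password look identical to the caller.
$attempts = array(
    array('nobody', 'demo'),   // no such user
    array('demo',   'wrong'),  // wrong password
    array('demo',   'demo'),   // valid credentials
);
foreach ($attempts as $a) {
    $identity = new UserIdentity($a[0], $a[1]);
    $identity->authenticate();
    printf("%-6s / %-5s -> errorCode %d\n", $a[0], $a[1], $identity->errorCode);
}
```

Merging the error codes in the identity class only helps if the rest of the login path stays equally vague: whatever your LoginForm model turns the error code into must be the same generic "incorrect username or password" message for both cases, and any logging or rate limiting should be keyed so it does not re-introduce the distinction in a response header or timing.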

I agree with Y!!. For the sake of learning this is really OK, but for the real world you can change it as you wish…

Here is a thread on this forum about that:

http://www.yiiframework.com/forum/index.php?/topic/7307-useridentity-error-messages/page__fromsearch__1