Comments on: Logging in users via Zend_Auth without Sessions in PHP / Zend Framework http://marcuswelz.com/2009/01/03/logging-in-users-via-zend_auth-without-sessions-in-php-zend-framework/ working hard at avoiding to write code Wed, 28 Jul 2010 15:33:48 +0000 hourly 1 http://wordpress.org/?v=3.0 By: marcus http://marcuswelz.com/2009/01/03/logging-in-users-via-zend_auth-without-sessions-in-php-zend-framework/comment-page-1/#comment-1439 marcus Wed, 06 May 2009 00:06:13 +0000 http://metaversedeveloper.com/?p=274#comment-1439 Thanks for pointing that out, Cliff, I appreciate it. I've updated the code. As one might imagine, the base64 encoding was an untested last-minute change that I am not using in my production code because of the overhead. Keeping the identity (say, just a username) in clear text also allows for some neat features, such as the ability to read it out via Javascript and update otherwise static HTML with a seemingly dynamic header. I'll save that for another post. Thanks for pointing that out, Cliff, I appreciate it. I've updated the code.

As one might imagine, the base64 encoding was an untested last-minute change that I am not using in my production code because of the overhead.

Keeping the identity (say, just a username) in clear text also allows for some neat features, such as the ability to read it out via Javascript and update otherwise static HTML with a seemingly dynamic header. I'll save that for another post.

]]> By: Cliff http://marcuswelz.com/2009/01/03/logging-in-users-via-zend_auth-without-sessions-in-php-zend-framework/comment-page-1/#comment-1224 Cliff Tue, 28 Apr 2009 12:31:03 +0000 http://metaversedeveloper.com/?p=274#comment-1224 Just a heads up. In line 189 (writing the cookie): you base64_encode() the $contents _after_ you've created the MD5 hash. In line 166 (reading the cookie): you don't base64_decode() the $contents before performing the MD5 to compare against the checksum held in the cookie. Line 166-167 should be: if (md5(base64_decode($contents) . $now . $this->_secret) == $checksum) { $this->_cached = $contents; } ~ Cliff Just a heads up.

In line 189 (writing the cookie): you base64_encode() the $contents _after_ you've created the MD5 hash.

In line 166 (reading the cookie): you don't base64_decode() the $contents before performing the MD5 to compare against the checksum held in the cookie.

Line 166-167 should be:
if (md5(base64_decode($contents) . $now . $this->_secret) == $checksum) {
$this->_cached = $contents;
}

~ Cliff

]]>