Feature Request #2311
Signed Cookies
| Status: | Closed | Start date: | 11/04/2009 |
|---|---|---|---|
| Priority: | Immediate | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Helpers | | |
| Target version: | 2.4 | | |
| Resolution: | fixed | Points: | |
Description
At the moment the auto login feature of auth uses cookies so people can be automatically logged in. These cookies are not protected and, if stolen, can result in the compromise of someone's account. I've patched the cookie helper to add support for signed cookies.
However, I have not figured out how to adapt the sessions library.
Patch included.
Associated revisions
Added signed cookies (ported from Kohana3), thanks Mathew! refs #2311
Corrected comment about the cookie.httponly setting. Refs #2311
History
Updated by Mathew Davies over 2 years ago
- File signed-cookies-improved.diff added
Improved patch, fixed sessions bug.
Updated by Mathew Davies over 2 years ago
Side note, it may be wise to remove the cookie method from the input library as it sends back the hashed string with value and may cause more API breakage than you'd originally have liked.
You could even just re-route it to use cookie::get instead.
Updated by Isaiah DeRose-Wilson over 2 years ago
- Status changed from New to Assigned
- Assignee set to Isaiah DeRose-Wilson
- 11 changed from 2.3.4 to SVN HEAD
Updated by Isaiah DeRose-Wilson over 2 years ago
The input class needs to be updated to use cookie::get() instead of using $_COOKIE directly. With signed cookies you can't use the cookie helper to create the cookie and then access it using $_COOKIE. If you want signed cookies you have to use the cookie helper for everything. If you don't want to use signed cookies you have to use the $_COOKIE global directly.
Updated by Isaiah DeRose-Wilson over 2 years ago
- Status changed from Assigned to Closed
- Resolution set to fixed
Updated the Input::cookie() function to use cookie::get() instead of $_COOKIE
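The behaviour discussed in this thread, as an added PHP illustration (not the patch attached to this issue and not Kohana's cookie helper): the stored cookie is a signature plus the value, so reading `$_COOKIE` directly returns the signed string, while a verifying getter returns the value or rejects it. The HMAC-SHA256 construction, the `~` separator, the salt and all function names are assumptions made for the example.

```php
<?php
// Added illustration: not Kohana's cookie helper. The salt, the "~" separator
// and the function names are assumptions made for this example.

const COOKIE_SALT = 'replace-with-a-long-random-secret'; // constructed value

// Sign name and value together so a signature cannot be moved to another cookie.
function cookie_signature(string $name, string $value): string
{
    return hash_hmac('sha256', $name . '=' . $value, COOKIE_SALT);
}

// Build the string that is actually stored in the browser.
function signed_cookie_encode(string $name, string $value): string
{
    return cookie_signature($name, $value) . '~' . $value;
}

// Return the original value, or null if the cookie is missing, unsigned or altered.
function signed_cookie_decode(string $name, array $cookies): ?string
{
    if (!isset($cookies[$name]) || !is_string($cookies[$name])) {
        return null;
    }
    $parts = explode('~', $cookies[$name], 2);
    if (count($parts) !== 2) {
        return null; // no signature present
    }
    [$mac, $value] = $parts;
    // hash_equals() compares in constant time
    return hash_equals(cookie_signature($name, $value), $mac) ? $value : null;
}

// Constructed sample: what the browser would send back for an auto-login cookie.
$jar = ['autologin' => signed_cookie_encode('autologin', 'token-1234')];

var_dump($jar['autologin'] === 'token-1234');      // raw access sees signature~value
var_dump(signed_cookie_decode('autologin', $jar)); // value after verification

// A client that edits the value cannot produce a matching signature.
$jar['autologin'] = substr($jar['autologin'], 0, 65) . 'token-9999';
var_dump(signed_cookie_decode('autologin', $jar));

// A signature copied onto a different cookie name is rejected too.
$jar['other'] = signed_cookie_encode('autologin', 'token-1234');
var_dump(signed_cookie_decode('other', $jar));
```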