
#2347 (remember me filter does not work properly in an unsecure module/action)


Ticket #2347 (new defect)

Opened 1 year ago

Last modified 2 months ago


Reported by: FrankStelzer
Assigned to: fabien
Priority: minor
Milestone:
Component: sfGuardPlugin
Version: 1.0.0
Keywords:
Cc: Kris.Wallsmith
Qualification: Unreviewed

Description

The documentation says that one has to add the sfGuardBasicSecurityFilter in this way when one wants to use the remember me filter:

    security:
      class: sfGuardBasicSecurityFilter

However, the problem is that the corresponding config handler generates this code:

    // does this action require security?
    if ($actionInstance->isSecure())
    {
      // register the security filter (here the sfGuardBasicSecurityFilter)
    }

OK, this would work fine only in secured actions. But what about the fact that the user should always be logged in across the complete application and not only in the secured actions?

So I think the sfGuardBasicSecurityFilter should be decoupled from the normal sfBasicSecurityFilter and should be called outside the security filter (optional: rename it to sfGuardRememberMeFilter).

Attachments

sfGuardRememberMeFilter.class.php (1.4 kB) - added by edlucas on 11/01/07 18:19:44.
sfRememberMeFilter that should work on paths where is_secure=false

Change History

10/07/07 19:45:06 changed by Vladimir.Udilov

See also #1793

10/08/07 09:31:17 changed by FrankStelzer

Oh damn! I searched some time ago for this problem in trac, but didn't find anything. It seems that I should have looked again when I created this ticket. Sorry for this doublet; #1793 is actually the same problem.

I leave the resolution open, because the other ticket is already closed.

11/01/07 18:19:44 changed by edlucas

  • attachment sfGuardRememberMeFilter.class.php added.

sfRememberMeFilter that should work on paths where is_secure=false

11/01/07 18:25:50 changed by edlucas

I've attached a filter class that basically does exactly what you describe, Frank. It inherits from sfFilter rather than sfBaseSecurityFilter so that it does not redirect to the login page.

I am using it myself, and have added it to filter.yml just before the security filter is called.

Does this solve the problem or have I missed something?

(follow-up: ↓ 5 ) 11/15/07 23:45:29 changed by FrankStelzer

Your filter looks good, edlucas! I will use it in my project when I have time for it. That means you do not use the security filter of the sfGuardPlugin at all?

I will give feedback if your filter does what I want!

(in reply to: ↑ 4 ) 11/16/07 01:33:24 changed by edlucas

The sfGuardBasicSecurityFilter is still essential for secure pages, but for public pages, the RememberMeFilter should be all you need. I looked at merging the two, but the security filter is only fired on pages where is_secure=true, so it's probably less invasive to keep them separate.

I'm using it myself, so I would be very interested to know if it has any bugs/features. Good luck

06/13/08 18:57:16 changed by Kris.Wallsmith

  • cc set to Kris.Wallsmith.

Just to chime in -- I always decouple the remember me functionality from the security filter for these same reasons. A returning user with this cookie should be signed in as soon as hitting the home page, so the home page could say "Welcome back, John Doe!" for example.

What is the prospect of this being implemented?

08/19/08 10:41:37 changed by FrankStelzer

I found another good solution here: blog entry

So my proposal is to add the additional sfGuardRememberMeFilter to the plugin, and the users can choose if they want to activate this second filter.
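
The decoupled filter discussed in this ticket, written out as an added example; it is not the attached sfGuardRememberMeFilter.class.php and not the plugin's own code. It assumes the plugin's sfGuardRememberKeyPeer model, an is_active flag on the user, and the app_sf_guard_plugin_* settings named in the comments; the filters.yml key remember_me is hypothetical.

```php
<?php
// Added example (assumptions: sfGuardRememberKeyPeer, getIsActive(), and the
// app_sf_guard_plugin_* settings exist as in sfGuardPlugin 1.0).
//
// filters.yml, registered before the security filter (key name is hypothetical):
//   remember_me:
//     class: sfGuardRememberMeFilter
//   security:
//     class: sfGuardBasicSecurityFilter

class sfGuardRememberMeFilter extends sfFilter
{
  public function execute($filterChain)
  {
    $context = $this->getContext();
    $user    = $context->getUser();

    // Run once per request, and only for visitors who are not signed in yet.
    if ($this->isFirstCall() && !$user->isAuthenticated())
    {
      $name   = sfConfig::get('app_sf_guard_plugin_remember_cookie_name', 'sfRemember');
      $cookie = $context->getRequest()->getCookie($name);

      // Only a non-empty string reaches the database lookup.
      if (is_string($cookie) && $cookie !== '')
      {
        $c = new Criteria();
        $c->add(sfGuardRememberKeyPeer::REMEMBER_KEY, $cookie);
        $key = sfGuardRememberKeyPeer::doSelectOne($c);

        // Reject stale keys and deactivated accounts instead of signing them in.
        $maxAge = sfConfig::get('app_sf_guard_plugin_remember_key_expiration_age', 15 * 24 * 3600);
        $fresh  = $key && strtotime($key->getCreatedAt()) + $maxAge > time();
        $guard  = $fresh ? $key->getSfGuardUser() : null;

        if ($guard && $guard->getIsActive())
        {
          $user->signIn($guard);
        }
      }
    }

    // No redirect or forward here: anonymous visitors continue to public actions,
    // and sfGuardBasicSecurityFilter still guards actions with is_secure=true.
    $filterChain->execute();
  }
}
```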