Ticket #679 (closed Feature Request: fixed)

Opened 5 months ago

Last modified 5 months ago

Auth: Remove database object from user object in session

Reported by: neovive
Owned by: Shadowhand
Priority: major
Milestone: 2.2
Component: Modules:Auth
Version: SVN HEAD
Keywords: auth user security
Cc:

Description

The Auth module currently saves the entire user object in the session after a successful login, which contains database information that even includes a full text version of the password in the embedded Database_Mysql_Driver Object (the password is removed from the main Database Object only). There doesn't seem to be a need to include any DB connection information (including username) in the browser session.

Suggestion: Create a user_session subclass for data storage that contains the database fields from the user table (user_id, username, name, roles - array, etc.). It could contain a has() method to retrieve the role from the local array instead of from the database.
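As an added illustration, not the Kohana Auth module's own code, the following PHP shows the pattern the ticket describes (a model that carries a live database driver is serialized into the session, so the driver's credentials land in the session store) beside the suggested session-only data object with a local has() check; the class names Db_Driver, User_Model and User_Session and the sample credentials are hypothetical.

```php
<?php
// Added example, not Kohana's code. Db_Driver, User_Model and User_Session
// are hypothetical names; the credentials below are constructed sample values.

class Db_Driver {
    public function __construct(public string $host, public string $user, public string $password) {}
}

class User_Model {
    public function __construct(public int $id, public string $username, public array $roles, public Db_Driver $db) {}
}

// Vulnerable pattern: the whole model, driver and credentials included,
// is serialized and written to the session store.
function login_vulnerable(User_Model $user): string {
    return serialize($user);
}

// Suggested pattern: a session-only object holding just the user table fields.
class User_Session {
    public function __construct(public int $id, public string $username, public array $roles) {}

    public static function from_model(User_Model $u): self {
        return new self($u->id, $u->username, $u->roles);
    }

    // Role check against the local array; no database round trip needed.
    public function has(string $role): bool {
        return in_array($role, $this->roles, true);
    }
}

function login_fixed(User_Model $user): string {
    return serialize(User_Session::from_model($user));
}

$db   = new Db_Driver('localhost', 'kohana', 's3cret-db-pass'); // constructed
$user = new User_Model(42, 'alice', ['login', 'admin'], $db);

$leaky = login_vulnerable($user);
$safe  = login_fixed($user);

// Check whether the database password survives into each session payload.
echo 'vulnerable payload leaks DB password: ', str_contains($leaky, 's3cret-db-pass') ? 'yes' : 'no', PHP_EOL;
echo 'fixed payload leaks DB password: ', str_contains($safe, 's3cret-db-pass') ? 'yes' : 'no', PHP_EOL;
echo 'role check from session data, has(admin): ', unserialize($safe)->has('admin') ? 'yes' : 'no', PHP_EOL;
```

Inspecting the serialized string is the same check a reviewer can run against a real session file on disk to confirm no connection details are stored.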

Change History

Changed 5 months ago by Shadowhand

  • status changed from new to assigned

Fixed by r3021.

Changed 5 months ago by Shadowhand

  • status changed from assigned to closed
  • resolution set to fixed