
I am pretty new to the Zend framework and looking to build an application with pretty tight password security. I have been trying to follow the user guides in relation to password salting but haven't had any luck so far. I have set up my database and table adapter (as described in the documentation on the Zend Framework site), but it didn't seem to finish the example (or I am not following well enough!). I have started with:

// The credential treatment is SQL: the '?' is replaced by the submitted password
// (quoted by Zend_Db) and password_salt is a column of the users table, so the
// database recomputes MD5(staticSalt . password . password_salt) for the row.
$authAdapter = new Zend_Auth_Adapter_DbTable(
    $dbAdapter,
    'users',
    'username',
    'password',
    "MD5(CONCAT('" . Zend_Registry::get('staticSalt') . "', ?, password_salt))"
);

But from here, what is done with the password salt? I just need an example and I'll be away! Does anyone have an example or point me in the right direction?

Many thanks!

Justin
  • There is this little icon beneath the voting option on the left of each answer. It is to mark a reply as "the correct answer". This helps finding posts that have been answered and, if you feel like answering, finding those who need an answer. Both the answers were pretty good. You might want to "accept" one of them. It would be a nice thing to do. – Andresch Serj Dec 22 '11 at 13:55

2 Answers


Excellent example of a secure login with Zend Framework (although using salts)

Login example with Zend Framework

opHASnoNAME

Authentication method:

/**
 * Authenticate user with specified identity and credential
 *
 * most used case is authenticate user inline in script
 *
 * @param string $identity
 * @param string $credential
 * @return Zend_Auth_Result
 */
public function authenticate ($identity, $credential)
{
    $auth = Zend_Auth::getInstance();
    $adapter = $this->getAdapter();
    $adapter->setIdentity($identity)
            ->setCredential(self::passwordHash($credential));

    $config = Singular_Runtime::extract('config');
    $isActiveCol = $config->resources->auth->columns->is_active;
    $isActiveAllowVal = $config->resources->auth->is_active->allow_value;

    /**
     * @see APPLICATION_PATH/configs/application.ini -> resources.auth
     */
    if (null != $isActiveCol && null != $isActiveAllowVal) {
        $adapter->getDbSelect()->where("{$isActiveCol} = ?", $isActiveAllowVal);
    }

    Singular_Event::dispatch('beforeAuth', array(
        'auth' => $auth, 'adapter' => $adapter
    ));

    $result = $auth->authenticate($adapter);

    if ($result->isValid()) {
        $auth->getStorage()->write($adapter->getResultRowObject());

        Singular_Event::dispatch('afterAuth', array(
            'auth' => $auth, 'adapter' => $adapter
        ));
    }

    return $result;
}

And password hash generation method:

/**
 * Password hash generator
 *
 * @static
 * @param  string $password
 * @return string
 */
public static function passwordHash ($password)
{
    // Case-folding means "Secret" and "secret" hash identically, which
    // shrinks the keyspace an attacker has to search.
    $password = strtolower($password);

    // No per-user salt: two users with the same password get the same hash,
    // and md5/sha1 are fast, so this is cheap to brute-force offline.
    return md5(
        str_repeat(
            md5($password) . strrev($password) . sha1($password),
            strlen($password)
        )
    );
}
Fatalist
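Neither answer shows what the question actually asks for: what to do with password_salt when the account is created so that the credential treatment in the question can verify it later. The following is an added example, not code from the question or from either answer. It completes the asker's Zend_Auth_Adapter_DbTable setup and, unlike the second answer's passwordHash, uses a random per-user salt. It assumes Zend Framework 1 with its autoloader already loaded, a users table with username, password and password_salt columns, and the 'staticSalt' registry key from the question; the table and column names, the function names and the connection parameters are placeholders chosen for this example.

```php
<?php
// Added example: per-user salted password storage and login with Zend_Auth_Adapter_DbTable.
// Assumed schema: users(username VARCHAR, password CHAR(32), password_salt CHAR(32)).

require_once 'Zend/Db.php';
require_once 'Zend/Auth.php';
require_once 'Zend/Auth/Adapter/DbTable.php';
require_once 'Zend/Registry.php';

/**
 * Generate a random per-user salt (32 hex characters).
 */
function generateSalt()
{
    if (function_exists('openssl_random_pseudo_bytes')) {
        return bin2hex(openssl_random_pseudo_bytes(16));
    }
    // Fallback for PHP builds without OpenSSL: weaker, but still unique per user.
    return md5(uniqid(mt_rand(), true));
}

/**
 * Hash exactly the way the SQL credential treatment does:
 * MD5(CONCAT(staticSalt, password, password_salt)).
 * Both sides must agree byte for byte, or every login will fail.
 */
function hashPassword($staticSalt, $password, $userSalt)
{
    return md5($staticSalt . $password . $userSalt);
}

/**
 * Registration: create the salt, hash the password with it, store both.
 * The salt is not secret; it only has to be different for every user.
 */
function registerUser(Zend_Db_Adapter_Abstract $db, $username, $password)
{
    $userSalt = generateSalt();
    $db->insert('users', array(
        'username'      => $username,
        'password'      => hashPassword(Zend_Registry::get('staticSalt'), $password, $userSalt),
        'password_salt' => $userSalt,
    ));
}

/**
 * Login: the database recomputes the hash using the row's own password_salt.
 * Zend_Auth_Adapter_DbTable replaces every '?' in the treatment with the quoted
 * credential, so the submitted password cannot inject SQL. The static salt is
 * quoted with $db->quote() instead of being pasted raw into the SQL string;
 * keep it free of '?' characters, or the adapter will substitute those too.
 */
function authenticateUser(Zend_Db_Adapter_Abstract $db, $username, $password)
{
    $treatment = 'MD5(CONCAT(' . $db->quote(Zend_Registry::get('staticSalt')) . ', ?, password_salt))';

    $adapter = new Zend_Auth_Adapter_DbTable($db, 'users', 'username', 'password', $treatment);
    $adapter->setIdentity($username)
            ->setCredential($password);

    $auth   = Zend_Auth::getInstance();
    $result = $auth->authenticate($adapter);

    if ($result->isValid()) {
        // Persist the user row in the session, but never the hash or the salt.
        $auth->getStorage()->write(
            $adapter->getResultRowObject(null, array('password', 'password_salt'))
        );
    }
    return $result;
}

// Usage (connection parameters and the static salt value are placeholders):
$db = Zend_Db::factory('Pdo_Mysql', array(
    'host'     => 'localhost',
    'username' => 'app',
    'password' => 'secret',
    'dbname'   => 'app',
));
Zend_Registry::set('staticSalt', 'replace-with-a-long-random-string-kept-in-config-not-in-the-database');

registerUser($db, 'justin', 'correct horse battery staple');
$result = authenticateUser($db, 'justin', 'correct horse battery staple');
echo $result->isValid() ? "login ok\n" : implode("\n", $result->getMessages()) . "\n";
```

The static salt lives in application config, the per-user salt next to the hash; an attacker who only dumps the table is missing the static part, and an attacker who has both still has to attack each user separately. The remaining weakness is the one the question inherits from the documentation: MD5 is fast, so the scheme is cheap to brute-force offline. A slow hash such as bcrypt (crypt() with a $2y$ salt on PHP 5.3.7 and later) is stronger, but it cannot be expressed as a SQL credential treatment; with bcrypt you fetch the row yourself and verify the hash in PHP instead of letting Zend_Auth_Adapter_DbTable compare it in the database.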