DX Auth 1.0.6 (Authentication library)
Posted: 04 January 2009 10:41 AM   [ # 291 ]
Grad Student
Total Posts:  79
Joined  03-19-2006

Hi!

First of all, thanks dexcell for this library! I really think we need something like this! :)

Then comes my question:

- Why did you choose to encrypt the password with md5? Since md5 is known for all the vulnerabilities, don’t you think it’s better to use sha1 for all the encryption tasks?


Thanks!

Posted: 05 January 2009 02:33 AM   [ # 292 ]
Grad Student
Total Posts:  47
Joined  02-07-2008

Wow, what an awesome lib! Been thinking about creating something like this for a while and I’m glad to see it has already been done :)

Posted: 06 January 2009 02:59 AM   [ # 293 ]
Grad Student
Total Posts:  47
Joined  02-07-2008

Okay, while I’m sitting here planning how I’m going to add DX Auth, I see a session problem. I have a site that has over 36k unique visitors and over 250k pageviews. When someone logs in and later closes his/her browser without manually logging out, the row in the ci_session still exists (correct me if I’m wrong). With a site that has 36k+ visitors a day, this can create an overhead on the database real fast. One way I see to solve this problem would be to create a cron script that deletes the rows that have no activity in the last 30 minutes, skipping the ones that have the remember me option checked. Is this the only approach or is there something I’m missing ... or am I completely wrong about this? Thanks

Posted: 06 January 2009 08:24 AM   [ # 294 ]
Lab Assistant
Total Posts:  233
Joined  04-03-2007
BeingDefined - 06 January 2009 02:59 AM

I see a session problem.

I don’t think this is unique to this library:
http://codeigniter.com/forums/viewthread/83360/

I’m not using this library so I could be wrong.

Posted: 08 January 2009 12:08 PM   [ # 295 ]
Summer Student
Total Posts:  11
Joined  01-08-2009

Hi, Dexcell!
First of all - great work with the lib ;) !
I’m new (but very excited) to the framework and I happened to need (and use) your lib in my first app with which I’m also learning CI.

So out of the nutshell I came across an issue when using your lib.
The problem:
- After calling the DX_Auth::logout() function, the is_logged_in() one still returns true. And should you happen to load a view that renders itself logged-in conditionally, it would display the “You have been logged out” message and still render itself as if the user is still logged in.

The reason:
- after calling session::sess_destroy() from the DX_Auth::logout() routine, the session::userdata(‘DX_logged_in’) call still returns true because the session::sess_destroy() method doesn’t invalidate the session user data.

So it’s really a framework bug (the session class doesn’t even allow you to delete user data), but I wanted first to double check this here before making a bug report, and second - it will be much quicker for you to patch your lib than to wait for a framework patch to be issued.

Solution:
- add this at the end of the DX_Auth::logout() method:

$this->ci->session->set_userdata('DX_logged_in',FALSE);

Now the logout views will render correctly.

Regards

Posted: 10 January 2009 05:19 AM   [ # 296 ]
Grad Student
Total Posts:  31
Joined  05-30-2008

I have a question: how long should I set the sess_expiration for in CI config? By default it is 2 hours, but I would like the user to stay logged in for 2 weeks. Does the auto-login feature re-validate a session? Or do I need to set the sess_expiration variable to 1209600 seconds?

My other question is: is it normal to have tens of thousands of entries in the ci_sessions table? I see CI is creating multiple sessions for the same IP address instead of modifying the existing session. Is this related to the DX Auth library? Or is there some way to fix this?

Posted: 12 January 2009 01:14 AM   [ # 297 ]
Grad Student
Total Posts:  83
Joined  11-06-2008

Hello everyone.

Everything is nice with this library, but I came to one problem and didn’t find an answer in the user guide.
I have created a field in the user_profile table, called ‘threads_per_page’.

But when I try to echo it:

echo $this->dx_auth->get_profile_field('threads_per_page');

I get error:
Fatal error: Call to undefined method DX_Auth::get_profile_field() in /var/www/vhos…...

Any ideas? Thanks!

Posted: 12 January 2009 07:50 AM   [ # 298 ]
Summer Student
Total Posts:  11
Joined  01-08-2009

Hi hugle.
The get_profile_field is in a model (not in the library) file.
So:

$this->load->model('dx_auth/user_profile');
echo $this->user_profile->get_profile_field(
    $this->dx_auth->get_user_id(),
    'threads_per_page'
)->row()->threads_per_page;

Posted: 12 January 2009 06:50 PM   [ # 299 ]
Summer Student
Total Posts:  17
Joined  09-02-2007

Thanks, dexcell for the library.  I love it!  The documentation is especially great.  I finally finished reading this whole thread and have two recommendations and a problem:

-The releases might start to get confusing to us (whether or not we have the latest version, what version we’re running, etc).  Hosting the releases with code.google.com/hosting/ (or some other code repository) might make it easier to reference.
-It seems that a lot of people on the thread had a problem with the “captcha” directory not being in their htaccess file (me included).  Adding this to the “installation” page of the user guide might help!
-So here’s my problem:  I got it working perfectly on my dev machine (windows).  I uploaded it to my linux server and made sure to change the permissions and owners.  When creating an account, the password field of the record is empty.  Same thing happens when changing the password.  Any ideas what’s wrong and how I can fix it?  Thanks!

Posted: 13 January 2009 10:56 PM   [ # 300 ]
Summer Student
Total Posts:  17
Joined  09-02-2007

After more investigation, I found out what my problem is but still don’t know how to solve it.  I found out that crypt() is returning an empty string (line 1169 of libraries/DX_Auth.php; it should say $new_pass = crypt($this->_encode($new_pass));).  It does that only when there’s no salt passed to the crypt function.

I found a similar issue at http://article.gmane.org/gmane.comp.apache.apr.devel/13802 .  Any ideas of what I can do to fix it?
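
The symptom in post # 300, where crypt() returns an empty string and an empty password field gets stored, can be caught before the write. The PHP sketch below is an added example, not code from DX Auth or from the poster; the function names are hypothetical, and it assumes PHP 7 or later with bcrypt support in crypt().

```php
<?php
declare(strict_types=1);

// Added illustration; not DX Auth code. All function names are hypothetical.

// crypt() reports failure through its return value (an empty or short
// string, or "*0"/"*1"), never through an exception, so check before storing.
function require_valid_hash(string $hash): string
{
    if (strlen($hash) < 13 || $hash[0] === '*') {
        throw new RuntimeException('crypt() failed; refusing to store the password');
    }
    return $hash;
}

// Always pass an explicit salt so the result does not depend on the
// platform's default algorithm. Here: bcrypt, cost 10, 22-character salt.
function hash_password_checked(string $password): string
{
    // base64 uses "+", which is outside bcrypt's ./A-Za-z0-9 alphabet.
    $salt = substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return require_valid_hash(crypt($password, '$2y$10$' . $salt));
}

// An empty or malformed stored value never matches any password.
function verify_password(string $password, string $stored): bool
{
    if (strlen($stored) < 13) {
        return false;
    }
    return hash_equals($stored, crypt($password, $stored));
}

$hash = hash_password_checked('correct horse'); // constructed sample input
var_dump(verify_password('correct horse', $hash));
var_dump(verify_password('wrong', $hash));
var_dump(verify_password('anything', ''));      // empty password column

try {
    require_valid_hash('');  // constructed: the empty result from post # 300
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```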
