[dev] Authentication session data cleaned by Kronolith
SSRI
ssri_abo at u-paris2.fr
Tue Jun 25 12:31:08 UTC 2013
>>>> Again: you must not write directly to $_SESSION. This is how it
>>>> works correctly:
>>>>
>>>> In __construct(), write away the information you receive from
>>>> your custom authentication backend, and what else you want to
>>>> store in the session:
>>>>
>>>> public function __construct(array $params = array())
>>>> {
>>>>     parent::__construct($params);
>>>>     $this->_credentials['userId'] = 'username';
>>>>     $this->_credentials['credentials'] = array(
>>>>         'password' => 'password',
>>>>         'transparent' => true,
>>>>         'arbitrary_stuff' => 'xyz',
>>>>     );
>>>> }
>>>>
>>>> Implement transparent() or _authenticate() at your will. Then, in
>>>> validateAuth():
>>>>
>>>> public function validateAuth()
>>>> {
>>>>     return $GLOBALS['registry']->getAuthCredential('arbitrary_stuff') == 'xyz';
>>>> }
>>>>
>>>
>>> Login works but I get an "Invalid Token!" error.
>>
>> Where? When? How?
>
These two changes solved the problem:
- moving the session information writing
  ($this->_credentials['credentials']['...'] = ...) from __construct
  inside transparent()
- inside validateAuth, write the
  $GLOBALS['registry']->getAuthCredential('') information inside
  $_SESSION so that it can be read and tested by a function of the
  custom driver.
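A complete driver along the lines of the quoted advice, added here as an illustration (it is not code from the thread or from Horde): all login state goes into $this->_credentials, where the framework stores it on successful login, and validateAuth() reads it back through the registry instead of touching $_SESSION. Assumed: Horde_Auth_Base as the base class, and a hypothetical function mySsoBackend() standing in for the custom backend.

```php
<?php
// Added example, not the thread's or Horde's code. Assumes Horde_Auth_Base
// and a hypothetical backend call mySsoBackend() returning
// array('user' => ..., 'ticket' => ...) or null.
class Horde_Auth_Mysso extends Horde_Auth_Base
{
    // Value written at login time and checked on later requests.
    const LOGIN_MARKER = 'xyz';

    public function __construct(array $params = array())
    {
        parent::__construct($params);
        // Nothing about the user goes here: the constructor runs on
        // every request, including those before anyone has logged in.
    }

    // Transparent login: ask the backend who the user is. Whatever ends
    // up in $this->_credentials is stored by the framework on success
    // and can be read back with $registry->getAuthCredential().
    public function transparent()
    {
        $info = mySsoBackend();   // hypothetical backend call
        if (empty($info['user'])) {
            return false;
        }
        $this->_credentials['userId'] = $info['user'];
        $this->_credentials['credentials'] = array(
            'password'    => '',
            'transparent' => true,
            'sso_marker'  => self::LOGIN_MARKER,
        );
        return true;
    }

    // Form-based login is not offered by this driver.
    protected function _authenticate($userId, $credentials)
    {
        throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
    }

    // Called on later requests; passes only if the marker was stored
    // through the framework at login, so a session that never went
    // through transparent() is rejected.
    public function validateAuth()
    {
        return $GLOBALS['registry']->getAuthCredential('sso_marker')
            === self::LOGIN_MARKER;
    }
}
```

Keeping the marker in the framework's credential store rather than an ad-hoc $_SESSION key ties it to the login lifecycle, which is the point of the quoted advice.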