crwork Posted October 26, 2012

I'm about to adapt some software that uses Zend for purposes of user authentication. On the home page of the existing Zend site, even if you've logged off, closed all browsers, then come back to the home page without logging on, the code still thinks the user has been authenticated. The following statement is true in index.php:

if (Zend_Auth::getInstance()->hasIdentity()) {...

I've done some research on user authentication via Zend (which I'm new to), but I seem to be missing a basic point. When Zend authenticates a user, where is that information going? To the session? Cookies? It feels like a black box to me. I've looked in the Zend code, but it's a serious labyrinth. I can't pinpoint where the user authentication is going.

shlumph Posted October 26, 2012

> even if you've logged off, closed all browsers, then come back to the home page without logging on, the code still thinks the user has been authenticated

That's not good! Lol. I'd look into the logout script. Make sure the identity is cleared via Zend_Auth::getInstance()->clearIdentity() and even destroy the session as well if it's necessary; Zend_Session::destroy()

> When Zend authenticates a user, where is that information going? To the session? Cookies?

Depends on the storage set for Zend_Auth, the default is Zend_Auth_Storage_Session.

crwork (Author) Posted October 30, 2012

> That's not good! Lol. I'd look into the logout script. Make sure the identity is cleared via Zend_Auth::getInstance()->clearIdentity() and even destroy the session as well if it's necessary; Zend_Session::destroy()
>
> Depends on the storage set for Zend_Auth, the default is Zend_Auth_Storage_Session.

Ok, thanks shlumph.

hell_yeah Posted November 4, 2012

In order to remove an identity from persistent storage, you need to call the following method during your logout routine:

Zend_Auth::getInstance()->clearIdentity();
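
Added example, not part of any post in this thread: a Zend Framework 1 logout action that performs the two calls suggested above, plus a helper that reports which storage Zend_Auth is using and where the identity sits in the session. It assumes ZF1 is on the include path with autoloading configured; AuthController and describeAuthStorage() are hypothetical names.

```php
<?php
// Added example (not from the thread). Assumes Zend Framework 1 with
// autoloading; AuthController and describeAuthStorage() are hypothetical.

class AuthController extends Zend_Controller_Action
{
    public function logoutAction()
    {
        // Remove the identity from whatever storage Zend_Auth is using
        // (Zend_Auth_Storage_Session unless setStorage() was called).
        Zend_Auth::getInstance()->clearIdentity();

        // Destroy the server-side session data; passing true also expires
        // the session cookie in the browser.
        Zend_Session::destroy(true);

        $this->_helper->redirector->gotoUrl('/');
    }
}

/**
 * Report where Zend_Auth keeps the identity, for checking a site where
 * hasIdentity() stays true after logout. Returns an array for logging.
 */
function describeAuthStorage()
{
    $auth    = Zend_Auth::getInstance();
    $storage = $auth->getStorage();

    $info = array(
        'storage_class' => get_class($storage),
        'has_identity'  => $auth->hasIdentity(),
        // A 'lifetime' of 0 means the cookie ends with the browser session.
        'cookie_params' => session_get_cookie_params(),
    );

    if ($storage instanceof Zend_Auth_Storage_Session) {
        // The identity is stored at $_SESSION[namespace][member];
        // the defaults are 'Zend_Auth' and 'storage'.
        $info['session_namespace'] = $storage->getNamespace();
        $info['session_member']    = $storage->getMember();
    }

    return $info;
}
```

Calling describeAuthStorage() before and after the logout action shows whether has_identity actually flips to false and which storage class is in play.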