Zend Authentication

[crwork]

I'm about to adapt some software that uses Zend for purposes of user authentication.

 

On the home page of the existing Zend site, even if you've logged off, closed all browsers, then come back to the home page without logging on, the code still thinks the user has been authenticated. The following statement is true in index.php:

 

if (Zend_Auth::getInstance()->hasIdentity()) {...

 

I've done some research on user authentication via Zend (which I'm new to), but I seem to missing a basic point. When Zend authenticates a user, where is that information going? To the session? Cookies? It feels like a black box to me. I've looked in the Zend code, but it's a serious labyrinth. I can't pinpoint where the user authentication is going.

[shlumph]

even if you've logged off, closed all browsers, then come back to the home page without logging on, the code still thinks the user has been authenticated

That's not good! Lol. I'd look into the logout script. Make sure the identity is cleared via Zend_Auth::getInstance()->clearIdentity() and even destroy the session as well if it's necessary; Zend_Session::destroy()

 

When Zend authenticates a user, where is that information going? To the session? Cookies?

Depends on the storage set for Zend_Auth, the default is Zend_Auth_Storage_Session.

[crwork]

That's not good! Lol. I'd look into the logout script. Make sure the identity is cleared via Zend_Auth::getInstance()->clearIdentity() and even destroy the session as well if it's necessary; Zend_Session::destroy()

 

 

Depends on the storage set for Zend_Auth, the default is Zend_Auth_Storage_Session.

 

Ok, thanks shlumph.

[hell_yeah]

In order to remove an identity from persistent storage, you need to call the following method during your logout routine

 

Zend_Auth::getInstance()->clearIdentity();