Comments on: How to avoid Identity Theft in Zend Framework with Zend Auth

By: Elwin

Elwin — Mon, 28 Feb 2011 22:05:56 +0000

Is there no option to see where the user came from the last visited page? If so can you not use that value to validate if it is still the same user or someone that stole the cookie?

By: Elwin

Elwin — Mon, 28 Feb 2011 17:05:00 +0000

Is there no option to see where the user came from the last visited page? If so can you not use that value to validate if it is still the same user or someone that stole the cookie?

By: Comment éviter le vol d'identité dans vos applications Zend Framework avec le composant Zend_Auth | Itanea le Blog

Thu, 20 Jan 2011 12:18:05 +0000

[...] du traducteur : Cet article est une traduction de l’article How to avoid Identity Theft in Zend Framework with Zend Auth paru le 04 mars 2010 sur PHP Tutorials, écrit par Andrei Gabreanu. Je le remercie au passage de [...]

By: Andrei Gabreanu

Andrei Gabreanu — Sun, 13 Jun 2010 00:41:58 +0000

Nice ideea with the Zend Session validator! I actually overlooked it! Thanks for the ideea.

Regarding the user agents, yes of course, you are right. This plugin was never intended to be of a large scale use (ex a public website ) rather than a portion of an app where you *know* who will access it and with what user agents etc . Prolly should have said that somewhere in the post

By: Andrei Gabreanu

Andrei Gabreanu — Sun, 13 Jun 2010 00:40:07 +0000

Agree. It is more of a convenience way to check something like, lets say for example an admin page where you *know* who will access thus you don't mind the user agents changing.

By: Pieter

Pieter — Sun, 13 Jun 2010 00:38:15 +0000

Nice post. Just a small hint; you can actually do everything you're trying to do with Zend_Session already. Just add the necessary validators (in your case user_agent and ip validator) to Zend_Session using Zend_Session::registerValidator().
I must warn you though; validating on user_agent is probably not a smart thing to do as more and more browsers tend to change their user agent string during a session (e.g. IE8).

By: Andrei Gabreanu

Andrei Gabreanu — Sat, 12 Jun 2010 19:41:00 +0000

Nice ideea with the Zend Session validator! I actually overlooked it! Thanks for the ideea.

By: Andrei Gabreanu

Andrei Gabreanu — Sat, 12 Jun 2010 19:40:00 +0000

Agree. It is more of a convenience way to check something like, lets say for example an admin page where you *know* who will access thus you don’t mind the user agents changing.

By: Pieter

Pieter — Sat, 12 Jun 2010 19:38:00 +0000

Nice post. Just a small hint; you can actually do everything you’re trying to do with Zend_Session already. Just add the necessary validators (in your case user_agent and ip validator) to Zend_Session using Zend_Session::registerValidator().
I must warn you though; validating on user_agent is probably not a smart thing to do as more and more browsers tend to change their user agent string during a session (e.g. IE8).

By: Michiel Brandenburg

Michiel Brandenburg — Thu, 10 Jun 2010 03:33:23 +0000

Nice post, mind u turning on the useragent check will be more trouble than it's worth. Ajax calls from the same browser being used can report different useragents, on top of that the useragent can be configured by the user. Also take note that you might have to check for the presence of X-Forwarded-For headers (these can be faked) but it might indicate that the user is behind a proxy and the ip might not be trusted.