Opened 4 years ago

Closed 4 years ago

#1402 closed Bug (fixed)

Unnecessary code in Login/Controller logme()

Reported by: halfdan
Owned by:
Priority: low
Milestone: Piwik 0.6.3
Component: Core
Keywords:
Cc:
Sensitive: no

Description

In core/plugins/Login/Controller.php there is a function called logme() - it allow a user to do a formless login. I found that the following code is completely unnecessary:

$authenticated = $this->authenticateAndRedirect($login, $password, $urlToRedirect);
if($authenticated === false)
{
	echo Piwik_Translate('Login_LoginPasswordNotCorrect');
}

If the login is successful "authenticateAndRedirect" just redirects to $_REQUEST['url'] and exits. Otherwise the authenticate method prints an error to the user. authenticateAndRedirect never returns (it actually does not return anything at all), and even if it did, $authenticated would be NULL.

logme as function name is not very descriptive. I can't think of a better name right now, but it should be changed.
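The pattern the report describes, as an added PHP illustration that is not part of the ticket or of Piwik's code: a helper that redirects and exits on success and prints on failure returns nothing useful, so a caller's `=== false` branch is dead; separating the credential check from the redirect makes the failure path reachable and testable. All names here (`checkCredentials`, `authenticateAndRedirect`, `authenticate`, `redirectTo`, the `$users` array) are hypothetical stand-ins, and the credential data is constructed for the example.

```php
<?php
// Added illustration, not Piwik's code. Names and data are hypothetical.

// Constructed stand-in for a credential store: login => md5(password),
// mirroring the md5-hashed password parameter the ticket mentions.
$users = ['alice' => md5('correct horse battery staple')];

function checkCredentials(array $users, string $login, string $passwordHash): bool
{
    // hash_equals compares in constant time regardless of where the strings differ.
    return isset($users[$login]) && hash_equals($users[$login], $passwordHash);
}

// The shape criticised in the ticket: success redirects and exits, failure
// prints the message right here. Nothing is returned in either case, so a
// caller testing the result for `=== false` can never reach its branch.
function authenticateAndRedirect(array $users, string $login, string $passwordHash, string $url): void
{
    if (checkCredentials($users, $login, $passwordHash)) {
        header('Location: ' . $url);
        exit;
    }
    echo "Login_LoginPasswordNotCorrect\n";
}

function brokenLogme(array $users, string $login, string $passwordHash, string $url): void
{
    $authenticated = authenticateAndRedirect($users, $login, $passwordHash, $url);
    if ($authenticated === false) {
        // Dead code: $authenticated is always NULL here, never false.
        echo "Login_LoginPasswordNotCorrect\n";
    }
}

// Restructured: the check is side-effect free and returns a bool; the caller
// decides whether to redirect or to report the failure.
function authenticate(array $users, string $login, string $passwordHash): bool
{
    return checkCredentials($users, $login, $passwordHash);
}

function redirectTo(string $url): void
{
    header('Location: ' . $url);
    exit;
}

function logme(array $users, string $login, string $passwordHash, string $url): void
{
    if (authenticate($users, $login, $passwordHash)) {
        redirectTo($url);
    }
    // Reachable exactly when authentication fails.
    echo "Login_LoginPasswordNotCorrect\n";
}

// Run from the CLI (header() is a no-op there): a wrong hash prints the
// error once from logme(), while brokenLogme() shows the same error is
// already printed inside the helper and the outer if{} never fires.
logme($users, 'alice', md5('wrong password'), '/index.php');
brokenLogme($users, 'alice', md5('wrong password'), '/index.php');
```

With the split version, `authenticate()` can be unit-tested directly for both outcomes, which is not possible for a helper that calls `exit` on the success path.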

Change History (3)

comment:1 Changed 4 years ago by halfdan

Another thought: Shouldn't logme() use tokenAuth to authenticate a user instead of the md5 hashed password? The password hash is definitely better to brute-force than the tokenAuth.

comment:2 Changed 4 years ago by vipsoft (robocoder)

I agree with removing the unreachable if{} block.

It's debatable whether switching to token_auth is more/less secure overall, but I agree it might be better against a dictionary attack. It's a compat buster, so I'll defer to Matthieu.

comment:3 Changed 4 years ago by vipsoft (robocoder)

  • Resolution set to fixed
  • Status changed from new to closed

(In [2258]) fixes #1402 - remove unreachable if{} block; switching to token_auth is a wontfix as token_auth is intended for the API; logme() is a formless login which mirrors the form login, i.e., piwik_auth cookie and server-side session
