Unnecessary code in Login/Controller logme() #1402

Closed
halfdan opened this issue May 30, 2010 · 3 comments
Labels
Bug For errors / faults / flaws / inconsistencies etc.
Comments

@halfdan
Member

halfdan commented May 30, 2010

In core/plugins/Login/Controller.php there is a function called logme() - it allows a user to do a formless login. I found that the following code is completely unnecessary:

```php
// Dead branch in logme(): authenticateAndRedirect() either redirects and exits,
// or prints the error itself, so control never reaches this if.
$authenticated = $this->authenticateAndRedirect($login, $password, $urlToRedirect);
if($authenticated === false)
{
    echo Piwik_Translate('Login_LoginPasswordNotCorrect');
}
```

If the login is successful, "authenticateAndRedirect" just redirects to $_REQUEST['url'] and exits. Otherwise the authenticate method prints an error to the user. authenticateAndRedirect never returns (it actually does not return anything at all), and even if it did, $authenticated would be NULL.

logme as function name is not very descriptive. I can't think of a better name right now, but it should be changed.

@halfdan
Member Author

halfdan commented May 30, 2010

Another thought: Shouldn't logme() use tokenAuth to authenticate a user instead of the md5 hashed password? The password hash is definitely better to brute-force than the tokenAuth.

@robocoder
Contributor

I agree with removing the unreachable if{} block.

It's debatable whether switching to token_auth is more/less secure overall, but I agree it might be better against a dictionary attack. It's a compat buster, so I'll defer to Matthieu.

@robocoder
Contributor

(In [2258]) fixes #1402 - remove unreachable if{} block; switching to token_auth is a wontfix as token_auth is intended for the API; logme() is a formless login which mirrors the form login, i.e., piwik_auth cookie and server-side session

@halfdan halfdan added this to the Piwik 0.6.3 milestone Jul 8, 2014
This issue was closed.