benedmunds / CodeIgniter-Ion-Auth

Simple and Lightweight Auth System for CodeIgniter
http://benedmunds.com/ion_auth/
MIT License

Initial ION_auth Setup and Error Message #701

Closed ghost closed 9 years ago

ghost commented 9 years ago

Greetings, I am testing your ION_Auth in CodeIgniter 2.2.0. I have downloaded the programs from GitHub, etc. and I am testing on WAMP.

  1. Are there any changes besides the obvious to config/config.php (autoload libraries & helper)?
  2. What encryption key did you use for your default email/password: admin@admin.com/password?
  3. When I first execute, I receive a CI error of: "In order to use the Session class you are required to set an encryption key in your config file." I have attached config/config.php and libraries/ion_auth.php. Thanks, John

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
 * Base Site URL
 * URL to your CodeIgniter root. Typically this will be your base URL,
 * WITH a trailing slash: http://example.com/
 * If this is not set then CodeIgniter will guess the protocol, domain and
 * path to your installation.
 */
$config['base_url'] = 'localhost/ion_auth'; // as posted; the note above asks for a scheme and trailing slash, e.g. 'http://localhost/ion_auth/'

/*
 * Index File
 * Typically this will be your index.php file, unless you've renamed it to
 * something else. If you are using mod_rewrite to remove the page set this
 * variable so that it is blank.
 */
$config['index_page'] = '';

/*
 * URI PROTOCOL
 * This item determines which server global should be used to retrieve the
 * URI string. The default setting of 'AUTO' works for most servers.
 * If your links do not seem to work, try one of the other delicious flavors:
 *   'AUTO'            Default - auto detects
 *   'PATH_INFO'       Uses the PATH_INFO
 *   'QUERY_STRING'    Uses the QUERY_STRING
 *   'REQUEST_URI'     Uses the REQUEST_URI
 *   'ORIG_PATH_INFO'  Uses the ORIG_PATH_INFO
 */
$config['uri_protocol'] = 'AUTO';

/*
 * URL suffix
 * This option allows you to add a suffix to all URLs generated by CodeIgniter.
 * For more information please see the user guide:
 * http://codeigniter.com/user_guide/general/urls.html
 */
$config['url_suffix'] = '';

/*
 * Default Language
 * This determines which set of language files should be used. Make sure
 * there is an available translation if you intend to use something other
 * than english.
 */
$config['language'] = 'english';

/*
 * Default Character Set
 * This determines which character set is used by default in various methods
 * that require a character set to be provided.
 */
$config['charset'] = 'UTF-8';

/*
 * Enable/Disable System Hooks
 * If you would like to use the 'hooks' feature you must enable it by
 * setting this variable to TRUE (boolean). See the user guide for details.
 */
$config['enable_hooks'] = FALSE;

/*
 * Class Extension Prefix
 * This item allows you to set the filename/classname prefix when extending
 * native libraries. For more information please see the user guide:
 * http://codeigniter.com/user_guide/general/core_classes.html
 * http://codeigniter.com/user_guide/general/creating_libraries.html
 */
$config['subclass_prefix'] = 'MY_';

/*
 * Allowed URL Characters
 * This lets you specify with a regular expression which characters are permitted
 * within your URLs. When someone tries to submit a URL with disallowed
 * characters they will get a warning message.
 * As a security measure you are STRONGLY encouraged to restrict URLs to
 * as few characters as possible. By default only these are allowed: a-z 0-9~%.:_-
 * Leave blank to allow all characters -- but only if you are insane.
 * DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
 */
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';

/*
 * Enable Query Strings
 * By default CodeIgniter uses search-engine friendly segment based URLs:
 *   example.com/who/what/where/
 * By default CodeIgniter enables access to the $_GET array. If for some
 * reason you would like to disable it, set 'allow_get_array' to FALSE.
 * You can optionally enable standard query string based URLs:
 *   example.com?who=me&what=something&where=here
 * Options are: TRUE or FALSE (boolean)
 * The other items let you set the query string 'words' that will
 * invoke your controllers and its functions:
 *   example.com/index.php?c=controller&m=function
 * Please note that some of the helpers won't work as expected when
 * this feature is enabled, since CodeIgniter is designed primarily to
 * use segment based URLs.
 */
$config['allow_get_array']      = TRUE;
$config['enable_query_strings'] = FALSE;
$config['controller_trigger']   = 'c';
$config['function_trigger']     = 'm';
$config['directory_trigger']    = 'd'; // experimental not currently in use

/*
 * Error Logging Threshold
 * You can enable error logging by setting a threshold over zero. The
 * threshold determines what gets logged. Threshold options are:
 *   0 = Disables logging, Error logging TURNED OFF
 *   1 = Error Messages (including PHP errors)
 *   2 = Debug Messages
 *   3 = Informational Messages
 *   4 = All Messages
 * For a live site you'll usually only enable Errors (1) to be logged otherwise
 * your log files will fill up very fast.
 */
$config['log_threshold'] = 0;

/*
 * Error Logging Directory Path
 * Leave this BLANK unless you would like to set something other than the default
 * application/logs/ folder. Use a full server path with trailing slash.
 */
$config['log_path'] = '';

/*
 * Date Format for Logs
 * Each item that is logged has an associated date. You can use PHP date
 * codes to set your own date formatting
 */
$config['log_date_format'] = 'Y-m-d H:i:s';

/*
 * Cache Directory Path
 * Leave this BLANK unless you would like to set something other than the default
 * system/cache/ folder. Use a full server path with trailing slash.
 */
$config['cache_path'] = '';

/*
 * Encryption Key
 * If you use the Encryption class or the Session class you
 * MUST set an encryption key. See the user guide for info.
 */
$config['encryption_key'] = ''; // left empty: this is what raises the Session class error quoted above

/*
 * Session Variables
 * 'sess_cookie_name'     = the name you want for the cookie
 * 'sess_expiration'      = the number of SECONDS you want the session to last.
 *                          by default sessions last 7200 seconds (two hours). Set to zero for no expiration.
 * 'sess_expire_on_close' = Whether to cause the session to expire automatically
 *                          when the browser window is closed
 * 'sess_encrypt_cookie'  = Whether to encrypt the cookie
 * 'sess_use_database'    = Whether to save the session data to a database
 * 'sess_table_name'      = The name of the session database table
 * 'sess_match_ip'        = Whether to match the user's IP address when reading the session data
 * 'sess_match_useragent' = Whether to match the User Agent when reading the session data
 * 'sess_time_to_update'  = how many seconds between CI refreshing Session Information
 */
$config['sess_cookie_name']     = 'ci_session';
$config['sess_expiration']      = 7200;
$config['sess_expire_on_close'] = TRUE;
$config['sess_encrypt_cookie']  = FALSE;
$config['sess_use_database']    = FALSE;
$config['sess_table_name']      = 'ci_sessions';
$config['sess_match_ip']        = FALSE;
$config['sess_match_useragent'] = TRUE;
$config['sess_time_to_update']  = 300;

/*
 * Cookie Related Variables
 * 'cookie_prefix' = Set a prefix if you need to avoid collisions
 * 'cookie_domain' = Set to .your-domain.com for site-wide cookies
 * 'cookie_path'   = Typically will be a forward slash
 * 'cookie_secure' = Cookies will only be set if a secure HTTPS connection exists.
 */
$config['cookie_prefix'] = "";
$config['cookie_domain'] = "";
$config['cookie_path']   = "/";
$config['cookie_secure'] = FALSE;

/*
 * Global XSS Filtering
 * Determines whether the XSS filter is always active when GET, POST or
 * COOKIE data is encountered
 */
$config['global_xss_filtering'] = TRUE;

/*
 * Cross Site Request Forgery
 * Enables a CSRF cookie token to be set. When set to TRUE, token will be
 * checked on a submitted form. If you are accepting user data, it is strongly
 * recommended CSRF protection be enabled.
 * 'csrf_token_name'  = The token name
 * 'csrf_cookie_name' = The cookie name
 * 'csrf_expire'      = The number in seconds the token should expire.
 */
$config['csrf_protection']  = TRUE;
$config['csrf_token_name']  = 'csrf_test_name';
$config['csrf_cookie_name'] = 'csrf_cookie_name';
$config['csrf_expire']      = 7200;

/*
 * Output Compression
 * Enables Gzip output compression for faster page loads. When enabled,
 * the output class will test whether your server supports Gzip.
 * Even if it does, however, not all browsers support compression
 * so enable only if you are reasonably sure your visitors can handle it.
 * VERY IMPORTANT: If you are getting a blank page when compression is enabled it
 * means you are prematurely outputting something to your browser. It could
 * even be a line of whitespace at the end of one of your scripts. For
 * compression to work, nothing can be sent before the output buffer is called
 * by the output class. Do not 'echo' any values with compression enabled.
 */
$config['compress_output'] = FALSE;

/*
 * Master Time Reference
 * Options are 'local' or 'gmt'. This pref tells the system whether to use
 * your server's local time as the master 'now' reference, or convert it to
 * GMT. See the 'date helper' page of the user guide for information
 * regarding date handling.
 */
$config['time_reference'] = 'local';

/*
 * Rewrite PHP Short Tags
 * If your PHP installation does not have short tag support enabled CI
 * can rewrite the tags on-the-fly, enabling you to utilize that syntax
 * in your view files. Options are TRUE or FALSE (boolean)
 */
$config['rewrite_short_tags'] = FALSE;

/*
 * Reverse Proxy IPs
 * If your server is behind a reverse proxy, you must whitelist the proxy IP
 * addresses from which CodeIgniter should trust the HTTP_X_FORWARDED_FOR
 * header in order to properly identify the visitor's IP address.
 * Comma-delimited, e.g. '10.0.1.200,10.0.1.201'
 */
$config['proxy_ips'] = '';

/* End of file config.php */
/* Location: ./application/config/config.php */
```

```php
<?php if ( ! defined('BASEPATH')) exit('No direct script access allowed');

/*
 * Tables.
 * Database table names.
 */
$config['tables']['users']          = 'users';
$config['tables']['groups']         = 'groups';
$config['tables']['users_groups']   = 'users_groups';
$config['tables']['login_attempts'] = 'login_attempts';

/*
 * Users table column and Group table column you want to join WITH.
 * Joins from users.id
 * Joins from groups.id
 */
$config['join']['users']  = 'user_id';
$config['join']['groups'] = 'group_id';

/*
 * Hash Method (sha1 or bcrypt)
 * Bcrypt is available in PHP 5.3+
 * IMPORTANT: Based on the recommendation by many professionals, it is highly
 * recommended to use bcrypt instead of sha1.
 * NOTE: If you use bcrypt you will need to increase your password column
 * character limit to (80)
 * Below there is "default_rounds" setting. This defines how strong the
 * encryption will be, but remember the more rounds you set the longer it will
 * take to hash (CPU usage) So adjust this based on your server hardware.
 * If you are using Bcrypt the Admin password field also needs to be changed in
 * order to login as admin:
 *   $2a$07$SeBknntpZror9uyftVopmu61qg0ms8Qv1yV6FG.kQOSM.9QhmTo36
 * Be careful how high you set max_rounds, I would do your own testing on how
 * long it takes to encrypt with x rounds.
 * salt_prefix: Used for bcrypt. Versions of PHP before 5.3.7 only support
 * "$2a$" as the salt prefix
 * Versions 5.3.7 or greater should use the default of "$2y$".
 */
$config['hash_method']    = 'bcrypt'; // sha1 or bcrypt, bcrypt is STRONGLY recommended
$config['default_rounds'] = 8;        // This does not apply if random_rounds is set to true
$config['random_rounds']  = FALSE;
$config['min_rounds']     = 5;
$config['max_rounds']     = 9;
$config['salt_prefix']    = '$2y$';

/*
 * Authentication options.
 * maximum_login_attempts: This maximum is not enforced by the library, but is
 * used by $this->ion_auth->is_max_login_attempts_exceeded().
 * The controller should check this function and act
 * appropriately. If this variable set to 0, there is no maximum.
 */
$config['site_title']                 = "Example.com";       // Site Title, example.com
$config['admin_email']                = "admin@example.com"; // Admin Email, admin@example.com
$config['default_group']              = 'members';           // Default group, use name
$config['admin_group']                = 'admin';             // Default administrators group, use name
$config['identity']                   = 'email';             // A database column which is used to login with
$config['min_password_length']        = 8;                   // Minimum Required Length of Password
$config['max_password_length']        = 20;                  // Maximum Allowed Length of Password
$config['email_activation']           = FALSE;               // Email Activation for registration
$config['manual_activation']          = FALSE;               // Manual Activation for registration
$config['remember_users']             = TRUE;                // Allow users to be remembered and enable auto-login
$config['user_expire']                = 86500;               // How long to remember the user (seconds). Set to zero for no expiration
$config['user_extend_on_login']       = FALSE;               // Extend the users cookies every time they auto-login
$config['track_login_attempts']       = FALSE;               // Track the number of failed login attempts for each user or ip.
$config['track_login_ip_address']     = TRUE;                // Track login attempts by IP Address, if FALSE will track based on identity. (Default: TRUE)
$config['maximum_login_attempts']     = 3;                   // The maximum number of failed login attempts.
$config['lockout_time']               = 600;                 // The number of seconds to lockout an account due to exceeded attempts
$config['forgot_password_expiration'] = 0;                   // The number of milliseconds after which a forgot password request will expire. If set to 0, forgot password requests will not expire.

/*
 * Cookie options.
 * remember_cookie_name  Default: remember_code
 * identity_cookie_name  Default: identity
 */
$config['remember_cookie_name'] = 'remember_code';
$config['identity_cookie_name'] = 'identity';

/*
 * Email options.
 * email_config:
 *   'file' = Use the default CI config or use from a config file
 *   array  = Manually set your email config settings
 */
$config['use_ci_email'] = FALSE; // Send Email using the builtin CI email class, if false it will return the code and the identity
$config['email_config'] = array(
    'mailtype' => 'html',
);

/*
 * Email templates.
 * Folder where email templates are stored.
 * Default: auth/
 */
$config['email_templates'] = 'auth/email/';

/*
 * Activate Account Email Template
 * Default: activate.tpl.php
 */
$config['email_activate'] = 'activate.tpl.php';

/*
 * Forgot Password Email Template
 * Default: forgot_password.tpl.php
 */
$config['email_forgot_password'] = 'forgot_password.tpl.php';

/*
 * Forgot Password Complete Email Template
 * Default: new_password.tpl.php
 */
$config['email_forgot_password_complete'] = 'new_password.tpl.php';

/*
 * Salt options
 * salt_length  Default: 22
 * store_salt:  Should the salt be stored in the database?
 *              This will change your password encryption algorithm,
 *              default password, 'password', changes to
 *              fbaa5e216d163a02ae630ab1a43372635dd374c0 with default salt.
 */
$config['salt_length'] = 22;
$config['store_salt']  = FALSE;

/*
 * Message Delimiters.
 */
$config['delimiters_source']       = 'config'; // "config" = use the settings defined here, "form_validation" = use the settings defined in CI's form validation library
$config['message_start_delimiter'] = '<p>';    // Message start delimiter
$config['message_end_delimiter']   = '</p>';   // Message end delimiter
$config['error_start_delimiter']   = '<p>';    // Error message start delimiter
$config['error_end_delimiter']     = '</p>';   // Error message end delimiter

/* End of file ion_auth.php */
/* Location: ./application/config/ion_auth.php */
```

avenirer commented 9 years ago

Well... It is as simple as it says. For Ion Auth to work you need to have the session library enabled, and to use sessions you need to set an encryption key in config.php.

ghost commented 9 years ago

avenirer, thank you for your response. You are absolutely right, which prompted me to ask Ben what he set the value to for his test login of admin@admin.com/password. Obviously, when I "go live" in my application I will change this to my current encryption key.

benedmunds commented 9 years ago

The encryption key is not used for the password hashing.

avenirer commented 9 years ago

That password, or the encryption it uses, has nothing to do with the encryption key that is asked for there. The encryption key that you must insert there is for CodeIgniter to work with sessions. It has nothing to do with Ion Auth.

ghost commented 9 years ago

Thanks.

I do get them confused.

Sorry for the bother.

john

From: Adrian Voicu [mailto:notifications@github.com] Sent: Wednesday, January 07, 2015 11:21 AM To: benedmunds/CodeIgniter-Ion-Auth Cc: jufkirkpatrick Subject: Re: [CodeIgniter-Ion-Auth] Initial ION_auth Setup and Error Message (#701)

— Reply to this email directly or view it on GitHub: https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/701#issuecomment-69066011

ghost commented 9 years ago

Not to hash a dead horse, but doesn't there have to be a SALT value stored somewhere for the default login admin@admin.com/password?

benedmunds commented 9 years ago

With the default config the salt is stored inside the password field in the DB. If "store_salt" is true it will be stored in the salt field in the DB.
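The two storage layouts Ben describes, as an added example that is not Ion Auth's own code (written in Python so it runs stand-alone): `parse_bcrypt` splits the admin seed hash quoted in the pasted ion_auth.php into prefix, cost, salt and digest to show that a bcrypt string carries its own salt and cost, so no separate salt column or encryption key is involved; `make_record`/`verify` model the sha1 path with `store_salt` FALSE (salt prepended inside the password column) and TRUE (salt in its own column). The sha1 layout, the truncation of the digest to keep the column at 40 characters, and the helper names (`SALT_LENGTH`, `needs_rehash`) are assumptions modelled on how the library's legacy scheme is described, not a copy of its implementation.

```python
"""Where does the salt live? Constructed example, not Ion Auth's code."""
import hashlib
import hmac
import secrets

# Bcrypt seed hash for admin@admin.com / "password" quoted in the posted config.
ADMIN_BCRYPT = "$2a$07$SeBknntpZror9uyftVopmu61qg0ms8Qv1yV6FG.kQOSM.9QhmTo36"

# Mirrors $config['salt_length'] = 22 from the pasted ion_auth.php (assumption:
# the same length is used for the sha1-style layout modelled below).
SALT_LENGTH = 22


def parse_bcrypt(stored: str) -> dict:
    """Split a bcrypt modular-crypt string into its fields.

    Everything a verifier needs (algorithm prefix, cost, 22-char salt,
    31-char digest) is inside the single stored value, which is why bcrypt
    needs no salt column and why the password column must grow to hold it.
    """
    parts = stored.split("$")  # ['', '2a', '07', '<salt><digest>']
    if len(parts) != 4 or parts[1] not in ("2a", "2b", "2y") or len(parts[3]) != 53:
        raise ValueError("not a bcrypt modular-crypt string")
    return {
        "prefix": "$" + parts[1] + "$",
        "cost": int(parts[2]),
        "salt": parts[3][:22],
        "digest": parts[3][22:],
    }


def needs_rehash(stored: str, default_rounds: int) -> bool:
    """A bcrypt hash records its own cost, so raising default_rounds in the
    config never invalidates existing hashes; it only marks them for a rehash
    on the next successful login."""
    return parse_bcrypt(stored)["cost"] < default_rounds


def _sha1(password: str, salt: str) -> str:
    return hashlib.sha1((salt + password).encode()).hexdigest()


def make_record(password: str, store_salt: bool) -> dict:
    """Build the DB row for the sha1-style layout (assumption, modelled on the
    legacy scheme). store_salt=False: the salt is prepended to the password
    column and the digest truncated so the column stays 40 chars wide.
    store_salt=True: the salt gets its own column and the digest is kept whole."""
    salt = secrets.token_hex(SALT_LENGTH)[:SALT_LENGTH]
    digest = _sha1(password, salt)
    if store_salt:
        return {"password": digest, "salt": salt}
    return {"password": salt + digest[:-SALT_LENGTH], "salt": None}


def verify(password: str, row: dict, store_salt: bool) -> bool:
    """Recompute the stored form from the candidate password and compare in
    constant time. With store_salt=False the salt is read back out of the
    password column itself; with store_salt=True it comes from the salt column."""
    if store_salt:
        expected = _sha1(password, row["salt"])
    else:
        salt = row["password"][:SALT_LENGTH]
        expected = salt + _sha1(password, salt)[:-SALT_LENGTH]
    return hmac.compare_digest(expected, row["password"])


if __name__ == "__main__":
    fields = parse_bcrypt(ADMIN_BCRYPT)
    print("bcrypt fields:", fields)
    print("rehash at default_rounds=8?", needs_rehash(ADMIN_BCRYPT, 8))
    for flag in (False, True):
        row = make_record("password", store_salt=flag)
        print(f"store_salt={flag}: row={row} ok={verify('password', row, flag)}")
```

Two things the run makes visible: the admin seed hash was generated at cost 07 while the pasted config sets `default_rounds` to 8, which is harmless because the cost travels with the hash; and the embedded-salt sha1 layout only keeps 18 hex characters (72 bits) of digest once 22 characters of salt share a 40-character column, one concrete reason the config comments push bcrypt and the wider column.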

ghost commented 9 years ago

I got IT!!

From: Ben Edmunds [mailto:notifications@github.com] Sent: Wednesday, January 07, 2015 11:21 AM To: benedmunds/CodeIgniter-Ion-Auth Cc: jufkirkpatrick Subject: Re: [CodeIgniter-Ion-Auth] Initial ION_auth Setup and Error Message (#701)

Closed #701 https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/701 .

— Reply to this email directly or view it on GitHub: https://github.com/benedmunds/CodeIgniter-Ion-Auth/issues/701#event-215446530

ghost commented 9 years ago

Thanks. I got it, finally. I do get the SALT and the encryption key mixed up!! And I do not make them the same. John