Friday, November 5, 2010

[fw-auth] Re: Validating Password while logged in and not loosing session

I believe I found the part of code that causes my problem.

In Zend/Auth.php
Lines: 119 - 125
function: authenticate(Zend_Auth_Adapter_Interface $adapter)
----
/**
 * ZF-7546 - prevent multiple succesive calls from storing inconsistent results
 * Ensure storage has clean state
 */
if ($this->hasIdentity()) {
    $this->clearIdentity();
}
----

Any time you call authenticate(), it will check to see if you have an
identity and clear it to re-validate it. And there is no conditional to
avoid this in the code.

So, in a situation like my first post, where I might want to re-verify a
password for someone who's already authenticated (logged in), but not log
them out on failure, Zend_Auth isn't the solution. It will log you out on
failure.

A situation where you might want to do this would be to update/change a
password. It would be quite user-unfriendly to log them out because they
fat-fingered a password and it is likely not expected to be kicked out
because of that situation.

This could be a 'feature' for your application however. Perhaps you want
the security that if you ever fail an Auth attempt, you log them out.
--
View this message in context: http://zend-framework-community.634137.n4.nabble.com/Validating-Password-while-logged-in-and-not-loosing-session-tp3028677p3028849.html
Sent from the Zend Auth mailing list archive at Nabble.com.
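
The behaviour described in the message above, as an added example that is not part of the original post and is not Zend Framework source: the `Auth`, `AdapterInterface` and `PasswordAdapter` classes are simplified stand-ins constructed here (PHP 8 assumed), and the user name and passwords are sample values. It contrasts re-verifying a password through the adapter alone with routing the same check through the identity-clearing `authenticate()` wrapper.

```php
<?php
// Simplified stand-ins for Zend_Auth and an adapter (constructed for this
// example). Only the behaviour discussed in the post is modelled.
interface AdapterInterface { public function authenticate(): bool; }

final class PasswordAdapter implements AdapterInterface
{
    public function __construct(private string $storedHash, private string $candidate) {}

    // Pure credential check: touches no session or identity storage.
    public function authenticate(): bool
    {
        return password_verify($this->candidate, $this->storedHash);
    }
}

final class Auth
{
    private ?string $identity = null;

    public function hasIdentity(): bool { return $this->identity !== null; }
    public function getIdentity(): ?string { return $this->identity; }
    public function clearIdentity(): void { $this->identity = null; }

    // Mirrors the quoted lines: an existing identity is always cleared before
    // the new result is stored, so a failed check ends the session.
    public function authenticate(AdapterInterface $adapter, string $user): bool
    {
        $ok = $adapter->authenticate();
        if ($this->hasIdentity()) {
            $this->clearIdentity();
        }
        if ($ok) {
            $this->identity = $user;
        }
        return $ok;
    }
}

$hash = password_hash('correct horse', PASSWORD_DEFAULT); // constructed sample credential
$auth = new Auth();
$auth->authenticate(new PasswordAdapter($hash, 'correct horse'), 'alice'); // initial login

// Password-change form with a mistyped current password: ask the adapter only.
$typo = new PasswordAdapter($hash, 'correct hrose');
var_dump($typo->authenticate(), $auth->getIdentity());

// The same mistyped password routed through Auth::authenticate().
var_dump($auth->authenticate($typo, 'alice'), $auth->getIdentity());
```

In the framework itself the corresponding move is to call the adapter's own `authenticate()` and inspect the returned `Zend_Auth_Result`, rather than passing the adapter to `Zend_Auth::authenticate()`.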
