Although the user has previously authenticated (e.g. on the login page), the
point in asking the user for the password again is to re-enforce
authentication. If it were simply a matter of trusting the identity
persisted in the session, there wouldn't be any point in asking for the
password.
--
*Hector Virgen*
Sr. Web Developer
http://www.virgentech.com
On Tue, Nov 9, 2010 at 7:10 AM, Ralph Schindler <ralph.schindler@zend.com> wrote:
> I do not think I would use the authentication adapter to do what you are
> attempting to do.
>
> Basically, if the user is already logged in, they are past the point of
> "authentication", or, "ensuring the validity of an identity to persist".
>
> What you are doing here is a job more specific to the user model itself.
> While you are free to piggy back this functionality into the Zend_Auth layer
> components, I think it better fits in like this:
>
> Your controller would
>
> class UserService {
>     public function changePassword(User $u, $oldPassword, $newPassword,
>         $confirmPassword) {
>         // ensure passwords are the same, old password is ok
>         // update the password in the user object
>         // persist user object somehow
>     }
> }
>
> which would interact with a model via the user object:
>
> class User {
>     protected $_password;
>     public function setPassword($password) {}
>     public function getPassword() {}
> }
>
> That way you are not putting this logic inside of authentication.
>
> -ralph
>
>
> On 11/5/10 9:17 AM, Fozzyuw wrote:
>
>>
>> Hi all,
>>
>> Here's a seemingly simple question.
>>
>> I have a "update your password" form. It asks for:
>>
>> * The current password
>> * The new password
>> * Confirm the new password (repeat it for comparison)
>>
>> What I do is simple:
>>
>> Zend_Form validates the password rules and that the confirmation password
>> matches.
>> I call Zend_Auth to see if the current password is valid.
>> I update the password if all things are valid.
>>
>> The problem I've encountered is that Zend_Auth will kill the session with
>> the "->isValid()" method if the password entered is wrong.
>>
>> In other words, if you want to change your password, and you mistyped the
>> current password, you will be logged out of the account because Zend_Auth
>> failed.
>>
>> Is there a way to simply ask Zend_Auth to validate the credentials without
>> affecting the session?
>>
>> I've not cracked open the Zend_Auth code, but I've tried to search for
>> anyone asking this same question and I'm either not asking the right keywords
>> to search or it's just not that frequently asked.
>>
>> One obvious thing I can do is simply not use Zend_Auth, just do simple SQL
>> password comparison using Zend_Db, which is fine, but I feel like it just
>> makes more sense using Zend_Auth.
>>
>> Thanks in advance for any discussion on this topic!
>> Cheers!
>> Fozzy
>>
>>
>>
>
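
An added example, not code from anyone in this thread: one way to fill in the `UserService::changePassword()` skeleton quoted above so that the current password is re-checked against the stored hash without going through the session-backed auth layer, which means a mistyped password returns an error instead of logging the user out. The method bodies, the `getPasswordHash()` accessor and the sample passwords are assumptions, and `password_hash()`/`password_verify()` require PHP 5.5 or later.

```php
<?php
// Illustration only: class and method names follow the skeleton in the
// thread; the bodies and getPasswordHash() are assumptions.
final class User
{
    private $passwordHash;

    public function __construct($plainPassword)
    {
        $this->setPassword($plainPassword);
    }

    public function getPasswordHash()
    {
        return $this->passwordHash;
    }

    public function setPassword($plainPassword)
    {
        // Store only a salted hash, never the plaintext.
        $this->passwordHash = password_hash($plainPassword, PASSWORD_DEFAULT);
    }
}

final class UserService
{
    // Returns null on success or an error message. It never reads or writes
    // the session, so a failed re-check leaves the login intact.
    public function changePassword(User $u, $oldPassword, $newPassword, $confirmPassword)
    {
        if (!password_verify($oldPassword, $u->getPasswordHash())) {
            return 'current password is incorrect';
        }
        if ($newPassword !== $confirmPassword) {
            return 'new password and confirmation differ';
        }
        $u->setPassword($newPassword);
        // Persisting $u is left to the application.
        return null;
    }
}

// Constructed sample data.
$user = new User('old-secret');
$svc  = new UserService();
var_dump($svc->changePassword($user, 'typo', 'n3w-secret', 'n3w-secret'));
var_dump($svc->changePassword($user, 'old-secret', 'n3w-secret', 'n3w-secret'));
var_dump(password_verify('n3w-secret', $user->getPasswordHash()));
```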