Bug #9403

Authentication does not work

Added by Michael Schams over 11 years ago. Updated about 11 years ago.

Status:
Closed
Priority:
Should have
Category:
Security
Start date:
2010-09-02
Due date:
% Done:

0%

Estimated time:
PHP Version:
Has patch:
Complexity:

Description

After recent changes (and as far as I can see the issue occurs in alpha-11, too), user authentication with Security Framework does not work any more.

Exception #1222204027:
Authentication failed: "Could not authenticate any token. Might be missing or wrong credentials or no authentication provider matched."

Submitted data (username and password) are correct (see further information about name of input-tag below).
PHP Suhosin is active but configured to accept 128 characters for POST names (these settings worked in the past):

suhosin.post.max_name_length = 128
suhosin.request.max_varname_length = 128

Fluid template contains the following <input...> tag naming:

DOES NOT WORK (as in older FLOW3 version before revision r5005)
F3\FLOW3\Security\Authentication\Token\UsernamePassword::username
F3\FLOW3\Security\Authentication\Token\UsernamePassword::password

DOES NOT WORK (as in FLOW3-1.0.0-alpha11)
F3.FLOW3.Security.Authentication.Token.UsernamePassword.username
F3.FLOW3.Security.Authentication.Token.UsernamePassword.password

It also does not work if keywords are shortened (this proves that Suhosin or the length is not the issue) as follows.

DOES NOT WORK (< 64 characters)
F3.FLOW3.Security.Authentication.Token.UsernamePassword.user

("user" instead of "username" => string length 60 characters)

If I change FLOW3 core file Packages/Framework/FLOW3/Classes/Security/Authentication/Token/UsernamePassword.php as follows (and naming of the input tag in Fluid templates as well) - it works:

Method updateCredentials()

$username = \F3\FLOW3\Reflection\ObjectAccess::getPropertyPath($postArguments, 'username');
$password = \F3\FLOW3\Reflection\ObjectAccess::getPropertyPath($postArguments, 'password');

Possibly a side effect of revision r5005 and/or issue #6315.

#1

Updated by Michael Schams over 11 years ago

Further analysis revealed:
It is most likely the dot in the input-tag name that causes this issue.

DOES NOT WORK
F3FLOW3SecurityAuthenticationTokenUsernamePassword.Username

WORKS
F3FLOW3SecurityAuthenticationTokenUsernamePasswordUsername

Suhosin is currently deactivated on this server.

#2

Updated by Karsten Dambekalns over 11 years ago

  • Subject changed from Authentication does not work (Security Framework) to Authentication does not work
  • Category set to Security
  • Status changed from New to Accepted
  • Assignee set to Karsten Dambekalns
  • Target version set to 1.0 alpha 12
  • Start date changed from 2010-08-23 to 2010-09-02
#3

Updated by Karsten Dambekalns over 11 years ago

  • Status changed from Accepted to Closed

The template must contain form elements like this:

<input type="text" name="F3[FLOW3][Security][Authentication][Token][UsernamePassword][username]"/>
<input type="password" name="F3[FLOW3][Security][Authentication][Token][UsernamePassword][password]"/>

Also available in: Atom PDF