Unnecessary code in Login/Controller logme() #1402

halfdan opened this Issue May 30, 2010 · 3 comments

2 participants

Piwik Open Source Analytics member

In core/plugins/Login/Controller.php there is a function called logme() - it allow a user to do a formless login. I found that the following code is completely unnecessary:

$authenticated = $this->authenticateAndRedirect($login, $password, $urlToRedirect);
if($authenticated === false)
    echo Piwik_Translate('Login_LoginPasswordNotCorrect');

If the login is successful "authenticateAndRedirect" just redirects to $_REQUEST['url'] and exits. Otherwise the authenticate method prints an error to the user. authenticateAndRedirect does never return (it actually does not return anything at all), and even if it would $authenticate would be NULL.

logme as function name is not very descriptive. I can't think of a better name right now, but it should be changed.

Piwik Open Source Analytics member

Another thought: Shouldn't logme() use tokenAuth to authenticate a user instead of the md5 hashed password? The password hash is definitely better to brute-force than the tokenAuth.


I agree with removing the unreachable if{} block.

It's debateable whether switching to token_auth is more/less secure overall, but I agree it might be better against a dictionary attack. It's a compat buster, so I'll defer to Matthieu.


(In [2258]) fixes #1402 - remove unreachable if{} block; switching to token_auth is a wontfix as token_auth is intended for the API; logme() is a formless login which mirrors the form login, i.e., piwik_auth cookie and server-side session

@halfdan halfdan added this to the Piwik 0.6.3 milestone Jul 8, 2014
This issue was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment