Unnecessary code in Login/Controller logme() #1402

Closed
halfdan opened this Issue · 3 comments

Fabian Becker
Collaborator

In core/plugins/Login/Controller.php there is a function called logme() - it allows a user to do a formless login. I found that the following code is completely unnecessary:

$authenticated = $this->authenticateAndRedirect($login, $password, $urlToRedirect);
if($authenticated === false)
{
    echo Piwik_Translate('Login_LoginPasswordNotCorrect');
}

If the login is successful, "authenticateAndRedirect" just redirects to $_REQUEST['url'] and exits. Otherwise the authenticate method prints an error to the user. authenticateAndRedirect never returns (it actually does not return anything at all), and even if it did, $authenticated would be NULL.

logme as a function name is not very descriptive. I can't think of a better name right now, but it should be changed.
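To make the control flow described above concrete, here is an added illustrative model (not Piwik's own Login/Controller.php); redirectAndExit(), checkCredentials() and the hard-coded credential are assumptions for the example, while logme() and authenticateAndRedirect() mirror the names from the issue:

```php
<?php
// Illustrative model of the issue, not Piwik code. The point: the callee either
// exits the request (success) or prints the error itself (failure), and has no
// return statement, so the caller's `=== false` branch can never execute.

function redirectAndExit(string $url): void
{
    header('Location: ' . $url);
    exit;                                   // success path never returns
}

// Assumed stand-in for the real credential check (constructed sample values).
function checkCredentials(string $login, string $password): bool
{
    return $login === 'demo' && $password === md5('demo-password');
}

// Mirrors the described behaviour: no return statement at all, so the call
// expression always evaluates to NULL.
function authenticateAndRedirect(string $login, string $password, string $urlToRedirect)
{
    if (checkCredentials($login, $password)) {
        redirectAndExit($urlToRedirect);
    }
    echo 'Login_LoginPasswordNotCorrect';   // failure path is reported here
}

// Before the fix: dead code. On success the request has already exited; on
// failure $authenticated is NULL, and NULL === false is never true.
function logmeBefore(string $login, string $password, string $url): void
{
    $authenticated = authenticateAndRedirect($login, $password, $url);
    if ($authenticated === false) {
        echo 'Login_LoginPasswordNotCorrect';   // unreachable
    }
}

// After the fix: delegate and let the callee own both outcomes. Strict
// comparison against a function with no return value is a classic source of
// silently dead error handling, which is worth flagging in review.
function logmeAfter(string $login, string $password, string $url): void
{
    authenticateAndRedirect($login, $password, $url);
}

logmeAfter($_REQUEST['login'] ?? '', $_REQUEST['password'] ?? '', $_REQUEST['url'] ?? '/');
```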

Fabian Becker
Collaborator

Another thought: Shouldn't logme() use tokenAuth to authenticate a user instead of the md5 hashed password? The password hash is definitely better to brute-force than the tokenAuth.

Anthon Pang
Collaborator

I agree with removing the unreachable if{} block.

It's debatable whether switching to token_auth is more/less secure overall, but I agree it might be better against a dictionary attack. It's a compat buster, so I'll defer to Matthieu.

Anthon Pang
Collaborator

(In [2258]) fixes #1402 - remove unreachable if{} block; switching to token_auth is a wontfix as token_auth is intended for the API; logme() is a formless login which mirrors the form login, i.e., piwik_auth cookie and server-side session

halfdan added this to the Piwik 0.6.3 milestone
This issue was closed.