Auth::setAdvancedSecurity()

Auth::setAdvancedSecurity() – Enables advanced security features. Turned off by default

Synopsis

void Auth::setAdvancedSecurity ( mixed $flag = true )

Description

Enables advanced security features to make man in the middle attacks and session hijacking much harder. Cookies and java script must be enabled on the client browser for some of these features to function correctly.

Enables the following security features of auth

  • Detection of client ip address change or User-Agent header change if such a change is detected the user will be logged out

  • Each client request a special unique cookie is given to the client. He must present this cookie on his next request. This cookie changes on every request. If client does not present the valid cookie he will be logged out.

  • Enables challenge responce for the default login screen of auth. The user password will be hashed with javascript before sent back to the server. Prevents the user password being stolen using password sniffing tools. Password is hashed with a random key so the md5 hash is not subject to brute force password cracking. This will only work for storage containers which support challenge responce password authenthication. Currently only the DB, MDB and MDB2 containers support this for md5 and clear text passwords

This method is available since 1.3.0

Parameter

mixed $flag

TRUE if you want to enable advanced security features FALSE if you want to disable them.

You also may pass an array if you want to fine-tune security options. TRUE means the following:

<?php
array(
    
AUTH_ADV_USERAGENT => true,
    
AUTH_ADV_IPCHECK   => true,
    
AUTH_ADV_CHALLENGE => true
);
?>

Note

This function can not be called statically.

remove a user account (Previous) Controls if the user will be allowed to login. Turned on by default (Next)
Last updated: Sat, 16 Feb 2019 — Download Documentation
Do you think that something on this page is wrong? Please file a bug report.
View this page in:
  • English

User Notes:

Note by: user@example.com
Auth::setAdvancedSecurity()

The function should give the user more power about WHAT is checked. For example you could need to check that the ip is persistent but the user agent could change.

This is at the moment not possible, either you can use ALL or NONE of the 'advanced security functions'.