
This queue is for tickets about the Apache2-AuthCookieDBI CPAN distribution.

Report information
The Basics
Id: 79335
Status: open
Priority: 0/
Queue: Apache2-AuthCookieDBI

People
Owner: Nobody in particular
Requestors: ccolumbu [...] gmail.com
Cc:
AdminCc:

Bug Information
Severity: Normal
Broken in: 2.16
Fixed in: (no value)



Subject: Missing user exists check
There used to be an error if the user was not in the mysql table; that check seems to be missing. This is how I think it could be added (I tested this), but you may have another idea of how to add that check. I suggest adding this code to the authen_cred sub after the password length check:

# Check that the user exists:
if ( !$class->user_exists( $r, $user ) ) {
    my $message = "${class}\tNo such user '$user', for auth realm $auth_name.";
    $class->logger( $r, Apache2::Const::LOG_NOTICE, $message, $user,
        LOG_TYPE_AUTH, $r->uri );
    return;
}

Then add this subroutine to the code as well:

sub user_exists {
    my ( $class, $r, $user ) = @_;
    my %c   = $class->_dbi_config_vars($r);
    my $dbh = $class->_dbi_connect($r) || return;
    my $sql_query = <<"SQL";
SELECT $c{'DBI_UserField'}
FROM $c{'DBI_UsersTable'}
WHERE $c{'DBI_UserField'} = ?
SQL
    my $sth = $dbh->prepare_cached($sql_query);
    $sth->execute($user);
    # Fetch a row instead of relying on $sth->rows: for SELECT statements
    # DBI does not guarantee a row count before the rows are fetched.
    my ($found) = $sth->fetchrow_array;
    $sth->finish();
    return defined $found ? 1 : 0;
}
This adds an extra SQL query and in some ways duplicates _get_crypted_password which of course will return false if the user is not in the database. Is your intention here to get more fine-grained logging on failed authentications?
Subject: Re: [rt.cpan.org #79335] Missing user exists check
Date: Sun, 09 Sep 2012 14:17:42 -0700
To: bug-Apache2-AuthCookieDBI [...] rt.cpan.org
From: Chad <ccolumbu [...] gmail.com>
Yes, I am looking for more fine-grained logging on failed authentications. I was trying to log in and kept getting bad password, but really I had misspelled the user name. So the fact that the error message returns a different error than the actual problem made it harder to diagnose.

Additionally, if the user name is not in the DB, I might want to redirect to a different page, like a "registration" page instead of a "forgot password", but that is secondary (and could potentially allow a bad guy to figure out if a user name is valid).

While we are on the subject of multiple DB calls, I noticed that in 2.16 each time you go to the DB you make a new _dbi_connect call. There is one open/close for each of these:

  _get_crypted_password
  _get_new_session
  group
  user_is_active

I am not sure if that was the case in the older version or not, but is there a reason you don't just create a "global to the package" DB connection and keep the connection open, then when a second call comes to _dbi_connect you simply return the existing open connection, instead of one open/close per check? I am not an OOP or mod_perl developer, I am strictly CGI/procedural, so please forgive me if there is an obvious answer.

On 9/9/2012 9:11 AM, Matisse Enzer via RT wrote:
> <URL: https://rt.cpan.org/Ticket/Display.html?id=79335 >
>
> This adds an extra SQL query and in some ways duplicates _get_crypted_password which of
> course will return false if the user is not in the database.
>
> Is your intention here to get more fine-grained logging on failed authentications?
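The two points the thread raises (distinguishing "no such user" from "bad password" in the server log without handing the client an enumeration oracle, and reusing one DB connection instead of an open/close per check) can be shown together in one stand-alone script. This is an added example, not code from Apache2-AuthCookieDBI or from either poster. It assumes DBD::SQLite is installed and builds its own in-memory users table; the %c config hash, the table and column names, the Digest::SHA stand-in for the module's configurable password encryption, and the @auth_log array standing in for $class->logger are all assumptions made for the example.

```perl
#!/usr/bin/perl
# Added example, not Apache2-AuthCookieDBI code.  Assumptions: DBD::SQLite
# is available; %c mimics _dbi_config_vars($r); sha256 stands in for the
# module's password encryption; @auth_log stands in for $class->logger.
use strict;
use warnings;
use DBI;
use Digest::SHA qw(sha256_hex);

my %c = (
    DBI_DSN           => 'dbi:SQLite:dbname=:memory:',
    DBI_UsersTable    => 'users',
    DBI_UserField     => 'user',
    DBI_PasswordField => 'password',
);

# One connection per process, reused by every check.  DBI->connect_cached
# returns the same live handle for identical connect arguments and only
# reconnects when the cached handle has gone stale.  Under mod_perl,
# Apache::DBI gives the same effect by overriding DBI->connect.
sub dbh {
    return DBI->connect_cached( $c{DBI_DSN}, '', '',
        { RaiseError => 1, AutoCommit => 1 } );
}

# Constructed sample data: a single account.
sub setup_db {
    my $dbh = dbh();
    $dbh->do( "CREATE TABLE $c{DBI_UsersTable} "
            . "($c{DBI_UserField} TEXT PRIMARY KEY, $c{DBI_PasswordField} TEXT)" );
    $dbh->do( "INSERT INTO $c{DBI_UsersTable} VALUES (?, ?)",
        undef, 'alice', sha256_hex('correct horse') );
}

# One SELECT tells "no such user" (undef) apart from "row found", so no
# separate user_exists() query is needed.  Only the config-controlled
# identifiers are interpolated; the user name is bound as a placeholder.
sub get_crypted_password {
    my ($user) = @_;
    my $sth = dbh()->prepare_cached(
        "SELECT $c{DBI_PasswordField} FROM $c{DBI_UsersTable} "
      . "WHERE $c{DBI_UserField} = ?" );
    $sth->execute($user);
    my ($crypted) = $sth->fetchrow_array;    # undef when the row is missing
    $sth->finish;
    return $crypted;
}

# Returns the user name on success and an empty list on failure, like
# authen_cred, but records the real reason server-side only.  The caller
# sees one generic failure for both cases, so the extra logging does not
# let a client probe which user names exist.
my @auth_log;
sub authen_cred {
    my ( $user, $password ) = @_;
    my $stored = get_crypted_password($user);
    if ( !defined $stored ) {
        push @auth_log, "No such user '$user'";
        return;
    }
    # Plain 'ne' is not constant-time; a real deployment would use the
    # module's configured encryption type and a constant-time compare.
    if ( sha256_hex($password) ne $stored ) {
        push @auth_log, "Bad password for user '$user'";
        return;
    }
    return $user;
}

setup_db();
for my $try ( [ 'alice', 'correct horse' ], [ 'alcie', 'correct horse' ],
              [ 'alice', 'wrong' ] ) {
    my ( $u, $p ) = @$try;
    my $ok = authen_cred( $u, $p );
    printf "%-6s %-14s -> %s\n", $u, $p, $ok ? 'ok' : 'authentication failed';
}
print "server log:\n";
print "  $_\n" for @auth_log;
# Both calls hand back the cached handle: no second open/close.
print 'one connection reused: ', ( dbh() == dbh() ? 'yes' : 'no' ), "\n";
```

Run it with `perl example.pl`. The two failing attempts print the same "authentication failed" text, while the server log shows "No such user 'alcie'" and "Bad password for user 'alice'", which is the diagnosis the reporter wanted without the enumeration side effect; the last line confirms that connect_cached returned the same handle each time.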