Logs for #cakephp

# At Username Text
# Feb 11th, 17:34 phantomwatson If you want to get wacky, you could generate the token by `hash($username . $passwordHash)` in order for that remote possibility of someone deriving the password from the publicly-transmitted authentication token to be even less likely. But whenever people are hashing hashes, people tend to consider that a code smell that indicates that something dumb is happening.
# Feb 11th, 17:34 damiano maybe randomString() there is pointless
# Feb 11th, 17:34 damiano this is what i did: `$entity->token = Security::hash($entity->username . $entity->password . Security::randomString(24), 'sha1', true);`
# Feb 11th, 17:31 damiano @phantomwatson sure!! hehe
# Feb 11th, 17:31 phantomwatson (Assuming usernames must be unique ;) )
# Feb 11th, 17:31 damiano but i must add a salt for sure
# Feb 11th, 17:31 damiano yeah i would like to avoid it, i mean, i would like to save and stop, as @neon1024 said i can hash(user + password) in that way i will surely get a unique token
# Feb 11th, 17:30 phantomwatson If you just need a unique string and that's the only requirement, then you could literally just generate a random string and test it for uniqueness before setting it. That would be perfectly fine for a small user pool, but might cause long database lookups if you have a billion users.
# Feb 11th, 17:30 damiano however if my database gets exposed, they will copy the token and that's all, they can use whatever they want with user token... i am implementing login via user/password, token and cookie
# Feb 11th, 17:28 damiano @phantomwatson but are there any other method to create a safe token ?
# Feb 11th, 17:27 damiano ok @phantomwatson
# Feb 11th, 17:27 damiano UUIDs look insecure to me
# Feb 11th, 17:27 phantomwatson If it's not salted, and if your database gets exposed, and if someone else knows what hashing function you're using and how your inputs are concatenated together, they could theoretically (and easily, if the password is weak) generate a rainbow table of hashes that correspond to different passwords until they find a hash that matches the one stored for that user. Then they'll know what the user's password is. With a long and secret
# Feb 11th, 17:27 slackebot salt, to do the same thing, they would essentially need to guess two passwords at the same time, and one of them is guaranteed to be long enough that it's impractical to ever brute-force it.
# Feb 11th, 17:22 damiano sha256 seems too long for a token
# Feb 11th, 17:21 damiano @phantomwatson otherwise? :)
# Feb 11th, 17:21 phantomwatson @damiano, if you're using a salt that you keep secret, `sha1()` should be sufficient.
# Feb 11th, 17:02 damiano @neon1024 sha1() is enough ?
# Feb 11th, 16:49 damiano i will check if the entity is new and then hash user/password)that
# Feb 11th, 16:49 damiano ok
# Feb 11th, 16:40 neon1024 By hashing data from the object, you’re using unique inputs to generate a unique output was my thought
# Feb 11th, 16:39 neon1024 Hash something from the object id and username or something
# Feb 11th, 16:38 neon1024 No, you’ll still get duplicates
# Feb 11th, 16:37 damiano @neon1024 generate random string and then hash() ?
# Feb 11th, 16:32 neon1024 If you want to avoid duplicates you might consider hashing instead
# Feb 11th, 16:32 neon1024 Which is what a ` do{} while()` loop is for
# Feb 11th, 16:31 neon1024 Sounds like what you mean is. I want to generate random strings and test that they don’t already exist in my dataset
# Feb 11th, 16:31 neon1024 That is the essence of random
# Feb 11th, 16:31 neon1024 A random string will produce the same string
# Feb 11th, 16:30 damiano i am adding it in beforesave
# Feb 11th, 16:30 damiano @neon1024 i do not know what it is using under the hood, there can be collision? as i told you i need random string to use as TOKEN (for authentication)
# Feb 11th, 16:30 neon1024 …but I see it has randomString now :)
# Feb 11th, 16:29 neon1024 I used this and converted to string https://book.cakephp.org/3/en/core-libraries/security.html#getting-secure-random-data
# Feb 11th, 16:24 damiano is it safe using randomString() to create a token?
# Feb 11th, 15:43 sebastian.krzewinski. not to login page
# Feb 11th, 15:43 sebastian.krzewinski. authentication redirect to 404
# Feb 11th, 15:42 sebastian.krzewinski. i cant even log in
# Feb 11th, 15:42 sebastian.krzewinski. authorization
# Feb 11th, 15:42 sebastian.krzewinski. authentication
# Feb 11th, 15:42 dereuromark what part isnt working? can you be more specific on those?
# Feb 11th, 15:41 sebastian.krzewinski. things from doc github about tuts are not work too
# Feb 11th, 15:23 challgren I don't think it's ever been documented, since you're experiencing the issue I would suggest doing a pull request
# Feb 11th, 15:20 damiano however it works!
# Feb 11th, 15:20 damiano @challgren no no the documentation is awesome, it misses the unload part only :)
# Feb 11th, 15:19 sebastian.krzewinski. https://i.imgur.com/W8j3d0Q.png
# Feb 11th, 15:19 sebastian.krzewinski. yea but i dont know .. i can do something wrong there
# Feb 11th, 15:13 pieceof symfony is waitin 4 you
# Feb 11th, 15:08 challgren If you are using an IDE you can always “Go to declaration” and inspect the code from there.
# Feb 11th, 15:07 challgren You’re acting like nothing is documented. If you feel something isn’t documented well please open an issue and/or PR
# Feb 11th, 15:06 damiano @challgren i try there is no documentation
# Feb 11th, 15:00 challgren They don't know there's errors unless they're reported
# Feb 11th, 14:59 challgren Any errors you should report at https://github.com/cakephp/docs and if you can PR the fix
# Feb 11th, 14:54 sebastian.krzewinski. i cant do anything without errors
# Feb 11th, 14:53 sebastian.krzewinski. omg this docs have so many errors
# Feb 11th, 14:48 challgren @damiano I think its `$this->components()->unload('
# Feb 11th, 14:39 lpj145 the answer is, i cannot put simple i18n (default) message for each rule ?
# Feb 11th, 14:39 damiano https://book.cakephp.org/4/en/controllers/components.html there is no doc
# Feb 11th, 14:38 damiano :,(
# Feb 11th, 14:38 lpj145 if i need to put i18n messages on validator i need to install and modify my table to your plugin.
# Feb 11th, 14:37 admad adios
# Feb 11th, 14:37 admad try stuff and figure it out
# Feb 11th, 14:37 damiano if i do not know one ? :)
# Feb 11th, 14:36 admad @damiano that one that works for you
# Feb 11th, 14:36 damiano @admad what is the correct way to unload a component ?
# Feb 11th, 14:36 admad not sure what to make of your question
# Feb 11th, 14:35 dereuromark The same way a black car never can and will be.
# Feb 11th, 14:35 dereuromark Any sane person would know the actual meaning of the word, thus the meaning and why it cannot be racist by definition.
# Feb 11th, 14:35 lpj145 validator have problem to support locale ?
# Feb 11th, 14:34 dereuromark Black driving also isnt.
# Feb 11th, 14:34 dereuromark its not. then that person doesnt understand basic things in life.
# Feb 11th, 14:33 admad then set table's `$_validatorClass` property to my class :)
# Feb 11th, 14:32 admad @lpj145 https://github.com/ADmad/cakephp-i18n/blob/master/src/Validation/Validator.php
# Feb 11th, 14:31 neon1024 I saw a tweet saying that calling it black and white lists is racist.
# Feb 11th, 14:29 lpj145 see: https://book.cakephp.org/3/en/controllers.html
# Feb 11th, 14:29 slackebot <lpj145>
# Feb 11th, 14:27 lpj145 looking for code, i understand what have one message for all entire rules.
# Feb 11th, 14:26 damiano same thing ?
# Feb 11th, 14:26 damiano should i unload it inside initialize() of PagesController or beforeFilter ?
# Feb 11th, 14:26 lpj145 @admad the validation lib have way to put default locale string ?
# Feb 11th, 14:25 damiano got it!
# Feb 11th, 14:25 dereuromark whitelist instead of blacklist :)
# Feb 11th, 14:25 damiano ok, makes sense
# Feb 11th, 14:24 admad it's always safer to secure the app globally and then disable it where not needed
# Feb 11th, 14:24 damiano ok
# Feb 11th, 14:24 damiano :)
# Feb 11th, 14:24 damiano (and obviously move the login/logout outside pagescontroller)
# Feb 11th, 14:23 admad you will surely need authentication at other places too in your app in future :)
# Feb 11th, 14:23 damiano so i can enable it inside the AppController there, no?
# Feb 11th, 14:23 damiano the users dashboard etc..
# Feb 11th, 14:23 damiano i mean, inside that plugin i have all the controllers i need to protect
# Feb 11th, 14:23 damiano @admad but wait one moment, why not in AppController inside the Companies plugin ?
# Feb 11th, 14:22 damiano ok
# Feb 11th, 14:22 damiano @admad ah ok perfect, enable everywhere but inside the pagescontroller i will disable it
# Feb 11th, 14:21 admad @damiano load the component in AppController, put your login logout actions in UsersController instead of PagesController, unload component in PagesController::initialize()
# Feb 11th, 14:21 damiano yeah i have a form in login action
# Feb 11th, 14:21 lpj145 you have Password identifier ?
# Feb 11th, 14:20 lpj145 ok
# Feb 11th, 14:20 damiano but i load the component there because i do not need it for other pagescontroller's actions
# Feb 11th, 14:20 damiano i load it and check if the user is ok or not...if yes i redirect the logged user to protected area
# Feb 11th, 14:20 damiano yes look at the login action()