How to fetch current user password from session variables

Previous topic

Developer

Next topic

Author	Message
Elena Ivanova	Saturday 23 August 2008 4:18:32 am Hello, I'm dealing with a small extension and I need to fetch the current user password in my php script. I tried with: $currentUser =& eZUser::currentUser(); $currentUserPass = $currentUser->attribute( "password_hash" ); but it doesn't work for me, because of using LDAP for user authentication. Can I fetch current user password from session variables in some way? Thanks.
Xavier Gouley	Monday 25 August 2008 2:52:53 am Hi, Just used the LDAP for user authentication, I can say that the password is not stored in eZpublish : When a user try to login, the login / password is sent to LDAP for authentication. If LDAP reply with a positive answer, the eZuser (in eZpublish) is logged in, and updated with such elements like First Name, Last Name, groups, but NO password is put in the eZuser. In fact, the password is encrypted in LDAP (for my case it is, but check your LDAP), so there is no possibilities to retrive password form LDAP (it is not really secure I think). The password is natively not stored in the session vars also. The only possibility you have is to implement you own login handler (copy the LDAP one, and modify it) to store password elsewhere (at this step, the password is not encrypted yet). But caution, for security reasons, you have to put it on the server side only ($_SESSION could be a good way, but keep an eye on other eZ extensions that can see it, in clear). Good luck. Xavier Gouley http://www.gxapplications.com/eng_blog/GX-Admin-s-Blog/
Elena Ivanova	Monday 25 August 2008 10:57:20 am Hello Xavier, Many thanks for your answer. >When a user try to login, the login / password is sent to LDAP for authentication. If LDAP reply with a positive answer, the eZuser (in eZpublish) is logged in... If I understand you correctly - in terms of LDAP it means that this positive answer from LDAP comes if this user is binded with his/her username&password. Am I right? Best regards, Elena

Author

Message

Elena Ivanova

Saturday 23 August 2008 4:18:32 am

Hello,

I'm dealing with a small extension and I need to fetch the current user password in my php script. I tried with:

$currentUser =& eZUser::currentUser();
$currentUserPass = $currentUser->attribute( "password_hash" );

but it doesn't work for me, because of using LDAP for user authentication.

Can I fetch current user password from session variables in some way?

Thanks.

Xavier Gouley

Monday 25 August 2008 2:52:53 am

Hi,

Just used the LDAP for user authentication, I can say that the password is not stored in eZpublish :

When a user try to login, the login / password is sent to LDAP for authentication. If LDAP reply with a positive answer, the eZuser (in eZpublish) is logged in, and updated with such elements like First Name, Last Name, groups, but NO password is put in the eZuser.

In fact, the password is encrypted in LDAP (for my case it is, but check your LDAP), so there is no possibilities to retrive password form LDAP (it is not really secure I think). The password is natively not stored in the session vars also.

The only possibility you have is to implement you own login handler (copy the LDAP one, and modify it) to store password elsewhere (at this step, the password is not encrypted yet). But caution, for security reasons, you have to put it on the server side only ($_SESSION could be a good way, but keep an eye on other eZ extensions that can see it, in clear).

Good luck.

Xavier Gouley
http://www.gxapplications.com/eng_blog/GX-Admin-s-Blog/

Elena Ivanova

Monday 25 August 2008 10:57:20 am

Hello Xavier,

Many thanks for your answer.

>When a user try to login, the login / password is sent to LDAP for authentication. If LDAP reply with a positive answer, the eZuser (in eZpublish) is logged in...

If I understand you correctly - in terms of LDAP it means that this positive answer from LDAP comes if this user is binded with his/her username&password. Am I right?

Best regards,
Elena