On his blog today Chris Hartjes has a new post about testing your Zend Framework application’s functionality that lives behind a Zend_Auth authentication.
Chris Hartjes’ Blog: Testing Controllers Hiding Behind Zend_Auth
How to avoid Identity Theft in Zend Framework with Zend Auth
While there are many major security issues possible in a web application, there is a particular one that bugged me for some time: identity theft, the "broken account and session management" issue.
Why can one so easily steal my session id cookie and suddenly gain access to my account in one particular web application? I know it is rather impossible to make this 100% hack-proof, but I strongly believe that the system should be improved as much as possible.
Our goal is to implement a Zend Auth extension that adds a new level of security to the previously mentioned class.
This extension – let’s call it Project_Application_Auth – would check the Zend Auth storage for the IP and/or User Agent.
In order to do so, these should be set in the login process in the storage.
If the IP is different from the initial IP recorded at login, and/or the User Agent is not the same as the initial User Agent recorded at login, then our extension would tell us that it is not a secure identity (i.e. it is safe to assume it has been stolen) and thus we should disconnect the user.
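As an added example (not code from the post above), a minimal version of the described extension: it wraps a Zend_Auth storage (the real ZF1 `Zend_Auth_Storage_Interface`, e.g. `Zend_Auth_Storage_Session`), records the client IP and User-Agent alongside the identity at login, and on later requests clears the identity when either no longer matches. The class and method names are assumptions, not the post's.

```php
<?php
// Added example: binds a Zend_Auth identity to the client fingerprint
// captured at login. Class name follows the post; methods are assumed.
class Project_Application_Auth
{
    private $_storage;
    private $_checkIp;
    private $_checkUa;

    public function __construct(Zend_Auth_Storage_Interface $storage,
                                $checkIp = true, $checkUa = true)
    {
        $this->_storage = $storage;  // e.g. new Zend_Auth_Storage_Session()
        $this->_checkIp = $checkIp;
        $this->_checkUa = $checkUa;
    }

    // Fingerprint of the current request; $server is normally $_SERVER.
    private function _fingerprint(array $server)
    {
        return array(
            'ip' => isset($server['REMOTE_ADDR']) ? $server['REMOTE_ADDR'] : '',
            'ua' => isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '',
        );
    }

    // Call once in the login action, after the adapter returned a valid result.
    public function storeIdentity($identity, array $server)
    {
        $this->_storage->write(array(
            'identity' => $identity,
            'bound'    => $this->_fingerprint($server),
        ));
    }

    // Call on every request. Returns true only when an identity exists and the
    // request still comes from the client it was issued to; on a mismatch the
    // identity is cleared, which disconnects the user.
    public function hasSecureIdentity(array $server)
    {
        if ($this->_storage->isEmpty()) {
            return false;
        }
        $data = $this->_storage->read();
        $now  = $this->_fingerprint($server);
        $ok   = isset($data['bound'])
            && (!$this->_checkIp || $data['bound']['ip'] === $now['ip'])
            && (!$this->_checkUa || $data['bound']['ua'] === $now['ua']);
        if (!$ok) {
            $this->_storage->clear();
        }
        return $ok;
    }
}
```

The IP check can log out legitimate users whose address changes mid-session (mobile networks, rotating proxies), which is why the two checks are switchable independently here.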
ZendCasts.com: Logging in Users using Doctrine and Zend_Auth
The next ZendCast in the user authentication with the Zend Framework’s Zend_Auth has been posted to the ZendCasts.com site today. In this new screencast, they look at how to integrate it with Doctrine to automatically validate users against the information in your databases (following up on this first part of the series).
ZendCasts.com: Writing a Zend_Auth_Adapter with Doctrine
New from the ZendCasts.com site today there’s this new screencast looking at the integration of the Zend_Auth_Adapter component of the Zend Framework and the Doctrine ORM library to split out the authentication from the persistence layer.
A simple blog with Zend Framework 1.9
I’ve created a simple application as an example for beginners starting with Zend Framework 1.9. I used the zf command to create the project, so it is somewhat similar to the quickstart directory structure. Many current examples follow the old directory structure, which will confuse a newbie. This is just a simple blog application, missing most of the features of a full blog system such as WordPress. It’s just designed to show how the Zend_Acl, Zend_Auth, and Zend_Form components of Zend Framework are used.
Zend_Acl and MVC Integration Part I (Basic Use)
So, what is wrong with Zend_Acl and the current MVC implementation in the Zend Framework? There is nothing wrong; it is just not obvious to developers how to achieve an optimal integration between these two important parts of the framework.
Login and Authentication with Zend Framework Tutorial
Matthew Weier O’Phinney (Master of the ZF-MVC) has posted a great tutorial on using Zend_Auth and Zend_Form together to build a login form with identity persistence.
Probably one of my favorite aspects of Zend Framework is that you can pull pieces out and use them by themselves without having to build a complete MVC installation. Not that building out a complete installation is difficult, but there are times when you just need a small piece, not the entire puzzle. Zend_Auth is one of those pieces that can be pulled out and used by itself. If you need authentication for an existing application, Zend_Auth may just be the piece you are looking for.
Zend_Acl / Zend_Auth Example Scenario
For those of you who don’t read the Zend Framework mailing list on a daily basis (and for the purposes of this post, I’ll pretend I do), Simon Mundy has posted an example showing how to use the new Zend_Auth and Zend_Acl classes. Click on inside; I’ve got the whole thing laid out nice and neat for you.