Lithium all rows in cookies, session

Question

Currently after login Lithium stores in session and cookies all rows from users table like password, hash etc. How to remove (don't allow to store) some of the information like password and hash?

Answer 1

Since this commit you can pass an option 'persist' => array('field1','..') to Auth::check, or set them as default in your bootstrap session config, to store only specified fields.

So either you set this in your bootstrap/session.php

Auth::config(array(
    'user' => array(
        'adapter' => 'Form',
        'session' => array(
            'persist' => array('_id','username')
        ),
        'model' => 'Users'
    )
));

or you define the fields, when calling Auth::check() - this will override everything from the config above!

Auth::check('user', $this->request, array(
                'persist' => array('username','email')
            ))

Note: If not defined explicitly the password is never stored by default.

Answer 2

Passing options to Auth::check will get passed down to the adapter as well (plus some extras) -- for this I'm assuming you're using the Form adapter for the Auth class.

Try doing this when you perform your check: Auth::check('config', $data, array('fields' => array('fields', 'you', 'want'))

The key here is that array we tacked on the end with the fields key in it, this will be passed down to the Form adapter which takes in those options and uses them to query your model for a matching user. By telling it explicitly which fields to return, it will only pass those back to the Auth class for storing away.

Answer 3

The Session class stores what you tell it to! After Auth::check is done, you should only store the session identifier and/or absolutely necessary data in the cookie. Also make sure to use the Encryption provided by lithium (AES) out of the box.

For more detailed help, please post your login controller and all appropriate model/filters.