Mastering the Security component's authentication mechanism



Sorry, but I found this talk too much "for dummies", and this had nothing to do with "mastering" as the title suggests.

To be honest, I found this to be a mixed bag. Some parts of it, particularly the concept slides, were quite useful and put good definitions on some concepts in the security component.

I did, however, find the interactivity part of the session to be unnecessary, particularly as many of the questions had multiple correct answers or depended on specific vendor API knowledge (e.g. differences in the OAuth implementation between Google+ and Facebook). In all, I think a regular talk would have worked better.

I was also a little alarmed that a talk about authentication in the security component skips over some authentication security issues. Most people probably already know that HTTP Basic Authentication is not a secure authentication mechanism unless using SSL, but it's still worth mentioning. However, sending passwords as query parameters is never a good idea because query parameters are usually logged by web servers (on both HTTP and HTTPS) and by proxies (on HTTP).

Oh, and as a side note, the header for HTTP Basic authentication is Authorization, but the ServerBag adds PHP_AUTH_USER and PHP_AUTH_PW, even though they're not actually headers, but rather PHP-specific CGI environment variables. ;)

All in all, the talk has potential, but I find it could use some reworking to fulfill it.

A very good talk, I really liked the interaction with the public, with questions and music!

Fully agree with @Marius B - too little content about "mastering".

Like others, I found it was more an introduction than a mastering.
But anyway, I liked the way the presentation was done. Switching from slides to a detailed example on each pull request was a great idea. And it's cool when you want to re-read what you've done afterwards.

I really liked the way you organized this talk - more like a fast workshop than a one-way speech. The problem was that the title said "mastering" while in fact it was an introduction - however, it was perfect for me.

BTW, I had a strange feeling when you were talking about passing the password as a query parameter ;)

Anonymous at 10:31 on 16 Dec 2013

I liked this talk very much. The concept of the talk was different from the other talks and it was very interesting.

This is a very complex subject, but Joseph explained it very well. The source code on GitHub with the comments was a bit confusing. Probably showing it in the IDE with a bigger font would be easier to follow.