Custom Authentication Error Message in Yii


If you followed the instructions in Create a Web Application with yiic in TurnKey Linux to generate a web application, you can customize its authentication error messages. How Login is handled in Yii Framework explains how authentication works in a generated web application.

Model: LoginForm.php

LoginForm is a class declared in /protected/models/LoginForm.php.

The public method authenticate() of class LoginForm compares the value returned by the public method authenticate() of the UserIdentity instance. We need to change that check from a simple "is it ERROR_NONE?" test to a comparison against the other constants declared in CBaseUserIdentity.

Where are the constants

UserIdentity is a class declared in /protected/components/UserIdentity.php.

These error codes are set by the public method authenticate() of the UserIdentity instance, but they are not defined in UserIdentity.php. Therefore, I checked the parent class CUserIdentity.

Partial source code of class UserIdentity:

class UserIdentity extends CUserIdentity

CUserIdentity is a class declared in /usr/local/share/yiiframework/framework/web/auth/CUserIdentity.php.

They are still not there, so go one level up and check its parent class CBaseUserIdentity.

Partial source code of class CUserIdentity:

class CUserIdentity extends CBaseUserIdentity

CBaseUserIdentity is a class declared in /usr/local/share/yiiframework/framework/web/auth/CBaseUserIdentity.php.

Now we have found them. These constants are declared in CBaseUserIdentity.

Partial source code of class CBaseUserIdentity:

abstract class CBaseUserIdentity extends CComponent implements IUserIdentity
{
        // Error codes stored in $errorCode after authenticate() runs
        const ERROR_NONE=0;
        const ERROR_USERNAME_INVALID=1;
        const ERROR_PASSWORD_INVALID=2;
        const ERROR_UNKNOWN_IDENTITY=100;
        // ... remaining members of the class omitted
}

Custom Error Message


This is where we need to customize the error message. We need to modify lines 6 and 7 of the method below so that a different message is displayed for ERROR_USERNAME_INVALID and for ERROR_PASSWORD_INVALID.

Source code of public method authenticate() in class LoginForm:

public function authenticate($attribute,$params)
{
    if(!$this->hasErrors())
    {
        $this->_identity=new UserIdentity($this->username,$this->password);
        if(!$this->_identity->authenticate())   // line 6: any failure code
            $this->addError('password','Incorrect username or password.');   // line 7: one message
    }
}

Line 6 calls the public method authenticate() of the UserIdentity instance. That call sets the public property $errorCode after comparing the credentials. $errorCode is inherited from CBaseUserIdentity, which is the parent class of CUserIdentity.

Modified source code of public method authenticate() in class LoginForm:

public function authenticate($attribute,$params)
{
    if(!$this->hasErrors())
    {
        $this->_identity=new UserIdentity($this->username,$this->password);
        $this->_identity->authenticate();   // sets $this->_identity->errorCode
        if($this->_identity->errorCode==UserIdentity::ERROR_USERNAME_INVALID)
            $this->addError('password','Incorrect user name.');
        if($this->_identity->errorCode==UserIdentity::ERROR_PASSWORD_INVALID)
            $this->addError('password','Incorrect password.');
    }
}

Thoughts

I found that Custom Login Error Messages has a very detailed explanation of customizing error messages. It should be helpful, too.

For security reasons, it is better to keep the same error message for a wrong username and/or password. It slows down attackers trying to find the right combination.
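The two halves of the flow described above, the UserIdentity that sets $errorCode and the LoginForm that maps the code to a message, put together as an added example. This is not the generated application's code or the Yii project's own: it assumes Yii 1.1 and PHP 5.5+ (for password_hash/password_verify), uses a constructed in-memory user store in place of a database lookup, and adds a $genericErrors switch so the per-code messages can be enabled for debugging while the single generic message (the safer default) is what users normally see. The specific failure code is always written to the Yii log so that failed logins can still be monitored server-side.

```php
<?php
// Added example (not the page's or Yii's own code). Assumes Yii 1.1 with
// CUserIdentity/CFormModel available and PHP >= 5.5 for password_verify().

class UserIdentity extends CUserIdentity
{
    private $_id;

    // Constructed sample store standing in for a database user table.
    private static function findPasswordHash($username)
    {
        static $users = null;
        if ($users === null) {
            $users = array(
                'demo' => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
            );
        }
        return isset($users[$username]) ? $users[$username] : null;
    }

    // Sets $this->errorCode to one of the CBaseUserIdentity constants and
    // returns true only for ERROR_NONE, which is what LoginForm relies on.
    public function authenticate()
    {
        $hash = self::findPasswordHash($this->username);
        if ($hash === null) {
            // Verify against a dummy hash so unknown and known usernames
            // take a similar amount of time to reject.
            password_verify($this->password, password_hash('dummy', PASSWORD_DEFAULT));
            $this->errorCode = self::ERROR_USERNAME_INVALID;
        } elseif (!password_verify($this->password, $hash)) {
            $this->errorCode = self::ERROR_PASSWORD_INVALID;
        } else {
            $this->_id = $this->username;
            $this->errorCode = self::ERROR_NONE;
        }
        return $this->errorCode == self::ERROR_NONE;
    }

    public function getId()
    {
        return $this->_id;
    }
}

class LoginForm extends CFormModel
{
    public $username;
    public $password;
    public $rememberMe;
    private $_identity;

    // true: one generic message for every failure (recommended);
    // false: distinct messages per error code (hypothetical switch, for debugging).
    public $genericErrors = true;

    public function rules()
    {
        return array(
            array('username, password', 'required'),
            array('rememberMe', 'boolean'),
            array('password', 'authenticate'),   // inline validator below
        );
    }

    public function authenticate($attribute, $params)
    {
        if ($this->hasErrors()) {
            return;
        }
        $this->_identity = new UserIdentity($this->username, $this->password);
        $this->_identity->authenticate();
        $code = $this->_identity->errorCode;
        if ($code == UserIdentity::ERROR_NONE) {
            return;
        }

        // Always record the precise reason server-side for monitoring,
        // whatever the user is shown.
        Yii::log(sprintf('Login failed for "%s" from %s: errorCode=%d',
            $this->username, Yii::app()->request->userHostAddress, $code),
            CLogger::LEVEL_WARNING, 'application.auth');

        $messages = array(
            UserIdentity::ERROR_USERNAME_INVALID => 'Incorrect user name.',
            UserIdentity::ERROR_PASSWORD_INVALID => 'Incorrect password.',
        );
        if ($this->genericErrors || !isset($messages[$code])) {
            $this->addError('password', 'Incorrect username or password.');
        } else {
            $this->addError('password', $messages[$code]);
        }
    }

    public function getIdentity()
    {
        return $this->_identity;
    }
}
```

With $genericErrors left at true the browser sees exactly the original "Incorrect username or password." message, while the 'application.auth' log category still tells you whether the username or the password was wrong, which is the information you want for detecting credential guessing without handing it to the person doing the guessing.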

Reference

  1. Create a Web Application with yiic in TurnKey Linux
  2. How Login is handled in Yii Framework
  3. Yii Framework: Documentation: CBaseUserIdentity
  4. Yii Framework: Documentation: CUserIdentity
  5. Yii Framework: Documentation: Yii 1.1: Custom Login Error Messages