From ab089872476248eace8080cb11dfae22312b038d Mon Sep 17 00:00:00 2001
From: Taylor Otwell
Date: Thu, 16 Jun 2011 19:51:32 -0500
Subject: [PATCH] improving auth class comments.
---
 system/auth.php | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/system/auth.php b/system/auth.php
index 00bb3e11..817e0a84 100644
--- a/system/auth.php
+++ b/system/auth.php
@@ -34,7 +34,9 @@ public static function check()
 public static function user()
 {
 // -----------------------------------------------------
- // Verify that sessions are enabled.
+ // Verify that sessions are enabled. Since the user ID
+ // is stored in the session, we can't authenticate
+ // without a session driver specified.
 // -----------------------------------------------------
 if (Config::get('session.driver') == '')
 {
@@ -64,19 +66,18 @@ public static function login($username, $password)
 {
 $model = static::model();
- // -----------------------------------------------------
- // Get the user by username.
- // -----------------------------------------------------
 $user = $model::where(Config::get('auth.username'), '=', $username)->first();
 if ( ! is_null($user))
 {
 // -----------------------------------------------------
- // Hash the password.
+ // Hash the password. If a salt is present on the user
+ // record, we will recreate the hashed password using
+ // the salt. Otherwise, we will just use a plain hash.
 // -----------------------------------------------------
 $password = (isset($user->salt)) ? Hash::make($password, $user->salt)->value : sha1($password);
- if ($user->password == $password)
+ if ($user->password === $password)
 {
 static::$user = $user;
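Review bot: The fallback branch in login() verifies accounts without a salt against a bare `sha1($password)`, a fast unsalted digest, so a leaked user table can be tested offline cheaply and identical passwords share one hash; the new comment documents this path but does not mark it as legacy. The switch to `===` closes PHP's loose string comparison, yet the check can still return at the first differing byte; where the runtime has it, `if (hash_equals((string) $user->password, $password))` compares in constant time. Longer term, store passwords with `password_hash()` and verify with `password_verify()`, rehashing unsalted records after a successful login. What `Hash::make` does with the salt is not visible here, and login() continues past the end of the hunk.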
@@ -96,7 +97,13 @@ public static function login($username, $password)
 */
 public static function logout()
 {
+ // -----------------------------------------------------
+ // By removing the user ID from the session, the user
+ // will no longer be considered logged in on subsequent
+ // requests to the application.
+ // -----------------------------------------------------
 Session::forget(static::$key);
+ static::$user = null;
 }
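Review bot: logout() drops only the user-ID key, so as far as this hunk shows the session identifier and any other session data stay valid after logout, which the new comment's "no longer considered logged in" wording can hide. If the Session class offers a way to rotate or destroy the session, call it here (and after a successful login) so an identifier captured earlier stops being useful. The comment also covers only the `Session::forget` line; a short line such as `// Clear the cached user so the current request sees the logout too.` above `static::$user = null;` would document the second statement, assuming user() reads that cached property.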