issue in CakePHP authentication - cakephp

I am using two CakePHP applications. The problem is that when I log in to the first one, I can get into the second one without logging in, by using the same session.
How do I resolve this issue? I am using CakePHP 2.x.

From what you are saying, I understand that you have two applications running on the same server (the default realm for the Auth plugin), and what is happening is that once you log in to one application, the other lets you access the protected locations without needing to log in (I've faced this).
If this is your issue, you can either change the prefixes of the applications in the configuration file app/Config/core.php.
It is one line like this:
<?php [...]
$prefix = 'myapp_';
Change the prefix to another name.
OR
Configure the realm key in the AuthComponent configuration to a value other than 'servername', which is the default.
For this one, check the docs and search for 'realm'.

Related

Cakephp2 : Using multiple authentication manager

I took over the maintenance of a CakePHP app; however, I have never been a Cake developer and I just encountered my first problem.
Currently users log in using a simple form. It is something really simple and looks like this:
$this->Auth->authenticate = array('Form' => array('userModel'=> .....
Whenever I try to access a protected page, I am redirected to the page which implements this login form; this is totally fine and I don't have any problem with that.
However, I have different clients that require different "authentication formats" (if I may say): some want LDAP authentication, others OpenID authentication, others CAS authentication...
I managed to create a working authentication for every "system" by extending BaseAuthenticate and implementing my logic to connect to the app.
Let's take the example of OpenID (which is explained a little in the CakePHP book and on which I base myself: http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html). I have created my OpenIdAuthenticate in app/controller/component/auth and implemented the method, ...
As in the book, I have chosen OpenID as the "main authentication" in my AppController:
$this->Auth->authenticate = array(
AuthComponent::ALL => array('userModel' => 'Member'),
'OpenId',
'Form'
);
For CAS I have the same with Cas instead of OpenId, and whenever I try to access a protected page I am redirected to my CAS server, where I log in and am then logged in to the Cake application (so no problem).
I have also created another method in my user controller in case the external authentication is broken (if we have any problem, it will probably still be useful to be able to log in for maintenance).
To do so I created an adminLogin method (+ the .ctp view file) where I "forced" the original Form authentication by doing as it was written before:
public function adminLogin() {
$this->Auth->authenticate = array('Form' => array('userModel'=> .....
if ($this->request->is('post')) {
//rest of the logic
}
}
Whenever I request the URI /users/adminLogin, I am using the classic authentication system and have access to all the protected pages, bypassing the external authentication.
First question: is it recommended to do something like that? The only goal is to have access to the content of the app as long as our database is up (just in case).
Now comes the part for which I still haven't found the solution. As I said, I have different clients with different needs and I don't want to have the classic version hosted for client X, the OpenID one for Y and the LDAP one for Z. I would like the same application everywhere, and it will be up to the client to use whichever system he wants.
This means I want to be able to change the authentication method dynamically. What I would like to do is create a page (only available to the administrator, obviously) where it will be possible to choose between all the supported systems and configure the chosen one.
For example, if I choose LDAP, I will have to give the IP, port, reading user and password, DN, filter, etc. If I choose CAS, the URL, port, ... (you understood).
And when I press the submit button, my authentication system has changed (except for the adminLogin page).
This is where I would like you to help me find a way to do so. I tried to create a global variable when I click on submit using
Configure::write('SystemUsed','LDAP');
And in my AppController, in beforeFilter(), I tried to do:
if (Configure::read('SystemUsed') == 'LDAP') {
    $this->Auth->authenticate = array(...);
} else if (Configure::read('SystemUsed') == 'OpenId') {
    $this->Auth->authenticate = array(...);
}
etc. But it is not working: the variable becomes null after the submit, and it doesn't look like a clean way to do it.
Can anyone help me, please?
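One way to make the administrator's choice survive beyond the request that submitted it, as an added example that is not part of the question: persist the selection to a config file with Configure::dump (CakePHP 2.2+ assumed), load that file in bootstrap, and build $this->Auth->authenticate from it in beforeFilter while keeping adminLogin on the plain Form backend. The file name auth_settings, the Settings controller, the Member model and the per-backend option arrays are assumptions.

```php
<?php
// app/Config/bootstrap.php (assumed): Configure::write() only lives for the current request,
// which is why the value read NULL after the submit. Load the persisted choice instead.
App::uses('PhpReader', 'Configure');
Configure::config('default', new PhpReader());
try {
    Configure::load('auth_settings', 'default'); // app/Config/auth_settings.php
} catch (ConfigureException $e) {
    // Nothing persisted yet: fall back to form login until an administrator chooses a backend.
    Configure::write('AuthSystem', array('used' => 'Form', 'options' => array()));
}

// AppController (assumed): pick the authenticate chain from the persisted setting.
class AppController extends Controller {
    public $components = array('Auth', 'Session');
    // Only backends that actually exist as *Authenticate classes may be selected; this keeps
    // the stored value from naming an arbitrary class.
    public static $allowedBackends = array('Form', 'Ldap', 'OpenId', 'Cas');

    public function beforeFilter() {
        // The maintenance login keeps the plain Form backend regardless of the setting.
        if ($this->request->params['controller'] === 'users'
            && $this->request->params['action'] === 'adminLogin') {
            $this->Auth->authenticate = array('Form' => array('userModel' => 'Member'));
            return;
        }
        $system = Configure::read('AuthSystem.used');
        if (!in_array($system, self::$allowedBackends, true)) {
            $system = 'Form';
        }
        $options = (array)Configure::read('AuthSystem.options'); // host, port, DN, filter, ...
        $this->Auth->authenticate = array(
            AuthComponent::ALL => array('userModel' => 'Member'),
            $system => $options, // e.g. LdapAuthenticate in app/Controller/Component/Auth
            'Form',
        );
    }
}

// Admin-only action (assumed) that persists the selection so later requests see it.
class SettingsController extends AppController {
    public function choose() {
        if ($this->request->is('post')) {
            $chosen = $this->request->data['Settings']['system'];
            if (!in_array($chosen, AppController::$allowedBackends, true)) {
                throw new BadRequestException('Unknown authentication backend');
            }
            Configure::write('AuthSystem', array(
                'used' => $chosen,
                'options' => (array)$this->request->data['Settings']['options'],
            ));
            Configure::dump('auth_settings', 'default', array('AuthSystem')); // writes app/Config/auth_settings.php
        }
    }
}
```

The dumped file contains the LDAP/CAS connection details in clear text, so it belongs outside the web root with permissions restricted to the web server user.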

Cakephp and opauth login problems

Currently I'm trying to implement the Opauth plugin for CakePHP found here, using the Facebook strategy at present. I've followed the instructions; however, when I attempt to log in using my Facebook account I am redirected to the login page. What I have noticed is that the authentication is occurring and is successful using $this->Auth->login($user), where $user is an array of the user's stored information, but on redirection the login function of my UserController is called and I'm returned to the login page. Any ideas? Thanks in advance!
So I figured it out. Turns out it's a config setting; I noticed it while staring at his commit comments on GitHub. In the config of the plugin, the default option for the callback transport was changed from session (losing the session was my issue) to post. The change can be seen here. After making that change to the config everything worked.

Cannot be authenticated on two separared CakePHP applications on same server

I have two different CakePHP-based applications on the same server. They are placed in separate directories, and each of them uses its own database. Also, they both have authentication implemented. So (in my opinion) they are fully independent.
The problem I have is that I cannot be logged in at the same time in both applications (in the same browser).
Can you help me with what I'm doing wrong in this case, and how I can be authenticated in both of them at the same time?
Try to change the Session.save variable in app/config/core.php. The default is 'php', so change it to 'cake'. This will make CakePHP store the session variables in the app/tmp/sessions directory. Remember to give write permissions to this folder. Also make sure that both apps have different Security.salt keys in the same config file.

apex how to login to another application from link in one application?

I have two applications in my workspace, APP 1 and APP 2.
In my case, the user will log in to APP 1. From there, I put a menu (or a link) to APP 2. However, APP 2 requires authentication, so it will take me to a login page. I would like to eliminate that and get the current user's credentials from APP 1 and log in to APP 2.
I'm looking for a simple, straightforward method (but one that needs to consider security) to log in to APP 2.
What I could think of is apex_collection: I could store credentials and use them to create a login process for APP 2. However, apex_collection is session based. Even though I've set the session for APP 2, it still won't read values from my apex_collection.
Does anyone have a suggestion or a solution?
All you need to do is use the same authentication scheme in both applications and set the cookie name attribute to the same value in both authentication schemes like this:
APEX will then use the same session across the two applications and the user will not have to log in again when they navigate from one to the other, provided of course that you pass the SESSION_ID in the URL.
A Few Comments on Default APEX Workspace Authentication Security
It may also be helpful to expand on an explanation of why the solution posted by @TonyAndrews works.
For any APEX apps within the same workspace, if they use the default "APEX Application Authentication" method, they will consult the same authentication user list... so USER1 and its password is a valid login for any of the "neighboring" applications...
This may be a concern if you are hosting different clients or users that should not be intermingling with the other applications. You can also define user GROUPS in the same place where you set up each workspace user. Each application can have its own security filter that permits access by BOTH user/password authentication AND membership in the appropriate access group.
Sharing workspaces may also be a problem because of the unique user name restriction of a single workspace. You can get around that by defining different name-spaces for each application:
Email addresses are good: "someuser@sampledomain.com"
An app id prefix such as: SHOP_EDNA, SHOP_GARRETT, TC_KAREN, TC_MARLOWE, MY_BORIS etc.
Different name styles: first name only, first name + last initial, etc.
To keep things simple, you can always just spin up a brand new workspace; a warning, however, is that common user names like `ADMIN` are NOT the same between separate workspaces. There shouldn't be much concern, however, because apps or workspace users may have the same or different schema access privileges to the database back end.
A Word of Caution to Administrators and Developers:
When you go live with an application or multiple applications on a user-facing system, keep in mind the deployment destination (i.e., the workspace) and what else is sharing that workspace. There are some real situations where apps are not intended to be shared or accessed by other "inside" users. Be sure to read up and understand the security constraints and methods of using Default Apex Authentication security so that it's more than luck that protects your own production/live deployed applications.
I have a similar requirement, linking from one application page to another.
Tried the above-mentioned solution, but it is still asking me to log in to the second application. My APEX version is 5.0.3 and I am trying in the same workspace.
Created new authentication schemes for each app with the same cookie name and set them as the current authentication. The scheme type is Application Express accounts.
Setting the link as below from the first app page to the second.
href="http://servername:port/apex/f?p=224:2:&APP_SESSION"
Could anyone provide a solution, please?
Just an update on this.
I am currently using v21.2 and this is how I do it:
In both applications, go to Shared Components > Authentication Schemes > (Select your Auth Scheme);
Scroll down to Session Sharing and select 'Workspace Sharing';
In one of the applications (source), create a link (as a Navigation Bar List entry, for example) like f?p=173:1:&SESSION., where 173 is the target application ID and 1 is the target page.
After some research, I've found out that this feature (Session Sharing Type) is available since v18 of APEX.

CakePHP - Login collision

I'm working on some projects (all in CakePHP) and I found an issue. The problem is that when I'm logged in to one system and I try to log in to another one with the SAME USERNAME, it logs me in to the second one and logs me out of the first one. The problem only appears when I try it with the same user name. I have different Security.salt and Security.cipherSeed variables.
Can anyone help me? Thank you very much.
Are you using the same Session Name in all your apps?
Edit:
What about the cookie name? Maybe you are using the same name and same domain, thus every time you login you rewrite the cookie. I would change the name of the cookie in every app.
Edit your core.php
Configure::write('Session.cookie', "app1");//app2, app3, etc
You can set the session path for different projects in AppController or UsersController:
function beforeFilter() {
$this->Session->path = '/projectname/';
}
So each time the session path will be different for a different project and will not conflict in the login process.
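The fixes spread over the three CakePHP threads above (cache prefix, session cookie name and storage, salt and cipher seed) collected into one app/Config/core.php fragment for one of the applications; this is an added example rather than code from any of the posts, and the app name "app1", its URL prefix /app1 and the placeholder secrets are assumptions. The second application gets the same fragment with every value changed.

```php
<?php
// app/Config/core.php of the FIRST application (assumed name "app1", served under /app1).
// Each value below must differ from the second application's core.php: whatever two
// CakePHP 2.x apps on one host share (cookie name, session store, cache keys) is a path
// for one app's login state to be presented to the other.

// Cache key prefix. The stock 'myapp_' makes both apps read and write the same entries
// in a shared cache backend; give each app its own.
$prefix = 'app1_';

// Session cookie and storage. The default cookie name is CAKEPHP and the 'php' defaults
// keep session files in PHP's server-wide save path, so both apps receive the same
// session id and open the same session file. A distinct cookie name, a cookie path
// scoped to this app's URL prefix and per-app storage ('cake' = app/tmp/sessions,
// writable by the web server user) remove all three points of contact.
Configure::write('Session', array(
    'defaults' => 'cake',
    'cookie'   => 'app1_session',
    'ini'      => array(
        'session.cookie_path'     => '/app1/',  // drop if the app is not under its own prefix
        'session.cookie_httponly' => true,
    ),
));

// Salt and cipher seed feed password hashing and the Security utility; generate fresh
// values for every application instead of keeping the ones shipped in the skeleton.
Configure::write('Security.salt', 'REPLACE_WITH_A_RANDOM_STRING_UNIQUE_TO_APP1');
Configure::write('Security.cipherSeed', 'REPLACE_WITH_RANDOM_DIGITS_UNIQUE_TO_APP1');
```

Check the result in the browser's cookie store after logging in to each app: there should be two cookies with different names (and paths), and logging out of one must leave the other's session untouched.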
