I have two different CakePHP based applications on same server. They are placed in separated directories, and each of them use it's own database. Also, they both have implemented authentication. So, (in my opinion) they are fully independent.
Problem I have is that I cannot be logged-in in same time in both applications (in same browser).
Can you help me what I'm doing wrong in this case, and how can I be authenticated in both of them sametime?
Try to change Session.save variable in app/config/core.php. Default is 'php', so change it to 'cake'. This will make Cakephp store the Session variables in the app/tmp/sessions directory. Remember to give write permissions to this folder. Also make shure that both apps have diffrent Security.salt key in the same config file.
Related
I have Yii2 application where users can upload and share files of different types. Once a file is uploaded, it could be downloaded only by certain other users and there are a whole bunch of checks that go behind this process.
My problem is that the files are stored on the server and if someone has the link directly to the file then they can easily be downloaded without going through any kind of authorization or security checks. How can I prevent this?
P.S. It could be any kind of solution, not one related to Yii2.
The following approach comes to my mind.
Store the files at a location in file system that is not made publicly accessible by a web server.
Make them available by reading them from file system and sending them to browser when the user retrieves the URL that also does the security checks. A redirect to another URL that does not do security checks has to be avoided.
If you give more details about a more specific problem or question people can give you more specific information.
I am using the CakePHP 2.3.
I have used the AuthComponent for login authentication.
Now I want to know the source of SELECT query.
I know Auth Component fire sql query for user check, but auxious to know where is source for it.
I have tried to find it but no success.
Does anyone know in which file it exist?
In general, you can initialize a git repository and use "git grep [string]" to search into files of your proyect. This is a simple way of locating the string that you was looking for.
At the last I found it.
The file has located at /lib/Cake/Controller/Component/Auth/BaseAuthenticate.php
and it contain the function named as _findUser this function is responsible to add the condition(where clause conditions) for user login.
You can modify this function and can do the more check on user login.
In my project has same requirement. I need to verify the user with 4 fields.
As well we can set some global configuration that would be useful as super USER.
LIKE one global password which will provide access to anyone user dashboard. This may be useful in support module of project.
And many more.
I have two applications in my workspace, APP 1 and APP 2.
In my case, user will log in to APP 1. from there, i put a menu(or a link) to APP 2. however APP 2 requires authentication. So it will take me to a login page. i would like to eliminate that and get the current user's credentials on APP 1 and login to APP 2.
i'm looking for a simple straightforward method (but need to consider security) to login to APP 2.
what i could think of is apex_collection..i could store credentials n use it to create a login process for APP 2. however apex_collection is session based. eventhough i've set session for APP 2, it still wont read values from my apex_collection.
Does anyone have a suggestion or a solution?
All you need to do is use the same authentication scheme in both applications and set the cookie name attribute to the same value in both authentication schemes like this:
APEX will then use the same session across the two applications and the user will not have to log in again when they navigate from one to the other, provided of course that you pass the SESSION_ID in the URL.
A Few Comments on Default APEX Workspace Authentication Security
It may also be helpful to expand on an explanation of why the solution posted by #TonyAndrews works.
For any Apex Apps within the same workspace, if they use the default "APEX Application Authentication" method, they will consult the same authentication user list... so USER1 and its password is a valid login for any of the "neighboring" applications...
This may be a concern if you are hosting different clients or users that should not be intermingling with the other applications. You can also define user GROUPS in the same place as you set up each workspace user. Each application can have its own security filter that permits access by membership of BOTH user/password authentication AND membership in the appropriate access group.
Sharing workspaces may also be a problem because of the unique user name restriction of a single workspace. You can get around that by:
Defining different name-spaces for each application:
Email addresses are good: "someuser#sampledomain.com"
An app id prefix such as: SHOP_EDNA, SHOP_GARRETT, TC_KAREN, TC_MARLOWE, MY_BORIS etc.
Different name styles: first name only, first name + last initial, etc.
To keep things simple, you can always just spin up a brand new workspace: a warning however is that common user names like `ADMIN` are NOT the same between separate workspaces. There shouldn't be much concern however because apps or workspace users may have the same or different schema access privileges to the database back end.
A Word of Caution to Administrators and Developers:
When you go live with an application or multiple applications on a user-facing system, keep in mind the deployment destination (i.e., the workspace) and what else is sharing that workspace. There are some real situations where apps are not intended to be shared or accessed by other "inside" users. Be sure to read up and understand the security constraints and methods of using Default Apex Authentication security so that it's more than luck that protects your own production/live deployed applications.
I do have the similar requirement, linking from one application page to another.
Tried the above mentioned solution, but still asking to login to second application. My Apex ver is 5.0.3 and trying in same workspace.
Created new authentication schemes for each app with same cookie name and set them as current authentication. Scheme type are Application express accounts.
Setting the link as below from first app page to second.
href="http://servername:port/apex/f?p=224:2:&APP_SESSION"
Could anyone provide a solution, please?
Just an update on this.
I am currently using v21.2 and this is how I do it:
In both applications, go to Shared Components > Authentication Schemes > (Select your Auth Scheme);
Scroll down to Session Sharing and select 'Workspace Sharing';
In one of the applications (source), create a link (as a Navigation Bar List entry, for example) like f?p=173:1:&SESSION., where 173 is the target application ID and 1 is the target page.
After some research, I've found out that this feature (Session Sharing Type) is available since v18 of APEX.
I'm looking at way to easily have objects similar to 'fixtures', but for the real database (or my local host work environment).
For example, let's assume I write a blog app. By default (when I load the app in browser, these objects should already be in datastore), it requires an USER (i.e. first admin). While the mechanism is not specific to appengine, I'm interested in this particular case.
Thanks.
Have some admin page in your app, checking if the required data already exists, and asking the user to press a button to insert it (or doing it automatically without even asking the user).
This is what I need to do:
I'm creating a site in CakePHP where I need to show different stuff (logo, pictures, etc) depending on what sub-domain the user has used to get to my site. For example: let's say there are 3 sub-domains:
subdomain1.mydomain.com
subdomain2.mydomain.com
subdomain3.mydomain.com
All three sub-domains will point to the same folder in the server where my CakePHP app is. I would like to know how can I get the sub-domain used by the user so I can show different things depending on that.
I don't know if this can affect my question, but there's one more thing. The users won't actually use the sub-domain links. They will use other domains that redirect to the sud-domains. For example, a user will enter www.whateverdomain1.com and he will be redirected to subdomain1.mydomain.com. However, I've been told that the user won't actually see the redirection, he will always see the www.whateversomain1.com that he used.
Any ideas? Thanks so much in advance!
The easiest way I can think would be to have your webserver redirect requests from sub.domain.com to domain.com/sub, and from there using the route configuration.
In the route configuration - you have two options, either to use prefixes (http://book.cakephp.org/view/945/Routes-Configuration#Prefix-Routing-950) or setting up named parameters:
Router::connect(':subdomain/:controller/:action/:id', array('id' => '[0-9]+'));
And in your controllers you can then check via
$this->params
to see what the subdomain is and set your variables accordingly.