CakePHP session refreshes at each request - cakephp

I'm working on my first app w/ CakePHP 2.3 and I'm having an issue where I can login (no auth errors), but my session isn't sticking around so I'm sent back to the login page when the Auth->redirect() is called. I'm sure I'm just missing a setting or have something configured slightly wrong, but I haven't been able to find it.
# core.php
# session record is written to the database, but the same record's id changes w/ every request
Configure::write('Session', array(
'defaults' => 'database',
));
Configure::write('Security.level', 'medium');
I've tried tweaking the various Session.X parameters, but nothing has made any difference. I'm using bcrypt authentication with the following settings in my AppController:
'Auth' => array(
'authenticate' => array(
'Blowfish' => array(
'fields' => array( 'username' => 'email' ),
'scope' => array( 'active' => '1' )
),
),
'authorize' => array( 'Controller' ),
'loginAction' => array( 'admin' => false, 'controller' => 'users', 'action' => 'login' ),
'loginRedirect' => array( 'admin' => true, 'controller' => 'activities', 'action' => 'index' ),
'logoutRedirect' => array( 'admin' => false, 'controller' => 'users', 'action' => 'login' ),
),
What piece am I missing?
UPDATE
Realizing that this is only happening in my dev environment, I compared my Cake config (database, core, bootstrap) and php.ini values -- no differences. I'm stumped.

Holy Headslap, Batman.
So here's the issue. I'm storing sessions in the database. Somewhere, somehow, an (obviously) automated process changed the cake_sessions.data field to cake_sessions.DATA. Although I've looked at the database a thousand times while debugging this, I just noticed that difference.
Problem solved.
Moral of the story: Developers, don't let your database field names grow up and change case.

You need to set 'Session' as a component too.
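As an added diagnostic (not from the question or from CakePHP), this PHP script checks the cake_sessions table against the exact column names CakePHP 2's database session handler uses, comparing case-sensitively, because a database that quotes identifiers treats DATA and data as different columns. The PDO DSN and credentials are placeholders.

```php
<?php
// Added example: verify that cake_sessions has the exact column names that
// CakePHP 2's DatabaseSession handler reads and writes (id, data, expires).
// Connection settings below are placeholders, not values from the question.
function checkSessionTable(PDO $db, $table = 'cake_sessions') {
    $expected = array('id', 'data', 'expires');
    // information_schema is available on MySQL and PostgreSQL alike
    $stmt = $db->prepare(
        'SELECT column_name FROM information_schema.columns WHERE table_name = ?'
    );
    $stmt->execute(array($table));
    $actual = $stmt->fetchAll(PDO::FETCH_COLUMN);
    $problems = array();
    foreach ($expected as $col) {
        if (in_array($col, $actual, true)) {
            continue; // exact, case-sensitive match: nothing to report
        }
        // Same name in a different case is exactly the bug from the question
        $caseOnly = array();
        foreach ($actual as $a) {
            if (strcasecmp($a, $col) === 0) {
                $caseOnly[] = $a;
            }
        }
        if ($caseOnly) {
            $problems[] = sprintf("column '%s' exists only as '%s' (case differs)", $col, $caseOnly[0]);
        } else {
            $problems[] = sprintf("column '%s' is missing", $col);
        }
    }
    return $problems;
}

// Usage (placeholder DSN and credentials)
$db = new PDO('mysql:host=localhost;dbname=app', 'user', 'secret');
$problems = checkSessionTable($db);
if ($problems) {
    foreach ($problems as $p) {
        echo "cake_sessions: $p\n";
    }
    exit(1);
}
echo "cake_sessions schema looks fine\n";
```

Run it against the dev database that misbehaves; a session row that is written but never read back on the next request is what an unexpected column name looks like from the application side.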

Related

CakePHP login redirects users back to login page (IE11 and Edge)

I have a CakePHP application (v 2.7), which contains a fairly standard login element using the Auth component. This works fine for the majority of users, however, a handful of users are reporting that they cannot sign in - when they attempt to do so they are redirected back to the login page, with no error message.
I have built some logging in to the site to check what is happening and it seems that the login is going through fine (everything in my login action is logged working as desired) until they hit the redirect part of the code, then they are not redirected to the intended page.
All the users who are having problems seem to be coming to the site through the same company network - not sure if that's of relevance or not! However, all have cookies enabled (I have added a script to display an error if they are not enabled).
I have tested the site in IE11, Edge 11, 12 + 13 (the browsers that users appear to be having issues with) but cannot replicate the issue, regardless of the security settings on the browser.
Could this issue be related to settings in the network that the users are accessing the site from? Are there any settings I should try to get them to check? Sorry - I'm pretty stumped by this one, as I just cannot replicate it, any pointers towards the questions I should be asking would be useful.
The relevant sections of my code are below. If there are any bits that would be helpful please let me know.
Thanks in advance for any help.
In the AppController (components)
public $components = array(
'Session',
'Cookie',
'Security' => array(
'csrfExpires' => '+300 minutes',
'csrfUseOnce' => false
),
'Auth' => array(
'loginAction' => array('controller' => 'users', 'action' => 'login', 'admin' => false),
'loginRedirect' => array('controller' => 'course_sections', 'action' => 'index', 'admin' => false),
'logoutRedirect' => array('controller' => 'website_pages', 'action' => 'view', 'home', 'admin' => false),
'authorize' => array('Controller'),
'authenticate' => array(
'all' => array(
'scope' => array('User.is_archived' => 0, 'Client.is_active' => 1),
'contain' => array('UserGroup'),
'passwordHasher' => 'Blowfish'
),
'Form' => array(
'fields' => array(
'username' => 'email',
'password' => 'password'
)
)
),
'Acl'
);
In the UsersController
public function login(){
// If user has submitted the form
if ($this->request->is(array('post', 'put'))) {
if ($this->Auth->login()) {
$this->log('Successfully logged in. Cookie Status: ' . $this->request->data['User']['cookies'], $this->Auth->user('public_id'));
// Redirect
return $this->redirect($this->Auth->redirectUrl());
} else {
// Log failed login attempt
$this->log('Unsuccessful login attempt using email: ' . $this->request->data['User']['email'], 'nosuccess');
$this->Session->setFlash($this->FlashMessage->translateFlash('invalid_login', false));
}
}
}
I am using database backed sessions, but the issue is the same whether using these or PHP ones.

CakePHP: storing origin URL when redirecting to login page using Permit class

In Config/Permit.php we define rules for which actions are permitted without login. It looks like this:
Permit::access(
array(
'controller' => array('incentives'), 'action' => array('downloadvoucher')
),
array(),
array()
);
(...)
Permit::access(
array('controller' => $controllers),
array('auth' => true),
array('redirect' => array('controller' => 'users', 'action' => 'login'), 'message' => __('Your session has ended. Please log in again.'))
);
The redirect is defined at the bottom. What would be the right approach to achieve the following: if the user calls a URL (note: by default in the following format: base/controller/action/?q=1&q=2#hash or with routing) he will be redirected to the users/login page, but we would like to store somewhere where he is coming from (for example appended to the URL).
I tried this:
array('redirect' => array('controller' => 'users', 'action' => 'login', '?' => $this->here()), 'message' => __('Your session has ended. Please log in again.'))
but of course it doesn't work - the here() method is not defined in the Permit class.
Any better ideas?
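The following is an added example, not code from the question or from the Permit class; it assumes CakePHP 2.3 or later, where AuthComponent::redirectUrl() reads the 'Auth.redirect' session key, and that Permit's redirect still lands on users/login. Instead of appending the origin to the login URL it stores it in the session and, after login, refuses any stored target that is not a local path.

```php
<?php
// Added example (not from the question or the Permit class). Assumes CakePHP 2.3+,
// where AuthComponent::redirectUrl() consumes the 'Auth.redirect' session key.
class AppController extends Controller {
    public $components = array('Session', 'Auth');

    public function beforeFilter() {
        parent::beforeFilter();
        // Before Permit bounces an anonymous GET to users/login, remember the
        // path plus query string (here() includes it; the #hash never reaches
        // the server, so it cannot be preserved).
        $onLoginPage = $this->name === 'Users' && $this->request->action === 'login';
        if (!$this->Auth->user() && !$onLoginPage && $this->request->is('get')) {
            $this->Session->write('Auth.redirect', $this->request->here());
        }
    }

    // A stored target is only followed if it is a path on this application;
    // "//evil.example" or "http://evil.example" would make login an open redirect.
    public static function isLocalRedirect($url) {
        if (is_array($url)) {
            return true; // router arrays always resolve within this app
        }
        if (!is_string($url) || $url === '' || $url[0] !== '/') {
            return false;
        }
        if (isset($url[1]) && ($url[1] === '/' || $url[1] === '\\')) {
            return false; // protocol-relative forms
        }
        $parts = parse_url($url);
        return $parts !== false && empty($parts['scheme']) && empty($parts['host']);
    }
}

class UsersController extends AppController {
    public function login() {
        if ($this->request->is('post') && $this->Auth->login()) {
            $target = $this->Auth->redirectUrl(); // reads and clears Auth.redirect
            if (!AppController::isLocalRedirect($target)) {
                $target = $this->Auth->loginRedirect;
            }
            return $this->redirect($target);
        }
    }
}
```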

CakePHP - how to leave the plugin URL

I have an ACL plugin, and I want to be able to redirect back to users/index from this plugin, but I end up getting funny URLs that don't exist, such as /cakephp/admin/acl/users/index
How can I make it go to cakephp/users/index?
I have looked through the HTML helper and I'm stumped.
I will be in the cakephp chat room as well.
Thanks
You can 'reset' the plugin by setting it to 'false' when creating a link, e.g.:
echo $this->Html->link('go to user overview', array(
'controller' => 'users',
'action' => 'index',
'plugin' => false
));
update
My guess is that you're using both prefix routing and a plugin. To reset both the plugin and the prefix, do this:
echo $this->Html->link('go to user overview', array(
'controller' => 'users',
'action' => 'index',
'plugin' => false, // resets the plugin
'admin' => false, // resets the admin-prefix
));

Weird redirect issue when using Auth and admin prefix in CakePHP

I'm using the admin prefix in my Cakephp app, for some admin views. I'm also using Auth to restrict access to those views, based on a role field in the User table. Pretty standard.
The problem is, that when an unauthorized user tries to go to, say, admin/users, (in this case the index action is prohibited), they are redirected to /admin/users/login which of course, doesn't exist.
This doesn't happen with actions that do not have the admin prefix. Those behave just fine.
Why are users being sent to a login that is prepended by the admin prefix and the prohibited action?
Anyone who is still having trouble with this, according to the documentation you can use an array or a string in loginAction (Documentation).
Using an array and setting 'admin' => false was still giving me trouble, so I tried using a string instead:
public $components = array(
'Auth' => array(
'loginRedirect' => array('controller' => 'dashboards', 'action' => 'home'),
'logoutRedirect' => array('controller' => 'users', 'action' => 'login'),
'loginAction' => '/users/login',
'authorize' => array('Actions')
),
);
This ended up solving my problem. Hopefully it works for you as well.
You need to override the specific prefix in the routing array.
$this->Auth->loginAction = array(
'controller' => 'users',
'action' => 'login',
'admin' => false
);
or, if you're using multiple prefixes, you can dynamically remove the prefix name like this:
$this->Auth->loginAction = array(
'controller' => 'users',
'action' => 'login',
$this->request->prefix => false
);

CakePHP 2.0: ACL not working

I have used ACL in CakePHP 1.3 without a single issue; after 2 weeks of bitter frustration it still does not work in CakePHP 2.0.
I have followed the Cake ACL tutorial EXACTLY, but nothing happens. All AROs are in correctly, same for ACOs and permissions.
After all this, I can enter all denied actions without a problem.
Hereby my AppController:
public $components = array('Acl','Auth'=> array(
'authenticate' => array(
'Actions',
'Form' => array(
'fields' => array('username' => 'email')
),
)
), 'Session', 'MathCaptcha', 'RequestHandler');
In my BeforeFilter:
$this->Auth->actionPath = 'controllers';
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
$this->Auth->logoutRedirect = array('controller' => 'pages', 'action' => 'home');
$this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'profile');
$this->Auth->allow('display');
Does someone have an idea what is going wrong? Thanks!
In CakePHP 2.0 I've done it this way:
app/Controller/AppController.php
class AppController extends Controller {
public $components = array(
// others components...
'Session',
'Acl',
'Auth'=> array(
// Setting AUTHORIZATION "What can you do?"
'authorize' => array(
'Actions' => array(
'actionPath' => 'controllers'
)
),
// Setting AUTHENTICATION "Who are you?"
'authenticate' => array(
'Form' => array(
'fields' => array(
'username' => 'email', 'password' => 'password'
)
)
)
)
);
// other stuff...
}
With this approach, ACL will do all the dirty work. It is not necessary to check permissions, as you probably know.
I believe you are OK about AROs and ACOs, no big deal. Just in case:
http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html#simple-acl-controlled-application
The CakeBook for 2.0 shows a Console plugin called AclExtras that builds your ACOs. Your AROs will be built as users and groups are added/deleted. I've used this plugin to generate AROs for my already filled tables: http://www.alaxos.ch/blaxos/pages/view/plugin_acl. This works for 1.3, but there is a beta version for 2.0 that works OK.
After that, you must set up permissions, manually (or from the Console) as this link describes: http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/part-two.html#setting-up-permissions. Or visually with Alaxos's plugin.
I hope this helps! It worked for me. I'm using CakePHP 2.0.2
The Auth component changed quite a bit from CakePHP 1.3 to 2.0. I bumped into similar issues migrating an app from 1.3 to 2.0. I found that setting the authorize option was where I needed to make my change:
In beforeFilter:
$this->Auth->authorize = array(
'Actions' => array(
'userModel' => 'User',
'actionPath' => 'users'
)
);
The userModel was the model class used in the Aro table. The actionPath is the root level of the actions that Acl checks in the Aco table.
You may also want to deny then allow:
$this->Auth->deny('*');
$this->Auth->allow('display');
Hope this helps.