Request object exposing password check variable - cakephp

So for the sake of security I force all password change requests to validate through a password check. The problem I have is that using a debug($this->request) call I'm seeing a plaintext password:
object(CakeRequest) {
...snip...
data => array(
'User' => array(
'password' => '*****',
'password_check' => 'asdfa',
'id' => '38'
)
)
...snip...
}
Should this be a concern for me? Is there a way I can have password_check treated like a password?

As long as you don't actually print it anywhere on the page you will be fine!

Related

How to configure the fields to hide in cakePHP debug() function?

In CakePHP, when applying the debug function on a User model:
debug($user);
we get a result that hides the login or password.
'User' => array(
'login' => '*****',
'id' => (int) 2,
'pwd' => 'fjiogjfdlmgjdomngdjm',
'avatar' => null,
'prenom' => 'Fake',
'nom' => 'Admin',
'email' => 'blabla#domain.fr',
'i18n_code_appli' => '',
'numtel' => ''
),
How could we configure which model has that field hidden or not?
As you can see in the example below, as the password field is named 'pwd', it is not hidden, but login is.
And this is my actual case. I would want to toggle this to view 'login' and hide 'pwd' in debug mode.
As agreed in the comments of OP, I'll add my comment as an answer.
Just use var_dump() instead of debug() if you have to check the password hash. I have had the same problem a long while ago and I thought I'd used var_dump then. I guess you aren't keeping the call to debug() in the code on release so it shouldn't do any harm.
Or you could use the CakePHP Debug Kit. It has a list of all the set variables which you can collapse and extend. That way you have a clear overview of all the data in a deep multidimensional array.
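A recursive key-masking helper for the two debug() questions above (the plaintext password_check and the unmasked pwd), as an added example in plain PHP that is not CakePHP's or the posters' code. The function name redactKeys and the sample values are assumptions made here.

```php
<?php
// Added example: plain PHP, no CakePHP calls. redactKeys() is a hypothetical helper.

/**
 * Return a copy of $data in which the value of every sensitive key is masked.
 * Key names are matched case-insensitively at any nesting depth.
 */
function redactKeys(array $data, array $sensitiveKeys, $mask = '*****')
{
    $lookup = array_flip(array_map('strtolower', $sensitiveKeys));
    $out = array();
    foreach ($data as $key => $value) {
        if (is_string($key) && isset($lookup[strtolower($key)])) {
            // Mask the whole value, even when it is itself an array.
            $out[$key] = $mask;
        } elseif (is_array($value)) {
            $out[$key] = redactKeys($value, $sensitiveKeys, $mask);
        } else {
            $out[$key] = $value;
        }
    }
    return $out;
}

// Constructed sample, shaped like the request data in the first question.
$requestData = array(
    'User' => array(
        'password' => 'new-secret',
        'password_check' => 'asdfa',
        'id' => '38',
    ),
);

// The caller chooses the key list: password_check and pwd are masked here,
// while login (not listed) would stay visible.
$safe = redactKeys($requestData, array('password', 'password_check', 'pwd'));
var_export($safe);
```

In a CakePHP 2.x controller the same call would wrap $this->request->data before the array is handed to debug() or to a logger.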

How to create cakephp database config settings (login, password) dynamically

Every cakephp user will have his database(Postgres) user replica. Therefore when he logs in, the database default config must take the "login" and "password" sent in the login.ctp form and with those values create the DATABASE_CONFIG. So far I have this, but I can't figure out how to pass variables to the constructor. Is it possible? Is there an alternative? Please help.
class DATABASE_CONFIG{
var $default = array(
'datasource' => 'Database/Postgres',
'persistent' => false,
'host' => 'localhost',
'login' => 'XXX',
'password' => 'YYY',
'database' => 'db1',
'prefix' => '',
'schema'=>'public'
//'encoding' => 'utf8',
);
function __construct(){
$this->default['login'] = $userSentFromForm;
$this->default['password'] = $passwordSentFromForm;
}
}
I think that you should have some global database with users which stores login information (username and hashed password) so you can validate & login user.
When the user logs in you save data from that form into the session.
Then you redirect the user to some action, like /dashboard or any else. The following request will have your desired data in the session object, so you can read it in DATABASE_CONFIG::__construct().

CakePHP - authentication component, using a different table name and column name

Just for organization sake, I wanted to use a different table for the authentication component to check, but it doesn't quite work. While I can initially state:
$this->Auth->userModel = "CoreUsers" plus set the loginAction to my proper MVC
works to look at that table just to confirm it's there, but the login doesn't work, it only keeps returning an incorrect password. Something happens in the authentication component; I can't tell what makes it fail. When I rename my table to "Users", it works.
The other part is I'd prefer to actually use the column name of 'email' rather than 'username' since that's really what I'm using anyway.
I am just not having luck finding a complete tutorial and reference sets to do both these successfully with CakePHP 2.x. What is the way forward?
References:
Stack Overflow question How do I use a table other than "Users" for CakePHP's AuthComponent?
Stack Overflow question CakePHP - 'AuthComponent' with a different model name (not 'User')
(I had a look for answers, but I never quite got the whole answer.)
Make sure your database table "core_users" and model "CoreUser" exists.
When you setup component you can put login/logout redirect here.
var $components = array(
"Auth" => array(
'loginRedirect' => array('controller' => 'dashboard', 'action' => 'index'),
'logoutRedirect' => array('controller' => 'core_users', 'action' => 'login')
),
"Session");
Now in the beforeFilter method you can put the following
function beforeFilter(){
    $this->Auth->authenticate = array(
        // Settings under AuthComponent::ALL apply to every authenticate handler listed below.
        AuthComponent::ALL => array(
            'userModel' => 'CoreUser',
            'scope' => array("CoreUser.status" => 1),
            "fields" => array("username" => "email", "password" => "your_password_field")
        ),
        'Form',
        'Basic'
    );
}
In the above example you can ignore status; if you need to pass any other info on the login verification you can use that. You can also remove 'Basic' if you only need form validation.
I hope this would work.
First, model names are generally singular. Are you sure you didn't mean CoreUser which would look in the core_users table?
Secondly, you can use the email field instead of username by setting the fields key on your auth setup.
public $components = array(
'Auth' => array(
'authenticate' => array(
'Form' => array(
'userModel' => 'CoreUser',
'fields' => array('username' => 'email')
)
)
)
);
See the book for more information.

Using email instead of username in CakePHP's Auth Component

CakePHP's Auth component requires the username field to be present in order to convert the password field into a hash upon save. Apparently, even if I put the following in the beforeFilter():
$this->Auth->fields = array('username' => 'email', 'password' => 'password');
it doesn't encrypt the password before inserting it into the database.
So my question is, assuming this is supposed to happen, what is the best way to encrypt the password? Or, have I made a simple error somewhere?
Thanks in advance for any assistance!
Here's the before filter in the users_controller.php:
function beforeFilter() {
$this->Auth->fields = array('username' => 'email', 'password' => 'password');
}
And the app_controller.php:
var $components = array('Auth');
Oops, I had duplicated the line $this->Auth->fields = array('username' => 'email', 'password' => 'password'); in the AppController as well and it seems that was causing the problem. Sorry about that and thanks for the tip to double check by posting here :)

Validating made up fields in CakePHP?

Here's my scenario:
I'm creating a password change page.
The real field that holds the password is User.password
On the password create page, I used 3 made up fields:
$form->input('User.old_passwd');
$form->input('User.new_passwd');
$form->input('User.confirm_new_passwd');
How do I validate them with the rules:
old password must match User.password
new_passwd and confirm_new_passwd must be equal
Are there better solutions for this? I'm open for suggestions. Thanks!
The built-in authentication component doesn't offer that functionality. I would specify the validation rules for your "made up" fields in the validate property of the model and write my own validation methods, for example: correctPassword() to ensure that the users enter their old password and matchingPasswords() to ensure that the new password was re-typed correctly.
var $validate = array(
    // your existing validation rules
    'old_passwd' => array(
        'rule' => 'correctPassword',
        'message' => 'invalid password'
    ),
    'new_passwd' => array(
        'rule' => array('minLength', 8),
        'message' => '8 characters minimum'
    ),
    'confirm_new_passwd' => array(
        'rule' => 'matchingPasswords',
        'message' => 'passwords do not match'
    )
);
function correctPassword($check) { }
function matchingPasswords($check) { }
See the Cookbook for more information about custom validation rules.
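One way the two empty validation methods could be filled in, as an added example that is not the answerer's code. It assumes CakePHP 2.x, a User model whose password column holds the salted Security::hash() value that the Auth component produces by default, and a controller that sets the model id from the logged-in session.

```php
<?php
// Added example for CakePHP 2.x; the method bodies are assumptions, not from the answer.
App::uses('AppModel', 'Model');
App::uses('Security', 'Utility');

class User extends AppModel {

    public $validate = array(
        'old_passwd' => array(
            'rule' => 'correctPassword',
            'message' => 'invalid password'
        ),
        'new_passwd' => array(
            'rule' => array('minLength', 8),
            'message' => '8 characters minimum'
        ),
        'confirm_new_passwd' => array(
            'rule' => 'matchingPasswords',
            'message' => 'passwords do not match'
        )
    );

    // $check arrives as array('old_passwd' => <submitted value>).
    // Assumes $this->id was set by the controller from the session user,
    // not from a form field, so one user cannot test another user's password.
    public function correctPassword($check) {
        $submitted = reset($check);
        if (!$this->id || !is_string($submitted) || $submitted === '') {
            return false;
        }
        $conditions = array($this->alias . '.' . $this->primaryKey => $this->id);
        $stored = $this->field('password', $conditions);
        // Hash the submitted value the same way the stored one was hashed.
        return is_string($stored) && Security::hash($submitted, null, true) === $stored;
    }

    // Compare the confirmation with new_passwd from the data set being validated.
    public function matchingPasswords($check) {
        $confirm = reset($check);
        $data = isset($this->data[$this->alias]) ? $this->data[$this->alias] : array();
        return isset($data['new_passwd'])
            && is_string($confirm)
            && $confirm === $data['new_passwd'];
    }
}
```

The made-up fields are not table columns, so after validation passes the controller still has to hash new_passwd and store it in User.password.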
