my UserController.php has logout function that looks like this
function logout()
{
$this->Session->destroy('User');
$this->Session->setFlash('You\'ve successfully logged out.');
var_export($this->Session->read('User'));
//$this->redirect('login');
}
my view Users/index.ctp
<?php echo $this->Html->link('Logout', array('controller' => 'users', 'action' => 'logout')); ?>
When I click "log out" the var_export still displays all the User data and if I go back to Users/index.ctp it still shows me that page even though in my my UserController.php I am checking if User is set
function beforeFilter()
{
$this->__validateLoginStatus();
}
function __validateLoginStatus()
{
if($this->action != 'login' && $this->action != 'logout')
{
if($this->Session->check('User') == false)
{
$this->redirect('login');
}
}
It does not redirect to login page and just brings me to index page.
}
$this->Session->destroy();
The destroy method will delete the session cookie and all session data stored in the temporary file system.
User to remove, use better delete.
$this->Session->delete('User');
If you use the AuthComponent to authenticate the users, you can log them out by using the logout() method.
$this->Auth->logout();
See http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#logging-users-out for Cake 2 or http://book.cakephp.org/1.3/en/view/1262/logout for Cake 1.3
And if you don't use the AuthComponent at all, you should maybe have a look at it as it contains out of the box many functionalities that you have already or will likely implement yourself.
Related
I tried out the "Simple Acl controlled Application 1&2" tutorial located at http://book.cakephp.org/2.0/en/tutorials-and-examples/simple-acl-controlled-application/simple-acl-controlled-application.html .
After doing this, I tried to activate BasicAuth instead of FormAuth.
I reimplemented the login() function im my UsersController as follows:
public function login() {
if ($this->Auth->login()) {
return $this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash('Not able to login');
}
}
and changed the $components variable in my AppController to the following:
public $components = array(
'Acl',
'Auth' => array(
'authorize' => array(
'Actions' => array('actionPath' => 'controllers')
),
'authenticate' => array('Basic')
),
'DebugKit.Toolbar',
'Session'
);
The BasicAuth "popup" appears as expected, but when I'm trying to login, it reappers in an endless loop. I did not change anything after doing the tutorial except for including DebugKit.
What am I missing? I hope someone can help me, as I'd like to go with CakePHP coding my next Project!
Update
AppController
public function beforeFilter() {
//Configure AuthComponent
$this->Auth->allow('display');
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
$this->Auth->logoutRedirect = array('controller' => 'users', 'action' => 'login');
$this->Auth->loginRedirect = array('controller' => 'posts', 'action' => 'add');
}
UsersController
public function beforeFilter() {
parent::beforeFilter();
}
I'm trying to access e.g. /users/ which works like a charm using the FormAuth described in the tutorial, so there can't be a permission problem. Logindata is pretty simple for testing (admin:admin) so there should be no problem either.
Update 2
In my Apache Log i get the following, so it says I'm not authorized:
IP - - [16/Apr/2013:18:08:37 +0200] "GET /users/login HTTP/1.0" 401 5179 "-" "Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv:23.0) Gecko/20130414 Firefox/23.0"
Update 3
For some reason it seems, that User and Password are either not sent or not saved in PHP. If I rewrite /lif/Cake/Controller/Auth/BasicAuthenticate to the following, it works!
public function authenticate(CakeRequest $request, CakeResponse $response) {
$_SERVER['PHP_AUTH_USER'] = $_SERVER['PHP_AUTH_PW'] = "admin";
$result = $this->getUser($request);
if (empty($result)) {
$response->header($this->loginHeaders());
$response->statusCode(401);
$response->send();
return false;
}
return $result;
}
Update 4
Don't know if thats helpful, but the Server is running Plesk 11, latest update, no special modifications.
Update 5
Okay, that answer of "thaJeztah" was useful, but now I'm getting more problems which can be subdivided.
Changed mode from fcgid to apache module
1.1. Results in working login, but logout does not work! After the redirect, the session seems to be cleared, but i can still access every restricted page until i clear my browsers "Active Logins" as it is called in Firefox.
var_dump($this->Session->read('Auth.User'));
NULL
When I access /users/login I am automatically logged in and redirected without having to enter login credentials.
print "<pre>";
print_r($this->Session->read('Auth.User'));
print "</pre>";
Array
(
[id] => 1
[username] => admin
[group_id] => 1
[created] => 2013-04-12 12:54:26
[modified] => 2013-04-16 14:27:24
[is_active] => 1
[Group] => Array
(
[id] => 1
[name] => Admin
[created] => 2013-04-12 12:46:42
[modified] => 2013-04-12 12:46:42
)
)
Using the .htaccess based solution works as well, it even looks like as if thats the only change needed (I removed the list() code as I did never get into it and it worked as well).
2.1. Same problem as above, no real logout possible.
Update 6
Probably the last or one of my last updates. :-)
Right now I'm trying to do a "fake logout" by logging the user in as a guest user I created who has only access to /users/login and /pages/home: http://guest:guest#my.domain/users/login
Accessing /users/logout might work too, as I'm using this piece of code there:
public function logout() {
$user = $this->User->find('first', array('conditions' => array('username' => 'guest')));
$this->Auth->login($user['User']['id']);
}
I simly don't believe, this will be consistent, since I believe the Session data will be deleted some time and the browser still got the active admin login and authenticates using these - am I right?
After that I can login a different User again using http://admin:admin#my.domain/users/login. Not perfect, but works at least for Firefox.
So basically one last question: Any suggestions on how to force a BasicAuth when accessing /users/login? This way I could easily switch users at any time using any client.
Update 7
I found a way to do exactly this with the idea in my accepted answer. I hope I caught all edge cases in this, feel free to correct me if not!
(P.s.: when using ACL and or basic authentication the isAuthorized() in at least the AppController seems to be ignored (it was recognized, but had no effect - when i deleted the method without changing $components, i got an error) which lead to me implementing this without using isAuthorized().)
AppController.php
public function beforeFilter($redirectlogin = true) {
//Configure AuthComponent
$this->Auth->allow('display', '/users/login');
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
$this->Auth->logoutRedirect = array('controller' => 'pages', 'action' => 'home');
$this->Auth->loginRedirect = array('controller' => 'pages', 'action' => 'home');
$this->Auth->unauthorizedRedirect = array('controller' => 'HTTPCODE', 'action' => 'c403');
if($redirectlogin && $this->Session->read('Auth.needs_reauthenticate')) {
if(!($this->request->params['controller'] == $this->Auth->loginRedirect['controller'] && $this->request->params['pass'][0] == $this->Auth->loginRedirect['action'])) {
$this->redirect('/users/login');
}
}
}
UsersController.php
public function beforeFilter() {
parent::beforeFilter(false);
}
public function login() {
$this->autoRender = false;
$this->Session->write('Auth.needs_reauthenticate', true);
if(!$this->Session->check('Auth.count')) {
$count = 1;
} else {
$count = $this->Session->read('Auth.count') + 1;
}
$this->Session->write('Auth.count', $count);
if($this->Session->read('Auth.needs_reauthenticate')) {
if((isset($_SERVER['HTTP_AUTHORIZATION']) && $this->Session->read('Auth.count') == 1) || (!isset($_SERVER['HTTP_AUTHORIZATION']) || empty($_SERVER['HTTP_AUTHORIZATION']) || !$this->Session->check('Auth.sent_header_step') || $this->Session->read('Auth.sent_header_step') < 1)) {
unset($_SERVER['HTTP_AUTHORIZATION']);
$this->Session->write('Auth.redirectTo', $this->Auth->redirect());
$this->response->header(sprintf('WWW-Authenticate: Basic realm="%s"', env('SERVER_NAME')));
$this->response->statusCode(401);
$this->response->send();
$this->Session->write('Auth.sent_header_step', 1);
}
if(isset($_SERVER['HTTP_AUTHORIZATION'])) {
$this->Session->write('Auth.sent_header_step', 0);
$base64string = base64_decode(substr($_SERVER['HTTP_AUTHORIZATION'], 6));
if(!(strlen($base64string) > 1 && substr($base64string, -1, 1) != ":")) {
$_SERVER['PHP_AUTH_USER'] = "";
$_SERVER['PHP_AUTH_PW'] = "";
}
$data = true;
}
$this->Auth->logout();
if(isset($data) && $this->Session->read('Auth.count') > 1) {
if($this->Auth->login()) {
$this->Session->write('Auth.needs_reauthenticate', false);
if($this->Session->check('Auth.redirectTo')) {
$redirectTo = $this->Session->read('Auth.redirectTo');
$this->Session->delete('Auth.redirectTo');
$this->Session->delete('Auth.count');
return $this->redirect($redirectTo);
} else {
return $this->redirect($this->Auth->redirect());
}
} else {
$this->response->statusCode(403);
// my 403 message
}
} else {
if(!isset($_SERVER['HTTP_AUTHORIZATION']) && $this->Session->read('Auth.count') > 1 && isset($_SERVER['PHP_AUTH_USER']) && isset($_SERVER['PHP_AUTH_PW']) && trim($_SERVER['PHP_AUTH_USER']) != "" && trim($_SERVER['PHP_AUTH_PW']) != "") {
if($this->Auth->login()) {
$this->Session->write('Auth.needs_reauthenticate', false);
if($this->Session->check('Auth.redirectTo')) {
$redirectTo = $this->Session->read('Auth.redirectTo');
$this->Session->delete('Auth.redirectTo');
$this->Session->delete('Auth.count');
unset($_SERVER['HTTP_AUTHORIZATION']);
unset($_SERVER['PHP_AUTH_USER']);
unset($_SERVER['PHP_AUTH_PW']);
return $this->redirect($redirectTo);
} else {
return $this->redirect($this->Auth->redirect());
}
} else {
$this->response->statusCode(403);
// my 403 message
}
}
$this->response->statusCode(403);
// my 403 message
}
}
}
Thanks in advance
Adrian
Using Basic Authentication when running PHP as (Fast)CGI
It's possible that your website is configured to run PHP as (Fast)CGI, in which case the PHP_AUTH_USER and PHP_AUTH_PWD keys are not present in the $_SERVER variable. The BasicAuthenticate AuthComponent relies on these keys.
Either change the domain/webhosting settings in Plesk to run php as 'apache module' for this website/domain or extend the BasicAuthenticate Component to get these variables some other way.
More information on this subject can be found in this question:
PHP_AUTH_USER not set?
And for the Symfony framework, somebody seems to have written a workaround that may be useful in this situation as well;
https://github.com/symfony/symfony/issues/1813
update: loging out when using basic authentication
Loging out when using basic authentication is not really possible. Basic authentication is a 'stateless' authentication mechanism, which basically means that the browser is sending the user-credentials with every request. In other words; the server does not keep a 'state', the browser does. With Basic Authentication, you require the browser to send user credentials and as long as the browser sends valid credentials, you allow the browser access to the protected pages.
The only way to log out, is to close the browser, or tell the browser to close active sessions/logins.
Read more information here:
http://en.wikipedia.org/wiki/Basic_access_authentication
http basic authentication "log out"
Notes
Base Authentication is not a secure authentication mechanism; the username and password is sent to the server with every request. The password is sent unencrypted (only base64 encoded to prevent problems with special characters).
Although Form authentication also sends the password unencrypted, it is (a bit more) secure as it will only send the username/password when logging in. Subsequent requests will only send the Session-id, which can be set to expire and limited to a specific IP and/or Browser type.
In all cases, securing the connection via SSL is obviously important.
Forcing re-authentication on the login page
This is just 'thinking out loud', untested and highly experimental :)
Try this;
If no session is active, proceed the normal way. There is no way to differentiate 'already logged in' users from 'new users' in Basic Authentication - it is stateless
If a session is active, a user apparently has an active session going on. Don't destroy the session, but change the rules;
If the credentials sent are for the same user as the username inside the session (or, better: $this->Auth->user('username');?, Then invalidate the session (not destroy) and force the user to re-authenticate, by sending login headers;
You may copy the headers from the BasicAuthenticate behavior; see the source here BasicAuthenticate::authenticate()
Regarding 'copying the headers'; Maybe extending the BasicAuthenticate is a cleaner approach; handle all your custom code inside your customized version.
Additionally, check if the session is still 'valid' inside AppController::isAuthorized()(see Using ControllerAuthorize)
Something like this (Mockup code):
Login page/action:
if ("usercredentials sent by browser" === "current logged in user in session") {
// Mark session as 'needs-to-reauthenticate'
$this->Session->write('Auth.needs_reauthenticate', true);
// Need to find a clean approach to get the BasicAuth loginHeaders()
// *including* the right settings (realm)
$this->response->header(/*BasicAuth::loginHeaders()*/);
// Access denied status
$this->response->statusCode(401);
return $this->response->send();
}
AppController::isAuthorized()
if ($this->Session->read('Auth.needs_reauthenticate')) {
return false;
} else {
// Normal 'isAuthorized()' checks here
}
NOTE:
Once a browser has visited the 'login' page during an active session, the user will either have to log-in with different credentials, or close the browser to log in again.
This may be problematic if the session-cookie is still present after closing and re-opening the browser. Try to force the session-cookie to be a "real" session-cookie and have it deleted on browser close by setting Session.cookieTimeout to 0 (see Session Configuration
I want to record a user's last login, so I'm doing some fairly standard things. In my UsersController:
if ($this->Auth->login()) {
$this->User->id = $this->Auth->user('id');
$this->User->saveField('last_login', date(DATE_ATOM));
$this->Session->setFlash('Yay!'));
$this->redirect( $this->Auth->redirectUrl() );
}
Also, I have set 'autoRedirect' => false in my AppController, which is required so the data will save. The problem is, the user is not taken back to the page they were on, before they went to the login page.
What happens is, the login page thinks for some reason that the referrer was the login page, which results in the user getting kicked back to the "home page" of my app.
I'm mystified. How can I ensure that on log in, the user is taken to the page they were on prior to going to the login screen, with 'autoRedirect' => false?
This seems to be the most reliable approach.
The link to the login page:
echo $this->Html->link('Login', '/login?redirect='.$this->here);
In the login form:
echo $this->Form->input('redirect', array('type' => 'hidden', 'value' => $this->request->query['redirect']));
In the login action in the controller
if (isset($this->request->data['User']['redirect'])) {
$this->redirect( $this->request->data['User']['redirect'] );
} else {
$this->redirect( $this->Auth->redirectUrl() );
}
I want to have a login form in my home page, the registered users should be redirected to users/index
with the below code, my home page is going to redirect loop
can anyone tell me where is the issue ??
Note:- infact it is perfectly working if i change the line to
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
App Controller
public function beforeFilter(){
$this->Auth->autoRedirect = false;
$this->Auth->loginAction = array('controller' => './', 'action' => 'index');
$this->Auth->loginRedirect = array('controller' => 'users', 'action' => 'index');
$this->Auth->logoutRedirect = array('controller' => './', 'action' => './');
$this->Auth->authorize = 'controller';
$this->Auth->authError= 'You need permissions to access this page';
$this->Auth->allow('index');
$this->set('Auth',$this->Auth);
}
UsersController
public function login(){
$id = $this->Auth->user('id');
if(empty($id)){
if($this->request->is('post')){
if($this->Auth->login()){
$this->redirect($this->Auth->redirect());
}else{
$this->Session->setFlash('Invalid Username or password');
}
}
}else{
$this->redirect(array('action'=>'index'));
}
}
Thanks for the help...
You pretty much answered your own question here:
Note:- infact it is perfectly working if i change the line to
$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
Indeed that would work and that is what it should look like. Right now, you're telling the auth component your loginAction (the action which holds your login logic) is the index action of the ./ controller (which doesn't even exist). I'm assuming you're confusing it with the loginRedirect variable, which is for setting the page to go to after successful authentication.
If you only want Registered Users to Access Your Site you could have something like this... at least, this is how I implement something similar in my site...
In your app_controller file add the following to the beginning of your beforeFilter() function
function beforeFilter(){
//Check if user was able to log in thru Auth using your form in the homepage
if($this->isLoggedIn() == TRUE){
$this->layout = 'default'
}else{
// You can created this layout with a login form and
// whatever else you need except <?php echo $content_for_layout; ?>
// Any registered user will be allowed to login using the form
// and continue on to your site using the default layout
// But it guarantees no one else can see your default site
$this->layout = "unregistered_user"
}
}
On your App_controller.php you can create this function
function isLoggedIn(){
// You can also use $this->Auth->user directly in your App's beforeFilter()
// But I just like to have functions so I can reuse
if($this->Auth->user()){
$loggedin= TRUE;
}else{
$loggedin= FALSE;
}
return $loggedin;
}
I have something similar of my site but is only used when in maintenance mode. I am still developing my site. The only problem I've seen with this way, which I have not yet have time/need to look at, is that my errors are not sent to the layout I want. Supposed a user types in http://www.mydomain.com/inexistentpage then cake transfers them to my default layout. It might be easy to fix, but I havent got time to do that yet.
NOTE: I quickly did this off the top of my head and because of it, this code is untested. However, if you have any issues please let me know and I will test it and post back.
using $this->requestAction(anotherController/action); in the view might call to another controller->action. you must ensure that the another controller->action has the right permissions. or you'll get redirect loop.
solve it by adding $this->auth->allow('action name'); to the another controller page in the beforeFilter() callback.
How would I create a login link on a CakePHP page that contains a query string with the current page so for example: domain.com/login/?back=/posts/This_is_a_post
and then how would I use this in the login method to send the user BACK to this url?
I have tried this: <?php echo $this->Html->link('Log in', array('controller'=>'users','action'=>'login','admin'=>false, '?'=> array('back'=>$this->here)), array('escape'=>false)); ?>
but it does this on the url /login?back=%2Fportfolio%2Fgt%2FCreatHive
how do I get it to NOT change the / in the URL
Cheers
The best way to do this is to store the last page visited in a session at some point, probably when the page is loaded in the login action or something. Why you ask? As an attacked could make a link to your site eg: yoursite.com/login?back=mysite.com/login, so that when the user logs in, you send them to my site which is an exact duplicate of your login form and get them to login again. Voila, an attacker could now easily phish your users info.
With sessions there'd be no url encoding problems either. Just something like this in your login action:
$this->Session->set('back_to', $this->referer());
// Then if they have logged in:
$backTo = $this->Session->read('back_to');
if($backTo) {
$this->redirect($back_to);
} else {
$this->redirect($this->Auth->redirect());
}
Update - Try using named parameters instead:
For your link:
echo $this->Html->link('My Link', array('controller' => 'users', 'action' => 'login', 'url' => $url));
In your users login:
function login(){
if($this->Session->read('Auth.User')){
$url = $this->params['named']['url']
// encode/decode url
$this->redirect("$url");
}
}
You can always use urlencode() and urldecode() for the $url variable.
You also need to make sure your form also sends the URL back to the login function:
echo $this->Form->create('User', array('controller' => 'users', 'action' => 'login', 'url' => $url));
for my client's website I have an admin section- only thing is my admin routing doesn't seem to be password protected. I added the admin protection with a tutorial on how to set up a user system, and have placed the following code in app_controller.php:
function beforeFilter() {
// if an admin route is requested and not logged in
$user = $this->Session->read('User');
if(isset($this->params['admin']) && $this->params['admin'] && is_null($user)) {
// set Flash and redirect to login page
$this->Session->setFlash('You need to be logged in for that action.','default',array('class'=>'flash_bad'));
$this->redirect(array('controller'=>'users','action'=>'login','admin'=>FALSE));
}
}
& in my app/config/routes.php I have this:
Router::connect('/login', array('controller' => 'users', 'action' => 'login'));
Router::connect('/admin/logout', array('controller' => 'users', 'action' => 'logout'));
which I'm pretty sure is missing something for the protection.
I can still access other admin areas without logging in though, i.e. theowlhouse.com.au/admin/bookings.
What am I doing wrong? The admin page for the users model is the only protected one.
Thanks :)
It looks like you're confusing prefix routing with using the auth component. Note that prefix routing was called 'admin routing' prior to version 1.3.
You don't need to use admin routing to use the auth component. Let's start with just getting the auth component set up. In your app controller, make sure you have it included in your components array:
var $components = array('Auth');
Once you've done that, users will be directed to a login page unless they are logged in. To allow anonymous users to access an action, you make a called to $this->Auth->allow('action name'); So, for example, say you want to allow unauthenticated users to use the index() and view() actions in your items controller, but not add() or edit(). In your items_controller.php, you would set up the beforeFilter() to make a call:
function beforeFilter() {
parent::beforeFilter();
$this->Auth->allow(array(
'index',
'view'
));
}