CakePHP Auth Manual login - cakephp

I am interested in testing the incoming password field for a particular admin level password. If it matches, I want it to manually have Auth log in with whatever username they want (submitted via form).
My understanding is Auth, in taking the data, will only authorize it if it sees the same email/hashed password in the database. Is there a way to get around this check to manually set it? Even $this->Auth->login(..) will do this check, right?

$this->Auth->login($userId)
Auth::login accepts either a username/password combination or simply a user id (the primary key of the user model in the database).

See my answer here: Using username instead of email in CakePHP's Auth Component
It's not the same question, but the idea is, when the login fails, you can intercept it and do what you want.

Related

Correct way to save User-Data in Electron

Hello, StackOverflow Community.
I am currently programming an electron Application which contains a login.
My login is working perfectly but now I do not know how to correctly save the information from the user.
The user should not be able to edit the file or the cookie type of thing so that he cannot abuse the system to be another user without knowing his password.
I hope you can understand my problem and help me out!
When storing user data you shouldn't store it locally at all. You should make an authentication key and store it in your database with your user; you then need to store this on the client side too. Normally people store this in memory, therefore once the user exits the system they "sign out"; if you don't want them to, you could save it to some sort of settings file using something like electron-settings or a cookie using the electron API. Once you have this key you should use that to authenticate calls to your API, and when doing so you should check that the key is valid for the user who is performing the action.
Example:
When UserA sends a message to UserB you should check that UserA's auth key equals the key which represents UserA in your database.
Using this method will make it hard for other users to "guess" other users' keys and also keep user data safe from user interaction.
NOTE: Change the user's auth key every time they login to prevent someone from stealing it!

Right way to store which user is connected in my AngularJS app

I'm trying to keep in my app which user is connected. I'm really not sure if I'm doing this correctly. So here is how I plan to do it:
First I use my Slim API to check if the username and password are correct and if it has access privilege.
If it returned the username and his privilege level, I will store them in a cookie and use those two pieces of information in the app.
The problem is that I'm afraid that if I store the username in a cookie, someone could try to change the cookie and put another username instead.
Is it alright to only use the username for my requests to the DB as soon as the user is connected (like get all items of a user using the name of the user), or should I use a more secure and efficient way, if there is one?
P.S: I'm not asking how to have my site remember the user when he goes back to the site. I'm asking how I should remember the username and other information while my user is still on my site in a secure way.
You should generate a long random number password and store that in a cookie. This random number is essentially just another unique password for this user. So, on the server side, you only store a properly salted hash of this random number. Think of this like a Hash key for that user stored in DB, and you use this HASH key to decrypt the long random password.
You could encrypt this information in the cookie, so nobody can steal it. Each time a user is trying to launch your application check if the credentials in the cookie are still correct (Is this username in your database? Is the accreditation level correct for this user?). So you know if this information has been changed. If it isn't correct you invite the user to login again.
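Both the Electron answer and the Angular answer above come down to the same server-side pattern: hand the client a random key, keep only its hash, derive the acting user from the key on every call, and rotate it at each login. The following is an added example (not code from either answer) in plain PHP; the in-memory array is a constructed stand-in for a sessions table, and the class and method names are my own.

```php
<?php
// Added example (not code from either answer): the server side of the "random
// key for the client, only its hash on the server" advice. The array stands in
// for a sessions table (constructed; use PDO in a real API). PHP 8+.
final class SessionTokens {
    /** sha256(token) => ['user_id' => int, 'expires_at' => unix time] */
    private array $rows = [];
    public function __construct(private int $ttl = 3600) {}

    // On each successful login: revoke the user's earlier key, then issue a new
    // one. The raw token is returned once for the client to keep (memory,
    // settings file or cookie); the server never stores it.
    public function issue(int $userId): string {
        foreach ($this->rows as $hash => $row) {
            if ($row['user_id'] === $userId) {
                unset($this->rows[$hash]);
            }
        }
        $token = bin2hex(random_bytes(32)); // 256 random bits: not guessable
        $this->rows[$this->digest($token)] = [
            'user_id' => $userId,
            'expires_at' => time() + $this->ttl,
        ];
        return $token;
    }

    // On each API call: the acting user is whoever the token maps to, never a
    // username field the client could have edited. Null means "log in again".
    public function userIdFor(string $token): ?int {
        $row = $this->rows[$this->digest($token)] ?? null;
        if ($row === null || $row['expires_at'] < time()) {
            return null;
        }
        return $row['user_id'];
    }

    // A 256-bit random token cannot be brute-forced, so plain SHA-256 is a safe
    // lookup key here; slow salted hashing is for human-chosen passwords.
    private function digest(string $token): string {
        return hash('sha256', $token);
    }
}

// Walk-through: UserA logs in, a forged token is rejected, and a second login
// invalidates the first token, so a stolen copy stops working.
$tokens = new SessionTokens();
$tokenA = $tokens->issue(1);
if ($tokens->userIdFor($tokenA) !== 1) throw new RuntimeException('valid token rejected');
if ($tokens->userIdFor(str_repeat('a', 64)) !== null) throw new RuntimeException('forged token accepted');
$tokens->issue(1);
if ($tokens->userIdFor($tokenA) !== null) throw new RuntimeException('rotated token still valid');
```

The cookie then carries only the opaque token; the username and privilege level are looked up server-side from the user id the token resolves to, so editing the cookie cannot change who the request acts as.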

Two login pages with CakePHP

I have an app that requires login for users. However, to keep matters simple, we are only supplying the user with a unique code, so that they just enter the code and that code logs them in. This code is only valid for two weeks, and will never be repeated.
However, our Admin also needs to log in but the admin requires a username and password.
How will I modify the AppController to allow for both logins? I'm using the AclExtras plugin for Authentication
The one login is located under APP/Users/enter (for the users), the other is under APP/Users/login (for the admins)
Implement a custom Auth adapter that checks for the token. No need to have a separate action unless you explicitly want that.
Cake iterates over all loaded auth adapters so you can have username and password and the token in the same form. If the regular form adapter returns false but the token auth adapter returns true the user is logged in.
Check the book's section about auth. It has all the information you need to understand what needs to be done.
You can just make a simple if/else in your AppController checking if the field for unique code is passed, if not then you can implement login with username/password. In all other cases you can implement login by unique code.
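As an added example (not code from either answer), this is what the custom-adapter approach from the first answer looks like in CakePHP 2.x, with the AppController configuration that makes the Form adapter and the code adapter run against the same POST. The Code model, its table columns and the decision to store codes as SHA-256 hashes are my assumptions, not the question's schema.

```php
<?php
// Added example, not the answer's own code: a CakePHP 2.x authenticate adapter
// for the unique code. Assumes (constructed) a Code model over
// codes(id, user_id, code_hash, expires, used) in which codes are stored as
// SHA-256 hashes, so a leaked table does not hand out working logins.
// app/Controller/Component/Auth/CodeAuthenticate.php
App::uses('BaseAuthenticate', 'Controller/Component/Auth');

class CodeAuthenticate extends BaseAuthenticate {

    public function authenticate(CakeRequest $request, CakeResponse $response) {
        $model = $this->settings['userModel']; // 'User' unless configured otherwise
        if (empty($request->data[$model]['code'])) {
            return false; // nothing to check here; the Form adapter gets its turn
        }
        $Code = ClassRegistry::init('Code');
        $row = $Code->find('first', array('conditions' => array(
            'Code.code_hash' => hash('sha256', $request->data[$model]['code']),
            'Code.used' => 0,
            'Code.expires >' => date('Y-m-d H:i:s'), // two-week window set when issued
        )));
        if (!$row) {
            return false;
        }
        $user = ClassRegistry::init($model)->findById($row['Code']['user_id']);
        if (!$user) {
            return false;
        }
        // Burn the code so it is never accepted twice.
        $Code->id = $row['Code']['id'];
        $Code->saveField('used', 1);
        unset($user[$model][$this->settings['fields']['password']]);
        return $user[$model]; // Auth stores this as Auth.User, just as Form would
    }
}

// app/Controller/AppController.php: both adapters see the same POST, so a single
// form with username, password and code fields serves users and admins. Form
// returns false when its two fields are empty, Code returns false when the code
// field is empty; whichever succeeds logs the user in.
class AppController extends Controller {
    public $components = array(
        'Auth' => array(
            'authenticate' => array('Form', 'Code'),
        ),
    );
}
```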

'temporary' login credentials when resetting password?

I am looking to build a "reset password" function in my CakePHP app, and reading around the net I have decided to: Have the user type in their email address, send them an email with a link to http://www.mysite.com/users/reset_password/generated_uuid_that_expires_in_24_hours. This will present a form that allows them to change their password. Obviously the hiccup is that I don't know how to log the user in with a temporary password. Am I approaching this correctly? I am thinking that the url I send them would be a hashed version of their email plus a uuid to use as a temp password, and that I would perform a user id lookup based on the email that comes in the url... but still, I wouldn't know how to manually log them in so they can change their password.
I use the session approach.
After using the token from the email the user gets a Tmp.User.id (as opposed to Auth.User.id) in the session, which will allow him to change the password.
Afterwards it will be removed from the session again.
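The session approach from the answer above, written out as an added example in CakePHP 2.x (not the answer's own code). The ResetToken model and its columns are constructed names; the example also shows the two checks the question's URL scheme needs, namely that only a hash of the token is stored and that the token expires and is consumed on first use.

```php
<?php
// Added example, not the answer's own code. Assumes (constructed names) a
// ResetToken model over reset_tokens(user_id, token_hash, expires), a User
// model that hashes `password` in beforeSave (the standard CakePHP 2 pattern)
// and both actions listed in $this->Auth->allow() in beforeFilter. PHP 7+.
class UsersController extends AppController {
    public $uses = array('User', 'ResetToken');
    // Step 1: store only a hash of the random token plus a 24 h expiry; the raw
    // token goes into the e-mailed link and nowhere else.
    public function forgot_password() {
        if ($this->request->is('post')) {
            $user = $this->User->findByEmail($this->request->data['User']['email']);
            if ($user) {
                $token = bin2hex(random_bytes(32));
                $this->ResetToken->create();
                $this->ResetToken->save(array(
                    'user_id' => $user['User']['id'],
                    'token_hash' => hash('sha256', $token),
                    'expires' => date('Y-m-d H:i:s', time() + 24 * 3600),
                ));
                $link = Router::url(array('action' => 'reset_password', $token), true); // e-mail $link with CakeEmail (omitted)
            }
            // Same message whether or not the address exists: no account enumeration.
            $this->Session->setFlash('If that address is registered, a reset link was sent.');
        }
    }
    // Step 2: a valid, unexpired token yields Tmp.User.id (never Auth.User.id), honoured only here and removed once the password is saved.
    public function reset_password($token = null) {
        if ($token !== null) {
            $row = $this->ResetToken->find('first', array('conditions' => array(
                'ResetToken.token_hash' => hash('sha256', $token),
                'ResetToken.expires >' => date('Y-m-d H:i:s'),
            )));
            if (!$row) {
                throw new NotFoundException('Invalid or expired link');
            }
            $this->ResetToken->delete($row['ResetToken']['id']); // single use
            $this->Session->write('Tmp.User.id', $row['ResetToken']['user_id']);
        }
        $id = $this->Session->read('Tmp.User.id');
        if ($id && $this->request->is('post')) {
            $this->User->id = $id;
            if ($this->User->saveField('password', $this->request->data['User']['password'])) {
                $this->Session->delete('Tmp.User.id');
                return $this->redirect($this->Auth->loginAction);
            }
        }
    }
}
```

Because Tmp.User.id is a different session key from Auth.User.id, the rest of the application still treats the visitor as logged out; only reset_password reads it, so a leaked reset link can do nothing but set a new password within the 24 hours.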

CakePHP: Auth issue, suddenly can't login anymore, password query does not match database

While developing my app, I suddenly can't log in using Auth anymore; according to Cake, the password or username is not correct.
When I track the query, the password (hashed) that Cake is looking for is not the one that the user has. I matched the query password to the User table in MAMP.
What can be the reason for this sudden error? What can make Cake look for another password that does not exist in the user table?
All error logs are clear.
I can register a user without any issue.
I use everything the standard Cake way (Auth, register process etc.).
Many thanks!
Well, most likely you changed the salt value in core.php or the hash method, or both. Those are the only 2 reasons the hash is different for the same password.
