Wednesday, December 3, 2008

Login function redirecting users even though they supplied invalid credentials

Please read the "Explanation" below before answering this question

Question
========
Using the AuthComponent how can I accurately determine if a login
attempt was successful inside of my "login()" function?


Explanation
============
The manual (http://book.cakephp.org/view/395/autoRedirect) states the
following for the autoRedirect variable referencing the use of the
login() function:
"...This is the best place to determine whether or not a successful
login occurred by the AuthComponent ...."

Here's the problem: User A walks up to a terminal and logs in.
AuthComponent does its job and User A is now logged in and browsing
the site. User A walks away WITHOUT logging out. User B walks up to
the terminal, clicks the login link and mistypes their password.

Here's what happens: User B doesn't realize it but the system "logged
them in" anyways (even though their credentials were wrong) re-using
User A's information. How? Examine the code in the manual. The checks
are:

..........
Check #1: if ($this->Auth->user())
Check #2: if(!empty($this->data))
..........

Check #1 passes since User A never logged out (the Auth session
variable for User A still exists)
Check #2 passes because the login form was submitted by User B


Frustration
===========
Here's the frustrating part: It appears that the AuthComponent itself
is doing its job correctly; it doesn't set a new Auth session
variable for User B and returns false since the credentials were
incorrect. However, the code inside the login function still executes
and passes all "if" tests because of the previously logged in user. I
can't seem to find what variable-to-test-for/function-to-call to, as
the manual puts it, "...determine whether or not a successful login
occurred..."

A) Is the example in the manual a bad example?
B) What am I missing? How can I accurately test that the NEW login was
a success or failure?
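The two checks quoted above, placed beside a login() that decides from the identity that was just submitted rather than from whatever user is left in the session. This is an added example, not code from the manual, the post or CakePHP itself; it assumes CakePHP 1.2 conventions ($this->Auth->user(), $this->Auth->logout(), $this->Auth->redirect(), $this->Auth->userModel and $this->Auth->fields['username']) and that usernames are unique.

```php
<?php
// Added example, not code from the CakePHP manual or the original post.
// Assumes CakePHP 1.2: the session user is read via $this->Auth->user(),
// the posted form via $this->data, and the user model / username field
// via $this->Auth->userModel and $this->Auth->fields['username'].
class UsersController extends AppController {
    var $components = array('Auth', 'Session');

    // The pattern described in the post: with User A's Auth session still
    // alive, both checks pass for User B's failed attempt.
    function login_manual_style() {
        if ($this->Auth->user()) {          // Check #1: the stale session passes this
            if (!empty($this->data)) {       // Check #2: any submitted form passes this
                $this->redirect($this->Auth->redirect());
            }
        }
    }

    // Hardened version: success means AuthComponent authenticated THIS
    // submission, i.e. the session identity matches the username just posted.
    function login() {
        $model = $this->Auth->userModel;
        $field = $this->Auth->fields['username'];

        if (empty($this->data)) {
            // Form is being displayed (no POST): drop any leftover session so a
            // mistyped password cannot ride on the previous user's login.
            $this->Auth->logout();
            return;
        }

        $submitted = isset($this->data[$model][$field]) ? $this->data[$model][$field] : null;
        $current   = $this->Auth->user($field);   // null when nobody is logged in

        if ($submitted !== null && $current !== null && $current === $submitted) {
            // AuthComponent (which runs in startup(), before this action)
            // wrote a session for exactly the account that was submitted.
            $this->redirect($this->Auth->redirect());
            return;
        }

        // Failed or mismatched attempt: make sure no stale identity survives.
        $this->Auth->logout();
        $this->Session->setFlash('Login failed');
    }
}
```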
