Wednesday, October 26, 2011

Re: Authentication & Authorization in CakePHP 2.0

"Bank sites" are a perfect example. So, for example, if you log in to, say,
bankofamerica.com and close the browser without logging out, your
session is destroyed and you have to sign back in. I was wanting to
replicate that functionality. Closing the browser implies losing your
signed-in session, and you have to sign back in again to access your
profile.
That is what I desired. That is why I had set Session.timeout=0.
Stateless authentication implies that I would have to store the user
credentials somewhere in a cookie and sign in for every page. I was wanting to
keep the session alive, but only while the browser is open; as soon as the
browser is closed, the session is lost.

Thanks,

Anand

On Oct 26, 10:24 pm, Jeremy Burns | Class Outfit
<jeremybu...@classoutfit.com> wrote:
> I don't think you can. If the user browses away from the site the server won't know so can't do anything. Why is this a problem? If the user comes back while the session is still valid he'll just be logged back in automatically. If it's a secure system (say banking) and there's a large 'log out' button and the user doesn't press it, he deserves to have his account plundered.
>
> Have you looked at stateless authentication?
>
> Jeremy Burns
> Class Outfit
>
> http://www.classoutfit.com
>
> On 27 Oct 2011, at 06:11, Anand Ramamurthy wrote:
>
> > After much debugging I realized that my 'Session.timeout' was set to 0,
> > hence my session data was being dropped for every request. Once I set
> > it to 3600, the sessions remained and authorizations were successful.
> > But now this leads to another quandary. If I set the timeout to a
> > value and the user closes the browser without logging out, I would
> > like his/her session to end and not remain because it hasn't reached
> > its timeout. How can I accomplish this? Any ideas?
>
> > Thanks,
>
> > Anand
>
> > On Oct 26, 9:27 pm, Jeremy Burns | Class Outfit
> > <jeremybu...@classoutfit.com> wrote:
> >> Do you have any auth code in the users controller? Have you put a debug statement inside isAuthorized just before returning true to check that it is actually passing?
>
> >> Jeremy Burns
> >> Class Outfit
>
> >> http://www.classoutfit.com
>
> >> On 26 Oct 2011, at 22:15, Anand Ramamurthy wrote:
>
> >>> Hello,
>
> >>> I am a CakePHP newbie. I am implementing login features using the
> >>> Authentication Component (User model). It works well. However, I am
> >>> facing problems with the Authorization and Statefulness features. Once I am
> >>> logged in I am unable to browse to other pages, as the user seems not to be
> >>> logged in.
>
> >>> This is my component variable in AppController:
>
> >>> public $components = array(
> >>>     'Session',
> >>>     'Auth' => array(
> >>>         'loginAction' => array('controller' => 'users', 'action' => 'login'),
> >>>         'loginRedirect' => array('controller' => 'users', 'action' => 'index'),
> >>>         'logoutRedirect' => array('controller' => 'home', 'action' => 'index'),
> >>>         'authError' => 'Did you really think you are allowed to see that?',
> >>>         'authenticate' => array(
> >>>             'Form' => array('fields' => array('username' => 'email', 'password' => 'password')),
> >>>             'Basic' => array('userModel' => 'Users.User', 'fields' => array('username' => 'email', 'password' => 'password'))
> >>>         ),
> >>>         'authorize' => array('Controller')
> >>>     )
> >>> );
>
> >>> //AppController beforeFilter
> >>> function beforeFilter() {
> >>>     $this->Auth->autoRedirect = false;
> >>>     $this->Auth->userModel = 'User';
> >>>     $this->Auth->allow('index', 'view');
> >>> }
> >>>
> >>> //AppController isAuthorized
> >>> public function isAuthorized($user) {
> >>>     if (isset($user['role']) && $user['role'] == 'admin') {
> >>>         return true; //Admin can access every action
> >>>     }
> >>>     return false; // The rest don't
> >>> }
>
> >>> The user I log in with has the role "admin" set in the DB. The user is able
> >>> to log in properly and gets redirected to index, and then I try to use the
> >>> edit feature in the UsersController, for which he should be authorized,
> >>> but apparently instead I get redirected to the login page again with the
> >>> message "You are not authorized!"
>
> >>> I would be grateful if somebody could chime in and help or provide
> >>> pointers as to what I could be doing wrong.
>
> >>> Thanks in advance.
>
> >>> Anand

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
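The distinction the thread circles around is between the server-side session lifetime and the lifetime of the cookie that carries the session id. As an added example (not code from the thread and not CakePHP's own code), here is a CakePHP 2.0 `Session` block for `app/Config/core.php` showing the setting Anand started from beside one that issues a browser-session cookie, plus a logout action that explicitly destroys the server-side session. It relies on the documented `Session.timeout` and `Session.cookieTimeout` keys (CakePHP maps `cookieTimeout` onto PHP's `session.cookie_lifetime`) and on PHP's standard session ini settings; the 30-minute timeout, the HTTPS-only cookie flag and the `UsersController::logout()` shape are assumptions.

```php
<?php
// app/Config/core.php (added example, not from the thread)

// What the original poster started with: a timeout of 0 minutes means the
// server-side session expires immediately, so every request arrives without
// a valid session and AuthComponent treats the user as logged out.
// Configure::write('Session', array(
//     'defaults' => 'php',
//     'timeout'  => 0,
// ));

// Browser-session behaviour: keep the server-side session alive for a bounded
// idle time (timeout, in minutes), but issue the session cookie with no expiry
// (cookieTimeout 0 becomes session.cookie_lifetime = 0), so the browser
// discards the cookie when it is closed. The server-side session still lives
// until 'timeout' elapses; only the client's copy of the id is gone.
Configure::write('Session', array(
    'defaults'      => 'php',
    'timeout'       => 30,   // assumed value: server-side idle timeout in minutes
    'cookieTimeout' => 0,    // cookie lives only until the browser closes
    'ini' => array(
        'session.cookie_httponly' => true,  // keep the session id away from page scripts
        'session.cookie_secure'   => true,  // assumes the site is served over HTTPS
    ),
));

// app/Controller/UsersController.php (added example): an explicit logout must
// destroy the server-side session; closing the browser never does this, which
// is why a short server-side timeout still matters.
class UsersController extends AppController {

    public function logout() {
        $this->Session->destroy();                 // drop the server-side session data
        $this->redirect($this->Auth->logout());    // clear Auth state, then redirect
    }
}
```

With this configuration the poster's observed behaviour (session dropped on every request) disappears because `timeout` is non-zero, and the "closed browser" case is handled on the client side by the zero-lifetime cookie. The caveat a defender should keep in mind is that the abandoned server-side session remains valid until `timeout` expires, so the value chosen there, not the cookie setting, is what bounds that window.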
