Thursday, August 6, 2015

Using a cookie for API authentication

Hello, I am a complete CakePHP beginner and have inherited some code that was developed by someone else. The code is a PHP-based server that uses CakePHP 2.5 to also expose APIs.

As of today, one can log into the server via login.php which in turn sets a cookie - ZMSESSID.

The CakePHP APIs are completely unauthenticated today, and I want to add code to it to basically check if ZM_SESSION is set, and if so, respond to the API, else return a 401.

I understand that the PHP app and the CakePHP app are separate as far as cookie sharing goes, so to make sure it can see the cookie, I've added the following line to web/api/app/Config/core.php:

Configure::write('Session', array('defaults' => 'php', 'cookie' => 'ZMSESSID'));

I assume this would make this cookie accessible in the cake layer?

Now how do I go about rejecting API requests if this cookie is not set? Is there a common file I can use that rejects all APIs or do I have to go into each API controller and add code? Would someone be so kind as to also guide me on how I can perform this check?

thanks
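
One way to do the check the post asks about, as an added example that is not part of the original post or the inherited code: a single beforeFilter() in AppController, which every CakePHP 2.x controller extends, reads the server-side session instead of trusting that a ZMSESSID cookie was sent. The session key name "username" is an assumption; use whatever key login.php actually stores after a successful login.

```php
<?php
// app/Controller/AppController.php (CakePHP 2.x)
// Added example: all API controllers extend AppController, so one
// beforeFilter() here guards every endpoint without per-controller code.
App::uses('Controller', 'Controller');
App::uses('CakeSession', 'Model/Datasource');

class AppController extends Controller {

    // Assumption: login.php stores the authenticated user under this
    // $_SESSION key. Replace it with the key the legacy app really sets.
    const LOGIN_SESSION_KEY = 'username';

    public function beforeFilter() {
        parent::beforeFilter();

        // Resumes the PHP session named by Session.cookie in core.php
        // (ZMSESSID) and reads server-side state. A request that merely
        // carries a ZMSESSID cookie with an unknown id gets an empty
        // session, so the presence of the cookie alone proves nothing.
        $user = CakeSession::read(self::LOGIN_SESSION_KEY);

        if (empty($user)) {
            // Cake's exception handler renders this as HTTP 401.
            throw new UnauthorizedException(__('Not authenticated'));
        }
    }
}
```

The check only works if both applications use the same PHP session storage and session name, which is what the 'defaults' => 'php' and 'cookie' => 'ZMSESSID' settings above are for.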
