PHP MVC Authentication before call class and methods - php

I tried to make a PHP login and authentication system based on MVC. I also need some guidance on how I can prevent access to all classes in the controller/admin folder without a proper login.
I have two ideas:
1. Make a constructor for all classes in the admin folder that checks for a logged-in session, and only then allow calls to any other methods in that class.
2. Add a secret word at the end of all method names in my admin folder. Then all calls to those methods will be redirected to the __call function to check the session, and if that check succeeds, call the admin's methods by adding that secret word.
I don't know which one is the better way, or is there any other solution?
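Idea 1 from the question, written out as an added example (not code from the question or any answer): a base class whose constructor performs the session check, so every admin controller that extends it inherits the gate. The session keys (`user_id`, `role`), the `/login` URL, the in-memory user store and the password are all constructed for the demo.

```php
<?php
// Added example: idea 1, the login check lives in one base constructor.
// Assumed: the login controller stores 'user_id' and 'role' in $_SESSION.
declare(strict_types=1);

abstract class AdminController
{
    public function __construct()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // Fail closed: no user in the session, or a non-admin role, and no
        // admin method can run because we leave before the action is called.
        if (empty($_SESSION['user_id']) || ($_SESSION['role'] ?? '') !== 'admin') {
            header('Location: /login', true, 302);
            exit;
        }
    }
}

final class UsersAdminController extends AdminController
{
    public function index(): string
    {
        // Only reachable once the constructor above has passed.
        return 'admin user list, requested by user #' . (int) $_SESSION['user_id'];
    }
}

final class LoginController
{
    /** Verify the password against its hash and establish the session. */
    public function login(string $username, string $password, array $users): bool
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $user = $users[$username] ?? null;
        // Same failure path for unknown user and wrong password.
        if ($user === null || !password_verify($password, $user['hash'])) {
            return false;
        }
        session_regenerate_id(true);   // fresh session id once privileges change
        $_SESSION['user_id'] = $user['id'];
        $_SESSION['role'] = $user['role'];
        return true;
    }

    public function logout(): void
    {
        $_SESSION = [];
        session_destroy();
    }
}

// Constructed sample user store; the hash is generated at runtime for the demo.
$users = [
    'alice' => ['id' => 1, 'role' => 'admin',
                'hash' => password_hash('correct horse', PASSWORD_DEFAULT)],
];

$login = new LoginController();
if ($login->login('alice', 'correct horse', $users)) {
    $controller = new UsersAdminController();   // constructor check passes
    echo $controller->index(), PHP_EOL;
}
```

The gate only helps if every class in the admin folder really extends `AdminController`, and if the front controller instantiates controllers from a fixed list rather than from an arbitrary class name taken from the URL; otherwise a request could reach a class that never ran the check.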

Related

CakePHP: How to use a function with a model in every controller?

I have a project which includes an admin and a user section. Both sections use the same controllers, just different functions and templates (ex: viewAdmin() and viewUser()). In the beforeRender() function of every controller, I set the variable $admin to true for admin functions and false for user functions.
For authentication, I use Shibboleth. Shibboleth uses data from LDAP, while user types are saved in an SQL database; that means while it can check if the login and password are wrong, it can't check if the user is an admin or not. A user can go to the ADMIN section as long as they use the right action (ex: go to the link http://example.com/tool/viewAdmin).
To prevent this, I will have to:
Load model Users
Compare the environment variable uid (login name) with the "login" column in the Users table in my SQL database
Look at the "type" column in the Users table to know if the user is an admin or not
Compare the result with the value of $admin and redirect to an error page when necessary
The problem is: I don't want to repeat those steps for EVERY controller.
Currently I have 2 ideas:
Write a function in UsersController, and use it in every controller.
Create a component and load it in every controller.
Both methods require me to change code in all controllers. I would like to hear a better way with less work, perhaps by changing app.php or bootstrap.php.
Any suggestion is appreciated.
To share methods in CakePHP controllers you can:
Create a component and include it in the controller
Or create a method in AppController and use it in child controllers
Or, the PHP way, create a Trait.
But when you authorize users, all user data is stored in the session, including the user's roles (example: admin, regular, member, ...)
Use the official CakePHP authentication plugin and extend the LDAP adapter with the additional code check you need. This is very easy to do and also a very clean way of solving the problem. Disclaimer: I'm one of the authors of the authentication plugin. https://github.com/cakephp/authentication
Or if you want to stay agnostic to any framework, use my library that is based on the authentication plugin and was decoupled from any framework but still works just nice with Cake https://github.com/Phauthentic/authentication.
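The AppController route mentioned in the first answer, as an added example (not code from the question, the answers or the authentication plugin): one beforeFilter that compares the Shibboleth uid with the Users table and refuses admin actions to non-admins, so no individual controller needs the check. It assumes CakePHP 3.4+, that the Shibboleth SP exposes the login name as the server variable `uid` (read with Cake's global `env()` helper), a `users` table with `login` and `type` columns as in the question, and an error page at `Pages::error`; admin actions are recognised by the `Admin` suffix (`viewAdmin`).

```php
<?php
// Added example: a single gate in AppController inherited by every controller.
// Assumed: CakePHP 3.4+, Shibboleth sets $_SERVER['uid'], users.login / users.type.
declare(strict_types=1);

namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class AppController extends Controller
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // viewAdmin / editAdmin ... are admin actions; viewUser / editUser are not.
        $action = (string) $this->request->getParam('action');
        $needsAdmin = substr($action, -5) === 'Admin';
        if (!$needsAdmin) {
            return null;   // user actions: Shibboleth has already authenticated the person
        }

        $uid = env('uid');   // login name populated by the Shibboleth SP
        if ($uid === null || $uid === '') {
            return $this->redirect(['controller' => 'Pages', 'action' => 'error']);
        }

        $this->loadModel('Users');
        $user = $this->Users->find()
            ->select(['type'])
            ->where(['login' => $uid])   // bound parameter, not string interpolation
            ->first();

        // Fail closed: unknown login or a non-admin type never reaches the action.
        if ($user === null || $user->type !== 'admin') {
            return $this->redirect(['controller' => 'Pages', 'action' => 'error']);
        }
        return null;
    }
}
```

Returning the redirect response from beforeFilter is what stops the action from running; setting `$admin` in beforeRender, as the question does, happens too late because the action has already executed by then.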

AUTH, logging in and out of fat free framework and handling sessions and securing pages

The documentation doesn't talk much about logging in and out and handling security in general. In Symfony, you can secure pages of your site via a YML file. Does F3 have anything like that?
What is the recommended way to secure pages and handle a logged in user? I liked basic Auth, but it isn't very flexible, and it seems logging out is trickier. So I decided to set up a form for login/logout.
I would have assumed that Auth automatically creates a session, but from what I can tell it doesn't. So does that mean I need to manually do it?
Also, how do I block non-authenticated visitors from the site? Do I need to add a SESSION check in each route?
The freedom when using F3 is that you can/must implement this on your own.
You have multiple options here, or you can create some other creative solutions too, if your project requires it. The included Auth plugin doesn't create a SESSION of course, because it cannot know if you want to use a SESSION to track your users or maybe use other solutions (cookie, JWT, etc.).
So in most cases you need to create an Auth controller where you check if a user is logged in or not; here you would probably use the Auth plugin and create the SESSION if you want that. From there on you have several other options, just to name a few:
use a base controller that your other controllers will extend (or a Trait) and add a beforeroute there, where you check if the user is logged in and allowed to access that resource.
check the user rights in the front controller (index.php) and don't even register the routes that the user has no access to.
use a 3rd party plugin to add access checks to routes, i.e. f3-access
use another middleware router to pre-flight the current request and add auth checks to multiple routes at once
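The first option from the answer (a base controller with a beforeroute hook), as an added example that is not code from the question, the answer or the Fat-Free project. It assumes F3's `\Base`, `\Session`, `reroute()`, `error()` and `route()` APIs, a SESSION key `user` set by the Login controller below, and a constructed in-memory user array standing in for the Auth plugin or a database mapper.

```php
<?php
// Added example: every routed class extending SecuredController is gated by
// beforeroute(); reroute()/error() end the request (F3's HALT defaults to true).
declare(strict_types=1);

$f3 = \Base::instance();

abstract class SecuredController
{
    /** F3 calls this before the routed method. */
    public function beforeroute(\Base $f3, array $params): void
    {
        new \Session();   // makes SESSION.* available to this request
        if (!$f3->exists('SESSION.user')) {
            $f3->reroute('/login');
        }
        // Extra role gate for everything under /admin.
        if (strpos((string) $f3->get('PATH'), '/admin') === 0
            && $f3->get('SESSION.user.role') !== 'admin') {
            $f3->error(403);
        }
    }
}

class Admin extends SecuredController
{
    public function index(\Base $f3): void
    {
        echo 'Admin area for ' . htmlspecialchars((string) $f3->get('SESSION.user.name'));
    }
}

class Login
{
    /** Constructed user store; hash generated at runtime for the demo only. */
    private static function users(): array
    {
        static $users = null;
        if ($users === null) {
            $users = ['alice' => ['role' => 'admin',
                                  'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
        }
        return $users;
    }

    public function form(\Base $f3): void
    {
        echo '<form method="post"><input name="username">'
           . '<input name="password" type="password"><button>Log in</button></form>';
    }

    public function submit(\Base $f3): void
    {
        new \Session();
        $name = (string) $f3->get('POST.username');
        $user = self::users()[$name] ?? null;
        // One failure path for unknown user and wrong password.
        if ($user === null || !password_verify((string) $f3->get('POST.password'), $user['hash'])) {
            $f3->reroute('/login');
        }
        session_regenerate_id(true);   // fresh session id once privileges change
        $f3->set('SESSION.user', ['name' => $name, 'role' => $user['role']]);
        $f3->reroute('/admin');
    }

    public function logout(\Base $f3): void
    {
        new \Session();
        $f3->clear('SESSION');
        $f3->reroute('/login');
    }
}

$f3->route('GET /login', 'Login->form');
$f3->route('POST /login', 'Login->submit');
$f3->route('GET /logout', 'Login->logout');
$f3->route('GET /admin', 'Admin->index');   // protected by SecuredController::beforeroute
$f3->run();
```

Because the check is attached to the class rather than to each route, a new admin route only needs its handler to extend `SecuredController`; a handler that forgets to extend it is not protected, which is the trade-off compared with the front-controller or middleware options in the answer.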

How can I access cakephp actions from external applications on the same server?

I'm building my first CakePHP application, but I'm pulling my hair out over this problem: I need my application (mydomain.com/cake-app) to co-operate with another non-cake PHP application (mydomain.com/custom-class) on the same server.
Both applications should share authentication and sessions, and I would like CakePHP to handle these.
However, custom-class will need to see who's logged in, and also add/edit users in my cake-app db, either by accessing my User Model, or by calling a setUser action in my UsersController. custom-class does not have access to the cake-app database.
How can I access Cakephp's AuthComponent and my User Model / UsersController from outside the Cakephp framework? What cake files do I need to include in my custom-class in order to accomplish this?
custom-class does not have access to the cake-app database.
The only way is an API then that doesn't require direct DB access. Implement a RESTful API, for example, that your non-cake app can call.
http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/views/json-and-xml-views.html
However, custom-class will need to see who's logged in, and also
add/edit users to my cake-app db, either by accessing my User Model,
or by calling an setUser action in my UsersController.
You'll have to read the cookie then, and the cookie needs to contain something you can send along with your API request so that the API knows who is asking for what.
You won't be able to simply require() or include() a few files from Cake and have it work; this isn't going to happen because the Auth system is a complete stack. You would have to initialize a request, controller, component collection, auth component and the auth adapter(s). Instead check how Cake writes and reads the cookie and implement the same way in your custom class. But pay attention, Cake saves the cookie encrypted.
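The answer's suggestion, an API plus the browser's cookie, as an added example on the custom-class side (not code from the question, the answer or CakePHP). It assumes a hypothetical JSON endpoint `/cake-app/users/me.json` in the Cake app that answers from its own AuthComponent session, that the Cake session cookie is named `CAKEPHP` (the default; check `config/app.php`), and that both apps are served from the same host over HTTPS, as in the question.

```php
<?php
// Added example: custom-class asks the Cake app who is logged in by forwarding
// the browser's session cookie to a REST endpoint, instead of decrypting
// Cake's cookie itself. Endpoint and cookie name are assumptions.
declare(strict_types=1);

const CAKE_API_BASE = 'https://mydomain.com/cake-app';   // same server as in the question
const CAKE_SESSION_COOKIE = 'CAKEPHP';                    // verify against config/app.php

/** Returns the logged-in user as an array, or null when nobody is logged in. */
function currentCakeUser(array $cookies): ?array
{
    if (empty($cookies[CAKE_SESSION_COOKIE])) {
        return null;   // no Cake session cookie: not logged in to the Cake app
    }
    $ch = curl_init(CAKE_API_BASE . '/users/me.json');
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HTTPHEADER     => ['Accept: application/json'],
        // Forward only the session cookie, only to our own host, only over TLS.
        CURLOPT_COOKIE         => CAKE_SESSION_COOKIE . '=' . rawurlencode($cookies[CAKE_SESSION_COOKIE]),
        CURLOPT_SSL_VERIFYPEER => true,
        CURLOPT_TIMEOUT        => 5,
    ]);
    $body = curl_exec($ch);
    $status = curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    curl_close($ch);
    if ($body === false || $status !== 200) {
        return null;   // 401/403 or transport error: treat as anonymous
    }
    $data = json_decode($body, true);
    return is_array($data) && isset($data['user']) && is_array($data['user']) ? $data['user'] : null;
}

// Usage inside custom-class: decide based on the Cake app's answer, never on the cookie alone.
$user = currentCakeUser($_COOKIE);
if ($user === null) {
    header('Location: ' . CAKE_API_BASE . '/users/login', true, 302);
    exit;
}
echo 'Logged in as ' . htmlspecialchars((string) ($user['username'] ?? ''));
```

Adding or editing users goes the same way: a POST to a Cake action that checks the session (and the caller's role) before touching the Users model, so custom-class never needs the database credentials.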

Can I rely on a CodeIgniter URI to check for a login?

Let's say I have the URL http://localhost/home and this is the standard URL of a page.
When a user logs in they are redirected to http://localhost/admin/home.
This URL without any routing is actually more like http://localhost/admin/panel/index/home.
Where admin is a folder, panel a controller, index a function and home an extension to give the view.
Can I theoretically check if a user is logged in depending on whether rsegment(2) is equal to 'admin'? Or can a user fake the URL somehow to break the system?
NB: The panel controller (inside the admin folder) has an actual login check in its index function. I was curious as to whether a user would be able to trick the system into not running the index function, or if that is secure.
No, you cannot rely on the URI to check if a user is logged in.
You have to use an authentication library like TankAuth, or IonAuth.
Also if you need more options you can visit How should I choose an authentication library for CodeIgniter?.
I advise you to read Phil Sturgeon's post on CI Base Classes. Class inheritance is key for maintaining who can access your controllers and who cannot. The URL contains no checks of any kind itself, but you know it calls a controller. The basic premise is:
If you create a controller called MY_Admin_Controller and all of your administrative controllers inherit from it, and you perform the administrative check in MY_Admin_Controller, then you keep your system DRY (Don't Repeat Yourself) because you don't have to check whether or not that user should have access in every single controller. Only once, and the controllers will inherit that check.
or can a user fake the url somehow to break the system.[?]
Sure, the URL is the easiest part that can be sent to a server; you only need a browser with an address bar, which, now as I write it, every browser has ;)
Whaaa?
Your route will point to a controller; if that controller is not secure then it's open to public access.

using Codeigniter session class across multiple php files (controllers)

I have two controllers, user and module. By default the user controller is loaded and the user first logs in. Once the user is authenticated (by the school), a token is issued which is used to make all the calls to the school's API. I create a session and store the token in it.
$this->session->set_userdata('token', $_GET['token']);
After login I need to display the user's registered modules (basically subjects), for which I create an object of the Module class and call a function to show the modules. The Module class makes a call to the API to get the list of registered modules. For this I need the token, so I try to access the token through:
$this->session->userdata('token');
But I get an error: "Message: Undefined property: Module::$session"
The user.php file has a class User in which all functions are defined (redirecting to the login page and storing the token in the session), while the module.php file has a class Module which makes a call to the API to get the list of registered modules.
The session class is set to autoload!
Hope this one solves your problem :)
General problems regards loading libraries, and hooks
I followed Phil Sturgeon's advice on setting up a base class to extend from. This way you don't have to keep defining the same session stuff across multiple classes.
http://philsturgeon.co.uk/blog/2010/02/CodeIgniter-Base-Classes-Keeping-it-DRY
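The base-class pattern recommended in both the CodeIgniter URL thread above (MY_Admin_Controller inheriting the check) and this one (not repeating session setup across classes), as one added example that is not code from either question, either answer or Phil Sturgeon's post. It assumes CodeIgniter 3 with `subclass_prefix` left at `MY_`, the session library autoloaded as the question states, and the url helper; the school's API URL is a hypothetical placeholder. The `Module::$session` error in the question arises because Module was created with `new` instead of being routed as a controller, so here Module is a routed controller that extends the base class.

```php
<?php
// Added example: one base class supplies the session, a second one supplies the
// admin check, and routed controllers inherit both. Each class below belongs in
// the file named in the comment above it (CodeIgniter loads one class per file).

// File: application/core/MY_Controller.php
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->library('session');   // no-op when already autoloaded
        $this->load->helper('url');
    }
}

// Still application/core/MY_Controller.php (CI loads every class in this file).
// The URL segment is never consulted; the session is.
class MY_Admin_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        if (!$this->session->userdata('token')) {
            redirect('user/login');   // redirect() sends the header and exits
        }
    }
}

// File: application/controllers/User.php
class User extends MY_Controller
{
    public function login()
    {
        // Token issued by the school after it authenticated the user (from the question).
        $token = $this->input->get('token', TRUE);
        if ($token === NULL || $token === '') {
            show_error('Missing token', 400);
        }
        $this->session->sess_regenerate(TRUE);   // new session id before storing the credential
        $this->session->set_userdata('token', $token);
        redirect('module/index');
    }
}

// File: application/controllers/Module.php
class Module extends MY_Admin_Controller
{
    public function index()
    {
        // Guaranteed non-empty by MY_Admin_Controller::__construct().
        $token = $this->session->userdata('token');
        $this->load->view('modules', ['modules' => $this->fetchRegisteredModules($token)]);
    }

    /** Calls the school's API; the token travels in a header, not in the query string. */
    private function fetchRegisteredModules($token)
    {
        $ch = curl_init('https://school.example/api/modules');   // hypothetical endpoint
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => TRUE,
            CURLOPT_HTTPHEADER     => ['Authorization: Bearer ' . $token, 'Accept: application/json'],
            CURLOPT_SSL_VERIFYPEER => TRUE,
            CURLOPT_TIMEOUT        => 5,
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
        $data = $body === FALSE ? NULL : json_decode($body, TRUE);
        return is_array($data) ? $data : [];
    }
}
```

`$this->session` exists in `Module` because CodeIgniter builds the loaded libraries onto the controller it routes to; a class instantiated with `new` from another controller gets none of that, which is the error in the question. Keeping the token out of the URL and out of log lines is the other reason it lives in the session rather than being passed around in `$_GET`.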
