Comments on: CakePHP Auth Component – Will You Remember Me Tomorrow?

By: Chris

Chris — Tue, 09 Feb 2010 14:02:06 +0000

I think I am correct in saying this :-

“And all I need to do is sniff your cookie and you secure access is all mine”

Using any of these methods would allow a captured “Remember Me” cookie to be used to access the supposed secure system.

And I am fairly sure a cookie is easy to capture (sniff), and it wont matter that its encrypted because I dont need to decrypt it, just present it.

If I am wrong, please feel free to set me right, seriously, please do.

By: Dani Berg

Dani Berg — Wed, 28 Oct 2009 07:05:55 +0000

Good article. Just one note though.

“This login() function is run every time a user accesses a page that needs authentication (I think)”.

This is not true.

You can use the User::login method to just add the user cookie in case authentication succeeds and the user asks to be remembered.

Then use AppController::beforeFilter to try to authenticate the user based on the user cookie information in case Auth->user() is null.

By: Adventures in Japanese Programming » CakePHP and RememberMe — AutoLogins for the soul

Mon, 14 Sep 2009 07:37:37 +0000

[...] it’s small, lightweight and doesn’t take much configuring. (And don’t believe the page that comes up when you enter “CakePHP rememberme” into google. That’s what got me off on the wrong [...]

By: Davide

Davide — Tue, 04 Aug 2009 15:40:06 +0000

Perfect, clear and simple, and it did the job in 5 mins. Thanks!

By: Bookmarks for Saturday, February 28th — Trevor Fitzgerald

Bookmarks for Saturday, February 28th — Trevor Fitzgerald — Sat, 28 Feb 2009 16:02:43 +0000

[...] CakePHP Auth Component – Tutorial Three: Remember Me Cookie [...]

By: myltik

myltik — Sun, 15 Feb 2009 16:07:10 +0000

Good article. Helped me a lot Thanks.

By: myltik

myltik — Sun, 15 Feb 2009 16:05:52 +0000

Good article. Helped me a lot Thanks.

myltik’s last blog post..??????????? ?? ????????????? – ?????????? ?? MIKArom

By: Feras

Feras — Tue, 27 Jan 2009 17:44:37 +0000

Thanks for the gr8 article. Very helpful.

One observation though, it seems that $this->redirect($this->Auth->logout()); doesnt log the user out of all open windows.

Say a user has an authentic site open in more than one window, if you log out from one, the others remain logged in!

Is there a work around this?
Or am I doing something wrong?

By: Computing Posts From Across The Web Part II : KillerCodingNinjaBunny

Computing Posts From Across The Web Part II : KillerCodingNinjaBunny — Tue, 20 Jan 2009 14:35:44 +0000

[...] Will You Remember Me Tomorrow? – A tutorial on CakePHP login forms, focussing on the ‘remember me’ function. [...]

By: Baz L

Baz L — Thu, 19 Jun 2008 20:48:24 +0000

@Pj Hile:
Make sure $this->authRedirect = false in your beforeFilter().
The line you mentioned is in Auth::identify() which is called from Auth::login().

And if you’re using the code above right, Auth shouldn’t be running this function on it’s own.

By: PJ Hile

PJ Hile — Thu, 19 Jun 2008 20:16:12 +0000

I've been trying to implement a 'remember me' option similar to this, but it seems that $this->data['User']['password'] is getting unset before my login() function, so I had to use $_REQUEST['data']['User']['password']. Looks like the culprit may be "unset($data[$this->userModel][$this->fields['password']]);" on line 777 of the Auth component?

By: Inflo.us

Inflo.us — Tue, 03 Jun 2008 21:31:29 +0000

The best alternative I’ve been able to come up with is to give each user a long, randomly generated magic token. This token is tied neither to the user/pass or to the users id, so it’s impossible to guess (brute force is another matter). It also can be changed at any time (definitely on password change and on logout).

By: Baz L

Baz L — Mon, 02 Jun 2008 19:46:43 +0000

What kind of variant? I’m interested.

By: Graham Weldon

Graham Weldon — Mon, 02 Jun 2008 06:34:10 +0000

Excellent post. Very useful. I’m now using a variant of this on a couple of sites.

By: Baz L

Baz L — Mon, 12 May 2008 17:02:15 +0000

@pjosephson: Excellent catch!

If statement needs to be modified: if (!empty($this->data) && $this->data['User']['remember_me']) {

ThanX!

By: pjosephson

pjosephson — Sat, 10 May 2008 14:16:19 +0000

Where do you assume the value of the remember checkbox? It just seems that because you have data that you always assume the checkbox has been checked or am I missing something?

By: gauravanim

gauravanim — Mon, 14 Apr 2008 16:16:58 +0000

Yes i remember you
will try it soon
added to my bulk of BOOKh markss.Bookmarks i mean

By: Baz L

Baz L — Wed, 09 Apr 2008 17:06:35 +0000

That’s interesting. We’d still need to write the cookie in the login() function, but you’re saying pull the forced login out into app_controller? Interesting.

By: Jelmer

Jelmer — Wed, 09 Apr 2008 14:04:47 +0000

Good article, I’ve also made this sort of remember me cookie in a slightly different way. One thing that bothers me a bit is this:
“This login() function is run every time a user accesses a page that needs authentication”

Often you want to display user information (welcome back, username) on a page that doesn’t need authentication, like your home page, but that won’t work anymore because the cookie isn’t checked right..

Of course there’s a solution, this is what works for me at least, some code in app_controller.php’s beforeFilter function:
$cookie = $this->Cookie->read(‘Auth.User’);
if (!is_null($cookie))
{
if ($this->Auth->login($cookie))
{
$this->Session->del(‘Message.auth’);
}
}