CakePHP Auth Component For Dummies Tutorial

Page content

First off, I would like to say much thanks to Gwoo for finally helping me to understand this thing.

So I know what you’re thinking; I’m probably the last person to finally figure out the CakePHP’s Auth Component. For the past few months, I’ve been using obAuth because that’s the only authentication I could get to work with CakePHP. I think that I was just making it more difficult than it should have been.

My main resource for learning the Auth Component has been Chris’s tutorial, but even then I still needed help. Also, I’m the type that doesn’t really learn much without code.

Note that I’m running off of the CaekPHP 1.2 beta.

Getting Started

Now you can modify this however you like, but I’m starting out with the basics. You’re going to need the following:

  • A user database with fields username, password. Of course they don’t need to be named that way, but defaults are fun.
  • A User Model with Controller and Views - This can be baked from CakePHP
  • A login view for the user.
  • And a base app_controller.php. That’s it.

The Setup - app_controller and users_controller

So here’s the minimum in app_controller:

var $components = array('Auth');

function beforeFilter(){
	$this->Auth->loginAction = array('controller' => 'users', 'action' => 'login');
	$this->Auth->loginRedirect = array('controller' => 'pages', 'action' => 'display', 'home');
	$this->Auth->authorize = 'controller';
function isAuthorized() {
	return true;

You can always visit the API for a better understanding of what’s going on, but right now we’re just trying to get stuff working.

After that there’s the users_controller.php. This you can get straight out of CakePHP’s baking. You do need a small modification:

function login()

function logout(){

Brief Explanation

Honestly, it’s magic; automagic to be precise. If you want to know how it works, you can read up in the API. But what I will do, is give you some of the magic words.

$this->Auth->authorize = ‘controller’

There are different types of authorization action (ugh - ACL stuff), CRUD (basically locks up all the editing stuff), and controller (gives you some need control). Hey, sorry I don’t know too much of what it does, just what I need.

$this->Auth->loginAction = array(‘controller’ => ‘users’, ‘action’ => ‘login’)

This tells yo what the login page is. It also controls where the user is redirected to if he’s not authorized to view a page.

$this->Auth->loginRedirect = array(‘controller’ => ‘pages’, ‘display’ => ‘home’)

Self explanatory: default action to redirect the user to when logged in if they go straight to the login page. If, however, they tried to access a restricted page then this will be ignored and when they login they’ll be redirected to where they wanted to go to.


This is one of the magic functions. By default, adding the authentication component locks down all actions, except the login and logout. This is your way of telling the component let me in to the ‘display’ action for every controller. You at least want to see the homepage right?

You can also add to this in the beforeFilter() of each controller you you need (don’t forget the parent::beforeFilter() to make sure the Auth stuff is still called). Likewise there’s a $this->Auth->deny(), which does the reverse. One small tip: you can also use allow(array('*')) to allow everything.

User Controller

For right now, the login() action can be left as is. The Auth Component handles all that foot work beautifully. You just need to make sure you call $this->Auth->logout() in your logout() action. It has the added benefit of returning the Auth’s logoutRedirect, so $this->redirect($this->Auth->logout() works great.

There you have it, I hope that helps. Now if you’re still having a hard time, I got a present for you:

Download: CakePHP Auth 1  CakePHP Auth 1 (4.3 KiB, 18,444 hits)

There you’ll find some code, to get you up and running. It’s slightly different from what I got above (some extra stuff), but it’s heavily documented.

Enjoy and Happy Baking!