In one cake app I use Auth and Acl to authenticate users, as per the
manual.
Now I need to let some users, not listed in users table but in another
database, edit the records of a table. Let's say for clarification
that they should manage their own profile.

What I want to do is:

1. let those users "authenticate" outside of my app Auth system.
I created a form where those users enter their username and password.
The form is public ($this->Auth->allowedActions = array('mylogin');).

2. If their credentials are valid, I redirect to a form (a view of the
model they have to edit).

Obviously I want to be sure that when the second form is submitted,
what the server receives is not faked. I mean, I need some kind of
persistence in order to verify that the submitted data comes from an
authenticated user and the data is consistent with the user (a user
can modify only his own profile).
To accomplish that is it enough to create a session key and check it
before saving data?
And what kind of complexity should I implement from a security point
of view? I mean, is it enough to set a simple session key (e.g.
$this->Session->write('authenticated', true))? Or should I write something
more complex (e.g. hashing of some user data)?
I'm not sure that the php/cakephp Session component is enough to
guarantee that the submitted data is coming from the same user
previously authenticated.
Are there better cake methods to accomplish the same goal?

thank you
   maxx
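As an added illustration of the session-bound approach the question asks about (example code, not from the original post or from CakePHP itself): the login action stores the external user's id server-side, and the edit action takes the id from the session rather than from anything the form submits. `ExternalUser` (a model on the second database), its `authenticate()` helper, and the `mylogin`/`editprofile` action names are assumptions.

```php
<?php
// Added example, not from the original post. Assumes a CakePHP 1.x controller,
// an `ExternalUser` model pointing at the second database (assumed name), and
// an assumed ExternalUser::authenticate() that returns the user row or false.
class ProfilesController extends AppController {
    var $uses = array('ExternalUser');
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Both actions bypass Auth; editprofile enforces its own session check below.
        $this->Auth->allowedActions = array('mylogin', 'editprofile');
    }

    function mylogin() {
        if (!empty($this->data)) {
            $user = $this->ExternalUser->authenticate(
                $this->data['ExternalUser']['username'],
                $this->data['ExternalUser']['password']
            );
            if ($user) {
                // Fresh session id on login (assumes SessionComponent::renew()),
                // so a session id fixed before login cannot carry the new privilege.
                $this->Session->renew();
                // Persist *who* logged in, not just a boolean: this server-side
                // value is what every later request is bound to.
                $this->Session->write('ExternalUser.id', $user['ExternalUser']['id']);
                $this->redirect(array('action' => 'editprofile'));
            }
            $this->Session->setFlash('Invalid username or password');
        }
    }

    function editprofile() {
        $id = $this->Session->read('ExternalUser.id');
        if (!$id) {
            $this->redirect(array('action' => 'mylogin'));
        }
        if (!empty($this->data)) {
            // Never trust an id from the client: overwrite whatever the form sent.
            $this->data['ExternalUser']['id'] = $id;
            // Whitelist the fields this form may change (assumed column names).
            if ($this->ExternalUser->save($this->data, true, array('name', 'email'))) {
                $this->Session->setFlash('Profile saved');
            }
        }
        $this->data = $this->ExternalUser->read(null, $id);
    }
}
```

Because the session store lives on the server, the client never holds the id and has nothing to forge; hashing user data into the session adds no protection on top of that. Whether the POST was deliberately sent by that user's browser is a separate (CSRF) question, which is what the form tokens of Cake's Security component address.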
