In one cake app I use Auth and Acl to authenticate users, as per manual. Now I need to let some users, not listed in users table but in another database, edit the records of a table. Let's say for clarification that they should manage their own profile.
What I want to do is:

1. Let those users "authenticate" outside of my app Auth system. I created a form where those users enter their username and password. The form is public ($this->Auth->allowedActions = array('mylogin');).

2. If their credentials are valid I redirect to a form (a view of the model they have to edit).

Obviously I want to be sure that when the second form is submitted, what the server receives is not faked. I mean, I need some kind of persistence in order to verify that the submitted data comes from an authenticated user and that the data is consistent with the user (a user can modify only his own profile).

To accomplish that, is it enough to create a session key and check it before saving data? And what kind of complexity should I implement from a security point of view? I mean, is it enough to set a simple session key (e.g. $this->Session->write('authenticated', true))? Or should I write something more complex (e.g. hashing of some user data)? I'm not sure that the PHP/CakePHP Session component is enough to guarantee that the submitted data is coming from the same user previously authenticated. Are there better Cake methods to accomplish the same goal?

thank you
maxx

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php
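The following controller is an added example illustrating one way to answer the question above; it is not code from the original post or from CakePHP itself. It assumes CakePHP 1.3, a hypothetical ExternalUser model bound to the second database (fields: id, username, password stored as a salted SHA1 hash, which is an assumption about that database), and a hypothetical Profile model in the app database with an external_user_id foreign key. The security-relevant points it shows: the session must record which user logged in (an id), not merely that someone did (a boolean); the session id is regenerated at login so a pre-login id cannot be fixated; and on save the server picks the record from the session and overwrites any id or owner field the client submitted, so the browser can never choose whose profile is edited.

```php
<?php
// Added example, not from the original post. Assumes CakePHP 1.3 and the
// hypothetical models ExternalUser (second datasource) and Profile (app db).
class ProfilesController extends AppController {
    var $name = 'Profiles';
    var $uses = array('Profile', 'ExternalUser');
    // Security adds form tokens / field-tampering checks to FormHelper forms.
    var $components = array('Auth', 'Session', 'Security');

    function beforeFilter() {
        parent::beforeFilter();
        // These actions are for users who are not in the app's own users table.
        $this->Auth->allow('mylogin', 'mylogout', 'edit');
    }

    function mylogin() {
        if (!empty($this->data)) {
            $user = $this->ExternalUser->find('first', array(
                'conditions' => array('ExternalUser.username' => $this->data['ExternalUser']['username']),
                'recursive' => -1,
            ));
            // Assumption: the external db stores Security::hash(password, null, true).
            $hash = Security::hash($this->data['ExternalUser']['password'], null, true);
            if ($user && $user['ExternalUser']['password'] === $hash) {
                // Drop the pre-login session id so a fixated id is worthless.
                $this->Session->renew();
                // Persist WHO logged in, not just that someone did.
                $this->Session->write('ExternalAuth.id', $user['ExternalUser']['id']);
                $this->Session->write('ExternalAuth.time', time());
                $this->redirect(array('action' => 'edit'));
            }
            $this->Session->setFlash('Invalid username or password.');
        }
    }

    function mylogout() {
        $this->Session->delete('ExternalAuth');
        $this->redirect(array('action' => 'mylogin'));
    }

    function edit() {
        $userId = $this->Session->read('ExternalAuth.id');
        if (!$userId) {
            $this->Session->setFlash('Please log in first.');
            $this->redirect(array('action' => 'mylogin'));
        }
        // The record is selected from the session, never from an id in the form.
        $profile = $this->Profile->find('first', array(
            'conditions' => array('Profile.external_user_id' => $userId),
            'recursive' => -1,
        ));
        if (!$profile) {
            // First visit: start an empty profile bound to this user.
            $profile = array('Profile' => array('external_user_id' => $userId));
        }
        if (!empty($this->data)) {
            // Overwrite anything the client could have tampered with.
            $this->data['Profile']['id'] = isset($profile['Profile']['id']) ? $profile['Profile']['id'] : null;
            $this->data['Profile']['external_user_id'] = $userId;
            $this->Profile->create();
            // fieldList: only these columns are written, whatever else was posted.
            $fields = array('id', 'external_user_id', 'name', 'email', 'bio');
            if ($this->Profile->save($this->data, true, $fields)) {
                $this->Session->setFlash('Profile saved.');
                $this->redirect(array('action' => 'edit'));
            }
            $this->Session->setFlash('Profile could not be saved.');
        } else {
            $this->data = $profile;
        }
    }
}
```

With this layout a boolean session key is unnecessary: the presence of ExternalAuth.id is the login state, and because the save path never trusts a client-supplied id or external_user_id, a user who tampers with hidden form fields still only ever updates the one row tied to the session. The session itself is protected by the usual PHP/CakePHP mechanisms (the session cookie, plus the Security component's form tokens); the timestamp stored at login can be checked in edit() if a shorter validity window than the session lifetime is wanted.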