I'm experiencing a VERY weird auth problem, which is a very big
security risk for my application.

When I try to access a page in the admin section directly, I'm being
redirected to the login page.
When I try to do the same via an XHR call, the page is loaded!

Example:
When I try to access the URL
http://localhost/admin/sections/edit/1294
I get redirected to
http://localhost/admin/login

When the program accesses the same URL, it loads the page.
Any ideas why it happens?

Here's my auth setup:
    function auth() {
        // Only active admin users may log in
        $this->controller->Auth->userScope = array('AdminUser.active' => '1');
        $this->controller->Auth->userModel = 'AdminUser';
        $this->controller->Auth->loginAction = '/' . Configure::read('Routing.admin') . '/login/';
        $this->controller->Auth->loginRedirect = '/' . Configure::read('Routing.admin') . '/';
        $this->controller->Auth->authorize = false;
        $this->controller->Auth->sessionKey = 'AdminUser';
    }


Here are the headers, checked by FireBug:

Response Headers
==============
Date    Fri, 30 Nov 2007 10:30:54 GMT
Server  Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.3
X-Powered-By    PHP/5.2.3
P3P     CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Pragma  no-cache
Cache-Control   no-store, no-cache, max-age=0, must-revalidate
Content-Length  719
Keep-Alive      timeout=5, max=97
Connection      Keep-Alive
Content-Type    text/html


Request Headers
=============
Host    localhost
User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept  text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language en-us,en;q=0.7,he;q=0.3
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive      300
Connection      keep-alive
X-Requested-With        XMLHttpRequest
Referer http://localhost/admin/
Cookie  ProgramName=77254f4fb7cf56b71b266668f6708f9a
Pragma  no-cache
Cache-Control   no-cache



If I request it through an HTTP data proxy, it doesn't load. Here are
the headers:
Response Headers
==============
Date    Fri, 30 Nov 2007 10:43:57 GMT
Server  Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.3
X-Powered-By    PHP/5.2.3
P3P     CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Pragma  no-cache
Cache-Control   no-store, no-cache, max-age=0, must-revalidate
Location        http://localhost/admin/login/
Content-Length  0
Keep-Alive      timeout=5, max=95
Connection      Keep-Alive
Content-Type    text/html

Request Headers
============
Host    localhost
User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept  */*
Accept-Language en-us,en;q=0.7,he;q=0.3
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive      300
Connection      keep-alive
Referer http://localhost/admin/
Cookie  ProgramName=bc904aec5ff06a2d12bb6f334fde97ab


How can I make Auth check XHR calls?
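As an added example that is not part of the original post (my own code, assuming nothing beyond the two FireBug request dumps quoted above, which are transcribed inline), here is a small script that parses both request header dumps and lists every header that differs between the XHR call that loaded the page and the proxied call that was redirected to the login page:

```python
# Added example, not from the original post: parse the two FireBug request
# dumps quoted above and report which request headers differ between the XHR
# request that loaded /admin/sections/edit/1294 and the proxied request that
# was redirected to /admin/login/. The header text is transcribed from the
# post; the parsing and comparison logic (and all function names) are this
# example's own.
from typing import Dict, List, Optional, Tuple

# Request headers of the XHR call (transcribed from the post).
XHR_REQUEST = """\
Host    localhost
User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept  text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language en-us,en;q=0.7,he;q=0.3
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive      300
Connection      keep-alive
X-Requested-With        XMLHttpRequest
Referer http://localhost/admin/
Cookie  ProgramName=77254f4fb7cf56b71b266668f6708f9a
Pragma  no-cache
Cache-Control   no-cache
"""

# Request headers of the proxied call (transcribed from the post).
PROXY_REQUEST = """\
Host    localhost
User-Agent      Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.10) Gecko/20071115 Firefox/2.0.0.10
Accept  */*
Accept-Language en-us,en;q=0.7,he;q=0.3
Accept-Encoding gzip,deflate
Accept-Charset  ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive      300
Connection      keep-alive
Referer http://localhost/admin/
Cookie  ProgramName=bc904aec5ff06a2d12bb6f334fde97ab
"""


def parse_firebug_headers(dump: str) -> Dict[str, str]:
    """Parse FireBug's "Name<whitespace>Value" lines into a dict keyed by
    lower-cased header name. Header names never contain whitespace, so the
    first whitespace run separates name from value."""
    headers: Dict[str, str] = {}
    for line in dump.splitlines():
        parts = line.strip().split(None, 1)
        if not parts:
            continue  # skip blank lines
        name = parts[0].lower()
        headers[name] = parts[1].strip() if len(parts) > 1 else ""
    return headers


def diff_headers(a: Dict[str, str], b: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, value_in_a, value_in_b) for every header whose value
    differs; a header absent from one side is reported with an empty value."""
    names = sorted(set(a) | set(b))
    return [(n, a.get(n, ""), b.get(n, "")) for n in names if a.get(n) != b.get(n)]


def session_cookie(headers: Dict[str, str], name: str = "ProgramName") -> Optional[str]:
    """Extract one cookie value from the Cookie header, or None if absent."""
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def same_session(a: Dict[str, str], b: Dict[str, str], name: str = "ProgramName") -> bool:
    """True only if both requests present the same, non-empty session cookie."""
    sa, sb = session_cookie(a, name), session_cookie(b, name)
    return sa is not None and sa == sb


if __name__ == "__main__":
    xhr = parse_firebug_headers(XHR_REQUEST)
    proxy = parse_firebug_headers(PROXY_REQUEST)
    print("headers that differ (xhr vs proxy):")
    for name, left, right in diff_headers(xhr, proxy):
        print(f"  {name}: {left!r} vs {right!r}")
    print("same session cookie:", same_session(xhr, proxy))
```

Running it lists Accept, X-Requested-With, Pragma, Cache-Control and Cookie as the differing headers, and reports that the two requests carry different ProgramName cookie values, so the server saw two different sessions. A session-based check such as Auth's decides on the session the cookie resolves to, not on whether X-Requested-With is present, so confirming that the two requests really share a session is the first thing to verify before concluding that XHR calls bypass the check.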
