Re: Authorization missing autoMagic?

2011-07-14 Thread Adrian B.
Thanks, Jens.  Yes, I understand that straight sha256 hashes differ
from salted ones, and that cake salts by prepending the core salt to
the password.  I had mentioned above that I included 'hashPasswords()'
function in the model, which has been 'automagically' replacing the
hash with the proprietary 'salt' logic and a sha256 hash.  So that
part is fine.  I've debugged the $_SESSION variable there and verified
the success of the hash.

I had almost given up and switched to 'Authsome,' because my
frustration levels were high.  I happened to restore my source code to
an earlier state, after which I ran the page to document the $_SESSION
array, AND THE LOGIN WORKED AND REDIRECTED!!!  There may be a couple
of issues affecting this behavior, however I believe one part of the
solution requires use of [autoRedirect = true] as a component
setting.  For me, I'm finding that this value HAS TO BE EXPLICITLY SET
even though it defaults to true.  For me, setting it to true when the
component is initially configured made a difference.

I'm also suspecting my difficulties identifying the problem arose as a
result of [1] a non-standard implementation (using hashPasswords()
function in the model as set forth by {  $this->Auth->authenticate
statement) = ClassRegistry::init('User')  } and [2]  the
misinterpretation of what was actually happening as a result.  I
believe that what may have looked like a failure to redirect may have
actually been a successful redirect but to the wrong location (meaning
a redirect back to '/users/login'  !!!).   This redirect would be
internally stored as part of the auth component.  I've noticed that
changes to the auth component are not reflected unless I clear the
browser history.  If the redirect wasn't working (before autoRedirect
= true), this might explain what looked to be failed login attempts in
addition to masking effects of beneficial changes to the auth
component configuration.

The essence is this:  A workable configuration (requiring explicit
"autoRedirect = true") appeared to fail, but because I had spent the
latter part of a day setting up 'Authsome,' I was able to discover
that it was indeed workable once the session had expired.  This also
revealed the importance of clearing browser caches when configuring
this component.

On Jul 12, 6:40 am, Jens Dittrich wrote:
> You inherited a table with usernames and passwords where the passwords were
> hashed with sha256 right? Was that a custom sha256 implementation? Was it
> salted? CakePHP salts the passwords when hashing so the salt value is very
> important for the output. sha256 hashed passwords are not the same as salted
> sha256 passwords, the hash value differs.

-- 
Our newest site for the community: CakePHP Video Tutorials 
http://tv.cakephp.org 
Check out the new CakePHP Questions site http://ask.cakephp.org and help others 
with their CakePHP related questions.


To unsubscribe from this group, send email to
cake-php+unsubscr...@googlegroups.com For more options, visit this group at 
http://groups.google.com/group/cake-php
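
The point made in the message above, that a plain sha256 digest and one computed over the salt prepended to the password never match, shown as an added example that is not code from the thread or from CakePHP. It is plain PHP that reports which of the two schemes produced a stored hash for a known test password; the salt, the password and the function name classifyStoredHash() are constructed for illustration.

```php
<?php
// Added example: all values below are constructed, not taken from the thread.

/**
 * Report how a stored hex digest was derived from a known password.
 * Returns 'plain-sha256', 'salt-prepended-sha256', or null if neither matches.
 */
function classifyStoredHash(string $password, string $stored, string $salt): ?string
{
    $candidates = [
        'plain-sha256'          => hash('sha256', $password),
        'salt-prepended-sha256' => hash('sha256', $salt . $password),
    ];

    // Normalise the stored value: legacy tables often hold upper-case hex
    // or padded CHAR columns.
    $stored = strtolower(trim($stored));

    foreach ($candidates as $scheme => $digest) {
        // hash_equals() compares in constant time, unlike == or ===.
        if (hash_equals($digest, $stored)) {
            return $scheme;
        }
    }
    return null;
}

// Stands in for Configure::read('Security.salt') (constructed value).
$salt     = 'constructed-app-salt';
$password = 'correct horse';

// A row as an older system without a salt would have written it,
// and a row written with the salt prepended.
$legacyRow = strtoupper(hash('sha256', $password));
$saltedRow = hash('sha256', $salt . $password);

// The two digests differ, so a lookup by hash only succeeds when the
// login code uses the same scheme that wrote the row.
var_dump(hash_equals(strtolower($legacyRow), $saltedRow));

var_dump(classifyStoredHash($password, $legacyRow, $salt));
var_dump(classifyStoredHash($password, $saltedRow, $salt));
var_dump(classifyStoredHash('wrong password', $saltedRow, $salt));
```

Running this against one known account from an inherited table shows which scheme the login code has to reproduce before any Auth component configuration is changed.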


Re: Authorization missing autoMagic?

2011-07-11 Thread Adrian B.
Could this be caused by a server setting or something regarding
Session handling?
Just crossed my mind that I'm running on iis7, not Apache... Anyone?


On Jul 11, 7:38 am, "Adrian B."  wrote:
> Thanks for the input...  It seems the form helper create parameter is
> more directed to the controller for which to use the 'login' method.
> Because authentication methods would be the only methods I'd use in a
> users controller, I was trying to include this in my section
> controller (panels).  But , being that it was something different in
> my implementation than all other examples, I created a users
> controller with a login view which now matches the standard call to
> 'Users'
>
> echo $this->Form->create('User');
>
> I still get the same results.  The behavior I experience does not
> generate any errors.  Following is a list of events in the behavior.
>
> 1)  my url gets redirected to user/login
> 2) my form gets submitted, the component calls custom crypt algorithm
> 'hashPasswords()' in the model to crypt the password entry.  Debugging
> at this point verifies the correct hash for current user.  Function
> hashPasswords() returns $data with updated value for
> $data['User']['password']
>
> 3) Instead of redirecting back to original url with current user
> authenticated, the user is redirected BACK to authentication with
> HASHED value in the password input.  Attempts to add component
> authorization in component init ('authorize' => 'controller', ) and
> isAuthorized() to manually force/verify authentication yields false
> for $this->Auth->login($user)...
>
> Is there anything else I could possibly be overlooking? Anyone?
> Thanks so much for any suggestions.
>
> Adrian
>
> On Jul 9, 7:19 am, Jens Dittrich wrote:
>
> > unless this is a typo, you should tell the form helper the model name that
> > your form is receiving data for and not the name of the controller.
> > " echo $this->Form->create('Panels'); " seems to be wrong.



Re: Authorization missing autoMagic?

2011-07-11 Thread Adrian B.
Thanks for the input...  It seems the form helper create parameter is
more directed to the controller for which to use the 'login' method.
Because authentication methods would be the only methods I'd use in a
users controller, I was trying to include this in my section
controller (panels).  But , being that it was something different in
my implementation than all other examples, I created a users
controller with a login view which now matches the standard call to
'Users'

echo $this->Form->create('User');

I still get the same results.  The behavior I experience does not
generate any errors.  Following is a list of events in the behavior.

1)  my url gets redirected to user/login
2) my form gets submitted, the component calls custom crypt algorithm
'hashPasswords()' in the model to crypt the password entry.  Debugging
at this point verifies the correct hash for current user.  Function
hashPasswords() returns $data with updated value for
$data['User']['password']

3) Instead of redirecting back to original url with current user
authenticated, the user is redirected BACK to authentication with
HASHED value in the password input.  Attempts to add component
authorization in component init ('authorize' => 'controller', ) and
isAuthorized() to manually force/verify authentication yields false
for $this->Auth->login($user)...


Is there anything else I could possibly be overlooking? Anyone?
Thanks so much for any suggestions.

Adrian



On Jul 9, 7:19 am, Jens Dittrich wrote:
> unless this is a typo, you should tell the form helper the model name that
> your form is receiving data for and not the name of the controller.
> " echo $this->Form->create('Panels'); " seems to be wrong.



Authorization missing autoMagic?

2011-07-08 Thread Adrian B.
Hi,

I've been trying a bunch of different configurations, but I believe
this is the one that has me the closest.  Since I've inherited a table
of users with custom sha256 hashed passwords, I'm using
hashPasswords() in my model, which does replace the password in $data
with the correct (verified) hash.

function hashPasswords($data) {
    Security::setHash('sha256');

    if (isset($data['Panels']['username'])) {
        $data['Panels']['password'] =
            Security::hash(Configure::read('Security.salt').$data['Panels']['password']);
        return $data;
    }

    return $data;
}

My challenge is this:  when I attempt to log in thru my form, no
attempt to actually login is made by the Auth component.  Instead, I
get the values submitted by the form with one exception.  The password
input now has the hashed value of password filled in the form.  Manual
attempts to login using $this->Auth->login($user) fail as well
(return false)...  However, the usernames and passwords match.


///*** HERE IS MY CONTROLLER SETUP ... I'm using  /panels/login as the
controller/method for logging in, and the user pw fields in my db are
non-standard.  ***///

var $helpers = array('Html', 'Form');

//Array of components used by Controller

var $components = array(
    'Auth' => array(
        'loginAction' => array(
            'controller' => 'panels',
            'action' => 'login',
            'plugin' => false,
            'admin' => false,
        ),
        'fields' => array(
            'username' => 'user_id',
            'password' => 'user_password',
        ),
        'userModel' => 'User',
        'authorize' => 'controller',
        'allowedActions' => array('login','logout')
    ),
    'Session',
    'Cookie'
);

function beforeFilter() {
    $this->Auth->authenticate = ClassRegistry::init('User');
    parent::beforeFilter();
}

function login() {
    //Where is the Auth Magic?
}

function logout() {
    //Leave empty for now.
}

function isAuthorized() {
    var_dump("this is running");  /// This never actually runs!  UGH
    if (
        !empty($this->data) &&
        !empty($this->Auth->data['User']['username']) &&
        !empty($this->Auth->data['User']['password'])
    ) {
        $user = $this->User->find('first', array(
            'conditions' => array(
                'User.user_id' => $this->Auth->data['Panels']['username'],
                'User.user_password' => $this->Auth->data['Panels']['password']
            ),
            'recursive' => -1
        ));
        var_dump("check this out!-");
        var_dump($this->Auth->login($user));
        if (!empty($user) && $this->Auth->login($user)) {
            if ($this->Auth->autoRedirect) {
                return true;
            }
        } else {
            $this->Session->setFlash($this->Auth->loginError, $this->Auth->flashElement, array(), 'auth');
            return false;
        }
    } else {
        return false;
    }
}


///*** HERE IS MY LOGIN FORM



<?php
$this->Session->flash('auth');   // This displays nothing on the second instance form
echo $this->Form->create('Panels');
echo $this->Form->input('username');
echo $this->Form->input('password');
echo $this->Form->end('Login');

?>



$this->Auth->data['Panels']['username'] &
$this->Auth->data['Panels']['password'] both contain values the second
iteration thru login()...
I am missing something, but I feel I am close.

Any direction would very much be appreciated!

Thanks, AdrianB
