Re: Authorization missing autoMagic?
Thanks, Jens. Yes, I understand that straight sha256 hashes differ from salted ones, and that cake salts by prepending the core salt to the password. I had mentioned above that I included 'hashPasswords()' function in the model, which has been 'automagically' replacing the hash with the proprietary 'salt' logic and a sha256 hash. So that part is fine. I've debugged the $_SESSION variable there and verified the success of the hash.

I had almost given up and switched to 'Authsome,' because my frustration levels were high. I happened to restore my source code to an earlier state, after which I ran the page to document the $_SESSION array, AND THE LOGIN WORKED AND REDIRECTED!!!

There may be a couple of issues affecting this behavior, however I believe one part of the solution requires use of [autoRedirect = true] as a component setting. For me, I'm finding that this value HAS TO BE EXPLICITLY SET even though it defaults to true. For me, setting it to true when the component is initially configured made a difference.

I'm also suspecting my difficulties identifying the problem arose as a result of [1] a non-standard implementation (using hashPasswords() function in the model as set forth by { $this->Auth->authenticate statement) = ClassRegistry::init('User') } and [2] the misinterpretation of what was actually happening as a result.

I believe that what may have looked like a failure to redirect may have actually been a successful redirect but to the wrong location (meaning a redirect back to '/users/login' !!!). This redirect would be internally stored as part of the auth component. I've noticed that changes to the auth component are not reflected unless I clear the browser history. If the redirect wasn't working (before autoRedirect = true), this might explain what looked to be failed login attempts in addition to masking effects of beneficial changes to the auth component configuration.

The essence is this: A workable configuration (requiring explicit "autoRedirect = true") appeared to fail, but because I had spent the latter part of a day setting up 'Authsome,' I was able to discover that it was indeed workable once the session had expired. This also revealed the importance of clearing browser caches when configuring this component.

On Jul 12, 6:40 am, Jens Dittrich wrote:
> You inherited a table with usernames and passwords where the passwords were
> hashed with sha256 right? Was that a custom sha256 implementation? Was it
> salted? CakePHP salts the passwords when hashing so the salt value is very
> important for the output. sha256 hashed passwords are not the same as salted
> sha256 passwords, the hash value differs.

--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.

To unsubscribe from this group, send email to cake-php+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php
Re: Authorization missing autoMagic?
You inherited a table with usernames and passwords where the passwords were hashed with sha256 right? Was that a custom sha256 implementation? Was it salted? CakePHP salts the passwords when hashing so the salt value is very important for the output. sha256 hashed passwords are not the same as salted sha256 passwords, the hash value differs.
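The difference described in the message above, as an added example that is not part of the original thread: a check that tells whether a stored hash for a known test account is plain sha256 or sha256 with the salt prepended to the password. The salt, the password and the function names are constructed for illustration.

```php
<?php
// Added example, not code from the thread. The salt, password and
// function names below are constructed for illustration.

// Salted scheme as described in the thread: the core salt is
// prepended to the password before hashing.
function salted_sha256(string $password, string $salt): string
{
    return hash('sha256', $salt . $password);
}

// Work out how a stored hash for a known test account was produced.
function classify_stored_hash(string $stored, string $password, string $salt): string
{
    $stored = strtolower(trim($stored));
    // A sha256 digest in hex is exactly 64 hex characters.
    if (!preg_match('/^[0-9a-f]{64}$/', $stored)) {
        return 'not-sha256-hex';
    }
    // hash_equals() compares in constant time.
    if (hash_equals(hash('sha256', $password), $stored)) {
        return 'plain-sha256';
    }
    if (hash_equals(salted_sha256($password, $salt), $stored)) {
        return 'salted-sha256';
    }
    // Different salt, different algorithm, or a different password.
    return 'unknown';
}

$salt     = 'constructed-core-salt-value';   // stands in for the application's core salt
$password = 'test-account-password';         // password of a dedicated test account

// Constructed sample rows covering each outcome.
$rows = [
    'inherited row'   => hash('sha256', $password),
    'cake-hashed row' => salted_sha256($password, $salt),
    'other salt'      => salted_sha256($password, 'different-salt'),
    'truncated'       => substr(hash('sha256', $password), 0, 40),
];

foreach ($rows as $label => $stored) {
    printf("%-16s %s\n", $label, classify_stored_hash($stored, $password, $salt));
}
```

A row that classifies as plain-sha256 will never match what a salting login path computes, so the login fails without any error being raised.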
Re: Authorization missing autoMagic?
Could this be caused by a server setting or something regarding Session handling? Just crossed my mind that I'm running on iis7, not Apache... Anyone?

On Jul 11, 7:38 am, "Adrian B." wrote:
> Thanks for the input... It seems the form helper create parameter is
> more directed to the controller for which to use the 'login' method.
> Because authentication methods would be the only methods I'd use in a
> users controller, I was trying to include this in my section
> controller (panels). But, being that it was something different in
> my implementation than all other examples, I created a users
> controller with a login view which now matches the standard call to
> 'Users'
>
> echo $this->Form->create('User');
>
> I still get the same results. The behavior I experience does not
> generate any errors. Following is a list of events in the behavior.
>
> 1) my url gets redirected to user/login
> 2) my form gets submitted, the component calls custom crypt algorithm
> 'hashPasswords()' in the model to crypt the password entry. Debugging
> at this point verifies the correct hash for current user. Function
> hashPasswords() returns $data with updated value for
> $data['User']['password']
>
> 3) Instead of redirecting back to original url with current user
> authenticated, the user is redirected BACK to authentication with
> HASHED value in the password input. Attempts to add component
> authorization in component init ('authorize' => 'controller', ) and
> isAuthorized() to manually force/verify authentication yields false
> for $this->Auth->login($user)...
>
> Is there anything else I could possibly be overlooking? Anyone?
> Thanks so much for any suggestions.
>
> Adrian
>
> On Jul 9, 7:19 am, Jens Dittrich wrote:
>
> > unless this is a typo, you should tell the form helper the model name that
> > your form is receiving data for and not the name of the controller.
> > " echo $this->Form->create('Panels'); " seems to be wrong.
Re: Authorization missing autoMagic?
Thanks for the input... It seems the form helper create parameter is more directed to the controller for which to use the 'login' method. Because authentication methods would be the only methods I'd use in a users controller, I was trying to include this in my section controller (panels). But, being that it was something different in my implementation than all other examples, I created a users controller with a login view which now matches the standard call to 'Users'

echo $this->Form->create('User');

I still get the same results. The behavior I experience does not generate any errors. Following is a list of events in the behavior.

1) my url gets redirected to user/login
2) my form gets submitted, the component calls custom crypt algorithm 'hashPasswords()' in the model to crypt the password entry. Debugging at this point verifies the correct hash for current user. Function hashPasswords() returns $data with updated value for $data['User']['password']
3) Instead of redirecting back to original url with current user authenticated, the user is redirected BACK to authentication with HASHED value in the password input. Attempts to add component authorization in component init ('authorize' => 'controller', ) and isAuthorized() to manually force/verify authentication yields false for $this->Auth->login($user)...

Is there anything else I could possibly be overlooking? Anyone? Thanks so much for any suggestions.

Adrian

On Jul 9, 7:19 am, Jens Dittrich wrote:
> unless this is a typo, you should tell the form helper the model name that
> your form is receiving data for and not the name of the controller.
> " echo $this->Form->create('Panels'); " seems to be wrong.
Re: Authorization missing autoMagic?
unless this is a typo, you should tell the form helper the model name that your form is receiving data for and not the name of the controller. " echo $this->Form->create('Panels'); " seems to be wrong.