Appendix B. Example: Simple User Authentication

Table of Contents

B.1. The Big Picture
B.2. Authentication and Persistence
B.3. Access Checking in your Application

B.1. The Big Picture

Important

If you're new to CakePHP, you'll be strongly tempted to copy and paste this code for use in your mission critical, sensitive-data-handling production application. Resist ye: this chapter is a discussion on Cake internals, not application security. While we doubt this example contains any glaringly obvious security pitfalls, its point is to show you how Cake's internals work, so that you can build a bulletproof brute of an application on your own.

Cake has access control via its built-in ACL engine, but what about user authentication and persistence? What about that?

Well, for now, we've found that user authentication systems vary from application to application. Some like hashed passwords, others LDAP authentication, and almost every app will have User models that are slightly different. For now, we're leaving it up to you. Will this change? We're not sure yet. For now, we think that the extra overhead of building this into the framework isn't worth it, because creating your own user authentication setup is easy with Cake.

You need just three things:

  • A way to authenticate users (usually done by verifying a user's identity with a username/password combination)

  • A way to persistently track that user as they navigate your application (usually done with sessions)

  • A way to check if a user has been authenticated (also often done by interacting with sessions)
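
The three pieces listed above, written out as an added example in plain PHP. This is not code from the CakePHP manual or the framework itself: it uses PHP's own password_hash()/password_verify() (PHP 7.1 or later is assumed for the type declarations), a constructed two-user array in place of a User model, and a plain array in place of $_SESSION so the script runs from the command line. User names and passwords are made up for the example.

```php
<?php
// Added example, not from the CakePHP manual: the three pieces of a minimal
// authentication scheme (authenticate, persist, check) as plain PHP.
// Assumes PHP 7.1+ for password_hash()/password_verify() and nullable types.

// Constructed user store standing in for a User model. Passwords are kept
// only as bcrypt hashes, never in plain text.
function build_user_store(): array
{
    return [
        'alice' => ['id' => 1, 'username' => 'alice',
                    'password' => password_hash('correct horse', PASSWORD_DEFAULT)],
        'bob'   => ['id' => 2, 'username' => 'bob',
                    'password' => password_hash('battery staple', PASSWORD_DEFAULT)],
    ];
}

// 1. Authenticate: return the user record on success, null on failure.
function authenticate(array $users, string $username, string $password): ?array
{
    // Always run password_verify(), against a dummy hash when the username is
    // unknown, so response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('unused', PASSWORD_DEFAULT);
    }
    $user = $users[$username] ?? null;
    $hash = $user !== null ? $user['password'] : $dummyHash;
    $ok = password_verify($password, $hash);
    if (!$ok || $user === null) {
        return null;
    }
    unset($user['password']);   // never carry the hash into the session
    return $user;
}

// 2. Persist: record the authenticated user in the session array
//    ($_SESSION in a real request; a local array here so the example runs anywhere).
function login(array &$session, array $user): void
{
    if (PHP_SAPI !== 'cli' && session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // new session id on login defeats fixation
    }
    $session['User'] = $user;
}

function logout(array &$session): void
{
    unset($session['User']);
}

// 3. Check: the test the rest of the application runs before serving a page.
function is_authenticated(array $session): bool
{
    return isset($session['User']['id']);
}

// Demonstration using a local array in place of $_SESSION.
$users = build_user_store();
$session = [];

var_dump(authenticate($users, 'alice', 'wrong password'));
var_dump(authenticate($users, 'mallory', 'correct horse'));

$user = authenticate($users, 'alice', 'correct horse');
login($session, $user);
var_dump(is_authenticated($session));
var_dump(isset($session['User']['password']));

logout($session);
var_dump(is_authenticated($session));
```

The two failed logins (wrong password, unknown user) return null and go through the same hash comparison; the successful one stores only the id and username in the session, so a leaked session file never exposes a password hash. In a Cake controller the `$session` array would be replaced by the Session Component, which is what the next section uses.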

In this example, we'll create a simple user authentication system for a client management system. This fictional application would probably be used by an office to track contact information and related notes about clients. All of the system functionality will be placed behind our user authentication system except for a few bare-bones, public-safe views that show only the names and titles of clients stored in the system.

We'll start out by showing you how to verify users that try to access the system. Authenticated user info will be stored in a PHP session using Cake's Session Component. Once we've got user info in the session, we'll place checks in the application to make sure application users aren't entering places they shouldn't be.

One thing to note: authentication is not the same as access control. All we're after in this example is how to see if people are who they say they are, and allow them basic access to parts of the application. If you want to fine tune this access, check out the chapter on Cake's Access Control Lists. We'll make notes as to where ACLs might fit in, but for now, let's focus on simple user authentication.

I should also say that this isn't meant to serve as some sort of primer in application security. We just want to give you enough to work with so you can build bulletproof apps of your own.