I am trying to get my login() function with 'Remember Me' to work.
    function login() {
        if ($this->Auth->user()) {
            if (!empty($this->data) && $this->data['User']['remember_me']) {
                $cookie = array();
                $cookie['username'] = $this->data['User']['username'];
                $cookie['password'] = $this->data['User']['password'];
                $this->Cookie->write('Auth.User', $cookie, true, COOKIE_EXPIRE);
                unset($this->data['User']['remember_me']);
            }
            $this->LogDetail->Write('activity','has logged IN');
            $this->redirect($this->Auth->redirect());
        }
        if (empty($this->data)) {
            $cookie = $this->Cookie->read('Auth.User');
            if (!is_null($cookie)) {
                if ($this->Auth->login($cookie)) {
                    $this->Session->destroy('Message.Auth'); # clear auth message, just in case we use it.
                    $this->LogDetail->Write('activity','has been authenticated via cookie and is now logged IN');
                    $this->redirect($this->Auth->redirect());
                } else {
                    $this->LogDetail->Write('activity','attempted to gain access with an invalid cookie');
                    $this->Cookie->destroy('Auth.User'); # delete invalid cookie
                    $this->Session->setFlash('Invalid cookie');
                    $this->redirect('login');
                }
            }
        }
    }
It first checks to see if the user is authorized in session.
If the user is authorized in session, it redirects them to the intended page.
If the user is authorized in session because they have submitted the login form, it checks to see if 'Remember Me' is selected, and then it creates a cookie before redirecting.
If the user is not authorized in session, the function checks for the existence of the Auth.User cookie, and then attempts to Auth->login($cookie).
This is where the problem occurs.
If a user who has no session, but HAS an Auth.User cookie, visits the site, it redirects forever, writing to the log "has been authenticated via cookie and is now logged IN" over and over again until the browser terminates.
I am confused because $this->Auth->login($cookie) is returning true, but the SESSION is not being updated!
How can Auth->login($cookie) return true, but the session's auth info remain unset (causing the infinite loop)?
When watching the cookies in Firebug during the infinite loop, I notice that the CAKEPHP session cookie is constantly changing values during this process.
I should also mention that the login system/auth/redirect etc. work fine when no Auth.User cookie is present.
If anyone can help me figure this out I would appreciate it.
Thank you
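
Added example, not part of the original post and not CakePHP code: a 'Remember Me' design in which the cookie carries a random single-use token instead of the username and password written to Auth.User above. The class RememberMeStore, its methods issue() and redeem(), and the in-memory array standing in for a database table are all hypothetical names chosen for illustration.

```php
<?php
// Added example. The array below stands in for a database table (assumption).
final class RememberMeStore
{
    /** @var array<string, array{user_id:int, hash:string, expires:int}> */
    private array $rows = [];

    /** Issue a cookie value "selector:validator"; only a hash of the validator is stored. */
    public function issue(int $userId, int $ttl, ?int $now = null): string
    {
        $now       = $now ?? time();
        $selector  = bin2hex(random_bytes(9));   // lookup key, not secret
        $validator = bin2hex(random_bytes(32));  // secret half, never stored in clear
        $this->rows[$selector] = [
            'user_id' => $userId,
            'hash'    => hash('sha256', $validator),
            'expires' => $now + $ttl,
        ];
        return $selector . ':' . $validator;
    }

    /**
     * Check a cookie value. Returns [userId, replacementCookieValue] on success,
     * null otherwise. A token is single-use: it is consumed on every attempt.
     */
    public function redeem(string $cookie, int $ttl, ?int $now = null): ?array
    {
        $now   = $now ?? time();
        $parts = explode(':', $cookie, 2);
        if (count($parts) !== 2 || !isset($this->rows[$parts[0]])) {
            return null;                         // malformed or unknown selector
        }
        [$selector, $validator] = $parts;
        $row = $this->rows[$selector];
        unset($this->rows[$selector]);           // consume the row, pass or fail
        if ($row['expires'] < $now
            || !hash_equals($row['hash'], hash('sha256', $validator))) {
            return null;                         // expired or wrong validator
        }
        return [$row['user_id'], $this->issue($row['user_id'], $ttl, $now)];
    }
}

// Constructed demo values: user id 42, 14-day lifetime.
$store  = new RememberMeStore();
$cookie = $store->issue(42, 1209600);
[$uid, $rotated] = $store->redeem($cookie, 1209600);
var_dump($uid);                                   // user id recovered from the token
var_dump($store->redeem($cookie, 1209600));       // old value replayed after rotation
var_dump($store->redeem($rotated, 1209600) !== null);
```

In a login() action like the one above, the value returned by issue() would be what gets written to the cookie, and a successful redeem() would be followed by loading that user and writing the replacement value back to the browser.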