Cakephp auth component with two models session

I have two CakePHP 2 applications running on the same database, but with different Auth tables and different $this->Auth->userModel values accordingly. Authentication works well and users from one app can't log into the other.

BUT.. as the apps use the same CAKEPHP session cookie, this happens: when a user from app 'one' logs in, they can access any Auth-protected action in app 'two'!

I will probably use different user roles and cookie names. But still, why is the Auth component ignoring the Auth->userModel setting when checking the session? Is there a way to configure it to work right in this situation?

Thanks in advance for any suggestions.

Jonasson asked May 10 '12 16:05


1 Answer

If not configured otherwise, AuthComponent will write the authenticated user record to the Auth.User session key in CakePHP 2. But it can be changed:

AuthComponent::sessionKey

The session key name where the record of the current user is stored. If unspecified, it will be "Auth.User".

(In CakePHP 1.3 this was different: Auth.{$userModel name})

So, if your apps share a session (which they do if the cookie name and Security.salt match), the logged-in record will be shared.

There are two possibilities to solve this:

Separate the logins

Simply set a different AuthComponent::sessionKey for your two models. This will allow them to keep the logged-in user separately.

Separate the sessions

Configure different Cookie names and Salts for both apps, so their sessions cannot override each other. This is probably the cleaner solution, because it also covers the risk of other session keys being double-used.

pixelistik answered Oct 06 '22 18:10
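The two fixes from the answer above, written out as an added example (not code from the question, the answer, or the CakePHP project). It assumes the two apps authenticate against models named `User` and `Admin` and live in two separate `app/` directories; the cookie names and salt strings are constructed placeholders. The first block is the shared-session setup that causes the problem, the next two apply the answer's fixes.

```php
<?php
// ---------------------------------------------------------------------------
// PROBLEM: both apps keep the defaults, so both write the logged-in record to
// the same session key ("Auth.User") inside the same session (cookie "CAKEPHP",
// same Security.salt). A login in app one is therefore visible to app two,
// whatever userModel says: Auth only checks that the key is populated.
// ---------------------------------------------------------------------------
//   app one:  'Auth' => array('userModel' => 'User')   -> writes Auth.User
//   app two:  'Auth' => array('userModel' => 'Admin')  -> reads  Auth.User

// ---------------------------------------------------------------------------
// FIX 1 ("Separate the logins"): distinct AuthComponent::$sessionKey per app.
// $sessionKey is a static property in CakePHP 2, so it is set directly on the
// class in beforeFilter(), not through the $components settings array.
// ---------------------------------------------------------------------------

// app one: app/Controller/AppController.php
App::uses('Controller', 'Controller');
App::uses('AuthComponent', 'Controller/Component');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'userModel' => 'User',
            'authenticate' => array('Form' => array('userModel' => 'User')),
        ),
    );

    public function beforeFilter() {
        // Record for app one lives under Auth.User (the default, made explicit).
        AuthComponent::$sessionKey = 'Auth.User';
        parent::beforeFilter();
    }
}

// app two: app/Controller/AppController.php (same file, second application)
//
// class AppController extends Controller {
//     public $components = array(
//         'Session',
//         'Auth' => array(
//             'userModel' => 'Admin',
//             'authenticate' => array('Form' => array('userModel' => 'Admin')),
//         ),
//     );
//
//     public function beforeFilter() {
//         // Record for app two lives under Auth.Admin: a user logged in via
//         // app one leaves Auth.Admin empty, so app two still redirects to login.
//         AuthComponent::$sessionKey = 'Auth.Admin';
//         parent::beforeFilter();
//     }
// }

// ---------------------------------------------------------------------------
// FIX 2 ("Separate the sessions"): different cookie name and salt per app in
// app/Config/core.php, so the browser carries two independent sessions and
// nothing in one session (Auth or otherwise) can be read by the other app.
// ---------------------------------------------------------------------------

// app one: app/Config/core.php (constructed placeholder values)
Configure::write('Session', array(
    'defaults' => 'php',
    'cookie' => 'APP_ONE_SESSION',
));
Configure::write('Security.salt', 'replace-with-a-long-random-salt-for-app-one');

// app two: app/Config/core.php (constructed placeholder values)
//
// Configure::write('Session', array(
//     'defaults' => 'php',
//     'cookie' => 'APP_TWO_SESSION',
// ));
// Configure::write('Security.salt', 'replace-with-a-long-random-salt-for-app-two');
```

Fix 1 alone keeps both records in one session, so anything else the apps store under the same session key is still shared; fix 2 removes that overlap entirely, which is why the answer calls it the cleaner option. Applying both is harmless.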