Welcome to The Cookbook

The Big Picture

If you're new to CakePHP, you'll be strongly tempted to copy and paste this code for use in your mission critical, sensitive-data-handling production application. Resist ye: this chapter is a discussion on Cake internals, not application security. While I doubt we'll provide for any extremely obvious security pitfalls, the point of this example is to show you how Cake's internals work, and allow you to create a bulletproof brute of an application on your own.

Cake has access control via its built-in ACL engine, but what about user authentication and persistence? What about that?

Well, for now, we've found that user authentication systems vary from application to application. Some like hashed passwords, others, LDAP authentication - and almost every app will have User models that are slightly different. For now, we're leaving it up to you. Will this change? We're not sure yet. For now, we think that the extra overhead of building this into the framework isn't worth it, because creating your own user authentication setup is easy with Cake.

You need just three things:

• A way to authenticate users (usually done by verifying a user's identity with a username/password combination)
• A way to persistently track that user as they navigate your application (usually done with sessions)
• A way to check if a user has been authenticated (also often done by interacting with sessions)

In this example, we'll create a simple user authentication system for a client management system. This fictional application would probably be used by an office to track contact information and related notes about clients. All of the system functionality will be placed behind our user authentication system except for few bare-bones, public-safe views that shows only the names and titles of clients stored in the system.

We'll start out by showing you how to verify users that try to access the system. Authenticated user info will be stored in a PHP session using Cake's Session Component. Once we've got user info in the session, we'll place checks in the application to make sure application users aren't entering places they shouldn't be.

One thing to note - authentication is not the same as access control. All we're after in this example is how to see if people are who they say they are, and allow them basic access to parts of the application. If you want to fine tune this access, check out the chapter on Cake's Access Control Lists. We'll make notes as to where ACLs might fit in, but for now, let's focus on simple user authentication.

I should also say that this isn't meant to serve as some sort of primer in application security. We just want to give you enough to work with so you can build bulletproof apps of your own.

Authentication and Persistence

First, we need a way to store information about users trying to access our client management system. The client management system we're using stores user information in a database table that was created using the following SQL:

Table 'users', Fictional Client Management System Database

CREATE TABLE `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` varchar(255) NOT NULL,
  `password` varchar(32) NOT NULL,
  `first_name` varchar(255) NOT NULL,
  `last_name` varchar(255) NOT NULL,
  PRIMARY KEY  (`id`)
)

1. CREATE TABLE `users` (
2. `id` int(11) NOT NULL auto_increment,
3. `username` varchar(255) NOT NULL,
4. `password` varchar(32) NOT NULL,
5. `first_name` varchar(255) NOT NULL,
6. `last_name` varchar(255) NOT NULL,
7. PRIMARY KEY (`id`)
8. )

Pretty simple, right? The Cake Model for this table can be pretty bare:

<?php
class User extends AppModel
{
    var $name = 'User';
}
?>

1. <?php
2. class User extends AppModel
3. {
4. var $name = 'User';
5. }
6. ?>

First thing we'll need is a login view and action. This will provide a way for application users to attempt logins and a way for the system to process that information to see if they should be allowed to access the system or not. The view is just a HTML form, created with the help of Cake's Html Helper:

/app/views/users/login.thtml

<?php if ($error): ?>
<p>The login credentials you supplied could not be recognized. Please try again.</p>
<?php endif; ?>

<form action="<?php echo $html->url('/users/login'); ?>" method="post">
<div>
    <label for="username">Username:</label>
    <?php echo $html->input('User/username', array('size' => 20)); ?>
</div>
<div>
    <label for="password">Password:</label>
    <?php echo $html->password('User/password', array('size' => 20)); ?>
</div>
<div>
    <?php echo $html->submit('Login'); ?>
</div>
</form>

1. <?php if ($error): ?>
2. <p>The login credentials you supplied could not be recognized. Please try again.</p>
3. <?php endif; ?>
4.  
5. <form action="<?php echo $html->url('/users/login'); ?>" method="post">
6. <div>
7. <label for="username">Username:</label>
8. <?php echo $html->input('User/username', array('size' => 20)); ?>
9. </div>
10. <div>
11. <label for="password">Password:</label>
12. <?php echo $html->password('User/password', array('size' => 20)); ?>
13. </div>
14. <div>
15. <?php echo $html->submit('Login'); ?>
16. </div>
17. </form>

This view presents a simple login form for users trying to access the system. The action for the form is /users/login, which is in the UsersController and looks like this:

/app/controllers/users_controller.php (partial)

<?php
class UsersController extends AppController
{
    function login()
    {
        //Don't show the error message if no data has been submitted.
        $this->set('error', false);

        // If a user has submitted form data:
        if (!empty($this->data))
        {
            // First, let's see if there are any users in the database
            // with the username supplied by the user using the form:

            $someone = $this->User->findByUsername($this->data['User']['username']);

            // At this point, $someone is full of user data, or its empty.
            // Let's compare the form-submitted password with the one in
            // the database.

            if(!empty($someone['User']['password']) && $someone['User']['password'] == $this->data['User']['password'])
            {
                // Note: hopefully your password in the DB is hashed,
                // so your comparison might look more like:
                // md5($this->data['User']['password']) == ...

                // This means they were the same. We can now build some basic
                // session information to remember this user as 'logged-in'.

                $this->Session->write('User', $someone['User']);

                // Now that we have them stored in a session, forward them on
                // to a landing page for the application.

                $this->redirect('/clients');
            }
            // Else, they supplied incorrect data:
            else
            {
                // Remember the $error var in the view? Let's set that to true:
                $this->set('error', true);
            }
        }
    }

    function logout()
    {
        // Redirect users to this action if they click on a Logout button.
        // All we need to do here is trash the session information:

        $this->Session->delete('User');

        // And we should probably forward them somewhere, too...
     
        $this->redirect('/');
    }
}
?>

1. <?php
2. class UsersController extends AppController
3. {
4. function login()
5. {
6. //Don't show the error message if no data has been submitted.
7. $this->set('error', false);
8. // If a user has submitted form data:
9. if (!empty($this->data))
10. {
11. // First, let's see if there are any users in the database
12. // with the username supplied by the user using the form:
13. $someone = $this->User->findByUsername($this->data['User']['username']);
14. // At this point, $someone is full of user data, or its empty.
15. // Let's compare the form-submitted password with the one in
16. // the database.
17. if(!empty($someone['User']['password']) && $someone['User']['password'] == $this->data['User']['password'])
18. {
19. // Note: hopefully your password in the DB is hashed,
20. // so your comparison might look more like:
21. // md5($this->data['User']['password']) == ...
22. // This means they were the same. We can now build some basic
23. // session information to remember this user as 'logged-in'.
24. $this->Session->write('User', $someone['User']);
25. // Now that we have them stored in a session, forward them on
26. // to a landing page for the application.
27. $this->redirect('/clients');
28. }
29. // Else, they supplied incorrect data:
30. else
31. {
32. // Remember the $error var in the view? Let's set that to true:
33. $this->set('error', true);
34. }
35. }
36. }
37. function logout()
38. {
39. // Redirect users to this action if they click on a Logout button.
40. // All we need to do here is trash the session information:
41. $this->Session->delete('User');
42. // And we should probably forward them somewhere, too...
44. $this->redirect('/');
45. }
46. }
47. ?>

Not too bad: the contents of the login() action could be less than 20 lines if you were concise. The result of this action is either 1: the user information is entered into the session and forwarded to the landing page of the app, or 2: kicked back to the login screen and presented the login form (with an additional error message).

Access Checking in your Application

Now that we can authenticate users, let's make it so the application will kick out users who try to enter the system from points other than the login screen and the "basic" client directory we detailed earlier.

One way to do this is to create a function in the AppController that will do the session checking and kicking for you.

/app/app_controller.php

<?php
class AppController extends Controller
{
    function checkSession()
    {
        // If the session info hasn't been set...
        if (!$this->Session->check('User'))
        {
            // Force the user to login
            $this->redirect('/users/login');
            exit();
        }
    }
}
?>

1. <?php
2. class AppController extends Controller
3. {
4. function checkSession()
5. {
6. // If the session info hasn't been set...
7. if (!$this->Session->check('User'))
8. {
9. // Force the user to login
10. $this->redirect('/users/login');
11. exit();
12. }
13. }
14. }
15. ?>

Now you have a function you can use in any controller to make sure users aren't trying to access controller actions without logging in first. Once this is in place you can check access at any level - here are some examples:

Forcing authentication before all actions in a controller

<?php
class NotesController extends AppController
{
    // Don't want non-authenticated users looking at any of the actions
    // in this controller? Use a beforeFilter to have Cake run checkSession
    // before any action logic.

    function beforeFilter()
    {
        $this->checkSession();
    }
}
?>

1. <?php
2. class NotesController extends AppController
3. {
4. // Don't want non-authenticated users looking at any of the actions
5. // in this controller? Use a beforeFilter to have Cake run checkSession
6. // before any action logic.
7. function beforeFilter()
8. {
9. $this->checkSession();
10. }
11. }
12. ?>

Forcing authentication before a single controller action

<?php
class NotesController extends AppController
{
    function publicNotes($clientID)
    {
        // Public access to this action is okay...
    }

    function edit($noteId)
    {
        // But you only want authenticated users to access this action.
        $this->checkSession();
    }
}
?>

1. <?php
2. class NotesController extends AppController
3. {
4. function publicNotes($clientID)
5. {
6. // Public access to this action is okay...
7. }
8. function edit($noteId)
9. {
10. // But you only want authenticated users to access this action.
11. $this->checkSession();
12. }
13. }
14. ?>

Now that you have the basics down, you might want to venture out on your own and implement some advanced or customized features past what has been outlined here. Integration with Cake's ACL component might be a good first step.