Comments on: Follow-up to “A Hopefully Usefull Tutorial For Using CakePHP’s Auth Component”

By: Erik Gyepes

Erik Gyepes — Mon, 30 Jun 2008 14:53:32 +0000

I don’t know what I’m doing bad, but it doesn’t work for me in Opera. When I reopen it my “session” is lost and I must relogin. In FF it works correctly.

By: leo

leo — Mon, 25 Feb 2008 14:56:58 +0000

Thanks Chris. It’s taken me days to get this working. Nowhere does it seem to clearly say that the stored password must be hashed, nor that the easiest way to do it is by using cake to insert the user. One of your articles has pointed me in the right direction once again!

By: Anh

Anh — Sun, 24 Feb 2008 14:17:23 +0000

Well, I think I figured that out. Just change the code in beforeFilter() to the following and it would work:

$cookie = $this->Cookie->read(‘User’);
if ($cookie) {
$this->Auth->login($cookie);
}

By: Anh

Anh — Sun, 24 Feb 2008 13:22:02 +0000

I have some problems trying to implementing the Remember me feature.

I followed your previous tutorial and store the username as well as the hashed password in the cookie. Then, in beforeFilter(), I put these values into the $this->data array. However, seems that the password in $this->data has to be plaintext, as the Auth component will automatically hash all passwords in this array.

Did I miss anything?

By: Chris Hartjes

Chris Hartjes — Sat, 05 Jan 2008 15:47:13 +0000

@Kabturek
Well, perhaps I don’t understand how the hashing of the passwords works in the Auth component, but since the hash is only one way I don’t see how anyone could even figure out the password unless they know the original. I would be storing a *hashed* password in the cookie, not the plaintext one. Storing plaintext passwords in a cookie is an insane security hole.

By: kabturek

kabturek — Sat, 05 Jan 2008 10:40:03 +0000

@Chris
yep but i rather store an ID of the user (encrypted with a salt) if the cookie will be compromised i would only have to change the salt ( or the login system) and no paswords would be leaked.

By: Chris Hartjes

Chris Hartjes — Thu, 20 Dec 2007 14:38:50 +0000

@SFI: The purpose of storing the username and password in a cookie is so that when the user comes back to the site at a later date, they can be automatically logged in.

By: Daniel Hofstetter

Daniel Hofstetter — Thu, 20 Dec 2007 05:56:02 +0000

@Martin: Many people use the same password for different applications. So if I can get the password then it is possible I will also get access to other applications in a worst-case scenario.

By: SFI

SFI — Thu, 20 Dec 2007 04:13:46 +0000

am I missing something..? I don’t see the point of storing a username and password in a cookie… why not store using a session and have authenticated=true and if you want more security put the ip in so if someone hijacks the session cookie they can’t use it ??

By: Martin Schapendonk

Martin Schapendonk — Wed, 19 Dec 2007 14:47:40 +0000

Daniel, Chris, others,

Nice to see how people try to prevent reverse engineering of a password from a cookie.

However, I miss one thing in the discussion… if I have the cookie, I don’t *need* the password anymore! I just offer the cookie to the server and it logs me in. Who cares about the password?

BTW, I guess most (if not all) ‘Remember Me’ solutions are vulnerable to ‘cookie hijacking’.