Category Archives: CakePHP

CakePHP Ajax/JSON calls fail? Try turning debug output off

The problem / symptoms

When calling a server side cakephp method through Ajax calls usualy in combination with JSON encoding, the call fails. The server returns HTTP 200 and everything seems fine, but the Ajax call just doesn’t work.

Continue reading →

CakeOTP 1.1 – User Registration with One Time Password for CakePHP Released

New in CakeOTP release 1.1

1) Automatic login process, after the account activation- The user is automatically logged into the site and is redirected to an internal page, immediately after activating his/her account.
2) User email validation.

Download this release here.

Checkout the Online Demo, project page and getting started page.

How to: Automatic User Login in CakePHP

Leave a reply

Sometimes you need to enable silent (implicit) login for your users. A good example of this would be this – after a registration process, you would want to automatically login the user, rather then having him retype the user name and password.

In CakePHP there is a simple method in the Auth components that lets you login on the user’s behave.

Here is how it is done:

// assuming $password is the clear text password $this->data["User"]["password"] = $this->Auth->password($password); $this->data["User"]["username"] = $username;


// do the login

$login = $this->Auth->login($this->data);
// $login is true is login went well.

// now we can redirect the user to any page:

if($login){

   $this->redirect(array('controller' => "anycontroller",

          'action' => "any_secure_action", null));

}

This will be implemented in the next CakeOTP release.


		
		
			This entry was posted in CakePHP, Open source, Software development, Tips on April 13, 2010 by Amir Shevat.



	
				
			
						
				Security issue in CakePHP code documentation
			
										
					5 Replies				

					


				
			I have been using CakePHP for a long time now and enjoy every second. It provides a productive, easy to use and well document  platform for PHP application. The key advantages for me are – transparent OR mapping, a strong Model View Controller framework, and tons of extra utilities that make your life better.
I have came across a possible security issue in one of cakePHP code examples. This section of code is responsible to authorize or un-authorize clients access to a certain action (MVC flow)
action == 'delete') {
            if ($this->Auth->user('role') == 'admin') {
                return true;
            } else {
                return false;
            }
        }

        return true;
    }
?>

The major security rule this code is breaking is – never ever have ‘return true’ as a default for an authorization method.

 Continue reading →
					

		
		
			This entry was posted in CakePHP, Open source, PHP, Security, Software development on March 5, 2010 by Amir Shevat.								

	


	
				
			
						
				CakeOTP 1.0 – Secure, Expirable, Table-less One Time Password for CakePHP Released
			
										
					Leave a reply				

					


				
			
CakeOTP is a secure, table-less and expirable implementation of One Time Password for the popular CakePHP development framework.
A one-time password (OTP) is a password that is only valid for a single login session or transaction. It is commonly used in the internet for registration and password reminder process in which OTPs are provides to the user in a form of a link that the user uses to access in order to create/reset his password.
The problem is that most one-time password implementation involve maintaining additional database tables and batch process that handle the persistence and expire date of the one time password. This adds complexity and reduces performance.
CakeOTP is a simple and clean implementation of one time password. It reduces complexity by removing the redundant SQL calls and DB batch maintenance while still keeping the one time password secure and expirable.
Download this release here.
Checkout the Online Demo, project page and getting started page.



Feel free to post comments and questions.
					

		
		
			This entry was posted in CakePHP, Open source, PHP, release, Security, Software development on February 11, 2010 by Amir Shevat.								

	


	
				
			
						
				CakeOTP  0.1 beta release – One Time Password Reference Implementation for CakePHP
			
										
					Leave a reply				

					


				
			

I have started to implement the algorithm for tableless, secure One time password.
Here is a link to the Demo, and here is a link to the beta release.
The only thing you need to do other then the regular cakePHP setup is to create a user table (used by the CakePHP Auth component):


CREATE TABLE IF NOT EXISTS `users` (
  `id` int(11) NOT NULL auto_increment,
  `username` char(50) default NULL,
  `password` char(40) default NULL,
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=23 ;

 Continue reading →
					

		
		
			This entry was posted in CakePHP, Open source, PHP, release, Security, Software development on January 22, 2010 by Amir Shevat.

Spacebug Open Source Initiative

Keeping Software Simple, Open and Pragmatic.

Category Archives: CakePHP

CakePHP Ajax/JSON calls fail? Try turning debug output off

The problem / symptoms

CakeOTP 1.1 – User Registration with One Time Password for CakePHP Released

New in CakeOTP release 1.1

How to: Automatic User Login in CakePHP

Security issue in CakePHP code documentation

CakeOTP 1.0 – Secure, Expirable, Table-less One Time Password for CakePHP Released

CakeOTP 0.1 beta release – One Time Password Reference Implementation for CakePHP