Cakephp auth component with two models session

Question

I have two cakephp2 applications running on the same database, but having different Auth tables and different $this->Auth->userModel values accordingly. Authentication works well and users from one app can't log into the other.

BUT.. as the apps use the same CAKEPHP session cookie, this happens: when a user from app 'one' logs in, they can access any Auth protected action in app 'two'!

I will probably use different user roles and cookie names. But still, why is the Auth component ignoring the Auth->userModel settings when checking the session? Is there a way to configure it to work right in this situation?

Thanks in advance for any suggestions.

Recommended answer

If not configured otherwise, AuthComponent will write the authenticated user record to the Auth.User session key in CakePHP 2. But it can be changed:

AuthComponent::sessionKey

The session key name where the record of the current user is stored. If unspecified, it will be "Auth.User".

(In CakePHP 1.3 this was different: Auth.{$userModel name})

So, if your apps share a Session, which they do, if cookie name and Security.salt match, the logged in record will be shared.

There are two possibilities to solve this:

Simply set a different AuthComponent::sessionKey for your two models. This will allow them to keep the logged in user separately.

Configure different Cookie names and Salts for both apps, so their sessions cannot override each other. This is probably the cleaner solution, because it also covers the risk of other session keys being double-used.
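
Both options from the answer above, sketched for app 'one' in CakePHP 2. This is an added example, not code from the original post; the model name Customer, the session key Auth.AppOneUser, the cookie name APPONE and the salt placeholder are assumptions, and the two files are shown in one block for brevity.

```php
<?php
// ---- app/Config/core.php (app 'one') ----
// Option 2: a separate session cookie name and salt per application, so a
// session created by one app is never presented to the other.
Configure::write('Session', array(
    'defaults' => 'php',
    'cookie'   => 'APPONE', // assumed name; app 'two' sets its own, e.g. APPTWO
));
// Placeholder value: generate a distinct random salt for each app.
Configure::write('Security.salt', 'REPLACE_WITH_RANDOM_SALT_FOR_APP_ONE');

// ---- app/Controller/AppController.php (app 'one') ----
App::uses('Controller', 'Controller');
App::uses('AuthComponent', 'Controller/Component');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'authenticate' => array(
                // 'Customer' is a hypothetical user model for this app.
                // userModel only selects the table used at login time; it is
                // not consulted when the logged-in record is read from the session.
                'Form' => array('userModel' => 'Customer'),
            ),
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Option 1: store this app's logged-in record under its own key
        // instead of the default 'Auth.User'. Even if the two apps end up
        // sharing a session, app 'two' looks under a different key and
        // finds no user there.
        AuthComponent::$sessionKey = 'Auth.AppOneUser';
    }
}
```

App 'two' gets the same two changes with its own cookie name, salt and session key.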
