CakePHP Auth component with two models session

Question

I have two cakephp2 applications running on the same database, but having different Auth tables and different $this->Auth->userModel values accordingly. Authentication works well and users from one app can't log into the other.

BUT.. as the apps use the same CAKEPHP session cookie, this happens: when a user from app 'one' logs in, they can access any Auth protected action in app 'two'!

I will probably use different user roles and cookie names. But still, why is the Auth component ignoring the Auth->userModel settings when checking the session? Is there a way to configure it to work right in this situation?

Thanks in advance for any suggestions.

Recommended answer

If not configured otherwise, AuthComponent will write the authenticated user record to the Auth.User session key in CakePHP 2. But it can be changed:

AuthComponent::sessionKey

The session key name where the record of the current user is stored. If unspecified, it will be "Auth.User".

(In CakePHP 1.3 this was different: Auth.{$userModel name})

So, if your apps share a Session, which they do, if cookie name and Security.salt match, the logged in record will be shared.

There are two possibilities to solve this:

Simply set a different AuthComponent::sessionKey for your two models. This will allow them to keep the logged in user separately

Configure different Cookie names and Salts for both apps, so their sessions cannot override each other. This is probably the cleaner solution, because it also covers the risk of other session keys being double-used.
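
The two options above, combined for application 'one' in a CakePHP 2 configuration sketch. This is an added example, not part of the original answer; the model name Member, the cookie name APPONE, the session key Auth.Member and the salt value are assumed placeholders, and application 'two' would get its own distinct values.

```php
<?php
// ---- app/Config/core.php (application 'one') ----
// Option 2: a separate session cookie and salt per application.
// The default cookie name is 'CAKEPHP'; when both apps keep it on the
// same host, the browser sends the same session to both of them.
Configure::write('Session', array(
    'defaults' => 'php',
    'cookie'   => 'APPONE', // constructed name; e.g. 'APPTWO' in the other app
));
// Placeholder: generate a distinct random salt for each application.
Configure::write('Security.salt', 'REPLACE_WITH_RANDOM_SALT_FOR_APP_ONE');

// ---- app/Controller/AppController.php (application 'one') ----
App::uses('Controller', 'Controller');
App::uses('AuthComponent', 'Controller/Component');

class AppController extends Controller {

    public $components = array(
        'Session',
        'Auth' => array(
            'authenticate' => array(
                // 'Member' is a hypothetical model name for this app's users
                'Form' => array('userModel' => 'Member'),
            ),
        ),
    );

    public function beforeFilter() {
        parent::beforeFilter();
        // Option 1: store the logged-in record under an app-specific key
        // instead of the default 'Auth.User'. In CakePHP 2 sessionKey is a
        // static property, so it is set on the class before Auth's startup
        // check runs (which happens after beforeFilter).
        AuthComponent::$sessionKey = 'Auth.Member';
    }
}
```

With only option 1 applied the two apps still share one session, so any other session key both apps write remains shared; option 2 separates the sessions themselves.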
