SSL Authentication Using Security Component In CakePHP


We can enforce SSL in CakePHP by writing our own methods such as ‘forceSSL’ and ‘unforceSSL’, but CakePHP also ships a built-in Security Component that can require SSL for us.

  • The Security Component lets us integrate tighter security into our application.
  • Like all components, it is configured through several parameters.
  • The Security Component provides CSRF and form-tampering protection.
  • csrfExpires controls how long a CSRF token stays valid for a form submission.

Example:

All URLs that require SSL will redirect to the sub-domain ‘https://app.andolacrm.com/’, and the non-SSL URLs will redirect to the sub-domain ‘http://www.andolacrm.com’.


How To Use Security Component

  • Include the Security Component in your AppController.php
  • Like as below:

    class AppController extends Controller {
        public $components = array('Acl', 'Session', 'Email', 'Security', 'Cookie');
    }
  • There are three configurable variables whose values you need to set, as per the requirements of your application, in the beforeFilter() function of AppController.php:
  • validatePost:

This variable is used to validate your POST data (it detects forms whose fields have been added, removed or tampered with). Set it to false if you want to skip validating your POST data, for example when the data comes from third-party services. The default is true.

  • csrfCheck:

CSRF (Cross-Site Request Forgery) protection for forms. Set it to false to skip the CSRF check.

  • csrfUseOnce:

This controls the CSRF token. If it is set to false, one CSRF token is reused throughout the application; otherwise a new token is generated for each form submission.

Sample Code:

    public function beforeFilter() {
        parent::beforeFilter();
        // Code added for SSL security
        $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
        $this->Security->csrfUseOnce = false;
    }
  • In ‘AppController.php’ you need to define the list of actions that do not need to be checked for SSL:

    $sslnotallowed_url = array('beta_user', 'terms', 'privacy', 'security', 'display', 'faq');
  • Code to be written in the ‘beforeFilter()’ of ‘AppController.php’:

    public function beforeFilter() {
        parent::beforeFilter();
        // Code added for SSL security
        $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
        $this->Security->csrfUseOnce = false;
        $sslnotallowed_url = array('beta_user', 'terms', 'privacy', 'security');
        // forceSSL() is called whenever the Security Component black-holes a request
        $this->Security->blackHoleCallback = 'forceSSL';
        if (!in_array($this->params['action'], $sslnotallowed_url)) {
            // require HTTPS for every action not listed above
            $this->Security->requireSecure('*');
        }
    }

ForceSSL Method

    // The black-hole callback receives the failure type ('secure', 'auth' or 'csrf')
    public function forceSSL($error = '') {
        return $this->redirect('https://app.andolacrm.com' . $this->here);
    }
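The following is an added example, not the original post's code, of an AppController that keeps the CSRF and form-tampering checks at their defaults and uses the black-hole callback only to redirect insecure requests to HTTPS; the host name and the exempt action names are taken from the post above, and the CakePHP 2.x API is assumed.

```php
<?php
// Added example (not the original post's code): SecurityComponent configured so that
// only the SSL check is handled by redirection, while CSRF and POST validation stay on.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session', 'Security');

    // Actions that may be served over plain HTTP (names taken from the post).
    protected $sslNotRequired = array('beta_user', 'terms', 'privacy', 'security');

    public function beforeFilter() {
        parent::beforeFilter();
        // validatePost, csrfCheck and csrfUseOnce are left at their default (true):
        // forms are checked for tampering and every submission gets a fresh token.
        $this->Security->blackHoleCallback = 'forceSSL';
        if (!in_array($this->request->params['action'], $this->sslNotRequired, true)) {
            // requireSecure() with no arguments requires HTTPS for every action
            $this->Security->requireSecure();
        }
    }

    // SecurityComponent passes the failure type: 'secure', 'auth' or 'csrf'.
    public function forceSSL($error = '') {
        if ($error === 'secure') {
            // Host name is the post's example domain (assumed here).
            return $this->redirect('https://app.andolacrm.com' . $this->here);
        }
        // A CSRF or form-tampering failure is not an SSL problem: record it and
        // refuse the request instead of disabling the check that caught it.
        $this->log(sprintf('SecurityComponent black-holed %s request for %s',
            $error, $this->here), 'warning');
        throw new BadRequestException(__('The request has been black-holed'));
    }
}
```

With this layout a plain-HTTP request to a protected action is redirected, while a request that fails the CSRF or POST validation is logged and answered with a 400 instead of a redirect loop.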

NOTE: The Security Component's form protection only works for forms created using FormHelper.

Conclusion:

Following the steps described above will let you successfully enforce SSL in CakePHP. But you need to be careful when using the Security Component in your application: it will raise a ‘blackhole’ error whenever a request fails one of its checks (no SSL, a tampered form or a missing CSRF token). You can avoid such errors by setting the variables described above to ‘false’, but note that doing so turns the corresponding check off rather than fixing the cause, so the application loses that protection.
