Cakephp Remember Me with Auth

Remember me with cakephp Auth Login

I don't really understand your nested function login(), but I assume it is just a sample from your /users/login action, so let me rewrite the beforeFilter method to redirect your user to /users/userhome if he hits your domain and is logged in using a cookie:

    public function beforeFilter() {
        $this->Cookie->httpOnly = true;
        if (!$this->Auth->loggedIn() && $this->Cookie->read('rememberMe')) {
            $cookie = $this->Cookie->read('rememberMe');
            debug($cookie); // no need to echo it, debug function does that already
            $this->loadModel('User'); // If the User model is not loaded already
            $user = $this->User->find('first', array(
                'conditions' => array(
                    'User.username' => $cookie['username'],
                    'User.password' => $cookie['password']
                )
            ));

            // Continue only if a matching user was found and the login succeeded;
            // a cookie that matches no user is treated as a failed login.
            if ($user && $this->Auth->login($user['User'])) {
                $this->redirect($this->Auth->redirectUrl()); // redirect to Auth.redirect if it is set, else to Auth.loginRedirect ('/users/userhome') if it is set, else to /
            } else {
                $this->redirect('/users/logout'); // destroy session & cookie
            }
        }
    }

FYI: $this->Auth->redirect() is deprecated as of 2.3, use $this->Auth->redirectUrl() instead

About the implementation of Remember Me using AuthenticationPlugin's Cookie Authenticator

You're not supposed to load authenticators in your controllers, authentication happens at middleware level, before any of your controllers are being invoked.

The cookie authenticator is meant to be loaded and configured just like any other authenticator, that is where you create the authentication service, usually in Application::getAuthenticationService() in src/Application.php.

By default the field in the form must be remember_me, not rememberMe, that is unless you would configure the cookie authenticator's rememberMeField option otherwise.

Furthermore the default cookie name of the cookie authenticator is CookieAuth, so if you wanted to encrypt it, you'd have to use that name in the EncryptedCookieMiddleware config accordingly.

tl;dr

Remove all cookie related code from your controller, and load the authenticator in your Application::getAuthenticationService() method:

    use Authentication\Identifier\IdentifierInterface;

    // ...

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $service = new AuthenticationService();

        // ...

        // The cookie authenticator should be loaded _after_ the session authenticator,
        // and _before_ other authenticators like the form authenticator
        $service->loadAuthenticator('Authentication.Cookie', [
            // 'rememberMeField' => 'custom_form_field_name', // if you want to change the default
            'fields' => [
                IdentifierInterface::CREDENTIAL_USERNAME => 'mail',
                IdentifierInterface::CREDENTIAL_PASSWORD => 'password',
            ],
        ]);

        // ...

        return $service;
    }

set the authentication cookie name in the EncryptedCookieMiddleware config:

    $cookies = new EncryptedCookieMiddleware(
        ['CookieAuth'],
        Configure::read('Security.cookieKey')
    );

and change the field name in your form to remember_me if you're using the cookie authenticator's defaults:

    echo $this->Form->control('remember_me', [
        'type' => 'checkbox'
    ]);

That's all that should be required, if you tick the checkbox in your login form, then the authentication middleware will set a cookie after successful authentication accordingly, and it will pick up the cookie if it's present on a request and no other authenticator successfully authenticates the request first (like the session authenticator for example).
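The pieces from the answer above put together in one src/Application.php, as an added example that is not part of the original answer or the plugin's own code. It assumes CakePHP 4 with cakephp/authentication 2.x; the '/users/login' URL, the 30-day lifetime and the secure/httponly cookie flags are assumptions chosen for illustration.

```php
<?php
// Added example. Assumes CakePHP 4 + cakephp/authentication 2.x.
// The skeleton's other middleware (error handler, assets, CSRF) is left out for brevity.
namespace App;

use Authentication\AuthenticationService;
use Authentication\AuthenticationServiceInterface;
use Authentication\AuthenticationServiceProviderInterface;
use Authentication\Identifier\IdentifierInterface;
use Authentication\Middleware\AuthenticationMiddleware;
use Cake\Core\Configure;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\EncryptedCookieMiddleware;
use Cake\Http\MiddlewareQueue;
use Cake\Routing\Middleware\RoutingMiddleware;
use Psr\Http\Message\ServerRequestInterface;

class Application extends BaseApplication implements AuthenticationServiceProviderInterface
{
    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        return $middlewareQueue
            ->add(new RoutingMiddleware($this))
            // Added before authentication: CookieAuth is decrypted on the way in
            // and encrypted again on the way out.
            ->add(new EncryptedCookieMiddleware(['CookieAuth'], Configure::read('Security.cookieKey')))
            ->add(new AuthenticationMiddleware($this));
    }

    public function getAuthenticationService(ServerRequestInterface $request): AuthenticationServiceInterface
    {
        $fields = [
            IdentifierInterface::CREDENTIAL_USERNAME => 'mail',
            IdentifierInterface::CREDENTIAL_PASSWORD => 'password',
        ];
        $service = new AuthenticationService();
        $service->loadIdentifier('Authentication.Password', ['fields' => $fields]);
        // Order matters: session first, then cookie, then form.
        $service->loadAuthenticator('Authentication.Session');
        $service->loadAuthenticator('Authentication.Cookie', [
            'fields' => $fields, 'loginUrl' => '/users/login', // assumed login URL
            'cookie' => [
                'name' => 'CookieAuth', // the default; must match the encrypted-cookie list
                'expires' => new \DateTime('+30 days'), // assumed lifetime
                'secure' => true, 'httponly' => true, // HTTPS only, not readable from JavaScript
            ],
        ]);
        $service->loadAuthenticator('Authentication.Form', ['fields' => $fields, 'loginUrl' => '/users/login']);
        return $service;
    }
}
```

Security.cookieKey has to be at least 32 bytes long, otherwise cookie encryption fails.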

How to implement Remember me in CakePHP?

Check this ready to use solution AutoLoginComponent and docs.


