Kim Stacks

Reputation: 10822

How to allow single sign on between multiple cakephp 3 apps on the same server?

Situation

I currently have two cakephp 3 apps on the same Ubuntu server using the same MySQL with different databases.

Let's call the first app Hammy (which uses the database name hammy). Let's call the second app Chewy (which uses the database name chewy).

Hammy was first built for a particular customer's company so there are users and groups tables in the hammy database.

Subsequently, I needed to build Chewy for the same customer and another customer.

Inside chewy, I have designed users and groups tables but with an additional column called account_id.

These are the domains I use for the above setup:

  • customerA.hammy.com
  • customerA.chewy.com
  • customerB.chewy.com

What I want

What I want is that after a user in customerA.hammy.com clicks on a link that sends her to customerA.chewy.com, she can continue to access customerA.chewy.com.

Regardless of whether the user logs in at customerA.hammy.com or customerA.chewy.com, she can access both web apps without any issues.

A single sign-on, basically.

My options

These are my thoughts as to how I can solve this problem.

  1. I can create a 3rd web app that is basically just a web service handling authentication for both Hammy and Chewy.

I am familiar with building a webservice using CakePHP 3.x

However, I am not familiar with the authenticate options.

This is what I used in both Hammy and Chewy's AppController:

$authOptions = [
    'loginRedirect' => [
        'controller' => 'Pages',
        'action' => 'overview'
    ],
    'logoutRedirect' => [
        'controller' => 'Users',
        'action' => 'login'
    ],
    'authorize' => ['Controller'],
    'authenticate' => [
        'Form' => [
            'fields' => [
                'username' => 'email',
                'password' => 'password'
            ],
        ],
    ],
    'unauthorizedRedirect' => [
        'controller' => 'Users',
        'action' => 'login',
    ],
];
$this->loadComponent('Auth', $authOptions);
  2. Use Redis.

The drawback is I have never tried Redis, so I do not even have a conceptual idea how to go about implementing this.

Any advice will be welcome.

Thank you.

Upvotes: 3

Views: 1049

Answers (1)

Blag

Reputation: 5894

CakePHP 3.x docs: Manually Logging Users In

With this, you can avoid the "natural" CakePHP login and force it to log your user in the way you want.

The big problem will be that you don't have any shared part between your CakePHP sub-domains.

For me (but that can be improved):

  • I'll make a shared folder/DB on the server,
  • generate a token on every login (natural or auto),
  • store it in the shared part and in a user cookie.

And on a domain change, check if the cookie exists; if yes, check if it's legitimate; if yes, generate a new token, erase the old one and auto-log my user in on the new domain.

With this, you can keep data linked to the profile in the shared part (serialised array in a file or a DB field)...

Careful with the security risk of using a token as a password:

  • one use only per token,
  • erase old tokens,
  • read a bit about keeping tokens secure on the client side.

BTW, it may be a stupid idea, but if you run the same CakePHP version on the same server, why not use a symbolic link to make a shared folder for every CakePHP session?

Upvotes: 1
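A worked version of the token handoff the answer describes, added here as an example; it is not code from the question, the answer, or CakePHP itself. It assumes CakePHP 3.4+ (for `getQuery()`), PHP 7 (for `random_bytes()`), the default Flash component in AppController, and a shared `sso_tokens` table that both apps reach through a datasource named `sso` in their `config/app.php`; the table name, column names, action names and the `customerA.chewy.com` target are assumptions for the illustration. One deliberate change from the answer: the token travels in the redirect URL rather than a cookie, because a cookie set for customerA.hammy.com is never sent to customerA.chewy.com (they are different registrable domains). Only the SHA-256 hash of the token is stored, the row is deleted on first use, it is bound to the host allowed to redeem it, and it expires after 60 seconds. Three files are shown in one listing.

```php
<?php
// Added example, not code from the question or answer. Assumes CakePHP 3.4+, PHP 7,
// and a shared table created once (hypothetical schema):
//   CREATE TABLE sso_tokens (
//     id INT AUTO_INCREMENT PRIMARY KEY,
//     token_hash CHAR(64) NOT NULL UNIQUE,  -- sha256 of the token, never the token itself
//     email      VARCHAR(255) NOT NULL,
//     target     VARCHAR(255) NOT NULL,     -- the only host allowed to redeem it
//     expires    DATETIME NOT NULL
//   );
// Both apps point this table at a shared datasource named `sso` in config/app.php.

// ---- src/Model/Table/SsoTokensTable.php (same file in Hammy and Chewy) ----
namespace App\Model\Table;

use Cake\ORM\Table;

class SsoTokensTable extends Table
{
    // Route this table to the shared connection instead of the app's own database.
    public static function defaultConnectionName()
    {
        return 'sso';
    }
}

// ---- Hammy: src/Controller/UsersController.php ----
// Do NOT Auth->allow() this action: only an authenticated Hammy user may mint a token.
namespace App\Controller;

use Cake\I18n\Time;

class UsersController extends AppController
{
    const SSO_TARGET = 'customerA.chewy.com';   // assumed target host

    public function handoff()
    {
        $this->loadModel('SsoTokens');
        $token = bin2hex(random_bytes(32));     // 256 bits from a CSPRNG

        $this->SsoTokens->save($this->SsoTokens->newEntity([
            'token_hash' => hash('sha256', $token),
            'email'      => $this->Auth->user('email'),
            'target'     => self::SSO_TARGET,
            'expires'    => new Time('+60 seconds'),   // one hop, not a session
        ]));

        return $this->redirect('https://' . self::SSO_TARGET . '/users/sso?token=' . $token);
    }
}

// ---- Chewy: src/Controller/UsersController.php ----
namespace App\Controller;

use Cake\Event\Event;
use Cake\I18n\Time;

class UsersController extends AppController
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        $this->Auth->allow(['sso']);   // reached before the user has a Chewy session
    }

    public function sso()
    {
        $this->loadModel('SsoTokens');
        $token = (string)$this->request->getQuery('token');

        $row = null;
        if (preg_match('/^[0-9a-f]{64}$/', $token)) {
            $row = $this->SsoTokens->find()
                ->where(['token_hash' => hash('sha256', $token)])
                ->first();
        }
        // Single use: consume the row before any other check, so a replayed link
        // (browser history, proxy log, Referer leak) finds nothing.
        if ($row) {
            $this->SsoTokens->delete($row);
        }
        if (!$row || $row->expires < Time::now() || $row->target !== $this->request->host()) {
            $this->Flash->error('Sign-on link is invalid or has expired.');
            return $this->redirect(['action' => 'login']);
        }

        // Map the Hammy identity onto Chewy's own users row; account_id scoping
        // stays whatever Chewy already does for this host.
        $user = $this->Users->find()->where(['email' => $row->email])->first();
        if (!$user) {
            $this->Flash->error('No matching account on this application.');
            return $this->redirect(['action' => 'login']);
        }
        $data = $user->toArray();
        unset($data['password']);        // never put the password hash in the session
        $this->Auth->setUser($data);     // "Manually Logging Users In" from the docs
        return $this->redirect($this->Auth->redirectUrl());
    }
}
```

The `sso` datasource is an extra entry under `'Datasources'` in each app's `config/app.php`, pointing at a third MySQL database (or at `hammy`, if you prefer to keep the table there). Because the token is redeemed by a GET to `/users/sso`, serve both hosts over HTTPS only; the 60-second lifetime and the delete-on-first-use keep a token that leaks through logs from being replayed later. Chewy still decides authorization on its own `users`/`groups` rows, so a Hammy login never grants access to a customer account Chewy has not mapped that email to.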
