Migrating from OthAuth to CakePHP Auth

This post lists down steps for migrating from OthAuth component to CakePHP’s inbuild Authentication component (Auth Component).
Note about using these migration steps: I used OthAuth mainly for authentication purposes i.e. mainly for verifying a username and password. I never got involved with complex authorization. So, these steps are only applicable if you are using Auth component withouth ACL.
1. In AppController, comment out all the code pertaining to OthAuth component and  add a beforeFilter function, as shown below

function beforeFilter()
//Change hashing function to md5
   //Set password field as passwd

   $this->Auth->fields = array('username'=>'username', 'password'=>'passwd');
   //Explicit set session key so that we can AuthHelper (read below for more details)
   $this->Auth->sessionKey = 'SomeRandomStringValueThatMakesSenseToYou';
   //Set authSessionKey to be used by AuthHelper
   $this->set('authSessionKey', $this->Auth->sessionKey);

Few notes about the above beforeFilter() function
  • By default, OthAuth component uses md5 encryption whereas CakePHP uses SHAH1 encryption. Currently, passwords in my database are md5 encrypted, hence, I am forcing CakePHP to use md5 by calling Security::setHash method.
  • Also, note that CakePHP uses “Session.salt” value along with md5 encryption. OthAuth component had no such feature. Because of this, the encrypted password values as returned by OthAuth and Auth component, even if both the components are set to use md5 encryption, will differ. To make sure that the two password values match, change Session.salt value in app/config/core.php to an empty string.
  • The last two lines are not necessary but are important to mimize changes in Views. They are required to use AuthHelper (see below)
  • By default, CakePHP uses Auth.{$userModel} as the session key and, if not explicitly specified, it leaves the sessionKey variable as null. I guess this is a bug in Auth Component as it causes inconsistency in the logic. To overcome this inconsistency, I am explicitly setting sessionKey in line 3 and passing it to the view in line 4. Now, using this variable, AuthHelper can fetch user information.
2. In all other controllers (that are specific to your website), add following beforefunction()

function beforeFilter(){

     $this->Auth->allow = array('list of function that should be allowed to non registered users');

Also look at deny method. If you want to allow all the methods except one or two, then a better approach is to allow all and then deny only specific one. See the example code below

function beforeFilter(){
     $this->Auth->allow = array('*') // * indicates allow all
     $this->Auth->deny = array('add', 'edit') //deny add and edit methods

3. OthAuth component comes with a handy helper. This helper allowed to check whether a session is a valid or not and also fetch user information. Based on similar lines, I created a AuthHelper. To use AuthHelper, create a new PHP file in app/views/helpers/ with “auth.php” as filename. Paste the below code in auth.php

*This helper provide access to user parameters such as username, id, etc., of currently logged in user
*Send comments and feature request to ragrawal at gmail dot com
*@author – Ritesh Agrawal
*@version 0.1.0
*@license MIT
class AuthHelper extends Helper {
           var $hashKey = null;
           var $initialized = false;
           var $helpers = array (‘Session’);

           function init() {
                      if (!$this->initialized) {
                                 if (!isset ($this->view)) 
                                            $this->view = & ClassRegistry :: getObject(‘view’);
                                 if (!empty ($this->view->viewVars[‘authSessionKey’])) 
                                            $this->hashKey = $this->view->viewVars[‘authSessionKey’];
                                 $this->initialized = true;

           function sessionValid(){
                      return ($this->Session->check($this->hashKey));

           // Get User Variables
           function user($key) {
                      // does session exists
                      if ($this->sessionValid()) {
                                 $user = $this->Session->read($this->hashKey);
                                 if (isset($user[$key])) 
                                            return $user[$key];
                      return false;

Notes about AuthHelper class: As you might have noticed, init() function requires a variable “authSessionKey”. We set this variable in beforeFunction() of AppController. It provides the session key name that Auth Component used to set user values.
4. Now, you can easily replace all instances of othAuth in all views by auth. More specifically, replace $othAuth->sessionValid with $auth->sessionValid and $othAuth->user with $auth->user, etc.
5. Final step. In AppController class add “Auth” component and “Auth” helper to the list of existing components and helpers.

CakePHP cookbook has a well document section on Auth component.



2 thoughts on “Migrating from OthAuth to CakePHP Auth

  1. On prob. I don’t recommend setting the salt to an empty string. That salt does a LOT more than just Auth stuff. It handled Cookie and Session encryption, among other things.

    One option is to derive your auth CustomAuth from the AuthComponent and override the function:
    function password($password) {
    return Security::hash($password, null, true);

    return Security::hash($password, null, false);

    Or I *think*

    You can redefine the function:
    function hashPasswords($data)

    by just defining it in your Model/Controller (depending on what type of authorization you use).
    You would copy the code line for line, but instead of using the [password] function, you’d use the Security::hash as you need to.

    Sorry, they don’t make it EZ to use existing MD5 hashes.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s