Download the PHP package beskhue/cookietokenauth without Composer

On this page you can find all versions of the PHP package beskhue/cookietokenauth. These versions can be downloaded and installed without Composer; any dependencies are resolved automatically.

FAQ

After the download, add a single include, require_once('vendor/autoload.php');, and then import the classes you need with use statements.

Example:
If you use only one package, a project is not needed. If you use more than one package, however, the classes cannot be imported with use statements without a project.

In general, it is recommended to always use a project to download your libraries; an application normally needs more than one library.
Some PHP packages are not free to download and are therefore hosted in private repositories, which require credentials. If a package comes from a private repository, enter the credentials in the auth.json textarea.

  • Some hosting environments cannot be reached by a terminal or SSH, so Composer cannot be run there.
  • Using Composer is sometimes complicated, especially for beginners.
  • Composer needs a lot of resources, which a simple webspace does not always provide.
  • If you use private repositories you do not need to share your credentials: set everything up on our site and give your team members a simple download link.
  • Simplify your Composer build process: use our own command line tool to download the vendor folder as a binary. This makes your build faster and you do not need to expose your credentials for private repositories.

Information about the package cookietokenauth

CookieTokenAuth

This is a plugin for CakePHP that allows long-term login sessions for users using cookies. Each session is identified by two values: a random series value and a token. Sessions are stored in the database and linked to the users they belong to. Only a hash of the token is stored.

Why use CookieTokenAuth?

CookieTokenAuth is more secure than storing a username and (hashed) password in a cookie.

No passwords (nor password hashes) in cookies

If such a cookie were leaked, the user's password hash would be exposed, and there would be no way to invalidate the session short of changing the password.

Control over sessions

This method is also more secure than storing a username and a single token in a cookie. Firstly, we now have distinct sessions for different browsers: when the user logs out in one browser, only that session is removed from the database. Secondly, when a session theft is detected (a known series presented with the wrong token) we want to invalidate the user's sessions. Without a series value, anyone could trigger that invalidation, and therefore a denial of service against a specific user, simply by presenting a cookie with that user's username and a bogus token. With series values, an attacker first has to guess the (random) series.

Tokens are stored securely

A valid token grants almost as much access as a valid password, and thus it should be treated as one. Because only token hashes are stored in the database, an attacker who obtains a copy of the session table cannot use it to access user accounts.
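The scheme described in the sections above (random series plus random token, only the token hash stored, one session per browser, and theft detection that first costs an attacker a guess of the series), as an added example in plain PHP that is not part of the plugin. The TokenStore class, its in-memory array standing in for the auth_tokens table, the 30-day lifetime and the constructed walk-through are all assumptions made for illustration. The example also rotates the token on every successful use, which is how the classic series/token design turns a replayed cookie into a detectable theft; the README does not say whether the plugin does the same, so treat that part as the textbook scheme rather than a description of CookieTokenAuth. Requires PHP 7.1 or later.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's own code: a minimal series/token store.
// $rows stands in for the auth_tokens table and is keyed by the series value.
final class TokenStore
{
    private const SERIES_BYTES = 16;
    private const TOKEN_BYTES = 32;
    private const LIFETIME = 30 * 24 * 3600; // 30 days; assumed value

    /** @var array<string, array{user_id:int, token_hash:string, expires:int}> */
    private $rows = [];

    /** A conventional login succeeded: create a session and return the cookie values. */
    public function issue(int $userId): array
    {
        $series = bin2hex(random_bytes(self::SERIES_BYTES));
        $token = bin2hex(random_bytes(self::TOKEN_BYTES));
        $this->rows[$series] = [
            'user_id' => $userId,
            'token_hash' => password_hash($token, PASSWORD_DEFAULT), // only the hash is stored
            'expires' => time() + self::LIFETIME,
        ];

        return ['series' => $series, 'token' => $token];
    }

    /**
     * Check a presented cookie. Returns ['user_id' => int, 'token' => string] carrying a
     * freshly rotated token, or null when the cookie is not accepted.
     */
    public function validate(string $series, string $token): ?array
    {
        if (!isset($this->rows[$series])) {
            // Unknown series: treated like "no cookie". Nothing is invalidated, so someone
            // who only knows a username cannot knock that user's sessions out.
            return null;
        }
        $row = $this->rows[$series];
        if ($row['expires'] < time()) {
            unset($this->rows[$series]);
            return null;
        }
        if (!password_verify($token, $row['token_hash'])) {
            // Right series, wrong token: someone holds a copy of an old cookie.
            // Revoke every session of this user so both the thief and the victim
            // have to log in again with the password.
            $this->revokeAll($row['user_id']);
            return null;
        }
        // Rotate the token on each successful use so a stolen cookie works at most once.
        $newToken = bin2hex(random_bytes(self::TOKEN_BYTES));
        $this->rows[$series]['token_hash'] = password_hash($newToken, PASSWORD_DEFAULT);

        return ['user_id' => $row['user_id'], 'token' => $newToken];
    }

    /** Logging out in one browser removes only that browser's session. */
    public function revoke(string $series): void
    {
        unset($this->rows[$series]);
    }

    public function revokeAll(int $userId): void
    {
        foreach ($this->rows as $series => $row) {
            if ($row['user_id'] === $userId) {
                unset($this->rows[$series]);
            }
        }
    }

    public function count(): int
    {
        return count($this->rows);
    }
}

function check(bool $ok, string $what): void
{
    if (!$ok) {
        throw new RuntimeException("failed: $what");
    }
    echo "ok: $what\n";
}

// Constructed walk-through: user 42 logs in from two browsers.
$store = new TokenStore();
$laptop = $store->issue(42);
$phone = $store->issue(42);

$first = $store->validate($laptop['series'], $laptop['token']);
check($first !== null && $first['user_id'] === 42, 'laptop cookie accepted and rotated');

// An attacker replays the laptop cookie that was captured before the rotation.
$replay = $store->validate($laptop['series'], $laptop['token']);
check($replay === null, 'replayed cookie rejected');
check($store->count() === 0, 'theft detected: laptop and phone sessions both revoked');

// A made-up series for the same user does nothing to anyone's sessions.
$store->issue(42);
check($store->validate(bin2hex(random_bytes(16)), 'bogus') === null, 'unknown series ignored');
check($store->count() === 1, 'no denial of service without a valid series');
```

Run it with `php tokenstore.php`. The point of the second check is the asymmetry the README relies on: a wrong token under a known series is strong evidence of theft and justifies revoking everything, while an unknown series is simply ignored, so the revocation can only be triggered by someone who already holds a real cookie.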

Cookie exposure is minimized

For added security, the token cookie is sent to the server only on a dedicated authentication page (the cookie's path is restricted to that page), and the client visits that page only once per session. This minimizes the opportunity for cookie theft. The behaviour can be disabled, e.g. to avoid the extra redirects on the first visit of a session.

Encrypted by CakePHP

On top of all these security measures, the token cookies are naturally encrypted by CakePHP.

Installation

Place the following in your composer.json:

and run:

Database

Set up the plugin database using the official migrations plugin for CakePHP.

If you have a specific need, such as a different user model, different table name, different data type of the primary key (pay attention to signed vs. unsigned integers if migration fails), or have a different primary key altogether, you have to change the migration file located at config/Migrations/20170510221552_CreateAuthTokens.php.

Usage

Bootstrap

Place the following in your config/bootstrap.php file:

or use bake:

Set up AuthComponent

Update your AuthComponent configuration to use CookieTokenAuth. For example, if you also use the Form authentication to log users in, you could write:

If the user model or user fields are named differently than the defaults, you can configure the plugin:

Configuration

The full default configuration is as follows:

Note that hash is used only when generating tokens; the token stored in the database is hashed with CakePHP's DefaultPasswordHasher. Its value can be any algorithm supported by PHP's hash() function (see hash_algos()).

If minimizeCookieExposure is set to false, the client is not redirected twice at the start of a session to attempt a token-cookie login. Instead, the browser sends the token cookie with every request, which exposes it far more often and is therefore less secure.

Validate cookies

Next, you probably want to attempt token authentication for visitors who are not logged in, in all controllers (note: authentication is only attempted once per session). This makes sure that a user with a valid token cookie is logged in. To do that, place something like the following in your AppController's beforeFilter. Note that you might also have to change the identification method you currently use; see the next section.

Create token cookies

In most cases, CookieTokenAuth automatically generates token cookies for you, and no further configuration or integration is required.

When a user logs in with a conventional method (Form, Ldap, etc.) we need to create a token cookie such that the user can be identified by CookieTokenAuth when they return. CookieTokenAuth automatically handles identification performed by authentication adapters that are not persistent and not stateless. This means that from the included authentication adapters in CakePHP only FormAuthenticate will automatically generate a token cookie. The reason for this is that persistent or stateless identification methods identify the user each request, and would lead to the creation of a new cookie token on each request.

Handle stateless and persistent authentication

If you also want to handle persistent or stateless identification, you could do something like the following. This creates a token, adds it to the database, and sends the user's client a cookie for the token. You will probably want to make sure this happens only once per session.

Disable automatic generation of token cookies

You might want to create token cookies only in specific cases, such as when a user checked a "remember me" checkbox. To do this, start by setting the setCookieAfterIdentify option to false (see the Configuration section). You will now need to create token cookies manually.

To accomplish this, something like the following could be added to the login action:

And add the following to your login template:
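The remember-me flow from the two paragraphs above, as an added example that is not the plugin's own code. It assumes setCookieAfterIdentify has been set to false in the adapter configuration, that the plugin provides a CookieToken component with a setCookie(array $user) method (verify this against the installed version), a Users table with an email column, and a checkbox named remember_me in the login template; all of these are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's own code. Requires 'setCookieAfterIdentify' => false
// in the CookieToken adapter configuration, otherwise every login gets a cookie anyway.
namespace App\Controller;

use Cake\Event\Event;

class UsersController extends AppController
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        $this->Auth->allow(['login', 'logout']);
    }

    public function login()
    {
        if ($this->request->is('post')) {
            $user = $this->Auth->identify();
            if ($user) {
                $this->Auth->setUser($user);
                // Only a user who opted in gets a long-term token; the checkbox value is
                // "1" when ticked and "0" (falsy) otherwise.
                if ($this->request->getData('remember_me')) {
                    // Component and method name assumed; see the lead-in.
                    $this->loadComponent('Beskhue/CookieTokenAuth.CookieToken');
                    $this->CookieToken->setCookie($user);
                }

                return $this->redirect($this->Auth->redirectUrl());
            }
            $this->Flash->error(__('Invalid email or password, try again.'));
        }
    }

    public function logout()
    {
        // Per the README, logging out removes this browser's session from the database;
        // other browsers keep their own token sessions.
        return $this->redirect($this->Auth->logout());
    }
}

/*
 * Matching template, src/Template/Users/login.ctp (CakePHP 3.4+ FormHelper::control):
 *
 * <?= $this->Form->create() ?>
 * <?= $this->Form->control('email') ?>
 * <?= $this->Form->control('password') ?>
 * <?= $this->Form->control('remember_me', ['type' => 'checkbox', 'label' => 'Remember me']) ?>
 * <?= $this->Form->button(__('Login')) ?>
 * <?= $this->Form->end() ?>
 */
```

Keep the default of issuing no token unless the box is ticked: a long-lived cookie on a shared machine is exactly the case the user should decide about, not the application.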

Disable authentication redirection while minimization of cookie exposure is enabled

You might want to disable the redirection that occurs to minimize cookie exposure for a specific request. This can be done by configuring a callback.

The callback takes a Cake\Http\ServerRequest and a Cake\Http\Response as parameters and returns a boolean indicating whether the redirect should be performed. It is called whenever a redirect would be performed to attempt to authenticate the user. If the callback returns true, the redirect is performed. If it returns false, no redirect is performed for this request, and the callback is called again on the next request.

To configure this, pass a callable object to minimizeCookieExposureRedirectCallback during configuration:

alternatively, you can provide a named function, e.g. in AppController:
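Both ways of supplying the callback, as an added example that is not the plugin's own code. The configuration key is the one named above; the adapter name Beskhue/CookieTokenAuth.CookieToken is assumed from the plugin's naming, and the policy implemented (skip the redirect for AJAX, JSON and non-GET requests) is my choice for illustration. Cake\Http\ServerRequest::is() with the 'ajax', 'json' and 'get' detectors is standard CakePHP 3.

```php
<?php
// Added example, not the plugin's own code: deciding per request whether the
// cookie-exposure redirect may run. Clients that cannot follow a redirect (AJAX, JSON
// API calls) and requests whose body would be lost across a redirect (anything but
// GET) answer false; the callback is then consulted again on the next request.
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Http\Response;
use Cake\Http\ServerRequest;

class AppController extends Controller
{
    public function initialize()
    {
        parent::initialize();
        $this->loadComponent('Auth', [
            'authenticate' => [
                'Beskhue/CookieTokenAuth.CookieToken' => [
                    'minimizeCookieExposure' => true,
                    // Option 1: a closure in the configuration.
                    'minimizeCookieExposureRedirectCallback' => function (ServerRequest $request, Response $response) {
                        return $request->is('get') && !$request->is('ajax') && !$request->is('json');
                    },
                    // Option 2: a named method on this controller; use instead of the closure.
                    // 'minimizeCookieExposureRedirectCallback' => [$this, 'shouldRedirectForTokenLogin'],
                ],
                'Form',
            ],
        ]);
    }

    /** Named-method form of the same policy, for option 2 above. */
    public function shouldRedirectForTokenLogin(ServerRequest $request, Response $response)
    {
        if ($request->is('ajax') || $request->is('json')) {
            return false; // the client would not follow the redirect anyway
        }
        if (!$request->is('get')) {
            return false; // a POST body does not survive a redirect
        }

        return true;
    }
}
```

Returning false here only postpones the token login; the user is still identified on the next ordinary page load, so the cookie stays path-restricted and the exposure minimization is not weakened.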


All versions of cookietokenauth with dependencies

Requirements:
  • php >=5.6
  • cakephp/cakephp ~3.4
  • cakephp/migrations @stable
