SSL authentication using security component in CakePHP


Introduction:

We can force requests onto SSL (HTTPS) in CakePHP by writing our own methods such as 'forceSSL' and 'unforceSSL'. CakePHP also ships an in-built Security Component that can do this for us. Note that what is enforced here is transport security, not user authentication: the component only decides whether a request must arrive over HTTPS.

  • Using the Security Component we can integrate tighter security into our application.
  • Like all components it is configured through several parameters.
  • The Security Component gives us CSRF and form tampering protection.
  • csrfExpires controls how long a CSRF token stays valid (the CakePHP 2.x default is '+30 minutes'); a form submitted after that is rejected.

Example:

All URLs that require SSL redirect to the sub-domain 'https://app.andolacrm.com/', and the URLs that do not require SSL redirect to the sub-domain 'http://www.andolacrm.com'.

How to use Security Component

  • Include the Security component in your AppController.php, as below:

[sourcecode]class AppController extends Controller {
    public $components = array('Acl', 'Session', 'Email', 'Security', 'Cookie');
}[/sourcecode]

  • There are three configurable variables whose values you set, according to the requirements of your application, in the beforeFilter() of AppController.php:
  • validatePost: validates each POST against the hidden token FormHelper adds to the form (the list of fields and their locked values), so a form whose fields were added, removed or altered client-side is rejected. Set it to false to skip this check, e.g. when the data is posted by a third-party service. The default is true.
  • csrfCheck: CSRF (Cross-Site Request Forgery) protection for forms. Set it to false to skip CSRF protection. The default is true.
  • csrfUseOnce: controls CSRF token reuse. When true (the default) a new token is generated for each form rendered and each token is valid for a single submission; when false one token is reused throughout the application until it expires (see csrfExpires).

Sample Code :

[sourcecode]function beforeFilter() {
    parent::beforeFilter();
    // Security Component settings; false switches the corresponding check OFF
    $this->Security->validatePost = false;
    $this->Security->csrfCheck = false;
    $this->Security->csrfUseOnce = false;
}[/sourcecode]

Setting all three to false, as above, leaves only the SSL check active: form tampering and CSRF protection are disabled for every action. Do this only for controllers that receive POSTs from outside FormHelper (for example a third-party callback), and keep the defaults elsewhere.

  • In AppController.php define the list of actions that are exempt from the SSL check. The name $sslnotallowed_url is the post's; note that it holds action names (compared against $this->params['action']), not URLs:

[sourcecode]$sslnotallowed_url = array('beta_user', 'terms', 'privacy', 'security', 'display', 'faq');[/sourcecode]

  • Code to be written in the beforeFilter() of AppController.php:

[sourcecode]function beforeFilter() {
    parent::beforeFilter();
    // Security Component settings (false switches the check off, see above)
    $this->Security->validatePost = false;
    $this->Security->csrfCheck = false;
    $this->Security->csrfUseOnce = false;
    // Actions that may be served over plain HTTP
    $sslnotallowed_url = array('beta_user', 'terms', 'privacy', 'security', 'display', 'faq');
    // Controller method invoked when the component blackholes a request
    $this->Security->blackHoleCallback = 'forceSSL';
    if (!in_array($this->params['action'], $sslnotallowed_url)) {
        // Require HTTPS for every action of this controller
        $this->Security->requireSecure('*');
    }
}[/sourcecode]

ForceSSL Method

[sourcecode]function forceSSL($type = null) {
    // The component calls this for every blackhole; only type 'secure' is a plain-HTTP request
    if ($type !== 'secure') {
        throw new BadRequestException('Request blackholed (' . $type . ')');
    }
    $this->redirect('https://app.andolacrm.com' . $this->here);
}[/sourcecode]

The $type argument is passed by the Security Component. Redirecting on every type would turn a failed CSRF or form-tampering check into a quiet redirect to the same page, hiding the attempt; only the 'secure' case is a legitimate reason to redirect.
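The steps above, assembled into one AppController as an added example (this is not the post's code nor part of CakePHP itself). It assumes CakePHP 2.x, that both host names from the post (app.andolacrm.com and www.andolacrm.com) serve this same application, and it reuses the post's exempt-action list; unlike the sample above it keeps the CSRF and form-tampering checks switched on and adds the unforceSSL counterpart the post mentions but does not show:

```php
<?php
// Added example, not the original post's code: a CakePHP 2.x AppController that
// forces HTTPS on every action except an exempt list while leaving the Security
// Component's CSRF and form-tampering checks enabled.
// Assumed: CakePHP 2.x, the two host names used in the post, both pointing at
// this application. The exempt action list is the one from the post.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session', 'Security', 'Cookie');

    // Actions that may be served over plain HTTP (the post's list).
    protected $_sslNotRequired = array(
        'beta_user', 'terms', 'privacy', 'security', 'display', 'faq'
    );

    // Hosts from the post (assumption: both resolve to this application).
    protected $_sslHost = 'https://app.andolacrm.com';
    protected $_plainHost = 'http://www.andolacrm.com';

    public function beforeFilter() {
        parent::beforeFilter();

        // The defaults, written out so the intent is visible: keep both
        // form-tampering and CSRF checks on for every action.
        $this->Security->validatePost = true;
        $this->Security->csrfCheck = true;
        $this->Security->csrfUseOnce = true;        // fresh token per rendered form
        $this->Security->csrfExpires = '+30 minutes';

        // Every blackhole (secure, csrf, auth, ...) is routed to this method.
        $this->Security->blackHoleCallback = 'forceSSL';

        $action = $this->request->params['action'];
        if (!in_array($action, $this->_sslNotRequired, true)) {
            // No argument: all actions of this controller must be HTTPS.
            // The check itself runs in the component's startup(), after beforeFilter().
            $this->Security->requireSecure();
        } elseif ($this->request->is('ssl')) {
            // Exempt page requested over HTTPS: move it to the plain host.
            $this->unforceSSL();
        }
    }

    /**
     * Blackhole callback. $type is 'secure' when requireSecure() failed, i.e.
     * the request came in over plain HTTP and should be redirected. Any other
     * type means a forged or tampered request and is refused, not redirected.
     */
    public function forceSSL($type = null) {
        if ($type === 'secure') {
            return $this->redirect($this->_sslHost . $this->request->here);
        }
        throw new BadRequestException('Request blackholed (' . $type . ')');
    }

    // Counterpart of forceSSL for the exempt actions.
    public function unforceSSL() {
        return $this->redirect($this->_plainHost . $this->request->here);
    }
}
```

Two things to keep in mind with this layout. The two host names are separate cookie scopes, so a form rendered on www.andolacrm.com and posted to app.andolacrm.com will not carry the session that holds its CSRF token and will be blackholed with type 'csrf'; render forms on the host they post to. And because the session that carries the CSRF token would otherwise still be sent over plain HTTP to the www host, set the session cookie's Secure flag (session.cookie_secure in php.ini) once all authenticated pages live on the SSL host.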

NOTE: The Security Component's form-tampering and CSRF checks only work for forms created with FormHelper, because FormHelper embeds the hidden token fields the component verifies. Hand-written forms, and POSTs from third-party services, will be blackholed; for those actions switch validatePost (and, if needed, csrfCheck) off in that controller only, rather than globally.

Conclusion:

Following the steps described above lets you enforce SSL in CakePHP. You do need to be careful when using the Security Component: any request that fails one of its checks is 'blackholed' and handed to blackHoleCallback. In practice a blackhole usually means a form without FormHelper tokens, an expired or reused CSRF token, or a POST from a third-party service, not a security hole in your application. Setting the variables described above to 'false' makes these errors disappear only by removing the protection, so prefer to fix the form, or relax the check for the single action that needs it, and keep the checks enabled everywhere else.

Lopamudra M. Mishra
lopamudra.mishra@andolasoft.co.in