Cheers for the reply, guys. I think I finally figured it out :)
On Oct 22, 6:59 am, "gobblez" <[EMAIL PROTECTED]> wrote:
> bake.php is some sort of command-line script that the Windows user in
> me is trying to avoid. But I think it has a wizard-type thing in your
> web browser too, at least I remember something like that somewhere. I
> think it's easier to just make the classes yourself, because you have
> to go check what the script output anyway. "Baking", I think, is
> general: making anything with CakePHP.
>
> The admin route has nothing to do with security. All it does is add
> the word "admin" to your URL, with the controller and action still
> working as they should (instead of being pushed back to parameters or
> something).
>
> Here is my example use of the admin route, not sure if it's entirely
> secure:
>
> 1. I am the only person that needs to be logging in on my site. I'm
> the only admin, and users are just visitors. So I added this to the
> model to validate a password of my choice:
> var $validate = array(
>     'password' => '/^MyPaSsWoRd$/',
> );
>
> 2. Create an admin action for login. This would display the form.
> function admin_login() {
>     // Ask for the password and create a session if it is correct.
>     // If there is no session, show the form so you can log in.
>     // If there is a session, you're already logged in: redirect to index.
>     if ($this->Session->check('Admin')) {
>         // Logged in, redirect to admin_index
>         $this->redirect('/admin/urls/');
>     } elseif ($this->data && $this->Url->validates($this->data)) {
>         // The form was submitted and the password matched the regex
>         // in the model, so create the session
>         $this->Session->write('Admin', 1);
>         $this->redirect('/admin/urls/');
>     } else {
>         // No data and no session... you probably just opened it!
>         // Do nothing, just let the view display the... uh... view
>         $this->validateErrors($this->Url);
>         $this->render();
>     }
> }
>
> 3. Of course, you'll be putting a form with a password field named
> Url/password in views/urls/admin_login.thtml:
>
> <form method="post" action="<?php echo $html->url('/admin/urls/login') ?>">
>     <b>Enter the password:</b>
>     <?php
>     echo $html->tagErrorMsg('Url/password', '<span class="error">Wrong Password</span>');
>     echo $html->password('Url/password', array('size' => '20'));
>     ?>
>     <p>
>         <input type="submit" value="Go!" />
>     </p>
> </form>
>
> 4. In admin_index(), I just check that the session exists. If it does, show
> its view, with admin-related tools or stats or whatever. If not,
> redirect the user back to the login form. Urls is my controller name,
> in case you didn't catch that. Replace that with your own!
>
> 5. Because I'm the only person that needs to log in, I don't even
> provide a link to the login form on my site. I manually type
> example.com/admin/urls/login in my browser.
>
> 6. You could use a bit of obfuscation by changing the word "admin" to
> something less obvious when you enable the admin routes. This would be
> good if you don't want people guessing obvious URLs, and you don't want
> them to know you even have an admin section. Name it something weird,
> so the URL would be example.com/lskdfjksdf/urls/login. Not really
> more secure, but it'll keep your nosy URL hackers from finding the
> login form. I know this is what OsCommerce relied on for security last
> time I tried it.
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/cake-php
-~----------~----~----~----~------~----~------~--~---
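The six steps quoted above, as an added example that is not gobblez's code and not CakePHP code: plain PHP that keeps the same flow (step 1's password check, step 2's login action, step 4's session check, step 6's renamed prefix) but stores a password hash instead of a plaintext regex in the model, verifies it with a constant-time comparison, and regenerates the session id at the moment the Admin flag is set. The sample password and its hash, the `Url/password` field name, the `/admin/urls/` paths and the constructed requests in `demo()` are assumptions; a real deployment would generate the hash once offline and load it from config.

```php
<?php
declare(strict_types=1);

// Added example (not from the thread, not CakePHP): a hardened version of the
// single-admin login flow. Session and form data are passed in explicitly so
// the logic runs without a web server or framework.

// Assumption: in a real app this hash is generated once offline
// (php -r 'echo password_hash("...", PASSWORD_DEFAULT);') and read from
// config. It is computed from a constructed sample password here only so the
// example is self-contained.
function adminPasswordHash(): string
{
    static $hash = null;
    if ($hash === null) {
        $hash = password_hash('MyPaSsWoRd', PASSWORD_DEFAULT);
    }
    return $hash;
}

// Step 1: compare the submitted password with the stored hash.
// password_verify() is a constant-time comparison, and the secret is no
// longer a plaintext regex sitting in the model source.
function adminPasswordMatches(string $submitted): bool
{
    return password_verify($submitted, adminPasswordHash());
}

// Step 2: the admin_login decision. Returns the redirect path, or null to
// re-render the form (the "Wrong Password" case). $data mirrors CakePHP's
// $this->data for a field named Url/password.
function adminLogin(array &$session, ?array $data, string $prefix = 'admin'): ?string
{
    if (!empty($session['Admin'])) {
        return "/$prefix/urls/";                       // already logged in
    }
    $submitted = $data['Url']['password'] ?? null;
    if (is_string($submitted) && adminPasswordMatches($submitted)) {
        // Issue a fresh session id before granting the privileged flag, so a
        // session id planted before login (session fixation) is worthless.
        if (session_status() === PHP_SESSION_ACTIVE) {
            session_regenerate_id(true);
        }
        $session['Admin'] = 1;
        return "/$prefix/urls/";
    }
    return null;                                       // show the form again
}

// Step 4: the guard every admin_* action needs, not just admin_index. In
// CakePHP this belongs in the controller's beforeFilter() so a newly added
// action cannot forget it. Returns the login path to redirect to, or null
// if the request may proceed.
function requireAdmin(array $session, string $prefix = 'admin'): ?string
{
    return empty($session['Admin']) ? "/$prefix/urls/login" : null;
}

// Step 6: renaming the prefix moves the URL but not the check; the guard is
// what keeps a guessed or leaked URL out, whatever the prefix is called.

// Constructed requests exercising the flow, in the order a browser would.
function demo(): array
{
    $session = [];
    $results = [];
    $results['wrong']   = adminLogin($session, ['Url' => ['password' => 'wrong']]);
    $results['guarded'] = requireAdmin($session);
    $results['right']   = adminLogin($session, ['Url' => ['password' => 'MyPaSsWoRd']]);
    $results['allowed'] = requireAdmin($session);
    $results['renamed'] = requireAdmin([], 'lskdfjksdf');
    return $results;
}

foreach (demo() as $case => $outcome) {
    printf("%-8s => %s\n", $case, var_export($outcome, true));
}
```

Run it with `php example.php`. Two things it deliberately does not do: it does not throttle failed attempts (a single shared password with no lockout is still brute-forceable, so put rate limiting in front of the login URL at the web server), and it keeps the poster's one-flag session model rather than introducing user accounts.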