I'm trying to figure out CakePHP cookies and meet my slightly unusual authentication requirements.
I have a CakePHP-based data collection system that is now being integrated with a reporting system built with COTS software. The reporting system needs to be access controlled and unless I want to duplicate all user accounts in both systems I need the reporting system to be able to find out if the user is authenticated in my CakePHP system.
The reporting system permits me to load a Java class and execute a function when the client's report request first arrives. So my idea was to
- Inspect the incoming report request and extract the cookie used by my CakePHP site for authentication / session identification
- Send a request from the Java function to a 'reportauth' action within the CakePHP site with this cookie attached
- The reportauth action within CakePHP then checks if the user is logged in to the CakePHP site and returns an encrypted response to the Java function identifying the user's role
I can get the cookie, send it in a request, and separately I can share encrypted information between PHP and Java.
However, when I use a 'fresh' cookie (the cookie that my browser repeatedly sends with requests to the CakePHP site after a new login) in my Java request, the response says the user is not logged in. If I then reload the site in my browser I have been logged out. I suspect that there may be some extra information in the cookie about user-agent (?) that causes the Java-sourced request to be thrown out and that session destroyed for safety, but I don't know the system well enough. I think I might be seeing CakePHP protecting against session hijacking (which, ordinarily, would make me happy).
Can anyone tell me if there is a way around this issue? Preferably one that doesn't involve custom auth components in CakePHP as the data collection site is already live and my reporting deadline is not far away.
Any help much appreciated.
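As an added illustration of the 'reportauth' action described in the question (example code, not from the question or from CakePHP itself): it is written in CakePHP 1.3 controller syntax, assumes the user record has a `role` field, and returns an HMAC-signed, time-limited assertion rather than an encrypted one, since the Java caller only needs to trust the answer, not hide it; `REPORTAUTH_SECRET` is an assumed shared secret defined in the app's bootstrap.

```php
<?php
// Added example (not from the question): a CakePHP 1.3-style action that
// reports whether the session presented with the request belongs to a
// logged-in user, and returns an HMAC-signed, short-lived role assertion.
// REPORTAUTH_SECRET is assumed to be defined in app/config/bootstrap.php
// and shared with the Java caller so it can verify the signature.
class ReportauthController extends AppController {
    var $name = 'Reportauth';
    var $uses = array();                       // no model needed
    var $components = array('Auth', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // The action answers for anonymous sessions too, so do not let
        // the Auth component redirect the caller to the login page.
        $this->Auth->allow('index');
    }

    function index() {
        $this->autoRender = false;
        header('Content-Type: text/plain');
        // The Auth component stores the logged-in user under Auth.User.
        $user = $this->Session->read('Auth.User');
        if (empty($user['id']) || empty($user['role'])) {
            echo 'anonymous';
            return;
        }
        // Bind the assertion to user id, role and an expiry so a captured
        // response is only useful for a short window. Format:
        //   <id>|<role>|<expires>|<hex hmac-sha256 over the first three>
        $expires = time() + 60;
        $payload = implode('|', array($user['id'], $user['role'], $expires));
        $mac = hash_hmac('sha256', $payload, REPORTAUTH_SECRET);
        echo $payload . '|' . $mac;
    }
}
```

The Java side should recompute the HMAC over the first three fields with the same secret and reject the assertion if the signature differs or `expires` is in the past. Note also that CakePHP's session validation compares the User-Agent recorded at login against each request when `Security.level` is medium or high, so the forwarded request must carry the browser's User-Agent header along with the cookie or the session is invalidated.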