views:

635

answers:

2

I have a simple login form, username and password. Basically, When a user is anywhere on the website, he can click a link that will take him to the login page. After login, he is redirected to the page he came from initially.

The problem:

Let's say I was in the "/posts" page, and I clicked to login, so now I am on "/users/login".

  • if the login is correct, or the login is incorrect and nothing is filled in the username textbox, everything works as expected (if it's correct I am redirected back to "/posts"; otherwise I receive the "wrong username or password" message, I try to login again correctly and then I am redirected to "/posts");

  • if the login is incorrect, and some text is filled in the username textbox, after the login I receive the "wrong username or password" message, which is good, but if I fill in the form again, no matter whether it is correct or not, I get "You are not authorized to access that location." If I try to log in for the third time, the login works, but I am redirected to "/users/posts" instead of "/posts" (the value for the redirect page, which is stored in a session, is still "/posts").

This is the code:

    function beforeFilter () {
        parent::beforeFilter();
        // actions reachable without being logged in
        $this->Auth->allowedActions = array('confirmation');

        // the User model uses non-default column names
        $this->Auth->fields = array(
            'username' => 'usr_username',
            'password' => 'usr_password'
        );
        // only confirmed accounts may log in
        $this->Auth->userScope = array('User.usr_confirmed' => 1);

        if ($this->action == 'signup') {
            $this->Auth->authenticate = $this->User;
        }
    }

    function login () {
        if ($this->Auth->user()) {
            // send the user back to the page stored before the login link was clicked
            $this->redirect($this->Session->read('page'));
            exit();
        }
    }

    function logout () {
        $this->Session->destroy('username');
        $this->redirect('/');
        exit();
    }
A: 

it sounds like your form action is redirecting to a restricted area. check the form action attribute.

Funky Dude
Thank you for the quick reply. My form action is pointing to /user/login, which is not restricted. It's strange, if I print the contents of $this->data['User'], it is empty after the second login (when the "You are not authorized.." message appears).
A. M.
maybe show us the view file. it could help
Funky Dude
Ah, you were actually right.. I had $form->create('User', array('action' => 'login')), and when I replaced it with $form->create(null, array('url' => '/users/login')) it worked.. I thought the two meant the same thing..
A. M.
they DO result in the same url unless Configure::write('Routing.admin', 'admin'); somehow messed it up for ya or you changed inflections.
Funky Dude
A: 

Put this at the bottom of app/views/layouts/default.ctp to help debug the session:

<?php debug($session->read()); ?>

The Auth.User key will be filled with data when you are logged in, but, more importantly, the Auth.redirect key will contain the URL of the last restricted page visited; this is where AuthComponent plans on redirecting to once you log in.

Are you storing a restricted page's URL in your session's page key?

If so, AuthComponent can provide that functionality already with its Auth.redirect key. All you need to do is link to the restricted page instead of the login page and AuthComponent will populate that key automatically and handle the redirect after login.

echo $html->link('Login', array('controller' => 'users', 'action' => 'profile'));

If not, then why not consider populating that key instead? Since AuthComponent already checks for and acts on this key, you might gain some free functionality.

In any event, here is what a custom login method should look like in your case, but if any of the advice above works then you can simply leave out the login method altogether and use the default functionality:

    function login () {
        // log the user in
        if ($this->Auth->login()) {
            // your session redirect
            if ($this->Session->read('page')) {
                $this->redirect($this->Session->read('page'));
            }
            // auth's session redirect
            if ($this->Session->read('Auth.redirect')) {
                $this->redirect($this->Session->read('Auth.redirect'));
            }
            // default redirect
            $this->redirect($this->Auth->loginRedirect);
        }
    }
deizel
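An added example, not part of deizel's answer or the asker's controller: the same login() flow, picking the target in the order described above (session page key, then Auth.redirect, then Auth->loginRedirect), but only following a value that is a site-local path, so a session value that was ever populated from a request parameter cannot send the user off-site after login. It assumes the CakePHP 1.x API used on this page (Auth->login(), Session->read()/delete(), Auth->loginRedirect); the helper name _safeRedirectTarget() is hypothetical.

```php
// Added example; the helper name _safeRedirectTarget() is made up for this snippet.
function login() {
    if ($this->Auth->login()) {
        $candidates = array(
            $this->Session->read('page'),          // the asker's own session key
            $this->Session->read('Auth.redirect'), // populated by AuthComponent
            $this->Auth->loginRedirect,            // configured default
        );
        $target = $this->_safeRedirectTarget($candidates);
        // drop the stored page so a stale value is not reused on a later login
        $this->Session->delete('page');
        $this->redirect($target);
    }
}

// Returns the first candidate that is safe to redirect to: a Cake array URL
// (built by the router, so always local) or a string that is an absolute
// site-local path such as "/posts". Full URLs ("http://example.test/x"),
// protocol-relative URLs ("//example.test"), backslash variants and values
// containing CR/LF are skipped. Falls back to "/" when nothing qualifies.
function _safeRedirectTarget($candidates) {
    foreach ($candidates as $candidate) {
        if (is_array($candidate) && !empty($candidate)) {
            return $candidate;
        }
        if (!is_string($candidate) || $candidate === '') {
            continue;
        }
        $parts = parse_url($candidate);
        if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
            continue; // absolute URL
        }
        if (substr($candidate, 0, 1) !== '/' || substr($candidate, 0, 2) === '//') {
            continue; // relative path or protocol-relative URL
        }
        if (strpos($candidate, '\\') !== false) {
            continue; // "/\host" is treated as protocol-relative by some browsers
        }
        if (strpos($candidate, "\r") !== false || strpos($candidate, "\n") !== false) {
            continue; // would allow header injection via Location
        }
        return $candidate;
    }
    return '/';
}
```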