Identifying users and logging them in In the past AuthComponent auto-magically logged users in.
This was confusing for many people, and made using AuthComponent a bit difficult at times. For 2.0, you’ll
need to manually call $this->Auth->login() to log a user in.
When authenticating users, attached authentication objects are checked in the order they are attached. Once
one of the objects can identify the user, no other objects are checked. A sample login function for working
with a login form could look like:
public function login() {
if ($this->request->is(’post’)) {
if ($this->Auth->login()) {
return $this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash(__(’Username or password is incorrect’), ’default’, array(), }
}
}
The above code (without any data passed to the login method), will attempt to log a user in using
the POST data, and if successful redirect the user to either the last page they were visiting, or
AuthComponent::$loginRedirect. If the login is unsuccessful, a flash message is set.
Warning: In 2.0 $this->Auth->login($this->request->data) will log the user in with
whatever data is posted, whereas in 1.3 $this->Auth->login($this->data) would try to identify
the user first and only log in when successful.
Using Digest and Basic Authentication for logging in Because basic and digest authentication don’t
require an initial POST to be performed before they initiate the login sequence, your login() function
will look a bit different than when using FormAuthentication:
public function login() {
if ($this->Auth->login()) {
return $this->redirect($this->Auth->redirect());
} else {
$this->Session->setFlash(__(’Username or password is incorrect’), ’default’, array(), }
}
Once logged in, users using digest and basic auth are not required to have cookies. In fact, all authentication
objects are able to provide stateless authentication through implementing the getUser() method. If the
client supports cookies, basic and digest auth will store a user in session much like any other authentication
object. If a client doesn’t support cookies, (such as a simple HTTP client built on top of CURL) stateless
authentication is also supported. Stateless authentication will re-verify the user’s credentials on each request,
this creates a small amount of additional overhead, but allows clients that cannot or do not support cookies
to login in.
Creating stateless authentication systems Authentication objects can implement a getUser() method
that can be used to support user login systems that don’t rely on cookies. A typical getUser method looks at