session – MSDLT Blog

Something you will inevitably need to do when using the CakePHP Auth Component is to refresh the Auth user data that is stored in the session, for example after a user has updated their email address or other personal/login details. The docs don’t make it obvious how to do this, but a quick search led me to various Stackoverflow questions and this blog post by MilesJ, which is quite old, so presumably refers to CakePHP 1.3. MilesJ’s solution looked like a good one, so I thought I would use this and adapt it as necessary for Cake 2.x.

The things that needed to be changed were as follows:

To get the Auth SessionKey, you must now use AuthComponent::$sessionKey
Instead of ClassRegistry::init('User') to load the User model , you need to use $this->loadModel('User');
Rather than passing the result from read() (containing the user data array as subarray of the ‘User’ index in the array that is returned), straight to the login method, it is necessary for the user data to be at the top level of the array that passed. Therefore, it is necessary to get the user data and then pass the $user[‘User’] array to the login method. It took me a while to work this out, during which time I was getting very frustrated with being logged out whenever I updated my details, and this was why.

This gives us the following function, which seems to do the trick for me:

/**
* Refreshes the Auth session
* Modified from MilesJ: http://milesj.me/blog/read/refreshing-auth
* @param string $field
* @param string $value
* @return void
*/
protected function _refreshAuth($field = '', $value = '') {
   if (!empty($field) && !empty($value)) { //Update just a single field in the Auth session data
      $this->Session->write(AuthComponent::$sessionKey .'.'. $field, $value);
   } else {
      if (!isset($this->User)) {
         $this->loadModel('User'); //Load the User model, if it is not already loaded
      }
      $user = $this->User->read(false, $this->Auth->user('id')); //Get the user's data
      $this->Auth->login($user[User']); //Must have user data at top level of array that is passed to login method
   }
}

Having successfully enabled access using LTI to a local version of iCases – see https://learntech.medsci.ox.ac.uk/wordpress-blog/?p=229 – I got it set up on a live server, assuming that it would work without any trouble. However, I was unable to login successfully through WebLearn, which is our Tool Consumer.

It turned out that this was due to the session data being lost when redirecting from the login page within the CakePHP app to the scenario page. Authentication using LTI relies on session data, as the LTI context information is saved to the session. Therefore, when the session data was lost, the app could no longer tell that the user had accessed it through a valid LTI request, and so the user was denied access.

I fixed this by changing Security.level in core.php to ‘low’ (it had previously been medium). From the CakePHP docs, this increases the multiplier for the ‘Session.timeout’ value (from 100 to 300) and disables (or, to be pedantic, does not enable) PHP’s session.referer_check. It seems to be the latter that was the problem. However, in the php.ini file we have ‘session.referer_check = ‘, which should mean that session.referer_check is not enabled anyway. So I am not sure why changing the security level had an effect, unless setting the Security.level to medium enables session.referer_check, even if it was not already enabled.

As far as I can tell from reading around, disabling session.referer_check should not cause any problems, as it is only possible to access the LTI-ed iCases through WebLearn. Checking that the LTI launch is valid includes checking that the launch request has come from a valid location.

Tag: session

CakePHP Session data being lost on redirect