Authentication plugin does not log out JWT token with $this->Authentication->logout();

Hi Developers, I have built an API for mobile devices with login and register, and these APIs are working fine, but when I send a request for logout, the logout does not reset the JWT token. The CakePHP official documentation just mentions this $this->Authentication->logout(); method. $this->Authentication->logout() is only for web-based use, not for APIs. I am not using any plugin for JWT; I just followed the CakePHP docs and created login and logout methods.
Please help: how can I reset the JWT token when the logout API is called?
The login method returns a JWT, and the third-party app saves that token and sends it back as an authorized user, but logout does not work. Please help me.

JWT Tokens are stateless - meaning they don’t get saved on the server in e.g. a session or the database.

The easiest way for your application would be to just delete the JWT token on the client when the client makes the logout request. This doesn’t happen automatically because what you do with the JWT token after the user has logged in is basically up to you.

Thanks @KevinPfeifer for your reply, but it is not good practice to delete the token from the client side. It compromises the security of user data… suppose the token expires after one hour and a bad guy copies that token and uses it on a different machine, so he can easily access the logged-in user's data! He can change/update the profile, even post unwanted posts. I chose CakePHP as a more secure framework compared to Laravel, but I think there is a big security issue here if CakePHP does not remove this kind of token. Laravel provides this functionality to delete the token and even revoke a new token.
You are a core developer of CakePHP… please accept my suggestion and do something for this authentication to log out the token.

> suppose the token expires after one hour and a bad guy copies that token and uses it on a different machine, so he can easily access the logged-in user's data

That’s impossible. Once a JWT expires no one can authenticate using it.

> I chose CakePHP as a more secure framework compared to Laravel, but I think there is a big security issue here if CakePHP does not remove this kind of token. Laravel provides this functionality to delete the token and even revoke a new token.

Please don’t blame the framework for your lack of understanding of how authentication using JWT works / is meant to be used. You should have done some research about JWT. If the Laravel tokens you are referring to are what’s described here, then that’s not JWT. They are random string tokens stored server side. Not all token-based auth works the same way.

JWTs are stateless, not meant to be stored server side, and there’s no login/logout for stateless auth. If that doesn’t fit your needs then you chose the wrong auth mechanism.

For server-side stored tokens the Authentication plugin has the Token identifier. The expiry / revocation of such tokens has to be handled at app level.

I am not blaming the framework, but it’s really annoying.

> suppose the token expires after one hour and a bad guy copies that token and uses it on a different machine, so he can easily access the logged-in user's data

I was saying that if anyone accesses this token before the hour is up, then what? And if this is not handled by CakePHP, then why does CakePHP mention it in the docs? Even Laravel explains how you can use a random string and save it in the database, and on the other hand CakePHP… bla blaa blaa…

Confusing middleware functionality… authentication and authorization are applied in middleware, and then there is no explanation of how to skip authentication and authorization for a particular plugin-level controller. Your plugins are outdated compared to new versions; most are not supported and give errors whenever I install them… so yeah, the CakePHP framework is really horrible. I am a developer, and every developer wants to save time; that is why he chooses a framework, but in CakePHP it is a thousand times looking at the docs, then going to plugins, then the plugin is not working… so what did I say wrong, @ADmad?
Therefore most developers like Laravel… CakePHP does not support any kind of frontend framework, and does not even provide Vite or Webpack out of the box, but Laravel is ready to use these things… so the developer can just focus on their main things… My client forced me to use CakePHP, otherwise I would have chosen Laravel.
I’m damn sure CakePHP 5 will still be stupid. I follow CakePHP on Twitter; they are going to launch CakePHP 5 soon, and it doesn’t provide anything, it just fools the people.

> suppose the token expires after one hour and a bad guy copies that token and uses it on a different machine, so he can easily access the logged-in user's data

Guess what: if an attacker has access to the session cookie value in the browser, he can access the logged-in user’s data without a problem. That’s expected and the reason why cookies need to be handled carefully (and why XSS attacks exist). The same goes for JWT tokens, just with the additional benefit that JWT tokens are encrypted with a server-side (and therefore secure) key, so users can’t easily adjust its value.

The only thing you can adjust is the expiration date of the JWT token, so that you find a sweet spot between refreshing regularly and not falling into your “security problem”.


No matter which system you use it always comes down to what you are used to and what you expect to get from a framework.

And it’s clear that you expect Laravel functionality from CakePHP, which is not the case because we are more strict in how functionality can be implemented, because we don’t want you to shoot yourself in the foot in the long run (and follow the standards behind those functionalities, like JWT tokens, as ADmad already explained above).

Regarding the Vite/Webpack topic: There is GitHub - ishanvyas22/asset-mix: Provides helpers functions for CakePHP to use Laravel Mix. which you can install to get a more “modern” frontend working instead of the default PHP templates. We leave the default template as it is (with no JS framework and a very simple CSS framework) because we don’t want to burden a lot of users with complicated NodeJS build systems if they don’t need them.

But in the end no matter what we do we surely can’t make you happy so what’s the point in even arguing now… Guess you shouldn’t have accepted a project for a framework which you can’t work with.

Hi @KevinPfeifer, thanks for your valuable feedback, and I already checked those plugins.

> Regarding the Vite/Webpack topic: There is GitHub - ishanvyas22/asset-mix: Provides helpers functions for CakePHP to use Laravel Mix.

It’s a very funny thing… you are using Laravel Mix built into CakePHP… from here we can see what LARAVEL is… you cannot build your own system to handle this kind of thing.

> we don’t want to burden a lot of users with complicated NodeJS build systems if they don’t need them.

This is necessary in today’s world, @KevinPfeifer. NodeJS is different and frontend frameworks are too. I know we can easily write code for ReactJS, VueJS or Svelte in CakePHP… but why do we do these things? First I have to install supporting modules, then configure the template thing for the frontend framework, and after 3 hours everything is set up and I start the main coding for the project. Why does CakePHP not provide this during installation? Otherwise I am OK, I will find another solution for my issue.
Thanks for your replies, all.

You do know you can easily fork GitHub - cakephp/app: CakePHP application template and create your own app template, so you can use it more easily in your projects with all the presets you want… Google is your friend.


To be clear: GitHub - ishanvyas22/asset-mix: Provides helpers functions for CakePHP to use Laravel Mix. is a third-party plugin which integrates the functionality of Laravel Mix in CakePHP. Why should we build something that already exists and works fine in other projects? We also re-use other parts of the PHP ecosystem, as you can see here. That’s the beauty of open source.


Also yes, I know NodeJS is necessary for many current frontend templates and I also use NodeJS for my apps. But guess what - I just build my own system that fits exactly what I need instead of bitching on framework devs to support whatever I need or have seen in other frameworks.


But again, you clearly are so Laravel-focused that you just can’t accept anything else existing which is not Laravel-adjacent, so good luck with your endeavours; you won’t get any more support from me anyway.

Aw!.. hahahahah… hold on, hold on @daryl, I can understand your frustration, man. OK, so I am here and I assume that you have created a login method in your API controller, and when a user sends a request for login, your login method returns a response to the request; if it is successful it generates a token, and that token you assign to your user’s device, and then the user’s device connects to your application and gets back whatever data you want to show after authentication… am I right here?

OK, so now the problem is that you want to destroy this token when the user hits your logout API. Let me explain what’s going on here: we can destroy any session value and cookie value, we can even unset a variable’s value from the server side, but you want to destroy a JWT token… so it’s not possible, @daryl. You have to find another solution for this task… and trust me, there are many ways we can sort out this problem.
You can discuss with your team who handle the mobile application, or others who want to use your API, and tell them to destroy the token on their local machine. My suggestion is that you can use time addition: whenever the API is hit you set a new time into your token, like 5 min, and if the API is not hit then the token destroys itself, because you just set the expiry time to less than 5 to 10 min during login. I hope you got my point.
And please do not compare CakePHP with Laravel. CakePHP has its own space, @daryl. I have many things to say if you want to argue about CakePHP vs Laravel :joy:
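As an added example, which is not code from this thread, from CakePHP or from the Authentication plugin, the following standard-library Python sketch puts two points made above into working form: ADmad’s point that verifying a JWT needs no server state (so a logout() call has nothing to reach, and revocation of server-side tracked tokens is app-level work), and shaan007’s suggestion of a short, sliding expiry that is renewed on every API hit. SECRET_KEY, the REVOKED store and all function names are constructed for the demonstration; a real application would load the key from configuration and keep the denylist in a cache or database table.

```python
"""Added example (not from this thread, CakePHP, or the Authentication plugin):
a minimal HS256 JWT issued and verified with the standard library only, plus
the two app-level additions discussed in the thread: a server-side denylist
keyed on the jti claim (what a server-side 'logout' actually is) and a
sliding expiry that re-issues a short-lived token on every request."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed demo key. A real app loads this from configuration, never source.
SECRET_KEY = b"constructed-demo-key-do-not-use"

# Constructed app-level revocation store: jti -> exp. In production this is a
# cache or database table; entries can be purged once their exp has passed.
REVOKED = {}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: int, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Sign a JWT carrying sub, exp and a random jti (the handle for revocation)."""
    now = time.time() if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "sub": str(user_id),
        "exp": int(now) + ttl_seconds,
        "jti": secrets.token_hex(8),
    }).encode())
    sig = hmac.new(SECRET_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if signature and exp check out, else None.

    Nothing here consults a session or database: that is what 'stateless'
    means, and why no server-side logout() can make a still-valid token fail."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # accept only the algorithm we issue
        expected = hmac.new(SECRET_KEY, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:  # wrong segment count, bad base64, bad UTF-8 or bad JSON
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= now:
        return None
    return claims


def logout(token: str, now: Optional[float] = None) -> bool:
    """Server-side logout: remember the jti until the token would expire anyway."""
    claims = verify_token(token, now)
    if claims is None or "jti" not in claims:
        return False
    REVOKED[claims["jti"]] = claims["exp"]
    return True


def authenticate(token: str, now: Optional[float] = None) -> Optional[dict]:
    """verify_token plus the denylist lookup; this is the app-level part."""
    claims = verify_token(token, now)
    if claims is None or claims.get("jti") in REVOKED:
        return None
    return claims


def refresh_if_valid(token: str, ttl_seconds: int, now: Optional[float] = None) -> Optional[str]:
    """Sliding expiry: each authenticated request hands back a fresh short-lived
    token and retires the one it replaced. A token not used within ttl_seconds
    expires on its own, which is the behaviour suggested in the thread."""
    now = time.time() if now is None else now
    claims = authenticate(token, now)
    if claims is None:
        return None
    if "jti" in claims:
        REVOKED[claims["jti"]] = claims["exp"]  # rotate: the old token is done
    return issue_token(int(claims["sub"]), ttl_seconds, now)


def purge_expired(now: Optional[float] = None) -> int:
    """Drop denylist entries whose tokens have expired anyway; returns the count."""
    now = time.time() if now is None else now
    stale = [jti for jti, exp in REVOKED.items() if exp <= now]
    for jti in stale:
        del REVOKED[jti]
    return len(stale)
```

The denylist only needs to hold a jti until the token’s own exp has passed, which is why purge_expired exists: with short-lived, rotating tokens the table stays small, and the sliding refresh means a token that a third party copied stops working as soon as the legitimate client refreshes or goes idle past the TTL.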

> To be clear: GitHub - ishanvyas22/asset-mix: Provides helpers functions for CakePHP to use Laravel Mix.

Though Laravel Mix was originally built for Laravel projects, it of course may be used for any type of application. That’s not originally for a CakePHP project; that’s the thing I am saying, @KevinPfeifer: your framework behind the scenes uses the Laravel tools… heheheh. CakePHP does not originally have this kind of tool. Creative and convenient packages are built for Laravel and the Laravel ecosystem, which make life easy for developers, and CakePHP uses these plugins and tools which were developed by Laravel… so what does CakePHP have of its own that is original?

Yes, I am a little annoyed, @shaan007; my project has got stuck and has the worst coding. Yes, you are right about my API’s flow: there is a login function which returns a token, and that token is sent in the header, but you all explain here that it’s not possible on the server side. OK, I will try to apply your idea about incrementing the time with every request. @shaan007, can you show me how I can write the code for this during login and after login success?

> I have many things to say if you want to argue about CakePHP vs Laravel

No, no, man… I am not arguing here with anyone, just telling them what needs to be improved in CakePHP. I am not against CakePHP and it’s a really amazing framework, but in some scenarios it’s very frustrating and annoying.

So we are only allowed to exist if we provide packages which are used by other frameworks as well?

I’m sorry, but you seem to not have heard of

I’m sorry that we haven’t specifically created exactly the package that you expect.

Those plugins are outdated, @KevinPfeifer; especially MixerAPI always gives an error when installing due to the composer version, and I am using the latest version. I tried all the plugins and there are only a few that work.

Hey @daryl,
I tried to reproduce the problem you are talking about with https://mixerapi.com/ and I feel like you ran into this, right?

-> % composer require mixerapi/mixerapi
Your requirements could not be resolved to an installable set of packages.

  Problem 1
    - mixerapi/mixerapi[v1.0.0, ..., v1.1.7] require mixerapi/rest ^1.0 -> satisfiable by mixerapi/rest[v1.0.0, ..., v1.1.7].
    - mixerapi/mixerapi v0.3.0 requires mixerapi/rest ~0.2 -> satisfiable by mixerapi/rest[v0.2.0, ..., v0.3.0].
    - mixerapi/mixerapi[v0.2.3, ..., v0.2.10] require mixerapi/rest ^0.2 -> satisfiable by mixerapi/rest[v0.2.0, ..., v0.2.10].
    - mixerapi/rest[v0.2.0, ..., v0.3.0, v1.0.0, ..., v1.1.7] require thecodingmachine/class-explorer ^1.1 -> satisfiable by thecodingmachine/class-explorer[v1.1.0].
    - mixerapi/mixerapi v0.2.2 requires mixerapi/json-ld-view ^0.1 -> found mixerapi/json-ld-view[dev-master, v0.2.3, ..., v0.3.0, v1.0.0, ..., v1.1.7] but it does not match the constraint.
    - thecodingmachine/class-explorer v1.1.0 requires psr/simple-cache ^1 -> found psr/simple-cache[1.0.0, 1.0.1] but the package is fixed to 2.0.0 (lock file version) by a partial update and that version does not match. Make sure you list it as an argument for the update command.
    - Root composer.json requires mixerapi/mixerapi * -> satisfiable by mixerapi/mixerapi[v0.2.2, ..., v0.3.0, v1.0.0, ..., v1.1.7].

Use the option --with-all-dependencies (-W) to allow upgrades, downgrades and removals for packages currently locked to specific versions.
You can also try re-running composer require with an explicit version constraint, e.g. "composer require mixerapi/mixerapi:*" to figure out if any version is installable, or "composer require mixerapi/mixerapi:^2.1" if you know which you need.

The problem here is that a sub-package of the MixerAPI plugin only supports psr/simple-cache version 1, but CakePHP supports version 1 and version 2.

Now if you initially create a CakePHP app, it just uses the latest versions possible, which is psr/simple-cache version 2.

When you then try to install the MixerAPI package as described above, it won’t immediately work because you now have psr/simple-cache version 2 installed but that sub-package only supports version 1.

The simple solution to your problem would have been to just execute

composer require mixerapi/mixerapi -W

as the message says at the bottom to allow sub-packages to be up- and downgraded.

Then the plugin installs just fine, so nothing CakePHP could have done here.


OK, thanks if you really found a solution, but now I have been shifting my code to Laravel, @KevinPfeifer. CakePHP does not have enough docs and help community. Whenever I search on Google regarding my issue there is no help there; if Google provides any help, it is old code and mostly not working now… so why do we use this shit framework? No ACL is easily documented there.

well then have fun with laravel and your project :+1:


I am still here because I have completed half the code in CakePHP and my client has not accepted my advice to shift the code to Laravel, so my bad, @KevinPfeifer.