One-time authentication on multi-install site

I have a site with a basic index.php home page, and multiple instances of cakephp v5 in subfolders (mysite/cake_a, mysite/cake_b, mysite/cake_c), with .htaccess files set up in each to rewrite the page query paths appropriately.

The three cake instances share a users database with common login details. I have set up the authentication and authorization plugins on all three instances.

If I go to mysite/cake_a/* I am redirected to mysite/cake_a/login and I can successfully log in.

The problem is that I am forced to log in again separately for each subsite, e.g. if I then visit mysite/cake_b/*, even though I am logging in with the same credentials.

How might I share my logged-in credentials (is it a token check at the server end?) across all three instances, so that I only have to log in once?

See the cookiePath setting in app.php. You’ll want that to point to / instead of /cake_a.

Thanks for your reply! I set the cookiePath in all three instances, in app.php

    'Session' => [
        'defaults' => 'php',
        'cookiePath' => '/'
    ],

Unfortunately there are still a couple of issues to solve.

First of all, the CSRF middleware seems to ignore the cookiePath value and always writes its cookie’s path as /myappsubfolder/, rather than /.

Second, I am using the Muffin Footprint Middleware, and after logging in to mysite/cake_a, visiting mysite/cake_b causes an exception to be thrown in FootprintMiddleware.php in cake_b, because the Authorization\Identity class is not properly formed – it is of type ‘php Incomplete Class’ when viewed in the debugger.

I’m not sure why the Identity class is not properly created when the user logs in via one of the sibling instances of cakephp?

EDIT: If I disable Muffin Footprint, the error is:

    error: [Error] The script tried to call a method on an incomplete object. Please ensure that the class definition "App\Model\Entity\User" of the object you are trying to operate on was loaded _before_ unserialize() gets called or provide an autoloader to load the class definition in /var/www/html/archive/vendor/cakephp/cakephp/src/Error/Debugger.php on line 716

So the issue is that the User entity is not properly formed when logging in via another instance…

I feel like the CSRF cookie being different won’t matter? It’s just the session token you’re concerned with sharing. But I’m not an expert there.

Do your three subsites all share implementation of the User entity? In other words, it seems they will all have an App\Model\Entity\User class; is that class identical across all three?

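The failure mode diagnosed above, reduced to plain PHP as an added illustration (not code from the thread or from CakePHP). The serialized identity string, the field names and the `identityIsUsable()` guard are constructed for this demo; it assumes PHP 7 or later.

```php
<?php
namespace App\Model\Entity;

// What the login instance (cake_a) leaves in the shared session: a serialized
// App\Model\Entity\User entity. Constructed sample, reduced to two fields.
$payload = 'O:21:"App\Model\Entity\User":2:{s:2:"id";i:7;s:5:"email";s:16:"jane@example.org";}';

// Guard a sibling instance can apply before trusting a session identity:
// an identity whose class was not loadable deserializes as __PHP_Incomplete_Class.
function identityIsUsable($identity): bool
{
    return \is_object($identity) && !($identity instanceof \__PHP_Incomplete_Class);
}

// 1) Sibling instance (cake_b) that has no User entity class of its own.
$identity = \unserialize($payload);
echo identityIsUsable($identity) ? "usable\n" : "incomplete class: treat as not logged in\n";
try {
    $identity->get('email');   // raises the same Error the thread reports
} catch (\Error $e) {
    echo "Error: " . $e->getMessage() . "\n";
}

// 2) Same request once cake_b has an identical User entity class.
// Declared conditionally so PHP does not hoist it above step 1.
if (!\class_exists(User::class, false)) {
    class User
    {
        public $id;
        public $email;
        public function get(string $field)
        {
            return $this->$field;
        }
    }
}
$identity = \unserialize($payload);
echo identityIsUsable($identity) ? "usable: " . $identity->get('email') . "\n" : "still broken\n";
```

Run as a single script: step 1 reproduces the incomplete-object Error, step 2 shows the same session data working once the class definition matches across instances.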

Good point, I have Controller and Table for Users in cake_b and cake_c but no Entity model. I will give that a go in the morning. Thanks.

Yep, it’s working now! CSRF is writing multiple cookies, one for each subfolder, and seems to be working OK, though Chrome claims that it is blocking them because they are not a match or superdirectory of the request URL.