I created a new project with CakePHP 4.2 and the cakedc/users plugin (9.2). If I log in and tick the "remember me" box, the cookie is created, but it's not working properly, as I get logged out in about an hour (the session duration). Any hints on where to check what can be wrong? I followed the installation instructions of the plugin.
The default remember-me functionality creates a cookie with the name CookieAuth.
So you should have at least 3 cookies set after logging in:
- PHPSESSID
- CookieAuth
- csrfToken
If you delete the PHPSESSID cookie, it's like you waited 1h (or whatever your default session timeout is set to), therefore expiring the session.
But for me at least the CookieAuth persists, which has an expiry duration of a month, and I am still logged in.
Yes, I have all the 3 cookies. If I delete PHPSESSID I get logged out.
Well, my test install is on current CakePHP 4.3 and therefore the latest CakeDC/Users 11, but still it's basically the same logic as in 9.2.
All I can say is that in vendor/cakedc/users/src/Loader/AuthenticationServiceLoader.php, in the function loadAuthenticators($service), the authenticators are added in the order they are present in the config key Auth.Authenticators, which should be:
- Session
- Form
- Token
- Cookie
- Social
- SocialPendingEmail
See users/users.php at 9.next · CakeDC/users · GitHub
Since deleting the PHPSESSID cookie therefore prevents the SessionAuthenticator from returning a successful result, the next one should be the CookieAuthenticator (which is overwritten by a CakeDC custom authenticator class, but that part shouldn't be affected by it).
Did you overwrite some config in your config/users.php related to the CookieAuthenticator?
No.
I checked and all authenticators get loaded.
I upgraded to the latest version of the plugin (11) and to CakePHP 4.3, but it still doesn't work.
Well, then let me step you through where my CookieAuthenticator succeeds.
As already said above, it starts with the loop over all loaded authenticators in vendor/cakedc/auth/src/Authentication/AuthenticationService.php.
In there, the $result = $authenticator->authenticate($request); check is whether the given request is valid for the used authenticator.
When I then go into the CookieAuthenticator, vendor/cakephp/authentication/src/Authenticator/CookieAuthenticator.php, there is a call $identity = $this->_identifier->identify(compact('username')); which should return a valid user entity.
Also, $this->_checkToken($identity, $tokenHash) should return true, because the given token from the parsed cookie should be valid for the given entity.
Please check all these functions / their return values and you may get more info on what is missing in your setup.
Thanks for the great reply. I think I found the problem. In the cookie the username is missing (for login I use only the email field, and in the table I have username as NULL).
Now I need to find a solution for how to set the username field with the email.
Did you follow users/Configuration.md at master · CakeDC/users · GitHub?
To be exact: did you add the following to your config/users.php?
'Auth.Identifiers.Password.fields.username' => 'email',
'Auth.Authenticators.Form.fields.username' => 'email',
Fixed. I just added in users.php
'Auth.Authenticators.Cookie.fields.username' => 'email',
And now it's working fine. @KevinPfeifer thanks for the great help!
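To make the diagnosis above (the remember-me cookie carried no username because the account's username column is NULL) and the fix (pointing the Cookie authenticator's username field at email) concrete, here is an added PHP model. It is not from the thread and not the CakeDC or cakephp/authentication code. It assumes, as in cakephp/authentication's CookieAuthenticator, that the cookie value is a JSON pair of the configured username field value and a bcrypt hash of username plus stored password hash, and that re-login looks the user up by that first element. The USERS row, the createRememberMeCookie and identifyFromCookie helpers, and the sample email are constructed for the example; the three config keys are the ones quoted in the thread.

```php
<?php
// Added example: simplified model of the remember-me cookie round trip.
// ASSUMPTION (not the library's own code): cookie = json [usernameValue, tokenHash],
// tokenHash = bcrypt(usernameValue . passwordHash), mirroring the shape used by
// vendor/cakephp/authentication/src/Authenticator/CookieAuthenticator.php.
declare(strict_types=1);

// Constructed sample user row: login is by email only, username left NULL.
const USERS = [
    [
        'id'       => 1,
        'username' => null,
        'email'    => 'alice@example.com',
        'password' => '$2y$10$PLACEHOLDER_STORED_PASSWORD_HASH', // placeholder value
    ],
];

// Build the cookie value for an identity, using the Cookie authenticator's field map.
function createRememberMeCookie(array $identity, array $cookieFields): string
{
    $username = $identity[$cookieFields['username']];
    $password = $identity[$cookieFields['password']];
    // The token is bound to the stored password hash, so changing the password
    // (or the username value) invalidates every outstanding remember-me cookie.
    $hash = password_hash((string)$username . $password, PASSWORD_BCRYPT);
    return json_encode([$username, $hash]);
}

// Re-identify the user from the cookie, using the identifier's field map.
function identifyFromCookie(string $cookie, array $identifierFields): ?array
{
    [$username, $tokenHash] = json_decode($cookie, true);
    if ($username === null) {
        return null; // nothing to look the user up by: this is the thread's failure
    }
    $column = $identifierFields['username'];
    foreach (USERS as $row) {
        if ($row[$column] !== $username) {
            continue;
        }
        // Verify the token against the stored row before trusting the cookie.
        if (password_verify($username . $row['password'], $tokenHash)) {
            return $row;
        }
    }
    return null;
}

// Default field maps: both the cookie and the identifier use the `username` column.
$defaultFields = ['username' => 'username', 'password' => 'password'];
$cookie = createRememberMeCookie(USERS[0], $defaultFields);
echo "default cookie: {$cookie}\n";
echo 'identified: ' . (identifyFromCookie($cookie, $defaultFields) ? 'yes' : 'no') . "\n";

// The fix from the thread, as it would appear in config/users.php: every
// "username" field (identifier, form login, remember-me cookie) points at email.
$usersConfig = [
    'Auth.Identifiers.Password.fields.username' => 'email',
    'Auth.Authenticators.Form.fields.username'   => 'email',
    'Auth.Authenticators.Cookie.fields.username' => 'email',
];
$cookieFields = [
    'username' => $usersConfig['Auth.Authenticators.Cookie.fields.username'],
    'password' => 'password',
];
$identifierFields = [
    'username' => $usersConfig['Auth.Identifiers.Password.fields.username'],
];
$cookie = createRememberMeCookie(USERS[0], $cookieFields);
echo "fixed cookie: {$cookie}\n";
echo 'identified: ' . (identifyFromCookie($cookie, $identifierFields) ? 'yes' : 'no') . "\n";
```

The point the model makes is that the three keys have to agree: if only the identifier is switched to email but the Cookie authenticator still reads the NULL username column, the cookie is written with nothing to look the user up by, and the session-length logout described at the top of the thread follows even though CookieAuth is present in the browser.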
That info about email-only login would have been a good addition at the start.
The default install comes with both username and email being valid "username" field values.