I’ve been getting ready for the deployment of wow4kids.com, and one of the final features to be put into place was restricting access to the administrative back-end.
I enabled admin routing in CakePHP and put all the back-end code into `admin_*` functions in my controllers, which are accessible via `/admin/controller/action`. I wanted to enable some form of access control, but without building a full user management system, which would have been overkill.
The `/admin/` directory only exists through some mod_rewrite magic, so I couldn’t just use a simple `.htaccess` file. After much head-scratching and reading of documentation I arrived at a simple solution:
- I created a `/adminauth/` directory
- in this directory I created an `index.php` file which redirected to a URL passed to it via HTTP GET
- in `/app/app_controller.php` I defined a `beforeFilter()` function which uses a regular expression to determine if the called action contains “admin_” in its name
- if so, check if the `$_SERVER['AUTH_TYPE']` variable is set
- redirect to `/adminauth/`, passing the current URL, if it isn’t set
- let mod_auth take care of the rest
This worked a charm on my home Linux box, but when it came to testing the code on the iMac the site is being developed on, the script couldn’t detect the server variable and was thrown into an infinite loop of redirects, doh!
The same result was had when I uploaded the code to the FreeBSD web-host the site will be deployed to, so I had no choice but to rethink my solution.
It was either going to be sessions or cookies, and in the moment cookies seemed appealing. I changed the controller to check `$_COOKIE` instead of the server variable, and `/adminauth/index.php` to call `setcookie()`. It seems to be working so far; fingers crossed it’ll be suitable for production purposes!
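The cookie variant above only tests whether a cookie with the right name is present, and any client can send a cookie of any name, so the value itself has to carry something only the server could have produced. The block below is an added example, not code from the wow4kids.com project or from CakePHP: it keeps the post's structure (an `admin_` check in `beforeFilter()`, a redirect to `/adminauth/`, a cookie set by `/adminauth/index.php` after mod_auth has succeeded) but signs the cookie with an HMAC over the authenticated user and an expiry, and refuses redirect targets that are not local paths. The constant and function names (`ADMIN_COOKIE`, `ADMIN_COOKIE_SECRET`, `admin_cookie_value()`, `admin_cookie_user()`, `is_admin_action()`) are my own; `$this->action`, `$this->here` and `$this->redirect()` are the CakePHP 1.x controller members the commented-out framework part assumes.

```php
<?php
// Added example (not the project's code): a signed admin cookie for the
// CakePHP admin-routing scheme described in the post. The bare check
// "is $_COOKIE['x'] set?" is satisfied by any client that sends a cookie with
// that name, so here the value binds the mod_auth user and an expiry under an HMAC.
// Assumed names: ADMIN_COOKIE, ADMIN_COOKIE_SECRET, ADMIN_COOKIE_TTL and the
// helper functions below.

define('ADMIN_COOKIE', 'adminauth');
// In a real deployment load the secret from a file outside the web root.
define('ADMIN_COOKIE_SECRET', 'replace-with-a-long-random-secret');
define('ADMIN_COOKIE_TTL', 3600); // seconds a cookie stays valid

// The post's regular-expression test: is the requested action part of the admin back-end?
function is_admin_action($action) {
    return preg_match('/^admin_/', $action) === 1;
}

// Cookie value layout: user|expiry|hmac(user|expiry). Produced by
// /adminauth/index.php once mod_auth has populated REMOTE_USER.
function admin_cookie_value($user, $expires, $secret = ADMIN_COOKIE_SECRET) {
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// Constant-time comparison (hash_equals() only exists from PHP 5.6).
function same_string($a, $b) {
    if (strlen($a) !== strlen($b)) return false;
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) $diff |= ord($a[$i]) ^ ord($b[$i]);
    return $diff === 0;
}

// Verify a cookie value at time $now; returns the user name, or false if the
// value is malformed, expired, or carries a MAC made with a different secret.
function admin_cookie_user($value, $now, $secret = ADMIN_COOKIE_SECRET) {
    $parts = explode('|', (string)$value);
    if (count($parts) !== 3) return false;
    list($user, $expires, $mac) = $parts;
    if (!ctype_digit($expires) || (int)$expires < $now) return false;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $secret);
    return same_string($expected, $mac) ? $user : false;
}

// --- CakePHP side (app/app_controller.php): how beforeFilter() would use the helpers ---
// function beforeFilter() {
//     if (is_admin_action($this->action)) {
//         $value = isset($_COOKIE[ADMIN_COOKIE]) ? $_COOKIE[ADMIN_COOKIE] : '';
//         if (admin_cookie_user($value, time()) === false) {
//             $this->redirect('/adminauth/?url=' . urlencode($this->here));
//         }
//     }
// }

// --- /adminauth/index.php, itself protected by mod_auth through its own .htaccess ---
// if (empty($_SERVER['REMOTE_USER'])) { header('HTTP/1.0 403 Forbidden'); exit; }
// $expires = time() + ADMIN_COOKIE_TTL;
// setcookie(ADMIN_COOKIE, admin_cookie_value($_SERVER['REMOTE_USER'], $expires),
//           $expires, '/', '', true /* HTTPS only */, true /* HttpOnly */);
// $url = isset($_GET['url']) ? $_GET['url'] : '/';
// // Only follow local paths, so the redirect cannot be pointed at another host.
// if (!preg_match('#^/[^/\\\\]#', $url)) $url = '/';
// header('Location: ' . $url);
// exit;

// Self-check when run from the command line (php this_file.php).
if (PHP_SAPI === 'cli') {
    $now = 1000000;
    $good     = admin_cookie_value('alice', $now + 60);
    $tampered = admin_cookie_value('alice', $now + 60, 'some-other-secret');
    assert(is_admin_action('admin_index') && !is_admin_action('index'));
    assert(admin_cookie_user($good, $now) === 'alice');
    assert(admin_cookie_user($tampered, $now) === false);   // wrong secret
    assert(admin_cookie_user($good, $now + 61) === false);  // expired
    assert(admin_cookie_user('1', $now) === false);         // presence alone is not enough
    echo "ok\n";
}
```

The helper functions run stand-alone under the PHP CLI; the two commented sections show where they slot into the post's layout. Two design choices are worth noting: the expiry is inside the signed payload, so a client cannot extend its own session by editing the cookie, and the redirect in `/adminauth/index.php` validates the `url` parameter because an unvalidated redirect target is a common way for a login helper to be abused as an open redirect.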