Home/ Questions/Q 7973227
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-04T08:03:14+00:00

I started trying out CakePHP a few months ago and I’m now attempting to

  • 0

I started trying out CakePHP a few months ago and I’m now attempting to create a “change password page” for logged in users. I have a form consisting of these fields: current password, new password and new password confirmation. For the current password, I want to validate that it matches the password of the logged in user, as a rule within the user Model. I know that I can get information of the logged in user with this: AuthComponent::user(). However, it provides me every field of the model except the password.

I know that Auth->login() is responsible for setting the session variables for the logged in user, but I’m not sure what I’m doing wrong here that only the password field cannot be accessed:

public function login() {

    if ($this->request->is('POST')) {
        if($this->Auth->login()) {
            $this->redirect($this->Auth->redirect());
        } else {
            $this->Session->setFlash('Your username/password combination was incorrect.');
        }
    }
}

Here’s my login view:

<h2>Login</h2>
<?php 
echo $this->Form->create('Promoter');
echo $this->Form->input('username');
echo $this->Form->input('password', array('type' => 'password'));
echo $this->Form->end('Login');?>

I’m using the Promoter model as the user, which i set in the AppController:

public $components = array(
    'Auth'=>array(
        ...
        'authenticate' => array(
            'Form' => array('userModel' => 'Promoter')
        ),
        'authorize' => array('Controller')
    )
);

I can resort to validating the password in the Controller, but that would be giving up 🙂 Please tell me if I need to provide more code to clarify the issue.

Thanks.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    You’re probably not doing anything wrong, this is most likely a security feature. There is no reason to keep a password in your session.

    Secondly, even if it was in session, it would be encrypted (or at least I hope so, if it’s not you should change that immediately!). So you still couldn’t do a simple comparison.

    To compare the old password, you should query your Promoter model, and get the hashed password from there, then hash the old password from your “change password” form, and finally compare the hashed results.

    • 0