21 changes: 17 additions & 4 deletions docs/en/authenticators.md
Expand Up @@ -326,9 +326,10 @@ feature for your login forms.
Just make sure your login form has a field that matches the field name
that is configured in this authenticator.

To encrypt and decrypt your cookie make sure you added the
EncryptedCookieMiddleware to your app *before* the
AuthenticationMiddleware.
> [!WARNING]
> You must enable `EncryptedCookieMiddleware` and add the cookie authenticator `name`
> to the encrypted cookie list before using `CookieAuthenticator`.
> Without encryption, remember me cookie values can be tampered with.

Configuration options:

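Review bot: The replaced prose carried an ordering requirement that the new warning block drops: `EncryptedCookieMiddleware` has to sit in the middleware queue *before* `AuthenticationMiddleware`, otherwise the authenticator reads the still-encrypted value. Suggest keeping that constraint in the warning, e.g. "You must add `EncryptedCookieMiddleware` to the middleware queue before `AuthenticationMiddleware`, and include the cookie authenticator `name` in its encrypted cookie list, before using `CookieAuthenticator`." Minor: "remember me cookie" should be hyphenated ("remember-me cookie") to match the wording used in the `CookieAuthenticator` docblock in this same change.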
Expand Down Expand Up @@ -372,7 +373,19 @@ The cookie authenticator can be added to a Form & Session based
authentication system. Cookie authentication will automatically re-login users
after their session expires for as long as the cookie is valid. If a user is
explicitly logged out via `AuthenticationComponent::logout()` the
authentication cookie is **also destroyed**. An example configuration would be:
authentication cookie is **also destroyed**. Before enabling CookieAuthentication, first
enable `EncryptedCookieMiddleware`:

```php
// In Application::middleware()
use Cake\Http\Middleware\EncryptedCookieMiddleware;

$middlewareQueue->add(
new EncryptedCookieMiddleware(['CookieAuth'], Configure::read('Security.cookieKey'))
);
```

Then add `CookieAuthenticator` to your authentication service configuration:

```php
// In Application::getAuthenticationService()
3 changes: 3 additions & 0 deletions src/Authenticator/CookieAuthenticator.php
Expand Up @@ -33,6 +33,9 @@
* Cookie Authenticator
*
* Authenticates an identity based on a cookie data.
*
* You *must* enable encrypted cookies with `EncryptedCookieMiddleware` before using CookieAuthenticator.
* Without encryption remember-me cookie values can be tampered with.
*/
class CookieAuthenticator extends AbstractAuthenticator implements PersistenceInterface
{
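Review bot: The docblock now states the encryption requirement but nothing in the class enforces it; since the stated risk is that an unencrypted remember-me value can be tampered with, it would be worth a follow-up that lets the authenticator detect a cookie value that was not decrypted by the middleware and treat it as an authentication failure rather than relying on documentation alone. Style: "Without encryption remember-me cookie values can be tampered with." needs a comma after "Without encryption", and while this block is being edited, the adjacent context line "Authenticates an identity based on a cookie data." could be corrected to "based on cookie data".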