Security Note When Manually Passing Data to Login

Don't pass (unhashed) passwords when manually passing data into Auth->login($data);
ekos · Jan 20, 2015 · 3e477e4 · 3e477e4
1 parent 7894785
commit 3e477e4
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/en/core-libraries/components/authentication.rst b/en/core-libraries/components/authentication.rst
@@ -496,6 +496,7 @@ calling ``$this->Auth->login()`` with the user data you want to 'login'::
                 $this->request->data['User'],
                 array('id' => $id)
             );
+            unset($this->request->data['User']['password']);
             $this->Auth->login($this->request->data['User']);
             return $this->redirect('/users/home');
         }
@@ -505,6 +506,11 @@ calling ``$this->Auth->login()`` with the user data you want to 'login'::
 
     Be sure to manually add the new User id to the array passed to the login
     method. Otherwise you won't have the user id available.
+
+.. warning::
+
+    Be sure to unset password fields before manually passing data into
+    ``$this->Auth->login()``, or it will get saved in the Session unhashed.
 
 Accessing the logged in user
 ----------------------------