Infinite Login Loop after CakePHP 3.6 update

Question

in my application, based on CakePHP, I'm using. When I'm logging in using the URL /manager/login (corresponding to LoginController, Managerr prefix) everything is OK.

When I logout or I use /manager the result is the following:

/manager/login?redirect=%2Fmanager%2Flogin%3Fredirect%3D%252Fmanager%252Flogin%253Fredirect%253D%25252Fmanager%25252Flogin%25253Fredirect%25253D%2525252Fmanager%2525252Flogin%2525253Fredirect%2525253D%252525252Fmanager%252525252Flogin%252525253Fredirect%252525253D%25252525252Fmanager%25252525252Flogin%25252525253Fredirect%25252525253D%2525252525252Fmanager%2525252525252Flogin%2525252525253Fredirect%2525252525253D%252525252525252Fmanager%252525252525252Flogin%252525252525253Fredirect%252525252525253D%25252525252525252Fmanager%25252525252525252Flogin%25252525252525253Fredirect%25252525252525253D%2525252525252525252Fmanager%2525252525252525252Flogin%2525252525252525253Fredirect%2525252525252525253D%252525252525252525252Fmanager%252525252525252525252Flogin%252525252525252525253Fredirect%252525252525252525253D%25252525252525252525252Fmanager%25252525252525252525252Flogin%25252525252525252525253Fredirect%25252525252525252525253D%2525252525252525252525252Fmanager%2525252525252525252525252Flogin%2525252525252525252525253Fredirect%2525252525252525252525253D%252525252525252525252525252Fmanager%252525252525252525252525252Flogin%252525252525252525252525253Fredirect%252525252525252525252525253D%25252525252525252525252525252Fmanager%25252525252525252525252525252Flogin%25252525252525252525252525253Fredirect%25252525252525252525252525253D%2525252525252525252525252525252Fmanager%2525252525252525252525252525252Flogin%2525252525252525252525252525253Fredirect%2525252525252525252525252525253D%252525252525252525252525252525252Fmanager%252525252525252525252525252525252Flogin%252525252525252525252525252525253Fredirect%252525252525252525252525252525253D%25252525252525252525252525252525252Fmanager%25252525252525252525252525252525252Flogin%25252525252525252525252525252525253Fredirect%25252525252525252525252525252525253D%2525252525252525252525252525252525252Fmanager%2525252525252525252525252525252525252Flogin%2525252525252525252525252525252525253Fredirect%2525252525252525252525252525252525253D%252525252525252525252525252525252525252Fmanager%252525252525252525252525252525252525252Fprofile

An infinite loop in query string and the server return a 404.15 error.

Same configuration used in 3.5

$this->loadComponent('Auth', [
            'fields' => [
                'username' => 'email',
                'password' => 'password'
            ],
            'loginAction' => [
                'prefix' => 'manager',
                'controller' => 'Login',
                'action' => 'index',
                'plugin' => false
            ],
            'loginRedirect' => [
                'prefix' => 'manager',
                'controller' => 'Managers',
                'action' => 'index',
                'plugin' => false
            ],
            'logoutRedirect' => [
                'prefix' => 'manager',
                'controller' => 'Login',
                'action' => 'index',
                'plugin' => false
            ],
            'authenticate' => [
                'Form' => [
                    'passwordHasher' => [
                        'className' => 'DressFinder'
                    ],
                    'fields' => [
                        'username' => 'email',
                        'password' => 'password'
                    ],
                    'userModel' => 'Managers'
                ]
            ],
            'authError' => __('You are not authorized to access that location.'),
            'storage' => [
                'className' => 'Session',
                'key' => 'Auth.Managers'
            ]
        ]);

No routes has been changed, and in controller without prefixes the login/logut actions work.

Thanks for any help.

Answer 1

That's a bug, the authentication component compares the login action with the current URL including the query string argument, which causes a mismatch, treating the user as unauthenticated, and thus triggering a redirect to the login action, where the same procedure then starts again.

This will be fixed in 3.6.1, if you cannot wait, apply the patch manually until the new version is available.

See

• https://github.com/cakephp/cakephp/issues/11943
• https://github.com/cakephp/cakephp/pull/11949

Answer 2

This might not an answer, i have not enough Reputation for adding comments! You could try to add these codes to routes.php

use Cake\Core\Plugin;
use Cake\Routing\RouteBuilder;
use Cake\Routing\Router;
use Cake\Routing\Route\DashedRoute;


Router::defaultRouteClass(DashedRoute::class);

Router::scope('/', function (RouteBuilder $routes) {

Router::prefix('manager', function ($routes){
    $routes->connect('/', ['controller'=>'Your_controller', 'action'=>'your_action']);
    $routes->connect('/:controller/', [], ['routeClass' => 'Cake\Routing\Route\InflectedRoute']);
    $routes->connect('/:controller/:action/*', [], ['routeClass' => 'Cake\Routing\Route\InflectedRoute']);
});
$routes->fallbacks(DashedRoute::class);
});

Plugin::routes();

Answer 3

Seems like redirect not working by default. Add/Adjust followings to initialize method in AppController should work fine.

$this->loadComponent('RequestHandler', [ 'enableBeforeRedirect' => false ]);