I enabled admin routing in CakePHP and put all the back-end code into admin_* functions in my controller which are accessible via /admin/controller/action. I wanted to enable some form of access control but without utilising a full user management system which would have been overkill.

The /admin/ directory only exists through some mod_rewrite magic so I couldn’t just use a simple .htaccess file. After much head-scratching and reading of documentation I arrived at a simple solution:

1. I created a .htaccess protected directory, /adminauth/
2. in this directory I created an index.php file which redirected to a URL passed to it via HTTP GET
3. in /app/app_controller.php I defined a beforeFilter() function which uses a regular expression to determine if the called action contained “admin_” in its name
4. if so, check if the $_SERVER['AUTH_TYPE'] variable is set
5. redirect to /adminauth/, passing the current URL, if it isn’t set
6. let mod_auth take care of the rest

This worked a charm on my home Linux box, but when it came to testing the code on the iMac the site is being developed on, the script couldn’t detect the server variable and was thrown into an infinite loop of redirects, doh!

The same result was had when I uploaded the code to the FreeBSD web-host the site will be deployed to, so I had no choice but to rethink my solution.

It was either going to be sessions or cookies and in the moment cookies seemed appealing. I changed the controller to check $_COOKIE[] instead of $_SERVER[] and /adminauth/index.php to call setcookie() . It seems to be working so far, fingers crossed it’ll be suitable for production purposes!