CakePHP Losing or Missing Session?

I have had my fair share of problems with sessions in Cake, so I thought I would share the two configuration settings in app/config/core.php that affect how Cake handles the session.

Session.checkAgent
Setting this to TRUE means Cake records the User-Agent header of the request when a new session is created. On every subsequent request the User-Agent header sent by the client is compared with the stored value; if it does not match, the current session is destroyed and a new session is created. Keep in mind that this is only a weak defence against session hijacking: an attacker who has stolen the session cookie can just as easily copy the victim's User-Agent string, so the check mainly catches accidental reuse of a session ID rather than a determined attacker.

This rarely causes problems unless you have embedded Flash or Java objects making their own requests to the application, since those plugins may send a User-Agent string of their own rather than the browser's. In that case you must make sure they send the browser's User-Agent string. If you are using something like Aurigma's Image Uploader, where the user agent is not configurable, you have to set this to FALSE instead.

Security.level
Besides scaling the session timeout, this setting determines whether the session ID is regenerated between requests and whether PHP's session.referer_check is set.

With the session ID regenerated on every request, there will be problems as soon as your application makes Ajax calls. The browser does apply the Set-Cookie header from an XMLHttpRequest response, but Ajax calls tend to be fired concurrently or back-to-back: any request that leaves the browser before the new cookie has arrived still carries the session ID of the previous request, and by the time the server sees it that ID has already been destroyed, so the call lands in a fresh, empty session.

The referrer check is done at the hostname level in Cake (PHP's session.referer_check only requires the configured string to appear somewhere in the Referer header), so in theory it should not cause any problems. Oddly, I have a one-time login link which redirects the user to another location, and it works in Firefox but not in Internet Explorer. My guess is that Internet Explorer does not set the Referer header properly when it gets redirected. You can log the HTTP_REFERER header to verify that. Bear in mind that PHP only applies the check when a Referer is actually sent, and it marks the session as invalid whenever that Referer does not contain the configured host: a link followed from another site, such as a webmail page, therefore fails the check even though a typed URL (no Referer at all) passes it.

Anyway, the valid values:

  • "high" – session ID regenerated and referrer check set
  • "medium" – referrer check set
  • "low" – neither
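The two settings side by side, together with the header logging suggested above for tracking down a lost session, as an added example that is not part of the original post. It assumes the CakePHP 1.2 API the post is written against (Configure::write(), Configure::read(), env(), SessionComponent::id() and the controller's log() method); the file paths and the debug-only gate are choices of the example.

```php
<?php
// Added example (not from the original post): the two core.php settings
// side by side, plus a debugging hook that records what the server actually
// sees. Assumes the CakePHP 1.2 API used throughout the post:
// Configure::write(), Configure::read(), env(), Object::log() and
// SessionComponent::id().

// --- app/config/core.php (excerpt) -------------------------------------

// Compatibility settings for the two situations the post describes:
// an embedded uploader that cannot send the browser's User-Agent, and an
// Ajax-heavy page that cannot survive per-request session ID regeneration.
// 'medium' keeps the referer check but stops regenerating the ID.
Configure::write('Session.checkAgent', false);
Configure::write('Security.level', 'medium');

// Hardened alternative for a site holding sensitive data: the ID is
// regenerated between requests and a changed User-Agent ends the session.
// (Commented out so that only one value of each setting is active.)
// Configure::write('Session.checkAgent', true);
// Configure::write('Security.level', 'high');

// --- app/app_controller.php --------------------------------------------

// Logs the headers the two checks depend on, so a "lost" session can be
// traced to a missing or foreign Referer or to a changed User-Agent.
// Only active in debug mode, and the session ID is logged as a truncated
// hash: a full session ID in a log file is a credential and must not be
// written out in production.
class AppController extends Controller {
	var $components = array('Session');

	function beforeFilter() {
		if (Configure::read('debug') > 0) {
			$sid = $this->Session->id();
			$referer = env('HTTP_REFERER');
			$this->log(sprintf(
				'url=%s session=%s referer=%s agent=%s',
				$this->here,
				$sid ? substr(md5($sid), 0, 8) : '(none)',
				$referer ? $referer : '(no referer)',
				env('HTTP_USER_AGENT')
			), LOG_DEBUG);
		}
	}
}
?>
```

With debug enabled the lines go to app/tmp/logs/debug.log; compare the session, referer and agent fields of the request that lost the session with those of the request just before it. A session hash that changes while the agent stays the same points at regeneration (Security.level high) or a rejected Referer, whereas a changed agent with checkAgent enabled points at an embedded object sending its own User-Agent.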
  • Octavian
    Hi Derick,

    You reference Aurigma's image uploader in your post, did you try to integrate it in one of your apps? I'm trying to implement it but I wasn't able yet and I don't know what I'm doing wrong: http://groups.google.com/group/cake-php/browse_...

    Could you help me a bit? I'm sure it can't be that difficult, I'm obviously overlooking something, being a noob.

    I would appreciate your help very much!
  • Sorry for the late reply. And from the thread you linked to, I suppose everything is working fine now. Cheers. ;)
  • Jorge
    Thank you !

    We had the same problem. A very weird difference in behaviour when accessing the site by clicking on a link and when putting the site's address directly into the browser bar.

    The session was lost in cakephp 1.2 alpha

    I have one question:

    Does the 'security low' setting have an impact on the security of our site?

    Maybe this could be a silly question, but I don't know if other users could access switched sessions, or if the sessions will be corrupted, or if the site will be hacker-friendly with the 'security low' setting.

    Can you help me, for the peace of my dreams?
  • If you store sensitive information on your website, I suggest using high instead. The "low" setting definitely has implications, though I believe most websites run that way.

    So with the session ID regenerated, you will actually have to find workarounds for the problems with Ajax calls. E.g. you may want to make the Ajax call pass the new session ID via the response and modify the cookie on the client's computer so that the next call has the right session ID read by the server. That said, I have not tried this before and am not sure whether it can work. :)
  • Nick
    Great! - You're a life saver. I burned about 10 hours trying to figure out what was causing my redirects to fail. Your info above solved it in 15 seconds!
  • Glad this old piece of information still works. :)

    Cheers.
  • Dav
    Fantastic - you have solved my problem. These two settings caused me a day of pain as I kept getting kicked out of my session for the exact reason you mention (jQuery ajax request not sending correct session id)