Hi all,

I fixed this problem and wanted to share the solution.

After reading other posts I realized this issue is similar to the one
discussed in the SWFobject.swf posts on this board.  After reading
those threads I fixed this by adding some text to
app/config/bootstrap.php to use an existing session, and changing
session.php to work if the user agent is Flash.  I also had to change
the security to low in core.php.

Added to the bottom of app/config/bootstrap.php

    // Use the session id passed as a request parameter (Flash requests do
    // not carry the browser's session cookie), under the normal CakePHP
    // session name, so the request joins the existing session.
    if (isset($_REQUEST[CAKE_SESSION_COOKIE])) {
        session_name(CAKE_SESSION_COOKIE);
        session_id($_REQUEST[CAKE_SESSION_COOKIE]);
    }

Replaced __checkValid function in cake/session.php with

    function __checkValid() {
        if ($this->read('Config')) {
            // Existing session: accept it when the stored user agent matches
            // the current one, or the current agent is a known Flash player,
            // and the session has not timed out.
            if (($this->_userAgent == $this->read("Config.userAgent") || $this->__isFlashAgent())
                && $this->time <= $this->read("Config.time")) {
                $this->write("Config.time", $this->sessionTime);
                $this->valid = true;
            } else {
                $this->valid = false;
                $this->__setError(1, "Session Highjacking Attempted !!!");
                $this->destroy();
            }
        } else {
            // New session: record the user agent and expiry for later checks.
            srand((double)microtime() * 1000000);
            $this->write("Config.userAgent", $this->_userAgent);
            $this->write("Config.time", $this->sessionTime);
            $this->write('Config.rand', rand());
            $this->valid = true;
            $this->__setError(1, "Session is valid");
        }
    }

    // True when the current user agent hash (md5 of agent + CAKE_SESSION_STRING,
    // as CakePHP stores it in $this->_userAgent) is one of the Flash player agents.
    function __isFlashAgent() {
        $flashAgent = array('Shockwave Flash', 'Adobe Flash Player 9', 'Adobe Flash Player 8');
        foreach ($flashAgent as $agent) {
            if (md5($agent . CAKE_SESSION_STRING) == $this->_userAgent) {
                return true;
            }
        }
        return false;
    }

And finally changed config/core.php

define('CAKE_SECURITY', 'low');

Thanks to everyone who helped; this was a real headache for me.  Hope
it helps someone in the future.
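The same idea as a self-contained script, added here as an example and not code from the post or from CakePHP itself. It keeps the post's Flash user-agent list and the request-parameter session id, but only adopts the id when the request comes from one of the listed Flash agents and the id has the shape of a PHP session id, and it expresses the __checkValid decision as a pure function so it can be exercised outside the framework. CAKE_SESSION_COOKIE and CAKE_SESSION_STRING are the CakePHP constant names from the post; the values defined below and the sample user agents and times are constructed for the example.

```php
<?php
// Added example: standalone re-implementation of the post's session-id and
// user-agent handling, outside CakePHP. Constant names mirror app/config/core.php;
// the values are constructed for this example.
if (!defined('CAKE_SESSION_COOKIE')) {
    define('CAKE_SESSION_COOKIE', 'CAKEPHP');
}
if (!defined('CAKE_SESSION_STRING')) {
    define('CAKE_SESSION_STRING', 'example-salt-change-me');
}

// User agents the Flash plugin sends with its own HTTP requests; same list as the post.
function flash_agents() {
    return array('Shockwave Flash', 'Adobe Flash Player 9', 'Adobe Flash Player 8');
}

// True when $userAgentHash (md5 of agent + CAKE_SESSION_STRING, the form CakePHP
// keeps in $this->_userAgent) belongs to one of the known Flash agents.
function is_flash_agent_hash($userAgentHash) {
    foreach (flash_agents() as $agent) {
        if (md5($agent . CAKE_SESSION_STRING) === $userAgentHash) {
            return true;
        }
    }
    return false;
}

// A PHP session id is a short token of letters, digits, ',' and '-'. Reject
// anything else before it reaches session_id().
function is_valid_session_id($id) {
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,128}$/', $id) === 1;
}

// Equivalent of the bootstrap.php addition from the post, tightened: take the
// session id from the request only for a Flash user agent and only if it looks
// like a session id. Returns the adopted id, or null when the cookie session is kept.
function adopt_request_session_id(array $request, $rawUserAgent) {
    if (!isset($request[CAKE_SESSION_COOKIE])) {
        return null;
    }
    $id = $request[CAKE_SESSION_COOKIE];
    $agentHash = md5($rawUserAgent . CAKE_SESSION_STRING);
    if (!is_flash_agent_hash($agentHash) || !is_valid_session_id($id)) {
        return null;
    }
    session_name(CAKE_SESSION_COOKIE);
    session_id($id);
    return $id;
}

// Equivalent of the post's __checkValid() decision as a pure function.
// $stored is the Config block CakePHP keeps in the session (null on first use).
// Returns 'new', 'valid' or 'hijack'.
function session_decision($stored, $currentAgentHash, $now) {
    if ($stored === null) {
        return 'new';
    }
    $agentOk = ($stored['userAgent'] === $currentAgentHash) || is_flash_agent_hash($currentAgentHash);
    if ($agentOk && $now <= $stored['time']) {
        return 'valid';
    }
    return 'hijack';
}

// Constructed sample: a browser creates the session, then the Flash plugin,
// another client, and a late request each try to continue it.
$browserHash = md5('Mozilla/5.0 (example browser)' . CAKE_SESSION_STRING);
$flashHash   = md5('Shockwave Flash' . CAKE_SESSION_STRING);
$otherHash   = md5('example-other-client/1.0' . CAKE_SESSION_STRING);
$stored      = array('userAgent' => $browserHash, 'time' => 2000);

echo 'flash, in time:   ', session_decision($stored, $flashHash, 1500), "\n";
echo 'other, in time:   ', session_decision($stored, $otherHash, 1500), "\n";
echo 'flash, expired:   ', session_decision($stored, $flashHash, 2500), "\n";
echo 'first request:    ', session_decision(null, $browserHash, 1500), "\n";

$request = array(CAKE_SESSION_COOKIE => 'abc123def456ghi789jkl0');
var_dump(adopt_request_session_id($request, 'Shockwave Flash'));
var_dump(adopt_request_session_id($request, 'Mozilla/5.0 (example browser)'));
var_dump(adopt_request_session_id(array(CAKE_SESSION_COOKIE => 'not a session id!'), 'Shockwave Flash'));
```

Run it with `php` on the command line; the script does not start a session, it only sets the name and id the way the bootstrap addition does. The two extra checks in adopt_request_session_id are the point of the example: the post's bootstrap snippet accepts any value in the request for any client, whereas this version narrows that to the Flash clients the fix is meant for and to well-formed ids.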
You received this message because you are subscribed to the Google Groups "Cake PHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en