On Nov 11, 8:15 am, Serge Rodovnichenko <[EMAIL PROTECTED]> wrote:
> Thanks, Gwoo. This helps :-)
>
> Where to get more information about behaviour of security levels?
>
> I think in 'high' level Cake performs Referrer checks. This is why I
> lose sessions in case described above.

It does, but that probably isn't relevant. With high security the
session id changes on each request (as mentioned previously in the
thread).

So normally you would have:

    GET / sessionid = void
    .... sessionid #1 created
    Response / sessionid = #1
    GET /abc sessionid = #1
    .... sessionid changed to #2
    Response /abc sessionid = #2 <- updated
    GET /def sessionid = #2
    .... sessionid changed to #3
    Response /def sessionid = #3 <- updated
    GET /xyz sessionid = #3
    .... sessionid changed to #4
    Response /xyz sessionid = #4 <- updated

with the sessionid stored in the cookie client side (obviously). On
the server the session id changes as soon as the request is received.
Ergo if you send two or more concurrent requests without waiting for
the response, e.g.:

    GET / sessionid = void
    .... sessionid #1 created
    Response / sessionid = #1
    GET /abc sessionid = #1 <- session doesn't exist
    .... <- session id #2 generated, session id #1 deleted
    GET /def sessionid = #1 <- session doesn't exist
    .... Response /def or redirect /users/login sessionid = #new

It isn't quite so simple, but in principle that's what you're looking
at. If you set security to medium, the session id persists for the
life of your browser session, hence concurrent requests will not cause
you to lose your session.

hth,
AD
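
The two request sequences described in the reply above, as a small simulation. This is an added example, not code from the original post or from CakePHP; the `SessionStore` class, the `browse` helper and the "demo-user" login are constructed for illustration and model only the rotate-on-every-request behaviour the reply describes.

```python
import secrets

class SessionStore:
    """Toy server-side session store (constructed model, not CakePHP code)."""

    def __init__(self, rotate_each_request):
        self.rotate = rotate_each_request   # True models 'high', False models 'medium'
        self.sessions = {}                  # session id -> session data

    def handle(self, cookie_sid):
        """Process one request; return (status, session id sent back in the cookie)."""
        if cookie_sid not in self.sessions:
            # Unknown or already-replaced id: the user gets a fresh, logged-out session.
            sid = secrets.token_hex(8)
            self.sessions[sid] = {"user": None}
            return "new-session", sid
        if self.rotate:
            # Id is replaced as soon as the request is received; the old id stops working.
            sid = secrets.token_hex(8)
            self.sessions[sid] = self.sessions.pop(cookie_sid)
            return "ok", sid
        return "ok", cookie_sid

def browse(store, concurrent):
    """Log in, then send two requests; return the status of each."""
    _, sid = store.handle(None)                 # first visit, no cookie yet
    store.sessions[sid]["user"] = "demo-user"   # constructed login
    statuses = []
    for _ in range(2):
        status, new_sid = store.handle(sid)
        statuses.append(status)
        if not concurrent:
            sid = new_sid   # response arrived, so the browser updated its cookie
        # concurrent: the second request left with the same, now stale, cookie
    return statuses

if __name__ == "__main__":
    for rotate in (True, False):
        for concurrent in (False, True):
            result = browse(SessionStore(rotate), concurrent)
            print(f"rotate={rotate} concurrent={concurrent}: {result}")
```

Only the rotating store combined with concurrent requests yields a "new-session" status, which is the point at which a logged-in user would be sent back to the login page.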