To prevent "Surf Jacking", the following code was added to
Session::__initSession():

if ($ini_set && env('HTTPS')) {
    ini_set('session.cookie_secure', 1);
}

https://trac.cakephp.org/ticket/5254

The implications of this (as far as I can tell) are that once an SSL
connection has been made (and the session cookie turned secure), in
order to maintain the session, all further connections must be SSL
(even in areas of the application that do not require an SSL
connection).

The solutions I have found are: -

1. Remove this security feature (http://stackoverflow.com/questions/308659/session-not-saving-when-moving-from-ssl-to-non-ssl).
2. Force SSL connection always (via .htaccess)

The solution I would like to use is: -

3. Force SSL connection when a secure session cookie is detected

Any pointers would be greatly appreciated
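
As an added example, not part of the original post and not CakePHP's own code: a Secure cookie is withheld by the browser on plain-HTTP requests, so the server cannot detect it there, and option 3 needs a second, non-secure marker cookie set alongside the session cookie. The cookie names, host and request paths below are assumptions made for the sketch.

```php
<?php
// Added example, not CakePHP code. The cookie names and host are assumptions.
const SESSION_COOKIE = 'CAKEPHP';            // assumed session cookie name
const HINT_COOKIE    = 'has_secure_session'; // hypothetical marker, holds no secret

/** Cookies a browser attaches to a request, given its jar and the scheme. */
function cookiesSent(array $jar, bool $https): array
{
    $sent = [];
    foreach ($jar as $name => $cookie) {
        // A cookie flagged Secure is withheld from plain-HTTP requests.
        if ($https || !$cookie['secure']) {
            $sent[$name] = $cookie['value'];
        }
    }
    return $sent;
}

/** Server side: HTTPS URL to redirect to, or null to serve the request as-is. */
function httpsRedirectFor(array $cookies, bool $https, string $canonicalHost, string $uri): ?string
{
    if ($https) {
        return null; // already on SSL, the secure session cookie is usable
    }
    // The session cookie never arrives here, so only the marker can be checked.
    // The marker is forgeable, but forging it only earns a redirect to HTTPS.
    if (isset($cookies[HINT_COOKIE])) {
        // Host comes from configuration, not from the request's Host header.
        return 'https://' . $canonicalHost . $uri;
    }
    return null;
}

// Constructed browser state after a login over HTTPS set both cookies.
$jar = [
    SESSION_COOKIE => ['value' => 'constructed-session-id', 'secure' => true],
    HINT_COOKIE    => ['value' => '1', 'secure' => false],
];

$overHttp = cookiesSent($jar, false);
var_dump(isset($overHttp[SESSION_COOKIE]));
var_dump(httpsRedirectFor($overHttp, false, 'www.example.com', '/posts/index'));
var_dump(httpsRedirectFor(cookiesSent($jar, true), true, 'www.example.com', '/posts/index'));
var_dump(httpsRedirectFor([], false, 'www.example.com', '/pages/home'));
```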
