I found the reason for the failure:
[code]
function __initSession() {
    $iniSet = function_exists('ini_set');
    // Only mark the session cookie Secure when the request itself came over HTTPS
    if ($iniSet && env('HTTPS')) {
        ini_set('session.cookie_secure', 1);
    }
    switch ($this->security) {
        case 'high':
            // Cookie expires with the browser session; Referer must contain the host
            $this->cookieLifeTime = 0;
            if ($iniSet) {
                ini_set('session.referer_check', $this->host);
            }
            break;
        case 'medium':
            // Cookie lives for 7 days; Referer must still contain the host
            $this->cookieLifeTime = 7 * 86400;
            if ($iniSet) {
                ini_set('session.referer_check', $this->host);
            }
            break;
        case 'low':
        default:
            // Long-lived cookie, no referer_check
            $this->cookieLifeTime = 788940000;
            break;
    }
}
[/code]
If you set the security level to 'high' or 'medium', the session will be
renewed.
A comment from a user on php.net:
> If you have a value specified for session.referer_check you may run into
> difficulty when someone accesses your site and attempts to log in with a
> mis-capitalized URL. The logon will fail because any calls to
> session_start() will result in the existing session being trashed and a new
> one being created. This becomes a bigger problem when the logon is followed
> by a header("Location: ...") redirect, because the session_start() at the
> top of the page will fail.
So now I have to avoid using referer_check. Is there any documentation for
the security level?
When I first used Cake, I set the security level to high, and the session
would be closed if I didn't touch the Cake app for a short time, so I had
to log in again. So I changed it to medium. And now I have to change it again.
I am wondering whether it is still safe with low security.
I hope there are some replies from the Cake developers to clarify the usage of
the security level.
On Sun, Jun 14, 2009 at 10:36 AM, joshua <[email protected]> wrote:
> Hey Guys,
> Let me write down the steps to reproduce my problem:
> Reproduce steps:
> 1. The customer logs in to my site (https://www.mysite.com);
> 2. Chooses a product and is redirected to the PayPal sandbox site
> (https://developer.paypal.com/cgi-bin/devscr) to complete the payment;
> 3. After the payment, the customer is automatically redirected to my site;
> 4. And then the customer's session is lost.
>
> I found a solution in the PayPal forums, which said:
>
> You could pass your "session variable" Through PayPal variable "custom"
> than read it back in when the buyer is returned to your site after
> completing the PayPal payment or through the IPN POST.
>
> You could also use an authentication cookie which would stick around while
> the customer made a payment on PayPal's website and when they returned to
> your site they would still be authorized.
>
> I tried storing the session id in my POST form and reading it back after the
> redirect from the PayPal site.
> Then I used $this->Session->id($lastSessionID) to restore it. But it fails
> as before.
>
> Does anybody have an idea how to implement this in a Cake app?
> I appreciate any reply from you.
>
> --
> Thanks
> Joshua
>
--
Thanks
Joshua
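To see why the PayPal return and the mis-capitalized URL both drop the session, here is an added example (not code from the thread or from CakePHP) that models the test PHP applies when session.referer_check is set: a plain, case-sensitive substring search of HTTP_REFERER, skipped when no Referer is sent. The hostname and the scenario referers are constructed from the URLs in the thread.

```php
<?php
// Added example: models PHP's session.referer_check decision so the failure
// mode from the thread can be reasoned about offline. Not CakePHP code.

/**
 * PHP compares HTTP_REFERER against session.referer_check with a plain,
 * case-sensitive substring search. A request with no (or an empty) Referer
 * passes; a Referer that does not contain the configured string makes
 * session_start() discard the presented session id and issue a fresh one.
 */
function refererCheckPasses(?string $referer, string $refererCheck): bool
{
    if ($refererCheck === '') {
        return true;            // check disabled (PHP's default)
    }
    if ($referer === null || $referer === '') {
        return true;            // no Referer header: PHP does not reject
    }
    return strpos($referer, $refererCheck) !== false;
}

// Constructed scenarios. $host stands in for CakePHP's $this->host, which the
// 'high' and 'medium' security levels pass to session.referer_check.
$host = 'www.mysite.com';
$cases = [
    'same-site link'       => 'https://www.mysite.com/products/1',
    'mis-capitalized host' => 'https://WWW.MySite.com/login',
    'return from PayPal'   => 'https://developer.paypal.com/cgi-bin/devscr',
    'no Referer header'    => null,
];

foreach ($cases as $label => $referer) {
    $outcome = refererCheckPasses($referer, $host) ? 'session kept' : 'session reset';
    printf("%-22s %s\n", $label . ':', $outcome);
}
```

Only the same-site link and the header-less request keep the session; the PayPal return carries a paypal.com Referer and the mis-capitalized URL fails the case-sensitive match, so both trigger a new session exactly as the php.net comment describes.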