And today, when I upgraded Cake to version 1.2.3.8166 Stable, it stopped working again. I think there must be some modifications in lib/session.php. So can anyone give some suggestions on what I should do now? I have set the priority to 'low' now. I want the session to stay there after the auto redirect from the PayPal Sandbox site.

On Sun, Jun 14, 2009 at 11:54 AM, joshua <[email protected]> wrote:

> I found the fail reason,
> [code]
> function __initSession() {
>     $iniSet = function_exists('ini_set');
>
>     if ($iniSet && env('HTTPS')) {
>         ini_set('session.cookie_secure', 1);
>     }
>
>     switch ($this->security) {
>         case 'high':
>             $this->cookieLifeTime = 0;
>             if ($iniSet) {
>                 ini_set('session.referer_check', $this->host);
>             }
>             break;
>         case 'medium':
>             $this->cookieLifeTime = 7 * 86400;
>             if ($iniSet) {
>                 ini_set('session.referer_check', $this->host);
>             }
>             break;
>         case 'low':
>         default:
>             $this->cookieLifeTime = 788940000;
>             break;
>     }
> [/code]
> If you set the security level to 'high' or 'medium', the session will be
> renewed.
>
> A comment from a guy on php.net:
>
>> If you have a value specified for session.referer_check you may run into
>> difficulty when someone accesses your site and attempts to log in with a
>> mis-capitalized URL. The logon will fail because any calls to
>> session_start() will result in the existing session being trashed and a new
>> one being created. This becomes a bigger problem when the logon is followed
>> by a header("Location: ...") redirect, because the session_start() at the
>> top of the page will fail.
>
> So now, I have to avoid using the refer_check. Is there any document for
> the security level?
> When I first used Cake, I set the security level to high. And the session
> would be closed if I didn't touch the Cake app for a short time, so that I had
> to log in again. So I changed it to medium. And now I have changed it again. I
> am wondering, is it still safe with low security?
> Hope there are some replies from Cake developers to clarify the usage of the
> security level.
>
>
> On Sun, Jun 14, 2009 at 10:36 AM, joshua <[email protected]> wrote:
>
>> Hey Guys,
>> Let me write down the steps to reproduce my problem:
>> Reproduce steps:
>> 1. Customer logs in to my site (https://www.mysite.com);
>> 2. Chooses a product and is redirected to the PayPal sandbox site
>> (https://developer.paypal.com/cgi-bin/devscr) to complete the payment;
>> 3. After the payment, the customer will be auto redirected to my site;
>> 4. And then the customer session was lost.
>>
>> I found a solution in the PayPal forums, which said:
>>
>> You could pass your "session variable" through the PayPal variable "custom",
>> then read it back in when the buyer is returned to your site after
>> completing the PayPal payment or through the IPN POST.
>>
>> You could also use an authentication cookie which would stick around while
>> the customer made a payment on PayPal's website and when they returned to
>> your site they would still be authorized.
>>
>> I tried to store the session in my post form and get it after the redirect
>> from the PayPal site.
>> And then I used $this->Session->id($lastSessionID) to restore it. But it failed
>> as before.
>>
>> Does anybody have an idea how to implement it in a Cake app?
>> I appreciate any reply from you.
>>
>> --
>> Thanks
>> Joshua
>
> --
> Thanks
> Joshua

--
Thanks
Joshua
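
The PayPal forum advice quoted in the thread (pass a value through `custom` and read it back on return), shown as an added example that is not part of the original messages and is not CakePHP or PayPal code: instead of the raw session ID, `custom` carries an HMAC-signed, expiring order reference that the site verifies on return. `APP_SECRET`, `TOKEN_TTL`, `make_return_token()` and `verify_return_token()` are hypothetical names, the sample values are constructed, and PHP 7.1+ is assumed.

```php
<?php
// Added example: a signed order reference for PayPal's "custom" field.
// Hypothetical names throughout; the secret below is a constructed placeholder.
const APP_SECRET = 'replace-with-a-long-random-server-side-secret';
const TOKEN_TTL  = 1800; // seconds a checkout may take before the token expires

// Build the value for the "custom" field. It identifies the order and an
// expiry time; the session ID never leaves the site.
function make_return_token(int $orderId, ?int $now = null): string
{
    $now     = $now ?? time();
    $payload = $orderId . '.' . ($now + TOKEN_TTL);
    return $payload . '.' . hash_hmac('sha256', $payload, APP_SECRET);
}

// Verify the value received on the return URL or in the IPN POST.
// Returns the order id, or null if the token is malformed, altered or expired.
function verify_return_token(string $token, ?int $now = null): ?int
{
    $now   = $now ?? time();
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    list($orderId, $expires, $mac) = $parts;
    if (!ctype_digit($orderId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $orderId . '.' . $expires, APP_SECRET);
    if (!hash_equals($expected, $mac)) { // constant-time comparison
        return null;
    }
    if ((int) $expires < $now) {
        return null;
    }
    return (int) $orderId;
}

// Constructed demonstration values (fixed timestamps so the run is repeatable).
$issuedAt = 1244938000;
$token    = make_return_token(1042, $issuedAt);
var_dump(verify_return_token($token, $issuedAt + 600));       // unmodified, inside the TTL
var_dump(verify_return_token($token . 'x', $issuedAt + 600)); // MAC altered in transit
var_dump(verify_return_token($token, $issuedAt + 3600));      // presented after expiry
```

The verified order id is then matched against the order stored for the logged-in user; the token only re-links the payment to an order and does not by itself authenticate the visitor.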
