This often has to do with how PHP's session is set up. The Cake Session object is a wrapper class around the PHP session, so you're still using the server's session. If you want to understand Cake's Session, it would be worth your time to learn the basics of PHP's $_SESSION and what can be done with it.
One common problem occurs when the link you are following is from a different host. The PHP session has a session.referer_check setting, which is set to the HTTPS_HOST for security high and to HTTP_HOST for security medium; it is not set for security low. This causes the session to be reset if the referer is not the host that is being called, in other words, if you followed a link from an email or some other server that points to your app. This also shows up when going back and forth between the root app/domain and a root/sub app/domain, because the HTTP_HOST can change (if one site is using blah.blah.com and the other is using localhost or an IP address).

Often we all have code to read in a cookie to remember a user that has previously logged in. This often just masks and hides the problem. So we don't notice most of the time when the session was dropped until we start to rely on a saved value that we thought we saved to the session, or when the user cookie expires and we are redirected to the login page. So these often appear very random when in reality they are not. If you're having what appears to be intermittent session loss, it's very likely it's occurring more than you think. Some debugging is needed.

The only difference I can determine between security medium and security low is timeout duration and setting the PHP session.referer_check. I was always concerned about using low, but I've learned that medium and high only get in the way. So I use low and deal with security measures in my app_controller to control which referer I allow to access specific controller actions. This is better anyway (for my app), as before it was all or nothing.

To monitor your session info and see when it's changing, I place some log statements in my app_controller beforeFilter and/or beforeRender.

    // Which controller action is being requested
    $this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', request:'.$this->name.'.'.$this->action, LOG_DEBUG);
    // Current session id; a change between requests means the session was restarted
    $this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', Session.id:'.$this->Session->id(), LOG_DEBUG);
    // Full dump of the Session component, including its error state
    $this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', Session.error:'.print_r($this->Session, true), LOG_DEBUG);

I use the third line to get some detailed debugging. One thing you'll notice is that the session's error will be set to "Config doesn't exist" and the Session will still be valid. With referer_check set, or security set to medium or high, any link pointing to your site from another host will have this error and the session will restart on the following redirect (which is valid behavior most of the time).

This was a problem for me, as I was passing control from an ASP server to a CakePHP server using a user token and telling Auth to log the user in. The user would get logged in and then I would redirect to the intended controller action, at which point the session would reset and the user would be asked to log in anyway. Setting security to low cleared this up.

I hope this helps some of you. I know I spent two days debugging and trying to understand exactly what was going on with my session. The logging mentioned above proved to be the most help. Be concerned if you see a lot of sessions with the error "Config doesn't exist", and try setting security to low.

LunarDraco
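Added example, not part of the original post and not CakePHP's own code: one way to write the per-action referer check the post describes moving into app_controller, as a standalone PHP function. The function name, the rule map and all host names are hypothetical and constructed for illustration.

```php
<?php
// Hypothetical rule map: "Controller.action" => hosts allowed to link into it.
// Host names are constructed placeholders.
$allowedReferers = array(
    'Users.token_login' => array('legacy.example.com'),
    'Orders.edit'       => array('app.example.com'),
);

/**
 * Return true when the request may reach $controller.$action.
 * Actions absent from the map are unrestricted; listed actions require a
 * Referer whose host exactly equals one of the allowed hosts.
 * The Referer header is supplied by the client, so this filters where links
 * come from; it does not authenticate the caller.
 */
function refererAllowed($map, $controller, $action, $referer)
{
    $key = $controller . '.' . $action;
    if (!isset($map[$key])) {
        return true;                       // action has no referer rule
    }
    if (!is_string($referer) || $referer === '') {
        return false;                      // restricted action, no Referer sent
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return false;                      // malformed or relative URL
    }
    // Exact, case-insensitive host comparison. A substring test would also
    // accept a longer host name that merely contains an allowed one.
    return in_array(strtolower($host), array_map('strtolower', $map[$key]), true);
}

// Constructed requests: controller, action, Referer header value.
$samples = array(
    array('Users', 'token_login', 'https://legacy.example.com/handoff.asp'),
    array('Users', 'token_login', 'https://legacy.example.com.other.test/'),
    array('Orders', 'edit', ''),
    array('Pages', 'display', 'http://mail.example.net/inbox'),
);
foreach ($samples as $s) {
    list($c, $a, $r) = $s;
    printf("%-18s %-42s %s\n", "$c.$a", $r === '' ? '(none)' : $r,
        refererAllowed($allowedReferers, $c, $a, $r) ? 'allow' : 'deny');
}
```

In a controller, the same function could be called from beforeFilter with the current controller name, action and Referer value, next to the log statements shown in the post.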
