Re: [CakePHP : The Rapid Development Framework for PHP] #6271: Solution to #5254 does not allow for opting out of the security measure
#6271: Solution to #5254 does not allow for opting out of the security measure
-------------------------------------+--------------------------------------
 Reporter:  Ocean                    |        Owner:
     Type:  RFC                      |       Status:  new
 Priority:  Medium                   |    Milestone:  1.2.x.x
Component:  Session                  |      Version:  1.2 Final
 Severity:  Normal                   |   Resolution:
 Keywords:                           |  Php_version:  n/a
Cake_version:                        |
-------------------------------------+--------------------------------------

Comment (by nicketr):

 I was able to opt out following ADmad's article
 http://bakery.cakephp.org/articles/view/how-to-bend-cakephp-s-session-handling-to-your-needs

 I declared

 {{{
 Configure::write('Session.save', 'my_session');
 }}}

 inside core.php and created a my_session.php file inside the config
 directory. In that file I wrote an ini_set directive which disables the
 secure cookie:

 {{{
 ini_set('session.cookie_secure', 0);
 }}}

 This method is more flexible and I don't believe there is a need for a
 change.

--
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:6
CakePHP : The Rapid Development Framework for PHP https://trac.cakephp.org/
Cake is a rapid development framework for PHP which uses commonly known design patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. Our primary goal is to provide a structured framework that enables PHP users at all levels to rapidly develop robust web applications, without any loss to flexibility.

--
You received this message because you are subscribed to the Google Groups "tickets cakephp" group.
To post to this group, send email to tickets-cake...@googlegroups.com.
To unsubscribe from this group, send email to tickets-cakephp+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/tickets-cakephp?hl=en.
Comment (by Ocean):

 Having read #4341, is this the correct (cake-esque) way to go? Or am I
 barking up the wrong tree? (Answers on a postcard please...)

 {{{
 // app/config/core.php

 /**
  * When set to false, cookie_secure will not automatically be set in an HTTPS environment
  * (anti Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf)
  */
 Configure::write('Session.cookieSecure', true);
 }}}

 {{{
 // cake/libs/session.php - Session::__initSession()

 // $iniSet = function_exists('ini_set') is computed earlier in __initSession()
 if ($iniSet && env('HTTPS') && Configure::read('Session.cookieSecure')) {
     ini_set('session.cookie_secure', 1);
 }
 }}}

--
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:1
Comment (by Ocean):

 ... thought about it some more...

 ... the following allows you to opt out:

 {{{
 // app/config/core.php

 /**
  * When set to false, cookie_secure will not automatically be set in an HTTPS environment
  * (anti Surf Jacking: http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf)
  */
 Configure::write('Session.cookieSecure', true);
 }}}

 ... a method is provided to secure/un-secure a session:

 {{{
 // cake/libs/session.php

 /**
  * Helper method to secure session cookie.
  *
  * @param boolean $secure true to set the Secure flag, false to clear it
  * @return void
  * @access public
  */
 function cookieSecure($secure = true) {
     $iniSet = function_exists('ini_set');
     if ($iniSet && env('HTTPS') && Configure::read('Session.cookieSecure') && $secure) {
         ini_set('session.cookie_secure', 1);
     } elseif ($iniSet && !$secure) {
         ini_set('session.cookie_secure', 0);
     }
 }
 }}}

 ... the session is secured on logging in, and un-secured on logging out:

 {{{
 // cake/libs/controller/components/auth.php

 function login($data = null) {
     $this->__setDefaults();
     $this->_loggedIn = false;

     if (empty($data)) {
         $data = $this->data;
     }
     if ($user = $this->identify($data)) {
         $this->Session->cookieSecure(true); // secure cookie on logging in (method defined above)
         $this->Session->write($this->sessionKey, $user);
         $this->_loggedIn = true;
     }
     return $this->_loggedIn;
 }

 function logout() {
     $this->__setDefaults();
     $this->Session->del($this->sessionKey);
     $this->Session->del('Auth.redirect');
     $this->Session->cookieSecure(false); // un-secure cookie on logging out
     $this->_loggedIn = false;
     return Router::normalize($this->logoutRedirect);
 }
 }}}

 ... how's that?
--
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:2
Comment (by Ocean):

 ... and session secured while logged in:

 {{{
 // cake/libs/controller/components/auth.php

 function startup($controller) {
     if ($this->user()) {
         $this->Session->cookieSecure(true);
     }
     ...
 }
 }}}

--
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:3
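Both routes discussed in this ticket (nicketr's opt-out file that clears session.cookie_secure, and Ocean's cookieSecure() calls from the Auth login()/logout()/startup() hooks) hinge on one PHP detail: ini_set('session.cookie_secure') only matters at the moment PHP emits the session Set-Cookie header, which happens at session_start() for a new session or at session_regenerate_id(). Changing the setting later in the request does not alter a cookie the browser already holds. The block below is an added, standalone example written for this page; it is not code from the ticket or from CakePHP. It decides the flag from an opt-out key plus HTTPS, applies it before the session starts, and rotates the id on login so a cookie carrying the current flag actually reaches the browser. The function names, the $config array and its 'Session.cookieSecure' key are this example's own.

```php
<?php
// Added example, not CakePHP code. secureSessionCookieWanted(),
// applySessionCookieFlags(), loginSucceeded(), logoutNow() and the $config
// array are this example's own names, chosen to mirror the ticket's idea.

/**
 * Decide whether the session cookie should carry the Secure flag:
 * on under HTTPS by default, unless the app explicitly opts out with
 * 'Session.cookieSecure' => false.
 */
function secureSessionCookieWanted(array $server, array $config)
{
    $optedOut = array_key_exists('Session.cookieSecure', $config)
        && $config['Session.cookieSecure'] === false;
    // HTTPS is "on" when the server variable is present and not "off".
    $https = !empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off';
    return $https && !$optedOut;
}

/**
 * Apply the cookie flags. Must run BEFORE session_start(): PHP reads the
 * session.cookie_* settings when it builds the Set-Cookie header, so a
 * value changed afterwards has no effect on a cookie already sent.
 */
function applySessionCookieFlags(array $server, array $config)
{
    $secure = secureSessionCookieWanted($server, $config);
    ini_set('session.cookie_secure', $secure ? '1' : '0');
    ini_set('session.cookie_httponly', '1');   // keep script access away from the id
    ini_set('session.use_only_cookies', '1');  // never accept a session id from the URL
    return $secure;
}

/**
 * After a successful login: rotate the session id. session_regenerate_id(true)
 * emits a fresh Set-Cookie with the flags currently in effect and discards the
 * old session data, which is what a login-time "secure the cookie" hook needs
 * for the Secure flag to reach the browser at all.
 */
function loginSucceeded(array $user)
{
    session_regenerate_id(true);
    $_SESSION['Auth.User'] = $user;
}

/**
 * On logout: destroy the session and expire the cookie using the parameters
 * it was issued with, rather than merely clearing the Secure flag.
 */
function logoutNow()
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Decision table over constructed $_SERVER / config values (not real requests).
if (PHP_SAPI === 'cli') {
    $cases = array(
        // server,                   config,                                expected
        array(array('HTTPS' => 'on'),  array(),                               true),
        array(array('HTTPS' => 'on'),  array('Session.cookieSecure' => false), false),
        array(array('HTTPS' => 'off'), array(),                               false),
        array(array(),                 array('Session.cookieSecure' => true),  false),
    );
    foreach ($cases as $i => $c) {
        $got = secureSessionCookieWanted($c[0], $c[1]);
        printf("case %d: secure=%s %s\n", $i, var_export($got, true),
            $got === $c[2] ? 'ok' : 'MISMATCH');
    }
}
```

In web use, call applySessionCookieFlags($_SERVER, $config) before session_start(), loginSucceeded() once credentials check out, and logoutNow() on logout. nicketr's my_session.php is loaded while Cake sets the session up, i.e. before the cookie is emitted, so an ini_set there takes effect; the login()/logout() hooks in comment 2 run after the session has already started, so without an id regeneration the browser keeps whatever flag its existing cookie was issued with. If a request arrives over plain HTTP after logout, the cookie expiry in logoutNow() is the part that still matters; a Secure cookie is not sent on that request in the first place, which is the Surf Jacking point the ticket cites.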