Re: [CakePHP : The Rapid Development Framework for PHP] #6271: Solution to #5254 does not allow for opting out of the security measure

2009-12-06 Thread CakePHP : The Rapid Development Framework for PHP
#6271: Solution to #5254 does not allow for opting out of the security measure
-----------------------+----------------------------
    Reporter:  Ocean    |          Owner:
        Type:  RFC      |         Status:  new
    Priority:  Medium   |      Milestone:  1.2.x.x
   Component:  Session  |        Version:  1.2 Final
    Severity:  Normal   |     Resolution:
    Keywords:           |    Php_version:  n/a
Cake_version:           |
-----------------------+----------------------------
Comment (by nicketr):

 I was able to opt out following ADmad's article
 http://bakery.cakephp.org/articles/view/how-to-bend-cakephp-s-session-handling-to-your-needs

 I declared
 {{{
 Configure::write('Session.save','my_session');
 }}}
 inside the core.php and created a my_session.php file inside the config
 directory. In the file I wrote an ini_set directive which disables the
 secure cookie.

 {{{
 ini_set('session.cookie_secure', 0);
 }}}

 This method is more flexible and I don't believe there is a need for a
 change.

-- 
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:6
CakePHP : The Rapid Development Framework for PHP https://trac.cakephp.org/
Cake is a rapid development framework for PHP which uses commonly known design 
patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. 
Our primary goal is to provide a structured framework that enables PHP users at 
all levels to rapidly develop robust web applications, without any loss to 
flexibility.

--

You received this message because you are subscribed to the Google Groups 
tickets cakephp group.
To post to this group, send email to tickets-cake...@googlegroups.com.
To unsubscribe from this group, send email to 
tickets-cakephp+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/tickets-cakephp?hl=en.
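
A way to check what the opt-out in the comment above does to the cookie on the wire, as an added example that is not part of the ticket or of CakePHP. It assumes the session cookie is named "CAKEPHP", and the captured responses and the shop.example host are constructed sample data.

```python
# Added example: audit captured Set-Cookie headers for the session cookie's
# Secure attribute. Assumption: the cookie is named "CAKEPHP".
SESSION_COOKIE = "CAKEPHP"


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes) with lowercased keys."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_response(url, set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return findings about the session cookie in one captured response."""
    findings = []
    over_https = url.lower().startswith("https://")
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:
            continue
        if not over_https:
            findings.append("session cookie issued over plain HTTP")
        elif "secure" not in attrs:
            findings.append("session cookie issued over HTTPS without Secure")
    return findings


# Constructed sample responses (label, URL, Set-Cookie header values).
SAMPLES = [
    ("default over HTTPS", "https://shop.example/users/login",
     ["CAKEPHP=0a1b2c3d; path=/; secure"]),
    ("opted out over HTTPS", "https://shop.example/users/login",
     ["CAKEPHP=0a1b2c3d; path=/"]),
    ("plain HTTP page", "http://shop.example/",
     ["lang=en; path=/", "CAKEPHP=0a1b2c3d; path=/"]),
]


def audit_all(samples=SAMPLES):
    """Map each sample label to its list of findings."""
    return {label: audit_response(url, headers) for label, url, headers in samples}


if __name__ == "__main__":
    for label, findings in audit_all().items():
        print(label, "->", findings or "ok")
```

A cookie issued over HTTPS without Secure is also sent by the browser on any later plain-HTTP request to the same host, which is the exposure the automatic setting was meant to close.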




Re: [CakePHP : The Rapid Development Framework for PHP] #6271: Solution to #5254 does not allow for opting out of the security measure

2009-04-16 Thread CakePHP : The Rapid Development Framework for PHP
Comment (by Ocean):

 Having read #4341, is this the correct (cake-esque) way to go? Or am I
 barking up the wrong tree? (answers on a postcard please)...

 {{{
 // app/config/core.php

 /**
  * When set to false, cookie_secure will not automatically be set in an
  * HTTPS environment
  * (anti Surf Jacking:
  * http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf)
  */
 Configure::write('Session.cookieSecure', true);
 }}}

 {{{
 // cake/libs/session.php - Session::__initSession()

 if ($iniSet && env('HTTPS') && Configure::read('Session.cookieSecure')) {
     ini_set('session.cookie_secure', 1);
 }
 }}}

-- 
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:1



Re: [CakePHP : The Rapid Development Framework for PHP] #6271: Solution to #5254 does not allow for opting out of the security measure

2009-04-16 Thread CakePHP : The Rapid Development Framework for PHP
Comment (by Ocean):

 ... thought about it some more...

 ... the following allows you to opt out: -

 {{{
 // app/config/core.php

 /**
  * When set to false, cookie_secure will not automatically be set in an
  * HTTPS environment
  * (anti Surf Jacking:
  * http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf)
  */
 Configure::write('Session.cookieSecure', true);
 }}}

 ... a method is provided to secure/un-secure a session: -

 {{{
 // cake/libs/session.php

 /**
  * Helper method to secure session cookie.
  *
  * @return void
  * @access public
  */
 function cookieSecure($secure = true) {
     $iniSet = function_exists('ini_set');

     if ($iniSet && env('HTTPS') && Configure::read('Session.cookieSecure') && $secure) {
         ini_set('session.cookie_secure', 1);
     } elseif (!$secure) {
         ini_set('session.cookie_secure', 0);
     }
 }
 }}}

 ... the session is secured on logging in, and un-secured on logging out: -

 {{{
 function login($data = null) {
     $this->__setDefaults();
     $this->_loggedIn = false;

     if (empty($data)) {
         $data = $this->data;
     }

     if ($user = $this->identify($data)) {
         $this->Session->cookieSecure(true); // secure cookie on logging in
         $this->Session->write($this->sessionKey, $user);
         $this->_loggedIn = true;
     }
     return $this->_loggedIn;
 }

 function logout() {
     $this->__setDefaults();
     $this->Session->del($this->sessionKey);
     $this->Session->del('Auth.redirect');
     $this->Session->cookieSecure(false); // un-secure cookie on logging out
     $this->_loggedIn = false;
     return Router::normalize($this->logoutRedirect);
 }
 }}}

 ... how's that?

-- 
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:2



Re: [CakePHP : The Rapid Development Framework for PHP] #6271: Solution to #5254 does not allow for opting out of the security measure

2009-04-16 Thread CakePHP : The Rapid Development Framework for PHP
Comment (by Ocean):

 ... and session secured while logged in: -

 {{{
 // cake/libs/controller/components/auth.php

 function startup($controller) {
     if ($this->user()) {
         $this->Session->cookieSecure(true);
     }
     ...
 }}}

-- 
Ticket URL: https://trac.cakephp.org/ticket/6271#comment:3