#5605: session.referer_check PHP ini var should be decoupled from 'High' and
'Medium' Session Security levels
-------------------------------------------+--------------------------------
Reporter: Alexbw | Type: Enhancement
Status: new | Priority: Medium
Milestone: 1.2.x.x | Component: Session
Version: RC3 | Severity: Normal
Keywords: session, referer, security | Php_version: PHP 4 >= 4.3.2
Cake_version: |
-------------------------------------------+--------------------------------
'''Background'''

When Security.level is set to 'High' or 'Medium' in Cake's config, the PHP
ini directive session.referer_check is set. This results in any clients
accessing the site with an external referer set having their session
restarted/killed off.

I appreciate that this is by design. However, one of the sites I've been
involved in deploying has a weekly newsletter sent out to users with links
to specific content, i.e. of the form '/[controller]/[action]/[arg]'. The
site requires users to log in, so when a (not logged in) user clicks a link
in a webmail client such as Yahoo! this is roughly what happens:

1. session.referer_check is made and fails; the user's session is started
   afresh
2. Auth identifies the user isn't logged in
3. Auth stores the destination URL in session (in Auth.redirect)
4. Auth redirects the browser to the login page
5. session.referer_check is made and fails; the user's session is started
   afresh
6. Auth checks for Auth.redirect, not found, so sets Auth.redirect to the
   (external) referer
7. User submits login
8. Auth authenticates and redirects to Auth.redirect
9. User gets sent back to the newsletter in the webmail client

'''The Fix'''

Setting Security.level to 'low' fixes this behaviour to what you'd expect
to happen when following a link from a newsletter to a site that requires
authentication.

'''The Request'''

My request is that the setting of session.referer_check be decoupled from
the 'medium' and 'high' security settings so that the benefits of these
settings (lower session timeouts and Cake ID regeneration per request) can
still be used without breaking the user experience for sites which require
authentication.

Making it a config option in core.php would be more explicit, which I think
in this case would be a good thing. I spent some time figuring out what
was going on before knowing where to look in the docs, where I found the
reference to session.referer_check (I know, RTFM). A reference of the PHP
ini directives overridden by Cake may also be useful, but that's a
different topic...

I hope all this makes sense.

Cheers,
Alex B-W.
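The nine-step flow in the ticket, modelled as a stand-alone PHP script. This is an added example, not CakePHP's own code: it reproduces PHP's session.referer_check rule (the session id is discarded only when a Referer header is present and does not contain the configured substring) and a minimal stand-in for the Auth.redirect round trip, then runs the newsletter click once with the check bound to the site host and once with it switched off. The hosts, URLs and the $session array are constructed for the illustration; the point it makes visible is that the 302 to the login page still carries the external Referer, so the stored Auth.redirect is lost on that second request.

```php
<?php
// Added example (not CakePHP code): models PHP's session.referer_check rule
// and the Auth.redirect chain from the ticket. All hosts, URLs and the
// $session array below are constructed for this illustration.

// PHP's rule: when session.referer_check is a non-empty substring and the
// request carries a Referer that does NOT contain it, the session id is
// discarded and a fresh session starts. Requests with no Referer at all
// are never rejected by this check.
function sessionSurvivesRefererCheck($referer, $refererCheck)
{
    if ($refererCheck === '' || $referer === null || $referer === '') {
        return true;
    }
    return strpos($referer, $refererCheck) !== false;
}

// One simulated request. $session is the server-side session data, passed by
// reference so a failed check wipes it the way PHP would. Returns the URL the
// browser is redirected to, or null when the login form is rendered.
function handleRequest(&$session, $referer, $refererCheck, $url, $loggedIn)
{
    if (!sessionSurvivesRefererCheck($referer, $refererCheck)) {
        $session = array();             // session started afresh
    }
    if ($loggedIn) {
        // Auth: authenticated, send the user wherever Auth.redirect points
        $target = isset($session['Auth.redirect']) ? $session['Auth.redirect'] : '/';
        unset($session['Auth.redirect']);
        return $target;
    }
    if ($url !== '/users/login') {
        // Auth: not logged in, remember the destination and bounce to login
        $session['Auth.redirect'] = $url;
        return '/users/login';
    }
    // Auth on the login page: nothing stored, so it falls back to the Referer
    if (!isset($session['Auth.redirect'])) {
        $session['Auth.redirect'] = $referer;
    }
    return null;
}

// Runs the ticket's scenario and returns where the user finally lands.
function runNewsletterScenario($refererCheck)
{
    $session  = array();
    $webmail  = 'http://mail.example.net/inbox';      // constructed external referer
    $site     = 'http://www.example.org';             // constructed site

    // Steps 1-4: click from the newsletter, external Referer
    $next = handleRequest($session, $webmail, $refererCheck, '/news/view/42', false);
    // Steps 5-6: browser follows the 302; the original (external) Referer is kept
    handleRequest($session, $webmail, $refererCheck, $next, false);
    // Steps 7-9: login form posted from the site's own login page
    return handleRequest($session, $site . '/users/login', $refererCheck, '/users/login', true);
}

// Security.level 'high'/'medium' per the ticket: referer_check bound to the host
echo runNewsletterScenario('www.example.org'), "\n";
// Referer check decoupled (directive empty, as ini_set('session.referer_check', '') would do)
echo runNewsletterScenario(''), "\n";
```

With the check bound to the host the script ends at the webmail URL, exactly as the ticket reports; with the directive empty it ends at the article path. The other protections the reporter wants to keep (shorter session timeouts, session id regeneration) do not depend on the Referer header, which is why turning only this directive off leaves them intact.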
--
Ticket URL: <https://trac.cakephp.org/ticket/5605>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>