#5605: session.referer_check PHP ini var should be decoupled from 'High' and 'Medium' Session Security levels
-------------------------------------------+--------------------------------
     Reporter:  Alexbw                     |          Type:  Enhancement
       Status:  new                        |      Priority:  Medium
    Milestone:  1.2.x.x                    |     Component:  Session
      Version:  RC3                        |      Severity:  Normal
     Keywords:  session, referer, security |   Php_version:  PHP 4 >= 4.3.2
 Cake_version:                             |
-------------------------------------------+--------------------------------

'''Background'''

When Security.level is set to 'High' or 'Medium' in Cake's config, the PHP ini directive session.referer_check is set. This results in any clients accessing the site with an external referer set having their session restarted/killed off.

I appreciate that this is by design. However, one of the sites I've been involved in deploying has a weekly newsletter sent out to users with links to specific content, i.e. of the form '/[controller]/[action]/[arg]'. The site requires users to log in, so when a (not logged in) user clicks a link in a webmail client such as Yahoo! this is roughly what happens:

1. session.referer_check is made and fails; the user's session is started afresh
2. Auth identifies the user isn't logged in
3. Auth stores the destination URL in session (in Auth.redirect)
4. Auth redirects the browser to the login page
5. session.referer_check is made and fails; the user's session is started afresh
6. Auth checks for Auth.redirect, not found, so sets Auth.redirect to the (external) referer
7. User submits login
8. Auth authenticates and redirects to Auth.redirect
9. User gets sent back to the newsletter in the webmail client

'''The Fix'''

Setting Security.level to 'low' fixes this behaviour to what you'd expect to happen when following a link from a newsletter to a site that requires authentication.

'''The Request'''

My request is that the setting of session.referer_check is decoupled from the 'medium' and 'high' security settings so that the benefits of these settings (lower session timeouts and Cake ID regeneration per request) can still be used without breaking the user experience for sites which require authentication.

Making it a config option in core.php would be more explicit, which I think in this case would be a good thing. I spent some time figuring out what was going on before knowing where to look in the docs, where I found the reference to session.referer_check (I know, RTFM). A reference of the PHP ini directives overridden by Cake may also be useful, but that's a different topic...

I hope all this makes sense.

Cheers,
Alex B-W.

--
Ticket URL: <https://trac.cakephp.org/ticket/5605>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
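The nine-step flow in the ticket can be walked through in plain PHP. The script below is an added example, not CakePHP code and not the reporter's: it emulates the rule PHP applies for session.referer_check (if the client sent a Referer and the configured substring is not found in it, the session id presented by the client is treated as invalid and an empty session starts) and runs the newsletter scenario once with the check set to the site's host and once with it empty, which is the difference between the 'medium'/'high' and 'low' levels the ticket describes. The hosts, paths and the exact Auth fallback behaviour are constructed assumptions for illustration.

```php
<?php
// Added example (not CakePHP code): emulates PHP's session.referer_check rule
// and walks the ticket's newsletter flow to show how Auth.redirect gets lost.

// PHP's rule: when a Referer was sent and does NOT contain the configured
// substring, the client's session id is considered invalid (fresh session).
// No Referer at all (typed URL, bookmark) passes the check.
function referer_check_passes(?string $referer, string $check): bool
{
    if ($check === '' || $referer === null || $referer === '') {
        return true;
    }
    return strpos($referer, $check) !== false;
}

// Simulated session load for one request: keep the stored data only when the
// referer check passes, otherwise start from an empty session.
function load_session(array $session, ?string $referer, string $check): array
{
    return referer_check_passes($referer, $check) ? $session : [];
}

// Runs the ticket's steps 1-9 and returns where the user ends up after login.
function newsletter_flow(string $check): array
{
    $site    = 'http://www.example.com';         // constructed: the Cake site
    $webmail = 'http://mail.example.net/inbox';  // constructed: external referer
    $target  = '/posts/view/42';                 // constructed: newsletter link
    $session = [];
    $trace   = [];

    // Steps 1-4: the click arrives with the webmail page as Referer.
    $session = load_session($session, $webmail, $check);
    $session['Auth.redirect'] = $target;         // Auth remembers the destination
    $trace['after_click'] = $session['Auth.redirect'];

    // Steps 5-6: the browser follows the redirect to the login page, still
    // carrying the external Referer (per the ticket the check fails again).
    $session = load_session($session, $webmail, $check);
    if (!isset($session['Auth.redirect'])) {
        $session['Auth.redirect'] = $webmail;    // assumed fallback to the referer
    }
    $trace['at_login'] = $session['Auth.redirect'];

    // Steps 7-9: the login form is posted from the site itself, so the
    // Referer is internal and the session survives; Auth redirects to
    // whatever Auth.redirect now holds.
    $session = load_session($session, $site . '/users/login', $check);
    $trace['after_login'] = $session['Auth.redirect'];

    return $trace;
}

// With referer_check set (as with 'high'/'medium'): after_login is the webmail URL.
print_r(newsletter_flow('www.example.com'));
// With referer_check empty (as with 'low'): after_login is /posts/view/42.
print_r(newsletter_flow(''));
```

The example also shows why the check is a weak defence on its own: a request with no Referer header passes it, so it only ever affects clients that do send one, which is exactly the legitimate newsletter traffic the ticket is about.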