#5923: Session security check fails with reverse proxy
------------------------+---------------------------------------------------
    Reporter:  ablivio  |          Type:  Bug    
      Status:  new      |      Priority:  Medium 
   Milestone:  1.2.x.x  |     Component:  Session
     Version:  RC4      |      Severity:  Major  
    Keywords:  session  |   Php_version:  n/a    
Cake_version:           |  
------------------------+---------------------------------------------------
 $session->host is initialized using env('HTTP_HOST'). (session.php:142)

 It is later used to check referers:
 ini_set('session.referer_check', $this->host); (session.php:435 &
 session.php:441)

 However, when the application is on a server behind a reverse proxy,
 HTTP_HOST gives the name of the actual (internal) server, which is not the
 one that should be used to check referers.

 As a consequence, unless Security level is set to 'low', sessions will be
 invalidated because the referer is seen as wrong.

 Proposed fix:
 - allow the definition of a 'HOST' constant (e.g. in webroot/index.php)
 - check if this constant is defined and set $session->host accordingly,
 otherwise use HTTP_HOST

-- 
Ticket URL: <https://trac.cakephp.org/ticket/5923>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
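As an added illustration (not code from the ticket or from CakePHP), the host resolution the ticket proposes next to the current HTTP_HOST-only behaviour, with a small emulation of PHP's session.referer_check so the reverse-proxy failure is visible. The function names, the HOST value and the request values are constructed for this example.

```php
<?php
// Added example (not CakePHP code): resolving the host used for
// session.referer_check when the app sits behind a reverse proxy.
// resolveSessionHost, refererCheckPasses and the HOST value are
// assumptions for illustration; the ticket only proposes a HOST constant.

// Would live in webroot/index.php, set by the deployer to the public
// name that browsers actually see (constructed value).
define('HOST', 'www.example.com');

// Ticket's proposed rule: prefer the configured constant, else HTTP_HOST.
function resolveSessionHost(array $server, bool $useConstant = true): string
{
    if ($useConstant && defined('HOST') && HOST !== '') {
        return HOST;
    }
    return $server['HTTP_HOST'] ?? '';
}

// Mirrors PHP's session.referer_check semantics: when a Referer header is
// present it must contain the configured substring, otherwise the session
// id is treated as invalid and a fresh session starts. No Referer, no check.
function refererCheckPasses(string $check, ?string $referer): bool
{
    if ($check === '' || $referer === null) {
        return true;
    }
    return strpos($referer, $check) !== false;
}

// Constructed request as seen by the backend behind the proxy: HTTP_HOST
// carries the internal name, the browser's Referer carries the public one.
$server = [
    'HTTP_HOST'    => 'app-backend.internal:8080',
    'HTTP_REFERER' => 'https://www.example.com/users/login',
];

$buggyHost = resolveSessionHost($server, false);  // current behaviour
$fixedHost = resolveSessionHost($server, true);   // proposed behaviour

foreach ([$buggyHost, $fixedHost] as $host) {
    printf("referer_check=%s -> %s\n", $host,
        refererCheckPasses($host, $server['HTTP_REFERER'])
            ? 'session kept' : 'session invalidated');
}
```

Because PHP's referer_check is a plain substring match, the configured value should be the full public host rather than a short fragment that other origins could also contain.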