#6271: Solution to #5254 does not allow for "opting out" of the security measure
------------------------+---------------------------------------------------
Reporter: Ocean | Owner:
Type: RFC | Status: new
Priority: Medium | Milestone: 1.2.x.x
Component: Session | Version: 1.2 Final
Severity: Normal | Resolution:
Keywords: | Php_version: n/a
Cake_version: |
------------------------+---------------------------------------------------
Comment (by Ocean):
... thought about it some more...
... the following allows you to "opt-out": -
{{{
app/config/core.php
/**
 * When set to false, cookie_secure will not automatically be set in an
 * HTTPS environment (anti "Surf Jacking":
 * http://resources.enablesecurity.com/resources/Surf%20Jacking.pdf)
 */
Configure::write('Session.cookieSecure', true);
}}}
... a method is provided to secure/un-secure a session: -
{{{
cake/libs/session.php
/**
 * Helper method to secure / un-secure the session cookie.
 *
 * @param boolean $secure true to set the Secure flag (when allowed), false to clear it
 * @return void
 * @access public
 */
function secureCookie($secure = true) {
	if (!function_exists('ini_set')) {
		return;
	}
	if ($secure && env('HTTPS') && Configure::read('Session.cookieSecure')) {
		// Secure flag: browsers will no longer send the cookie over plain HTTP
		ini_set('session.cookie_secure', 1);
	} elseif (!$secure) {
		// Explicit opt-out: allow the cookie over HTTP again
		ini_set('session.cookie_secure', 0);
	}
}
}}}
... the session is secured on logging in, and un-secured on logging out: -
{{{
function login($data = null) {
	$this->__setDefaults();
	$this->_loggedIn = false;
	if (empty($data)) {
		$data = $this->data;
	}
	if ($user = $this->identify($data)) {
		$this->Session->secureCookie(true); // secure cookie on logging in
		$this->Session->write($this->sessionKey, $user);
		$this->_loggedIn = true;
	}
	return $this->_loggedIn;
}

function logout() {
	$this->__setDefaults();
	$this->Session->del($this->sessionKey);
	$this->Session->del('Auth.redirect');
	$this->Session->secureCookie(false); // un-secure cookie on logging out
	$this->_loggedIn = false;
	return Router::normalize($this->logoutRedirect);
}
}}}
... how's that?
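As an added example that is not part of the ticket or of CakePHP: a small audit of a response's Set-Cookie headers for the exposure this change targets, a session cookie issued over HTTPS without the Secure flag. The cookie name CAKEPHP and the sample headers are constructed assumptions.

```python
# Added example (not CakePHP code): audit Set-Cookie headers for the
# condition the ticket addresses, a session cookie issued over HTTPS
# without the Secure flag, which a browser would then also send over
# plain HTTP (the "Surf Jacking" exposure). The cookie name CAKEPHP and
# the sample headers below are constructed assumptions.
from typing import Dict, List, Tuple

Attrs = Dict[str, object]


def parse_set_cookie(header: str) -> Tuple[str, str, Attrs]:
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to True, valued ones (path, expires) to their string.
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs: Attrs = {}
    for part in parts[1:]:
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_session_cookie(headers: List[str], over_https: bool,
                         session_name: str = "CAKEPHP") -> List[str]:
    """Return findings for the session cookie among the given headers."""
    findings: List[str] = []
    seen = False
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if name != session_name:
            continue
        seen = True
        if over_https and "secure" not in attrs:
            findings.append("session cookie set over HTTPS without Secure")
        if "httponly" not in attrs:
            findings.append("session cookie lacks HttpOnly")
    if not seen:
        findings.append("no Set-Cookie for session cookie %s" % session_name)
    return findings


# Constructed sample responses: before and after the ticket's change.
BEFORE = ["CAKEPHP=d41d8cd98f00b204; path=/", "lang=en; path=/"]
AFTER = ["CAKEPHP=d41d8cd98f00b204; path=/; secure; HttpOnly"]

if __name__ == "__main__":
    print(audit_session_cookie(BEFORE, over_https=True))
    print(audit_session_cookie(AFTER, over_https=True))
```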
--
Ticket URL: <https://trac.cakephp.org/ticket/6271#comment:2>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>