This often times has to do with how PHP's session is setup. The Cake
Session object is a wrapper class around the PHP Session so your still
using the servers session if you want to understand Cake's Session it
would be worth your time to learn the basics of php $_SESSION and what
can be done with it.
One common problem is if the link you are following is from a
different HOST the php session has a session.referer_check which is
set to the HTTPS_HOST for security high and to HTTP_HOST for security
medium, it is not set for security low. This causes the session to be
reset if the referer is not the host that is being called. In other
words if you followed a link from an email or some other server that
points to your app. This also presents when going back and forth
between the root app/domain and a root/sub app/domain because the the
HTTP_HOST can changes (if one site is using blah.blah.com and the
other is using localhost or ip address)
Often we all have code to read in a cookie to remember a user that has
previously logged in. This often just masks and hides the problem. So
we don't notice most of the time when the session was dropped until we
start to rely on a saved value that we thought we saved to the session
or when the user cookie expires and we are redirected to the login
page. So these often times appear very random when in reality they are
not. If your having what appears to be intermediate session lost, its
very likely its occurring more than you think. Some debugging is
needed.
The only difference I can determine between security medium and
security low is timeout duration and setting the php
session.referer_check. I was always concerned about using low, but
I've learned that medium and high only get in the way. So I use low
and deal with security measures in my app_controller to control which
referer I allow to access specific controller actions. This is better
anyway (for my app) as before it was all or nothing.
To monitor your session info and see when its changing I place some
log statements in my app_controller beforeFilter and or beforeRender.
$this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', request:'.
$this->name.'.'.$this->action,LOG_DEBUG);
$this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.',
Session.id:'.$this->Session->id(),LOG_DEBUG);
$this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.',
Session.error:'.print_r($this->Session,true),LOG_DEBUG);
I use the third line to get some detailed debugging, one thing you'll
notice is the sessions error will be set to "Config doesn't exist" and
the Session will still be valid. With referer_check set or security
set to medium or high, any link pointing to your site from another
host will have this error and the session will restart on the
following redirect (which is valid behavior most of the time). This
was a problem for me as I was passing control from an asp server to a
cakephp server using a user token and telling Auth to log the user in.
The user would get logged in and then I would redirect to the intended
controller action at which point the session would reset and the user
would be asked to login anyways. Setting security to low cleared this
up.
I hope this helps some of you I know I spent two days debugging and
trying to understand exactly what was going on with my session. The
loggin mentioned above proved to be the most help. Be concerned if you
see alot of sessions with the error "Config doesn't exist" and try
setting security to low.
LunarDraco
Check out the new CakePHP Questions site
http://cakeqs.org and help others with their CakePHP related questions.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to
[hidden email]
To unsubscribe from this group, send email to
[hidden email] For more options, visit this group at
http://groups.google.com/group/cake-php?hl=enTo unsubscribe from this group, send email to cake-php+unsubscribegooglegroups.com or reply to this email with the words "REMOVE ME" as the subject.
Locked
