On Nov 11, 10:37 am, AD7six <[EMAIL PROTECTED]> wrote:
> On Nov 11, 8:15 am, Serge Rodovnichenko <[EMAIL PROTECTED]> wrote:
>
> > Thanks, Gwoo. This helps :-)
>
> > Where to get more information about behaviour of security levels?
>
> > I think in 'high' level Cake performs Referrer checks. This is why I
> > lose sessions in case described above.
>
> It does, but that probably isn't relevant. With high security the
> session id changes on each request (as mentioned previously in the
> thread)
>
> So normally you would have:
>
> GET / sessionid = void
> .... sessionid #1 created
> Response / sessionid = #1
> GET /abc sessionid = #1
> .... sessionid changed to #2
> Response /abc sessionid = #2 <- updated
> GET /def sessionid = #2
> .... sessionid changed to #3
> Response /def sessionid = #3 <- updated
> GET /xyz sessionid = #3
> .... sessionid changed to #4
> Response /xyz sessionid = #4 <- updated
>
> with the sessionid stored in the cookie client side (obviously). On
> the server the session id changes as soon as the request is received.
> Ergo if you send two or more concurrent requests without waiting for
> the response e.g.:
>
> GET / sessionid = void
> .... sessionid #1 created
> Response / sessionid = #1
>     GET /abc sessionid = #1 <- session doesn't exist
>     .... <- session id #2 generated, session id #1 deleted
>     GET /def sessionid = #1 <- session doesn't exist
>     .... Response /def or redirect /users/login sessionid = #new

Whoops:

GET / sessionid = void
.... sessionid #1 created
Response / sessionid = #1
    GET /abc sessionid = #1 <- session exists
    .... <- session id #2 generated, session id #1 deleted
    GET /def sessionid = #1 <- session doesn't exist
    .... Response /def or redirect /users/login sessionid = #new

So if you have impatient users, asynchronous ajax and/or missing
images/css/js files - you can easily find you get "logged out" often.

hth & is clear,

AD
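
The two request traces above as a toy model, added here as an illustration; it is not part of the original message and is not CakePHP code. The class and function names are hypothetical, and the server is assumed to process the concurrent requests one after another.

```python
from itertools import count


class RotatingSessionServer:
    """Toy server that replaces the session id on every request it receives."""

    def __init__(self):
        self._next = count(1)
        self.sessions = {}  # live session id -> session data

    def _new_id(self):
        return f"#{next(self._next)}"

    def handle(self, path, cookie_sid):
        """Return (status, session id sent back in the response cookie)."""
        if cookie_sid is None:
            status, data = "created", {}
        elif cookie_sid in self.sessions:
            # Known id: carry the data over and delete the old id at once.
            status, data = "ok", self.sessions.pop(cookie_sid)
        else:
            # Id already rotated away by an earlier request: fresh, empty session.
            status, data = "lost", {}
        new_sid = self._new_id()
        self.sessions[new_sid] = data
        return status, new_sid


def sequential(paths):
    """Client waits for each response and sends the updated cookie next time."""
    server = RotatingSessionServer()
    _, sid = server.handle("/", None)
    outcome = []
    for path in paths:
        status, sid = server.handle(path, sid)
        outcome.append((path, status))
    return outcome


def concurrent(paths):
    """Client sends every request before any response arrives: same cookie on all."""
    server = RotatingSessionServer()
    _, sid = server.handle("/", None)
    return [(path, server.handle(path, sid)[0]) for path in paths]


if __name__ == "__main__":
    print(sequential(["/abc", "/def", "/xyz"]))
    print(concurrent(["/abc", "/def"]))
```

A "lost" status corresponds to the `sessionid = #new` response in the trace: the request carried an id the server had already deleted.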