At some point in time it was the intention that session ids would not
be renewed for Ajax requests.
From changeset 5982: Session ids are no longer renewed if a request
is from Ajax, or from requestAction(); when Security.level (1.2) or
CAKE_SECURITY (1.1) is set to 'high', renewing of the session id only
happens if the request is 2 seconds after the last request.

The 2 seconds threshold is still there in 1.2 RC3.


On Nov 11, 7:37 am, AD7six <[EMAIL PROTECTED]> wrote:
> On Nov 11, 8:15 am, Serge Rodovnichenko <[EMAIL PROTECTED]> wrote:
>
> > Thanks, Gwoo. This helps :-)
>
> > Where to get more information about behaviour of security levels?
>
> > I think in 'high' level Cake performs a Referrer check. This is why I
> > lose sessions in case described above.
>
> It does, but that probably isn't relevant. With high security the
> session id changes on each request (as mentioned previously in the
> thread)
>
> So normally you would have:
>
> GET / sessionid = void
> .... sessionid #1 created
> Response / sessionid = #1
> GET /abc sessionid = #1
> .... sessionid changed to #2
> Response /abc sessionid = #2 <- updated
> GET /def sessionid = #2
> .... sessionid changed to #3
> Response /def sessionid = #3 <- updated
> GET /xyz sessionid = #3
> .... sessionid changed to #4
> Response /xyz sessionid = #4 <- updated
>
> with the sessionid stored in the cookie client side (obviously). On
> the server the session id changes as soon as the request is received.
> Ergo if you send two or more concurrent requests without waiting for
> the response e.g.:
>
> GET / sessionid = void
> .... sessionid #1 created
> Response / sessionid = #1
>     GET /abc sessionid = #1 <- session doesn't exist
>     .... <- session id #2 generated, session id #1 deleted
>     GET /def sessionid = #1 <- session doesn't exist
>     .... Response /def or redirect /users/login sessionid = #new
>
> It isn't quite so simple, but in principle that's what you're looking
> at. If you set security to medium, the session id persists for the
> life of your browser session, hence concurrent requests will not cause
> you to lose your session.
>
> hth,
>
> AD
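
The request sequences traced above can be replayed against a small model. This is an added example, not part of the thread and not CakePHP's session code: `SessionStore`, `handle`, `burst` and the reading of the threshold as "renew only when at least N seconds have passed since the last request" are assumptions made for illustration.

```python
import secrets

class SessionStore:
    """Toy server-side store (hypothetical; not CakePHP's implementation).

    renew_threshold = 0      -> id renewed on every request
    renew_threshold = 2      -> id renewed only if >= 2 s since the last request
    renew_threshold = inf    -> id never renewed
    """
    def __init__(self, renew_threshold=0.0):
        self.renew_threshold = renew_threshold
        self.sessions = {}  # session id -> {"last": time of last request}

    def handle(self, sid, now):
        """Process one request; return (status, session id set in the response)."""
        sess = self.sessions.get(sid)
        if sess is None:
            # No cookie, or a cookie whose id was already rotated away.
            new_sid = secrets.token_hex(8)
            self.sessions[new_sid] = {"last": now}
            return ("new" if sid is None else "lost"), new_sid
        if now - sess["last"] >= self.renew_threshold:
            # Rotate: the old id stops existing as soon as the request arrives.
            del self.sessions[sid]
            sid = secrets.token_hex(8)
            self.sessions[sid] = sess
        sess["last"] = now
        return "ok", sid

def burst(store, gap):
    """Page load at t=0, then two requests sent `gap` seconds later with the
    same cookie, the second one leaving before the first response is read."""
    _, cookie = store.handle(None, now=0.0)
    first, _ = store.handle(cookie, now=gap)
    second, _ = store.handle(cookie, now=gap + 0.05)  # still carries the old id
    return first, second

if __name__ == "__main__":
    # Constructed scenarios, timings chosen for illustration only.
    for label, threshold, gap in [
        ("renew every request", 0.0, 0.5),
        ("2 s threshold, quick burst", 2.0, 0.5),
        ("2 s threshold, burst after idle", 2.0, 3.0),
        ("never renew", float("inf"), 3.0),
    ]:
        print(f"{label:34s} -> {burst(SessionStore(threshold), gap)}")
```

In this model the threshold protects requests that closely follow the previous one, while a concurrent burst arriving after an idle period still reaches the server with an id that has just been rotated.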