I just made

        Configure::write('Security.level', 'low');

and now everything's working fine...

Seems like in medium or high security Cake makes a double check for the
referer...  but with low security it works fine when clicking auth-protected
links from external sites like Hotmail or Yahoo

Adrianifero

On Nov 24, 1:24 am, Adrianifero <[EMAIL PROTECTED]> wrote:
> I'm night coding just because of this behavior...     Found people get wrongly
> redirected when coming from external sites...
>
> I hope your research brings new light on this topic!
>
> Adrianifero
>
> On Nov 20, 9:09 pm, Joel <[EMAIL PROTECTED]> wrote:
>
> > Hi,
>
> > I have a rather annoying problem in the last few days, after lots of
> > debugging I found it was a problem with the way php handles sessions
> > and how cakephp handles links coming in from external websites.
>
> > I created a bug in Trac here:https://trac.cakephp.org/ticket/5782
>
> > Here is the issue:
>
> > On http://locahost/test.html
> > I have a link to: http://127.0.0.1/cmhr/websites/browse/11/Drug_and_alcohol
> > cmhr is where CakePHP is installed.
>
> > The websites controller is using the Auth component so the user is
> > redirected to an authentication page, but during the process the
> > session is lost again and CakePHP no longer knows where it's supposed
> > to redirect to because Auth.redirect is gone, so it redirects to the
> > HTTP_REFERER, which is http://locahost/test.html, after the user logs
> > in.
>
> > I did extensive debugging both using a PHP debugger, wireshark and
> > reading the php source code for sessions and I found out some
> > interesting things.
>
> > 1. Go to http://locahost/test.html
>
> > 2. Click on http://127.0.0.1/cmhr/websites/browse/11/Drug_and_alcohol
> > (with session cookie CAKEPHP=750c5ad36000dc5c773b3419e922aff1)
> > Referer: http://localhost/test.html
>
> > 3. CakePHP saves /websites/browse/11/Drug_and_alcohol into
> > Auth.redirect and sends an HTTP redirect (HTTP/1.1 302 Found, with
> > Location header) to http://127.0.0.1/cmhr/users/login (Server sets
> > Session cookie CAKEPHP=1f537fb5f5a1cdb3065920f05b128314)
>
> > 4. Browser requests http://127.0.0.1/cmhr/users/login (with session
> > cookie CAKEPHP=1f537fb5f5a1cdb3065920f05b128314)
> > Referer: http://localhost/test.html
>
> > 5. Server sends back login page and saves http://localhost/test.html
> > into Auth.redirect (Server sets Session cookie
> > CAKEPHP=5ee7d212148b93f5ca6c343808b9690d)
>
> > 6. Browser posts response to http://127.0.0.1/cmhr/users/login (with
> > session cookie CAKEPHP=5ee7d212148b93f5ca6c343808b9690d)
> > Referer: http://127.0.0.1/cmhr/users/login
>
> > 7. Server (CakePHP) sends back HTTP redirect to http://locahost/test.html
>
> > And the user is back where they started.
>
> > If you look above you'll notice that on step 5 PHP has changed the
> > session key, and because it did that the original Auth.redirect was
> > lost, so when CakePHP realises that it decides to use the HTTP referer
> > instead, which happens to be the external website.
>
> > I also verified this bug on book.cakephp.org: if you create a link
> > from an external site, e.g. from http://localhost/test.html to
> > http://book.cakephp.org/edit/526/How-it-W..., you should be presented
> > with a login box, and then after you login you will be redirected
> > where you came from.  I confirmed this with my delicious account too.
> > E.g. I bookmarked http://book.cakephp.org/edit/526/How-it-Works and then
> > clicked on the link, logged in and was redirected back to delicious.
>
> > I tried all sorts of things, but couldn't get around it, and in the
> > end I went as far as reading the PHP source code.
> > In ext/session/session.c I found the following comment:
>
> >  /* check whether the current request was referred to by
> >     an external site which invalidates the previously found id */
>
> > Which explains why the session changes on steps 3 and 5.
>
> > So to retain the Auth.redirect we have to work around PHP killing the
> > sessions.
>
> > I had 3 ideas off the top of my head:
>
> > 1. We set an auth_redirect cookie when we detect that the referer
> > hostname is different to the current hostname.  But the problem with this
> > is that we then lose the session flash message that says "You are not
> > authorized to access that location." or whatever is in $this->authError.
> > But we could probably get around it easily enough by adding the
> > authError message back in when we see the auth_redirect cookie.
>
> > 2. We append the auth redirect to the login url, i.e.:
> > users/login?authRedirect=/edit/526/How-it-Works.  This would probably be
> > more reliable, especially if cookies are disabled, but it doesn't look as
> > good.  I don't think you would need the ?authRedirect in the form
> > action because the auth component could just add authRedirect back
> > into the session when the browser requests the login page after it
> > sends the 302 redirect.
>
> > 3. Remove the HTTP_REFERER; unfortunately I tried this and it didn't
> > seem to work for me.  It seems that PHP can still get access to the
> > HTTP_REFERER even if we unset it from $_SERVER.
>
> > Cheers,
>
> > -Joel
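One way to implement Joel's second idea (example code added here; it is not CakePHP's code and not from anyone in the thread): the target path rides on the login URL so it survives the session id being replaced by PHP's referer check, and the login page copies it back into the new session. It assumes the login URL /cmhr/users/login and the parameter name authRedirect from the post, and adds a local-path check the post does not mention so the parameter can only ever send the user to a path on the same host.

```php
<?php
// Added example, not CakePHP code. Carries Auth.redirect on the login URL
// when the referer is external, and only accepts local paths on the way back.

// Mirror the substring test PHP applies when session.referer_check is set:
// a Referer that does not contain the configured string invalidates the id.
function refererIsExternal(?string $referer, string $refererCheck): bool
{
    if ($referer === null || $referer === '' || $refererCheck === '') {
        return false;
    }
    return strpos($referer, $refererCheck) === false;
}

// Accept only an absolute path on this host: one leading slash, no
// protocol-relative "//host" form, no backslash, no CR/LF, no host part.
function isLocalPath(string $target): bool
{
    return $target !== ''
        && $target[0] === '/'
        && substr($target, 0, 2) !== '//'
        && strpos($target, '\\') === false
        && preg_match('/[\r\n]/', $target) === 0
        && !parse_url($target, PHP_URL_HOST);
}

// Build the 302 target for step 3. The query parameter is added only when
// the referer is external; otherwise the session copy of Auth.redirect is enough.
function loginUrl(string $target, ?string $referer, string $refererCheck): string
{
    $url = '/cmhr/users/login';
    if (refererIsExternal($referer, $refererCheck) && isLocalPath($target)) {
        $url .= '?authRedirect=' . rawurlencode($target);
    }
    return $url;
}

// Step 4, on the login page: restore Auth.redirect into the (new) session,
// but only after the same validation as above.
function restoreAuthRedirect(array $query, array &$session): void
{
    $candidate = $query['authRedirect'] ?? null;
    if (is_string($candidate) && isLocalPath($candidate)) {
        $session['Auth.redirect'] = $candidate;
    }
}

// Constructed sample reproducing steps 2 to 4 of the report.
$session = [];
$url = loginUrl('/websites/browse/11/Drug_and_alcohol', 'http://localhost/test.html', '127.0.0.1');
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
restoreAuthRedirect($query, $session);
echo $url, "\n", $session['Auth.redirect'] ?? '(none)', "\n";
```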