#5782: Auth.redirect session value lost when linking from external site.
-----------------------------------------------------+----------------------
 Reporter:  pearj                                    |  Type:         Bug
   Status:  new                                      |  Priority:     Medium
Milestone:  1.2.x.x                                  |  Component:    General
  Version:  RC3                                      |  Severity:     Normal
 Keywords:  session login Auth.redirect external     |  Php_version:  PHP 5
Cake_version:                                        |
-----------------------------------------------------+----------------------

On http://localhost/test.html I have a link to: http://127.0.0.1/cmhr/websites/browse/11/Drug_and_alcohol

cmhr is where CakePHP is installed.

The websites controller is using the Auth component, so the user is redirected to an authentication page, but during the process the session is lost again and CakePHP no longer knows where it's supposed to redirect to, because Auth.redirect is gone, so it redirects to the HTTP_REFERER, which is http://localhost/test.html, after the user logs in.

I did extensive debugging using a PHP debugger, Wireshark and reading the PHP source code for sessions, and I found out some interesting things.

1. Go to http://localhost/test.html

2. Click on http://127.0.0.1/cmhr/websites/browse/11/Drug_and_alcohol (with session cookie CAKEPHP=750c5ad36000dc5c773b3419e922aff1)
   Referer: http://localhost/test.html

3. CakePHP saves /websites/browse/11/Drug_and_alcohol into Auth.redirect and sends an HTTP redirect (HTTP/1.1 302 Found, with Location header) to http://127.0.0.1/cmhr/users/login
   (Server sets session cookie CAKEPHP=1f537fb5f5a1cdb3065920f05b128314)

4. Browser requests http://127.0.0.1/cmhr/users/login (with session cookie CAKEPHP=1f537fb5f5a1cdb3065920f05b128314)
   Referer: http://localhost/test.html

5. Server sends back login page and saves http://localhost/test.html into Auth.redirect
   (Server sets session cookie CAKEPHP=5ee7d212148b93f5ca6c343808b9690d)

6. Browser posts response to http://127.0.0.1/cmhr/users/login (with session cookie CAKEPHP=5ee7d212148b93f5ca6c343808b9690d)
   Referer: http://127.0.0.1/cmhr/users/login

7. Server (CakePHP) sends back HTTP redirect to http://localhost/test.html

And the user is back where they started.

If you look above you'll notice that on step 5 PHP has changed the session key, and because it did that the original Auth.redirect was lost, so when CakePHP realises that, it decides to use the HTTP referer instead, which happens to be the external website.

I also verified this bug on book.cakephp.org. If you create a link from an external site, e.g. http://localhost/test.html, to http://book.cakephp.org/edit/526/How-it-Works you should be presented with a login box, and then after you log in you will be redirected where you came from. I confirmed this with my delicious account too, e.g. I bookmarked http://book.cakephp.org/edit/526/How-it-Works and then clicked on the link, logged in and was redirected back to delicious.

You can confirm this bug by simply clicking on http://book.cakephp.org/edit/526/How-it-Works right here in Trac, logging in, and you should be redirected back here.

I tried all sorts of things, but couldn't get around it, and in the end I went as far as reading the PHP source code. In ext/session/session.c I found the following comment:

{{{
/* check whether the current request was referred to by an external site which invalidates the previously found id */
}}}

Which explains why the session changes on steps 3 and 5.

So to retain the Auth.redirect we have to work around PHP killing the sessions.

I had 3 ideas off the top of my head:

1. We set an auth_redirect cookie when we detect that the referer hostname is different to the current hostname. But the problem with this is that we then lose the session flash message that says "You are not authorized to access that location." or whatever is in $this->authError. But we could probably get around it easily enough by adding the authError message back in when we see the auth_redirect cookie.

2. We append the auth redirect to the login URL, i.e.: users/login?authRedirect=/edit/526/How-it-Works. This would probably be more reliable, especially if cookies are disabled, but it doesn't look as good. I don't think you would need the ?authRedirect in the form action, because the Auth component could just add authRedirect back into the session when the browser requests the login page after it sends the 302 redirect.

3. Remove the HTTP_REFERER. Unfortunately I tried this and it didn't seem to work for me. It seems that PHP can still get access to the HTTP_REFERER even if we unset it from $_SERVER.

--
Ticket URL: <https://trac.cakephp.org/ticket/5782>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
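The reporter's idea 2 carried through as an added example (not code from the ticket or from CakePHP): the post-login target travels in the login URL and is restored on the login page, but only after being checked to be a site-local path, so the `authRedirect` parameter cannot itself become an open redirect and an external Referer is never used as the destination. The session.c comment quoted above is the code path behind PHP's `session.referer_check` setting; the helper names `isLocalRedirect`, `loginUrlFor` and `resolveRedirect` are assumptions of this example.

```php
<?php
// Added example, not from the ticket or CakePHP: carry the post-login target in the
// login URL (the ticket's idea 2) and validate it before trusting it.

// Accept only a site-local path as a post-login target. Absolute URLs,
// scheme-relative "//host" forms and header-splitting control characters are refused.
function isLocalRedirect(string $target): bool
{
    if ($target === '' || $target[0] !== '/') {
        return false;
    }
    if (strlen($target) > 1 && ($target[1] === '/' || $target[1] === '\\')) {
        return false; // browsers treat "//host/..." and "/\host/..." as another host
    }
    if (preg_match('/[\r\n]/', $target)) {
        return false; // would split the Location header
    }
    return parse_url($target, PHP_URL_HOST) === null;
}

// Build the login URL the 302 in step 3 would point at (hypothetical helper).
function loginUrlFor(string $base, string $target): string
{
    return $base . '/users/login?authRedirect=' . rawurlencode($target);
}

// On the login page: use the query-string target if it is local; otherwise trust
// the Referer only when it is on our own host; otherwise fall back to a default.
// In the ticket "localhost" and "127.0.0.1" are different hosts, so the external
// referer from step 7 never becomes the destination.
function resolveRedirect(?string $param, ?string $referer, string $ownHost, string $default = '/'): string
{
    if ($param !== null && isLocalRedirect($param)) {
        return $param;
    }
    if ($referer !== null) {
        $parts = parse_url($referer);
        if (isset($parts['host'], $parts['path'])
            && strcasecmp($parts['host'], $ownHost) === 0
            && isLocalRedirect($parts['path'])) {
            return $parts['path'];
        }
    }
    return $default;
}

// Constructed inputs mirroring the ticket's flow.
echo loginUrlFor('http://127.0.0.1/cmhr', '/websites/browse/11/Drug_and_alcohol'), "\n";
echo resolveRedirect('/websites/browse/11/Drug_and_alcohol', 'http://localhost/test.html', '127.0.0.1'), "\n";
echo resolveRedirect('//other.example/', 'http://localhost/test.html', '127.0.0.1'), "\n";
```

The third call shows the failure mode a defender cares about: a scheme-relative target is rejected and the external referer is ignored, so the user lands on the default page instead of being sent off-site.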