#5985: Decouple cookie_lifetime from security level
--------------------------+-------------------------------------------------
    Reporter:  PHPdiddy   |          Type:  Security Exploit
      Status:  new        |      Priority:  High            
   Milestone:  1.2.x.x    |     Component:  Session         
     Version:  1.2 Final  |      Severity:  Major           
    Keywords:             |   Php_version:  PHP 5           
Cake_version:             |  
--------------------------+-------------------------------------------------
 Since a number of hosts have issues with Security.level = high and the
 common fix is to set to medium, it would be nice to still have control
 over the cookie_lifetime independently.

 I need to use Security.level = medium for my site to function properly,
 but doing so causes session cookies to be kept even after a browser close.
 This is a big security risk that could cause account hijacks on public
 systems.

 I feel this is a major problem considering that many users having session
 issues are advised to use Security.level = medium.

-- 
Ticket URL: <https://trac.cakephp.org/ticket/5985>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
Cake is a rapid development framework for PHP which uses commonly known design 
patterns like ActiveRecord, Association Data Mapping, Front Controller and MVC. 
Our primary goal is to provide a structured framework that enables PHP users at 
all levels to rapidly develop robust web applications, without any loss to 
flexibility.
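
One way to check a deployment for the behaviour this ticket describes, as an added example (not CakePHP code and not from the reporter): it reads Set-Cookie header values and reports session-id cookies that carry Expires or Max-Age and so survive a browser close. The cookie name CAKEPHP, the sample headers and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


def cookie_lifetime(set_cookie, now):
    """Return (name, seconds) for one Set-Cookie value.

    seconds is None for a session cookie (no Expires/Max-Age, dropped when
    the browser closes), otherwise how long the browser will keep it.
    """
    first, *attrs = [part.strip() for part in set_cookie.split(";")]
    name = first.split("=", 1)[0]
    max_age = expires = None
    for attr in attrs:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        try:
            if key == "max-age":
                max_age = int(value)
            elif key == "expires":
                expires = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            pass  # a malformed attribute is ignored, as browsers do
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        return name, max(max_age, 0)
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, max(int((expires - now).total_seconds()), 0)
    return name, None


def persistent_session_cookies(headers, session_names, now):
    """List (name, seconds) for session-id cookies that outlive the browser."""
    found = []
    for header in headers:
        name, seconds = cookie_lifetime(header, now)
        if name in session_names and seconds:
            found.append((name, seconds))
    return found


# Constructed sample responses; CAKEPHP is assumed to be the session cookie name.
NOW = datetime(2009, 1, 7, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    "CAKEPHP=abc123; path=/",
    "CAKEPHP=abc123; expires=Wed, 14 Jan 2009 12:00:00 GMT; path=/",
    "theme=dark; Max-Age=86400; path=/",
]
```

Calling `persistent_session_cookies(SAMPLE, {"CAKEPHP"}, NOW)` flags only the second header; the non-session `theme` cookie is ignored even though it is persistent.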