#5985: Decouple cookie_lifetime from security level
--------------------------+-------------------------------------------------
    Reporter:  PHPdiddy   |          Type:  Security Exploit
      Status:  new        |      Priority:  High
   Milestone:  1.2.x.x    |     Component:  Session
     Version:  1.2 Final  |      Severity:  Major
    Keywords:             |   Php_version:  PHP 5
Cake_version:             |
--------------------------+-------------------------------------------------
 Since a number of hosts have issues with Security.level = high and the common fix is to set to medium, it would be nice to still have control over the cookie_lifetime independently.

 I need to use Security.level = medium for my site to function properly, but doing so causes session cookies to be kept even after a browser close. This is a big security risk that could cause account hijacks on public systems. I feel this is a major problem considering that many users having session issues are advised to use security.level = medium.

--
Ticket URL: <https://trac.cakephp.org/ticket/5985>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
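
One way to check for the behaviour reported in this ticket from outside the application is to classify the Set-Cookie headers a site returns as session-only or persistent. This is an added example, not part of the ticket or of CakePHP's code; the function names are hypothetical, the sample headers are constructed, and the cookie name CAKEPHP is an assumption.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample headers; the cookie name CAKEPHP is assumed.
SAMPLE_HEADERS = [
    "CAKEPHP=abc123; path=/",
    "CAKEPHP=abc123; expires=Thu, 08 Jan 2009 00:00:00 GMT; path=/",
    "CAKEPHP=abc123; Expires=Thu, 08 Jan 2009 00:00:00 GMT; Max-Age=0; path=/",
]


def cookie_persistence(set_cookie, now=None):
    """Return (name, kind, seconds_left) for one Set-Cookie header value.

    kind: 'session' (dropped on browser close), 'persistent' (survives a
    browser close) or 'expired' (the server is deleting the cookie).
    """
    now = now or datetime.now(timezone.utc)
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        try:
            if key == "max-age":
                max_age = int(value)
            elif key == "expires":
                expires = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            pass  # malformed attribute: browsers ignore it
    if max_age is not None:  # Max-Age takes precedence over Expires (RFC 6265)
        seconds = max_age
    elif expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        seconds = int((expires - now).total_seconds())
    else:
        return name, "session", None
    return name, ("persistent" if seconds > 0 else "expired"), seconds


def persistent_cookies(headers, now=None):
    """Names and lifetimes of cookies that would survive a browser close."""
    results = (cookie_persistence(h, now) for h in headers)
    return [(n, s) for n, kind, s in results if kind == "persistent"]


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(cookie_persistence(header))
```

A session cookie that shows up in the output of persistent_cookies() is one that stays in the browser after it is closed, which is the exposure on shared machines that the reporter describes.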