#6271: Solution to #5254 does not allow for "opting out" of the security measure
--------------------------+-------------------------------------------------
    Reporter:  Ocean      |          Type:  RFC    
      Status:  new        |      Priority:  Medium 
   Milestone:  1.2.x.x    |     Component:  Session
     Version:  1.2 Final  |      Severity:  Normal 
    Keywords:             |   Php_version:  n/a    
Cake_version:             |  
--------------------------+-------------------------------------------------
 Hi there Gwoo,

 I probably (definitely) didn't explain myself very well.

 This solution (#5254) does not allow for "opting out" of the security
 measure, or handling the issue in a more complex manner.

 Moving the fix to the security level conditional...

 switch ($this->security) {
         case 'high': // or maybe a new (even more paranoid) security level
                 $this->cookieLifeTime = 0;
                 if ($iniSet) {
                         ini_set('session.referer_check', $this->host);
                         if (env('HTTPS')) {
                                 ini_set('session.cookie_secure', 1);
                         }
                 }
 ...

 ... or adding a switch to config/core.php...

 ... would allow for a usage scenario where the session is used for storing
 non-confidential data, and not used for authentication, and the SSL
 connection is used in a stateless manner to transmit/receive confidential
 data (the connection needs to be secure, but the session does not).

 Does this make sense?

-- 
Ticket URL: <https://trac.cakephp.org/ticket/6271>
CakePHP : The Rapid Development Framework for PHP <https://trac.cakephp.org/>
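The proposal above, worked through as a complete PHP function (an added example, not code from the ticket or from CakePHP): the Secure-cookie and referer-check hardening stays under the 'high' security level, and an assumed core.php switch, here named Security.cookieSecure, lets an application whose session holds only non-confidential data opt out while its HTTPS transport stays enforced elsewhere. The function name sessionIniSettings and the config key are assumptions for illustration.

```php
<?php
/**
 * Return the session ini settings a given security level would apply.
 * Added example, not CakePHP code. $config['Security.cookieSecure'] is an
 * assumed core.php switch: an explicit false opts out of the Secure cookie
 * flag for sessions that carry no credentials (the ticket's use case).
 */
function sessionIniSettings(string $level, bool $https, string $host, array $config = []): array
{
    $settings = [];
    // Default to enforcing the flag; only an explicit false opts out,
    // so a missing key never silently weakens the configuration.
    $secureCookie = $config['Security.cookieSecure'] ?? true;

    switch ($level) {
        case 'high':
            // Reject requests whose Referer does not contain the host,
            // and on HTTPS mark the cookie Secure so the browser never
            // sends the session id over a clear-text connection.
            $settings['session.referer_check'] = $host;
            if ($https && $secureCookie) {
                $settings['session.cookie_secure'] = 1;
            }
            break;
        default:
            // Lower levels: no extra hardening applied here.
            break;
    }
    return $settings;
}

// Apply the computed settings; must run before session_start().
function applySessionIni(array $settings): void
{
    foreach ($settings as $key => $value) {
        ini_set($key, (string)$value);
    }
}

// 'high' over HTTPS with the default switch: Secure flag is set.
$hardened = sessionIniSettings('high', true, 'example.com');

// Same level and transport, but the application opted out in core.php:
// the connection is still HTTPS, the session cookie just is not bound to it.
$optedOut = sessionIniSettings('high', true, 'example.com',
    ['Security.cookieSecure' => false]);
```

With the opt-out set, session.referer_check is still applied; only the cookie_secure flag is dropped, which is the narrow relaxation the ticket asks for.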