Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Session not saving when moving from ssl to non-ssl

Tags:

php

session

cakephp

I have a login screen that I force to be ssl, so like this: https://www.foobar.com/login then after they login, they get moved to the homepage: https://www.foobar.com/dashbaord

However, I want to move people off of SSL once logged in (to save CPU), so just after checking that they are in fact logged in on https://www.foobar.com/dashbaord I move them to http://www.foobar.com/dashbaord

Well this always seems to wipe out the session variables, because when the page runs again, it confirms they are logged in (as all pages do) and session appears not to exist, so it moves them to the login screen.

Oddness/findings:

  1. List item
  2. The second login always works, and happily gets me to http://www.foobar.com/dashbaord
  3. It successfully creates a cookie the first login
  4. If I login twice, then logout, and login again, I don't need two logins (I seem to have traced this to the fact that the cookie exists). If I delete the cookie, I'm back to two logins.
  5. After the second login, I can move from non-ssl from ssl and the session persists.
  6. On the first login, the move to the non-ssl site wipes out the session entirely, manually moving back to the ssl site still forces me to login again.
  7. The second login using the exact same mechanism as the first, over ssl

What I tried:

  1. Playing with Cake's settings for security.level and session.checkagent - nothing
  2. Having cake store the sessions in db (as opposed to file system) - nothing
  3. Testing in FF, IE, Chrome on an XP machine.

So I feel like this is something related to the cookie being created but not being read.

Environment: 1. Debian 2. Apache 2 3. Mysql 4 4. PHP 5 5. CakePHP 6. Sessions are being saved PHP default, as files

like image 262
Justin Avatar asked Nov 21 '08 12:11

Justin

1 Answers

I figured this out. Cake was switching the session.cookie_secure ini value on-the-fly while under SSL connections automatically, So the cookie being created was a secure cookie, which the second page wouldn't recognize.

Solution, comment out /cake/lib/session.php line 420 ish:

ini_set('session.cookie_secure', 1);

(Just search for that to find it, as I'm sure the line # will change as releases come out.)

like image 145
Justin Avatar answered Sep 30 '22 10:09

Justin
Sign in to Comment

Related questions

PHP Ratchet and WebRTC
How can I migrate Zend Framework 1 to 3
laravel 5 query multiple constraint on eager load
Best way to reduce the size of a custom Docker image
Export All from DataTables with Server Side processing?
How to get Country Code from (intl-tel-input) plugin after submitting the form?
Laravel - Type error: Too few arguments?
Examine and replace characters at end of line or before whitespace
Laravel 5 - Conditionally append variables
PHP Curl request not working but works fine in POSTMAN
Safely decrease User balance column. Should I use optimistic locking?
Laravel: How to open multiple domains (not subdomains) to show pages (no redirection) from same server?
Upload file which contain no extension into wordpress?
how to include/exclude certain groups from test-suite via phpunit.xml
WordPress: difference between get_the_content() and the_content()
Laravel - No emails sending using mailgun
Laravel 5.8: How to resolve auth()->user() inside Global Scope's apply method?
Wordpress on Docker behind nginx reverse proxy using SSL
How to manually authenticate user after Registration with the new Symfony 5 Authenticator?
Would performance suffer using autoload in php and searching for the class file?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!