Session not saving when moving from ssl to non-ssl

I have a login screen that I force to be ssl, so like this: https://www.foobar.com/login then after they login, they get moved to the homepage: https://www.foobar.com/dashbaord

However, I want to move people off of SSL once logged in (to save CPU), so just after checking that they are in fact logged in on https://www.foobar.com/dashbaord I move them to http://www.foobar.com/dashbaord

Well this always seems to wipe out the session variables, because when the page runs again, it confirms they are logged in (as all pages do) and session appears not to exist, so it moves them to the login screen.

Oddness/findings:

  1. The second login always works, and happily gets me to http://www.foobar.com/dashbaord
  2. It successfully creates a cookie on the first login
  3. If I log in twice, then log out, and log in again, I don't need two logins (I seem to have traced this to the fact that the cookie exists). If I delete the cookie, I'm back to two logins.
  4. After the second login, I can move between non-ssl and ssl and the session persists.
  5. On the first login, the move to the non-ssl site wipes out the session entirely; manually moving back to the ssl site still forces me to log in again.
  6. The second login uses the exact same mechanism as the first, over ssl

What I tried:

  1. Playing with Cake's settings for security.level and session.checkagent - nothing
  2. Having cake store the sessions in db (as opposed to file system) - nothing
  3. Testing in FF, IE, Chrome on an XP machine.

So I feel like this is something related to the cookie being created but not being read.

Environment:

  1. Debian
  2. Apache 2
  3. Mysql 4
  4. PHP 5
  5. CakePHP
  6. Sessions are being saved PHP default, as files

Justin asked Nov 21 '08 12:11

1 Answer

I figured this out. Cake was switching the session.cookie_secure ini value on-the-fly while under SSL connections automatically, so the cookie being created was a secure cookie, which the second page wouldn't recognize.

Solution, comment out /cake/lib/session.php line 420 ish:

ini_set('session.cookie_secure', 1);

(Just search for that to find it, as I'm sure the line # will change as releases come out.)

Justin answered Sep 30 '22 10:09

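The behaviour the answer describes (a cookie carrying the Secure attribute, which is what session.cookie_secure=1 produces, is only sent back over https, so the session appears to vanish on the http:// dashboard) can be reproduced with a plain cookie jar. The following script is an added example and is not part of the question, the answer, or CakePHP itself; the host name and the two Set-Cookie lines are constructed sample values, and the function names are my own.

```python
"""Check whether a Set-Cookie line will survive an https -> http redirect.

A cookie with the Secure attribute is only attached to https:// requests,
so a session cookie issued on an SSL login page is silently withheld from
a plain-http page on the same host. Standard library only; the host and
Set-Cookie values below are constructed, not captured from a real server.
"""
from http.cookiejar import Cookie, CookieJar
from http.cookies import SimpleCookie
from urllib.request import Request

HOST = "www.foobar.com"  # constructed, taken from the question's example URLs

# Constructed sample Set-Cookie header values: what the SSL login page sends
# with session.cookie_secure=1 (first) and without it (second).
SECURE_SET_COOKIE = "CAKEPHP=constructedsessionid1; path=/; secure"
PLAIN_SET_COOKIE = "CAKEPHP=constructedsessionid1; path=/"


def cookie_from_set_cookie(header_value, host=HOST):
    """Turn one Set-Cookie header value into a cookiejar Cookie object.

    Only the attributes that matter here (name, value, path, Secure) are
    honoured; Expires, Domain and HttpOnly are ignored for the demonstration.
    """
    parsed = SimpleCookie()
    parsed.load(header_value)
    (name, morsel), = parsed.items()  # exactly one cookie per header expected
    return Cookie(
        version=0, name=name, value=morsel.value,
        port=None, port_specified=False,
        domain=host, domain_specified=False, domain_initial_dot=False,
        path=morsel["path"] or "/", path_specified=bool(morsel["path"]),
        secure=bool(morsel["secure"]),  # the flag that drives the behaviour
        expires=None, discard=True,
        comment=None, comment_url=None, rest={},
    )


def cookie_header_for(cookie, url):
    """Return the Cookie header a client would send to url, or None if withheld."""
    jar = CookieJar()
    jar.set_cookie(cookie)
    request = Request(url)
    jar.add_cookie_header(request)  # applies the Secure/path/domain rules
    return request.get_header("Cookie")


def session_survives_downgrade(set_cookie_header, path="/dashboard"):
    """True if the cookie reaches both the https and the http version of path,
    i.e. the session persists across the SSL -> plain redirect in the question."""
    cookie = cookie_from_set_cookie(set_cookie_header)
    over_https = cookie_header_for(cookie, f"https://{HOST}{path}")
    over_http = cookie_header_for(cookie, f"http://{HOST}{path}")
    return over_https is not None and over_http is not None


if __name__ == "__main__":
    for label, header in (("secure", SECURE_SET_COOKIE), ("plain", PLAIN_SET_COOKIE)):
        cookie = cookie_from_set_cookie(header)
        print(f"{label:6s} https: {cookie_header_for(cookie, f'https://{HOST}/dashboard')}")
        print(f"{label:6s} http:  {cookie_header_for(cookie, f'http://{HOST}/dashboard')}")
        print(f"{label:6s} survives downgrade: {session_survives_downgrade(header)}")
```

Running it shows the Secure cookie arriving on the https dashboard and being absent on the http one, while the plain cookie arrives on both; the same check can be pointed at a real Set-Cookie line copied from the login response to confirm which of the two cases a deployment is in.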