CakePHP Cookie/Session problems

JD Isaacks · Nov 1, 2011 · Viewed 10.9k times

I am having issues with my CakePHP application. This seems to be happening only in IE, and only on certain computers. It is consistent on the computers where it is happening though.

Issue one: User is logged in and on the page https://example.com/users/view and clicks sign out. User is redirected to http://example.com and appears to be logged out until the user visits another https page and they are still logged in. They can click log out as many times as they want but they are always logged in on https and only get logged out on http.

Issue two: User logs in at https://example.com/users/signin, is redirected to http://example.com and now appears to be logged in. User goes to https://example.com/admin/slides and does not know it yet but is now logged out; clicking on any other page (or just refreshing their current page) will ask them to log in again.

I have no idea what's going on. I have read and tried the solutions described on both these similar issues: Session not saving when moving from ssl to non-ssl and Cookie not renewing/overwriting in IE, but I am still having the same problems.

The only clue I have noticed so far (and I don't know if this means anything) is when I debug both $_SESSION and $this->Session->read(): on HTTP pages ALWAYS only $this->Session->read() returns a value. On HTTPS pages some ALWAYS return the same value for both, others ALWAYS only return a value for $this->Session->read().

For example, http://example.com and https://example.com/users never see $_SESSION; https://example.com/carts always sees $_SESSION. I am not sure, but I am thinking that maybe the secure pages are supposed to be seeing it and since some can't maybe something is wrong; however, when I inspect the code I see no difference that would suggest why one does and one doesn't.

Also, if I add $this->Session->destroy() to the beforeFilter in AppController, then all pages, even HTTP, can see $_SESSION. I am not actually using $_SESSION in my application, I just thought this might be a clue to what's wrong.


UPDATE

I took Gustav Bertram's advice and looked at the user agent string. I compared the user agent string with IE on a computer that was having the issue to IE on a computer that was not having the issue. They were the same except the one that was having problems has "google chrome frame" in the user agent string. I uninstalled Google Chrome Frame from that computer, restarted, tried again and the problem seemed to be solved.

If this is the true cause, then the simple solution would be to make users uninstall Chrome Frame. However, I wonder if there is a workaround that would allow them to have Chrome Frame installed and still work.

Answer

Scott Harwell · Nov 11, 2011

Try adding the following to your core.php file:

Configure::write('Session.checkAgent', false);
Configure::write('Session.ini', array('session.cookie_secure' => false, 'session.referer_check' => false));

These parameters should force the cookie to persist even through Google Chrome Frame. This will set both PHP and CakePHP's settings to allow cookies to persist over http and https.
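The two settings in the answer act on different mechanisms: `Session.checkAgent` controls whether CakePHP discards a session whose user-agent fingerprint changed, and `session.cookie_secure` controls whether the session cookie carries the Secure attribute, which browsers honour by only sending it over https. The following Python model is an added illustration, not code from the question, the answer or CakePHP itself; the cookie name, session ids and user-agent strings are constructed, and it assumes (without asserting anything about how Chrome Frame actually behaves) that the user-agent string differs between two requests of the same browser. It shows which symptom each setting produces and the trade-off the answer accepts: with `cookie_secure` off, the session id is also transmitted over plain http.

```python
"""Model of session.cookie_secure and CakePHP's Session.checkAgent
against a browser cookie jar. Constructed illustration only."""
import hashlib


def agent_hash(user_agent):
    """Stand-in for the user-agent fingerprint kept alongside the session."""
    return hashlib.sha256(user_agent.encode()).hexdigest()


class Browser:
    """Minimal cookie jar honouring the Secure attribute: a Secure cookie is
    stored but only attached to https requests."""

    def __init__(self):
        self.jar = {}  # name -> (value, secure flag)

    def store(self, name, value, secure):
        self.jar[name] = (value, secure)

    def cookie_for(self, scheme, name):
        entry = self.jar.get(name)
        if entry is None:
            return None
        value, secure = entry
        return None if (secure and scheme != "https") else value


class SessionServer:
    """Server side: resumes the session named by the cookie or starts a new one."""

    COOKIE = "CAKEPHP"  # constructed cookie name, not necessarily the real default

    def __init__(self, check_agent=True, cookie_secure=True):
        self.check_agent = check_agent      # Session.checkAgent
        self.cookie_secure = cookie_secure  # session.cookie_secure
        self.sessions = {}
        self.count = 0

    def request(self, browser, scheme, user_agent, login_as=None):
        """Handle one request; return (session_id, logged-in user) afterwards."""
        sid = browser.cookie_for(scheme, self.COOKIE)
        sess = self.sessions.get(sid)
        if sess is not None and self.check_agent and sess["agent"] != agent_hash(user_agent):
            sess = None  # agent mismatch: session treated as invalid, user is logged out
        if sess is None:
            self.count += 1
            sid = f"sid{self.count}"
            sess = self.sessions[sid] = {"agent": agent_hash(user_agent), "user": None}
            browser.store(self.COOKIE, sid, self.cookie_secure)
        if login_as:
            sess["user"] = login_as
        return sid, sess["user"]


def user_after_agent_change(check_agent):
    """Log in over https, then make another https request with a different
    user-agent string (constructed). Returns the user the server then sees."""
    server = SessionServer(check_agent=check_agent, cookie_secure=False)
    browser = Browser()
    server.request(browser, "https", "Mozilla/4.0 (MSIE 8.0)", login_as="alice")
    _, user = server.request(browser, "https", "Mozilla/4.0 (MSIE 8.0) embedded-frame")
    return user


def user_after_scheme_switch(cookie_secure):
    """Log in over https, then visit a plain-http page with the same agent."""
    server = SessionServer(check_agent=False, cookie_secure=cookie_secure)
    browser = Browser()
    server.request(browser, "https", "Mozilla/4.0 (MSIE 8.0)", login_as="alice")
    _, user = server.request(browser, "http", "Mozilla/4.0 (MSIE 8.0)")
    return user


def session_id_on_wire(cookie_secure, scheme):
    """Cookie value a request over `scheme` carries after an https login:
    the exposure cost of turning cookie_secure off."""
    server = SessionServer(check_agent=False, cookie_secure=cookie_secure)
    browser = Browser()
    server.request(browser, "https", "Mozilla/4.0 (MSIE 8.0)", login_as="alice")
    return browser.cookie_for(scheme, SessionServer.COOKIE)


if __name__ == "__main__":
    print("agent check on :", user_after_agent_change(True))    # None, logged out
    print("agent check off:", user_after_agent_change(False))   # alice
    print("secure cookie  :", user_after_scheme_switch(True))   # None on http
    print("insecure cookie:", user_after_scheme_switch(False))  # alice on http
    print("id over http   :", session_id_on_wire(False, "http"))  # sid1 leaks to plaintext
```

Disabling `checkAgent` alone keeps the session across a changing user-agent string without touching the cookie's Secure flag; `session.cookie_secure => false` is the setting that makes the login visible on http pages, and it does so by letting the session id travel unencrypted, so it is worth confirming which of the two actually fixes the reported symptom before loosening both.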