I have a login screen that I force to be ssl, so like this: https://www.foobar.com/login then after they login, they get moved to the homepage: https://www.foobar.com/dashba
You can read more in the CakePHP documentation at http://book.cakephp.org/2.0/en/development/sessions.html: CakePHP defaults to setting session.cookie_secure to true when your application is on an SSL protocol. If your application serves from both SSL and non-SSL protocols, then you might have problems with sessions being lost. If you need access to the session on both SSL and non-SSL domains you will want to disable this:
Open the file Config/core.php and add the following:
Configure::write('Session', array(
    'defaults' => 'php',
    'ini' => array(
        // Drop the Secure flag so the same session cookie is sent over both http and https
        'session.cookie_secure' => false
    )
));
Now you can switch between http and https without losing the session :)
Has your homepage got any flash on it that makes a subsequent request to your server? Or any Ajax loading of content?
Have you checked headers being sent from the server? In IE you can use Fiddler or in Firefox use the Live Headers addon. Check for any new cookies being set or the CAKEPHP cookie having a different value.
While the accepted answer meets the OP's desire to "move people off of SSL once logged in", it's horribly insecure in that it exposes the user session to hijacking (see Firesheep for an easy exploit).
A better compromise between the default behavior of CakePHP (which requires all pages to be served SSL after a user authenticates over SSL) and the accepted answer (which serves all authenticated pages unencrypted and exposes the authenticated cookie) is to serve pages encrypted over SSL if and only if they require authentication.
An easy way to accomplish this is to maintain two session cookies - one that is served secure and holds the authentication information and another which is served insecure. A simple implementation to support such a dual-session approach will use a session_handler to override the session.name like so:
if (env('HTTPS')) {
    // Over SSL use a separate cookie name for the session that carries the authentication data
    ini_set('session.name', Configure::read('Session.cookie') . '-SECURE');
} else {
    // Over plain HTTP use the ordinary (non-authenticated) session cookie
    ini_set('session.name', Configure::read('Session.cookie'));
}
One item to keep in mind with this approach is that to link from a non-SSL page directly to a page that requires authentication will require you to explicitly link using https - since you'll need to send the session cookie containing the authentication information and the browser will only do so if the link is encrypted.
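The dual-cookie layout described in this answer, carried through as a complete added example for a CakePHP 2.x application. This is not code from the answer or from CakePHP itself; the two cookie names, the $publicActions list and the secureUrl() helper are assumptions, while env(), Configure, Router, Auth and $this->request->here are the CakePHP 2.x APIs the answer already relies on. It also covers the last caveat: any link from an http:// page to an authenticated page is built with an explicit https:// scheme, and a request that arrives over http for a non-public action is bounced to https before Auth gets to see it.

```php
<?php
// --- Config/core.php (added example) ------------------------------------------
// Pick the session cookie name and its Secure flag from the request scheme.
// CakeSession copies 'cookie' into session.name and applies the 'ini' array via
// ini_set(); an explicit session.cookie_secure here wins over Cake's own default.
$onSsl = (bool) env('HTTPS');

Configure::write('Session', array(
    'defaults' => 'php',
    // Over HTTPS the browser holds a second, Secure-flagged cookie that it never
    // sends over plain HTTP, so the authenticated session (where Auth.User lives)
    // cannot be sniffed on an http:// page. Both names are assumptions.
    'cookie'   => $onSsl ? 'CAKEPHP-SECURE' : 'CAKEPHP',
    'ini'      => array(
        'session.cookie_secure'    => $onSsl ? 1 : 0,
        'session.cookie_httponly'  => 1,   // keep both cookies away from script access
        'session.use_only_cookies' => 1,   // never carry a session id in the URL
    ),
));

// --- Config/bootstrap.php (added example) -------------------------------------
// Helper (name is an assumption) for links that must land on the authenticated
// side: Router::url() only yields a path, so the https scheme is added explicitly.
// A string argument is taken as a path that already includes the base
// (e.g. $this->request->here); an array is a normal Cake URL array.
App::uses('Router', 'Routing');

function secureUrl($url) {
    $path = is_array($url) ? Router::url($url) : $url;
    return 'https://' . env('SERVER_NAME') . $path;
}

// --- Controller/AppController.php (added example) -----------------------------
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session', 'Auth');

    // Actions a controller serves over plain HTTP (assumption; override per
    // controller). Everything else needs the Secure cookie, hence https.
    public $publicActions = array();

    public function beforeFilter() {
        parent::beforeFilter();

        if ($this->publicActions) {
            $this->Auth->allow($this->publicActions);
        }

        if (!env('HTTPS') && !in_array($this->action, $this->publicActions, true)) {
            // On http:// the CAKEPHP-SECURE cookie was not sent, so Auth would see
            // an anonymous visitor and push them to the login form. Redirect to the
            // same path over https first; the browser then attaches the Secure
            // cookie and the existing login is recognised.
            return $this->redirect(secureUrl($this->request->here));
        }
    }
}
```

In a view, a link to an authenticated page is written as `$this->Html->link('Dashboard', secureUrl(array('controller' => 'dashboard', 'action' => 'index')))` rather than with a plain URL array, otherwise the browser follows it over http and the redirect above has to do the work. Note that on the http side `$this->Auth->user()` is always null, so anything personalised ("Hello, Bob") has to live on the https side; a Firesheep-style sniffer that captures the CAKEPHP cookie only gets an unauthenticated session.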
First of all, do I understand correctly that the second login is using the exact same mechanism as the first (via HTTPS)?
Does the first hit on a unsecured page create a new session, in addition to the one created during login?
Check if, on first login, the cookie is not set with the Secure flag (that means that the cookie should only be sent over a secured (HTTPS) connection).
I figured this out. Cake was switching the session.cookie_secure ini value on-the-fly while under SSL connections automatically, so the cookie being created was a secure cookie, which the second page wouldn't recognize.
Solution: comment out /cake/lib/session.php, line 420-ish:
    // Marks the session cookie Secure whenever the request came in over SSL
    ini_set('session.cookie_secure', 1);
(Just search for that to find it, as I'm sure the line # will change as releases come out.)
You can specify your own session handling settings in a configuration file (rather than editing the CakePHP library file.) In the configuration file you can set session.cookie_secure to 0, which will take precedence over the setting in /cake/lib/session.php. This will allow the session cookie to be used for both SSL and non-SSL connections.
Here is a blog entry on the topic: http://bakery.cakephp.org/articles/view/how-to-bend-cakephp-s-session-handling-to-your-needs
and some documentation from the Cookbook: http://book.cakephp.org/view/173/Sessions