Moving tests from SessionComponent to CakeSession, as that is where the features actually are. Removing Security.level/Security::inactiveMins() calculations.

Author: markstory

cake/libs/cake_session.php

@@ -125,6 +125,15 @@ class CakeSession {
  */
 	public static $timeout = null;
 
+/**
+ * Number of requests that can occur during a session time without the session being renewed.
+ * This feature is only used when `Session.harden` is set to true.
+ *
+ * @var integer
+ * @see CakeSession::_checkValid()
+ */
+	public static $requestCountdown = 10;
+
 /**
  * Constructor.
  *
@@ -147,8 +156,7 @@ public static function init($base = null, $start = true) {
 			self::start();
 		}
 		if (isset($_SESSION) || $start === true) {
-			self::$sessionTime = self::$time + (Security::inactiveMins() * Configure::read('Session.timeout'));
-			self::$security = Configure::read('Security.level');
+			self::$sessionTime = self::$time + (Configure::read('Session.timeout') * 60);
 		}
 	}
 
@@ -230,7 +238,7 @@ public static function start() {
 		self::_configureSession();
 		self::_startSession();
 		$started = self::started();
-		
+
 		if (!self::id() && $started) {
 			self::_checkValid();
 		}
@@ -583,7 +591,7 @@ protected static function _getHandler($handler) {
 		}
 		$reflect = new ReflectionClass($class);
 		if (!$reflect->implementsInterface('CakeSessionHandlerInterface')) {
-			throw new Exception(__('Chosen SessionHandler does not implement CakeSessionHandlerInterface'));
+			throw new Exception(__('Chosen SessionHandler does not implement CakeSessionHandlerInterface it cannot be used with an engine key.'));
 		}
 		return $class;
 	}
@@ -689,17 +697,22 @@ protected function _startSession() {
  */
 	protected static function _checkValid() {
 		if (self::read('Config')) {
-			if ((Configure::read('Session.checkAgent') === false || self::$_userAgent == self::read('Config.userAgent')) && self::$time <= self::read('Config.time')) {
+			$sessionConfig = Configure::read('Session');
+			$checkAgent = isset($sessionConfig['checkAgent']) && $sessionConfig['checkAgent'] === true;
+			if (
+				($checkAgent && self::$_userAgent == self::read('Config.userAgent')) &&
+				self::$time <= self::read('Config.time')
+			) {
 				$time = self::read('Config.time');
 				self::write('Config.time', self::$sessionTime);
-				if (Configure::read('Security.level') === 'high') {
-					$check = self::read('Config.timeout');
+				if (isset($sessionConfig['harden']) && $sessionConfig['harden'] === true) {
+					$check = self::read('Config.countdown');
 					$check -= 1;
-					self::write('Config.timeout', $check);
+					self::write('Config.countdown', $check);
 
-					if (time() > ($time - (Security::inactiveMins() * Configure::read('Session.timeout')) + 2) || $check < 1) {
+					if (time() > ($time - ($sessionConfig['timeout'] * 60) + 2) || $check < 1) {
 						self::renew();
-						self::write('Config.timeout', Security::inactiveMins());
+						self::write('Config.countdown', self::$requestCountdown);
 					}
 				}
 				self::$valid = true;
@@ -711,7 +724,7 @@ protected static function _checkValid() {
 		} else {
 			self::write('Config.userAgent', self::$_userAgent);
 			self::write('Config.time', self::$sessionTime);
-			self::write('Config.timeout', Security::inactiveMins());
+			self::write('Config.countdown', self::$requestCountdown);
 			self::$valid = true;
 			self::__setError(1, 'Session is valid');
 		}

cake/libs/controller/components/session.php

@@ -49,16 +49,6 @@ class SessionComponent extends Object {
  */
 	private $__bare = 0;
 
-/**
- * Class constructor
- *
- * @param string $base The base path for the Session
- */
-
-	public function __construct() {
-		CakeSession::begin();
-	}
-
 /**
  * Startup method.
  *

cake/tests/cases/libs/cake_session.test.php

@@ -78,7 +78,8 @@ public static function teardownAfterClass() {
  * @access public
  * @return void
  */
-	function startTest() {
+	function setup() {
+		parent::setup();
 		Configure::write('Session', array(
 			'defaults' => 'php',
 			'cookie' => 'cakephp',
@@ -98,7 +99,8 @@ function startTest() {
  * @access public
  * @return void
  */
-	function endTest() {
+	function teardown() {
+		parent::teardown();
 		unset($_SESSION);
 		@session_destroy();
 	}
@@ -641,4 +643,37 @@ function testReadAndWriteWithDatabaseStorage() {
 		session_write_close();
 	}
 
+/**
+ * testSessionTimeout method
+ *
+ * @access public
+ * @return void
+ */
+	function testSessionTimeout() {
+		Configure::write('debug', 2);
+		Configure::write('Session.harden', false);
+
+		$timeoutSeconds = Configure::read('Session.timeout') * 60;
+
+		session_destroy();
+		TestCakeSession::destroy();
+		TestCakeSession::write('Test', 'some value');
+
+		$this->assertEqual(CakeSession::$sessionTime, time() + $timeoutSeconds);
+		$this->assertEqual($_SESSION['Config']['countdown'], 10);
+		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$sessionTime);
+		$this->assertEqual(CakeSession::$time, time());
+		$this->assertEqual($_SESSION['Config']['time'], time() + $timeoutSeconds);
+
+		Configure::write('Session.harden', true);
+		TestCakeSession::destroy();
+
+		TestCakeSession::write('Test', 'some value');
+		$this->assertEqual(CakeSession::$sessionTime, time() + $timeoutSeconds);
+		$this->assertEqual($_SESSION['Config']['countdown'], 10);
+		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$sessionTime);
+		$this->assertEqual(CakeSession::$time, time());
+		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$time + $timeoutSeconds);
+	}
+
 }

cake/tests/cases/libs/controller/components/session.test.php

@@ -308,46 +308,4 @@ function testSessionDestroy() {
 		$this->assertNull($Session->read('Test'));
 	}
 
-/**
- * testSessionTimeout method
- *
- * @access public
- * @return void
- */
-	function testSessionTimeout() {
-		Configure::write('debug', 2);
-		Configure::write('Security.level', 'low');
-
-		session_destroy();
-		$Session =& new SessionComponent();
-		$Session->destroy();
-		$Session->write('Test', 'some value');
-
-		$this->assertEqual(CakeSession::$sessionTime, mktime() + (300 * Configure::read('Session.timeout')));
-		$this->assertEqual($_SESSION['Config']['timeout'], 10);
-		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$sessionTime);
-		$this->assertEqual(CakeSession::$time, mktime());
-		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$time + (Security::inactiveMins() *  Configure::read('Session.timeout')));
-
-		Configure::write('Security.level', 'medium');
-		$Session =& new SessionComponent();
-		$Session->destroy();
-		$Session->write('Test', 'some value');
-		$this->assertEqual(CakeSession::$sessionTime, mktime() + (100 * Configure::read('Session.timeout')));
-		$this->assertEqual($_SESSION['Config']['timeout'], 10);
-		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$sessionTime);
-		$this->assertEqual(CakeSession::$time, mktime());
-		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$time + (Security::inactiveMins() *  Configure::read('Session.timeout')));
-
-		Configure::write('Security.level', 'high');
-		$Session =& new SessionComponent();
-		$Session->destroy();
-		$Session->write('Test', 'some value');
-		$this->assertEqual(CakeSession::$sessionTime, mktime() + (10 * Configure::read('Session.timeout')));
-		$this->assertEqual($_SESSION['Config']['timeout'], 10);
-		$this->assertEqual($_SESSION['Config']['time'], $Session->sessionTime);
-		$this->assertEqual(CakeSession::$time, mktime());
-		$this->assertEqual($_SESSION['Config']['time'], CakeSession::$time + (Security::inactiveMins() * Configure::read('Session.timeout')));
-
-	}
 }