Session data lost when autoRegenerate = true and multiple simultaneous connections #1964
Comments
|
28th May 2012, Mark Story said: I think not ever having busted images is a good solution too, as you probably screwed something else up in order to get there. If you have a patch I'm willing to review it. Leaving the old session active but auto regenerating sessions kind of defeats the point. Frequently switching tokens is generally done to prevent session snooping. A more effective way to defeat this kind of attack is to use SSL though. Marking as an enhancement as the feature works except in the case where there are compounded mistakes. |
|
28th May 2012, Simon East said: Yeah, avoiding busted images is definitely a good move, but it took me several hours to identify this as the source of the problem. Unfortunately, images do break when you have user-managed content and production/staging servers don't sync all those assets. |
|
17th Jul 2012, Simon East said: This bug also occurs in other circumstances such as when users double-click links (and yes, it surprises me how much inexperienced users do this). |
|
17th Jul 2013, Costa said: Is there a specific reason for static assets to have to touch sessions? To me static assets should be stateless. It's unintuitive for a 404 on a static asset = invalidated session. Can't the asset dispatcher bypass all the session / cookie / auth stuff? |
|
17th Jul 2013, ADmad said:
|
|
17th Jul 2013, ADmad said: Only if you have broken links to your assets the request will be handled by php. You can just update your rewrite rules to avoid that. |
|
Closing this as the autoRegenerate feature works as expected. End users need to take extra precautions in web apps using this feature to avoid any undesired behavior. Also, my vote would go to removing this feature as it only causes troubles. |
|
I think automatically rotating sessions periodically is useful for certain kinds of applications. It sounds like this was not a good place to use it. |
|
Ok, I'll just close this ticket, then. |
Created by Simon East, 28th May 2012. (originally Lighthouse ticket #2921):
What I did
Set
Configure.write('Session.autoRegenerate', true)incore.phpWhat happened
Session data gets lost.
This, however, occurs only when a browser has multiple simultaneous connections to the Cake app. This often happens when a user:
Or when a page:
What I expected to happen
Session data to be maintained.
The Problem
The problem is that
autoRegeneratedoes not work when a browser has _multiple simultaneous connections_. In the example below, four images in my page hit 404 errors and produce this bug. The process goes like this:The Fix
I can't think of an easy fix at the current time, other than to avoid
autoRegenerate. (Avoiding broken images would definitely help to some extent.)One thing that might help is if Cake didn't send a 'delete cookie' request back to the browser when it finds an outdated session ID. So, in the example above, although image #4 would still send the old sess ID cookie, the browser still retains the new cookie from image #3, and future requests would continue as expected rather than all session data being lost.
The text was updated successfully, but these errors were encountered: