Now there are already tickets logged on trac about this, but the session class in Cake has been the one thing that I've consistently hacked over the last year or two - so perhaps it is worth discussing what people's priorities are.

Focus 1: What are your priorities for the session, particularly with regard to "high" security?

Focus 2: Can you think of any tricks so that regenerating the session id could work even with media loading from cake actions (i.e. css, js, iframes)?

1. One other requirement for many of our sites is to share the session between both Flash and HTML clients, which means the user agent needs to be ignored. Definitely not "high" security doing this.

2. The only thing I can think of is if the developer were able to identify specific actions that do not cause a session refresh. Usually you will know which actions are used for dynamic content (i.e. css / js / images), or may be included in iframes etc.

In fact it would be good to allow the application to decide this - as I would not necessarily expect sending three session headers (new, old, new) to some mobile devices to work consistently. So it would be neat to have a beforeFilter / afterRender decide whether the session needs to change (could check user agent etc.).

Dan
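The per-action decision Dan describes in point 2 (the application, not the framework, declaring which actions may rotate the session id), as an added example that is not part of Dan's post or of CakePHP's own code. It assumes a CakePHP 1.x-style `AppController` with a `beforeFilter()` hook, the `SessionComponent`'s `renew()` method and the `env()` helper; the `$noRenewActions` list, the controller/action names and the user-agent substrings are constructed for illustration.

```php
<?php
// Added example, not code from the original post or from CakePHP itself.
// Assumes a CakePHP 1.x-style AppController (beforeFilter, SessionComponent,
// env()); Security.level is assumed set to 'medium' in core.php so that the
// framework does not also regenerate the id on every request.

class AppController extends Controller {
    var $components = array('Session');

    // Actions that serve sub-resources (css, js, images, iframe bodies) for the
    // same page load as the main document. If one of these rotates the session
    // id while the others are still loading, the parent page's cookie races the
    // new one ("new, old, new"), so the application declares them explicitly.
    // Constructed list for illustration.
    var $noRenewActions = array(
        'assets'  => array('css', 'js', 'image'),
        'widgets' => array('embed'),
    );

    // User-agent substrings for clients that do not cope with several
    // Set-Cookie headers in one page load. Constructed list for illustration;
    // it is a compatibility decision, not a security one.
    var $noRenewAgents = array('Flash', 'Shockwave');

    function beforeFilter() {
        $controller = $this->params['controller'];
        $action     = $this->params['action'];
        $agent      = env('HTTP_USER_AGENT');

        if ($this->sessionShouldRenew($controller, $action, $agent)) {
            // Rotates the session id for ordinary page requests only.
            $this->Session->renew();
        }
    }

    // Decide whether this request may rotate the session id. Returns false for
    // declared asset/iframe actions and for clients that mishandle a burst of
    // Set-Cookie headers; true for everything else.
    function sessionShouldRenew($controller, $action, $agent) {
        if (isset($this->noRenewActions[$controller])
            && in_array($action, $this->noRenewActions[$controller], true)) {
            return false;
        }
        foreach ($this->noRenewAgents as $needle) {
            if ($agent !== null && stripos($agent, $needle) !== false) {
                return false;
            }
        }
        return true;
    }
}
```

Because the Flash/HTML sharing in point 1 means the user agent is no longer bound to the session, the session id is the only thing tying a request to a login; rotating it at login and on privilege changes (for example by calling `renew()` from the login action itself) keeps that one secret fresh even when `sessionShouldRenew()` declines the per-request rotation for the clients above.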