Session high security


Grant Cox

Nov 8, 2007, 12:21:01 AM11/8/07
to CakePHP Bleeding Edge
As many of you would be aware, setting the Session Security.level to
'high' causes the session id to be regenerated on every request. This
does make it very easy to lose your legitimate session though, as it
will be lost for any browser request that goes through cake but does
not update the browser's cookie (i.e. loading images, css, js, iframes -
if any of these use a cake action).

Now there are already tickets logged on trac about this, but the
session class in Cake has been the one thing that I've consistently
hacked over the last year or two - so perhaps it is worth discussing
what people's priorities are.

Focus 1: What are your priorities for the session, particularly with
regards to "high" security.

Focus 2: Can you think of any tricks so that regenerating the session
id could work even with media loading from cake actions (ie css, js,
iframes).

Grant Cox

Nov 8, 2007, 12:59:00 AM11/8/07
to CakePHP Bleeding Edge
1. For our own sites, I don't think we want / need "high" security
for sessions. The one thing that I feel is mandatory is for the
session to expire when the browser is closed, or after some period of
inactivity. I just don't trust a session lasting for days, unless the
user has specifically requested to do so (ie ticked a box "remember me
for 14 days"). But I think this expiry should also apply to "medium".

One other requirement for many of our sites is to share the session
between both Flash and HTML clients, which means the user agent needs
to be ignored. Definitely not "high" security doing this.


2. The only thing I can think of is if the developer were able to
identify specific actions that do not cause a session refresh.
Usually you will know which actions are used for dynamic content (ie
css / js / images), or may be included in iframes etc.

In fact it would be good to allow the application to decide this - as
I would not necessarily expect sending three session headers (new,
old, new) to some mobile devices to work consistently. So it would be
neat to have a beforeFilter / afterRender decide whether the session
needs to change (could check user agent etc).
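
The failure mode from the first post and the per-action exemption suggested in point 2 above, as an added example. This is plain PHP written for this thread, not CakePHP's own session code: the SessionStore, App, the asset actions 'css' and 'js' and the noRegenerate list are assumptions standing in for Cake's Session component and a developer-supplied "do not refresh" list. It simulates the "high" behaviour (new id on every request, old id destroyed) and a browser that fetches two assets in parallel with the same cookie value:

```php
<?php
// Added example (not CakePHP code): simulates Security.level = 'high'
// style session-id regeneration on every request, shows how two parallel
// asset requests carrying the same cookie log the user out, and then the
// fix discussed in the thread: let the application exempt asset actions
// from regeneration.
declare(strict_types=1);

final class SessionStore
{
    /** @var array<string, array<string, mixed>> session id => data */
    private array $sessions = [];

    /** Open the session for a cookie; unknown or destroyed ids get a fresh, empty session. */
    public function open(?string $id): string
    {
        if ($id === null || !isset($this->sessions[$id])) {
            $id = bin2hex(random_bytes(16));
            $this->sessions[$id] = [];
        }
        return $id;
    }

    /** Issue a new id for the same data and destroy the old one ("high" behaviour). */
    public function regenerate(string $oldId): string
    {
        $newId = bin2hex(random_bytes(16));
        $this->sessions[$newId] = $this->sessions[$oldId];
        unset($this->sessions[$oldId]);
        return $newId;
    }

    public function write(string $id, string $key, mixed $value): void
    {
        $this->sessions[$id][$key] = $value;
    }

    public function read(string $id, string $key): mixed
    {
        return $this->sessions[$id][$key] ?? null;
    }
}

final class App
{
    public function __construct(
        private SessionStore $store,
        /** Assumed hook: actions that must not rotate the id (e.g. css/js/image actions). */
        private array $noRegenerate = [],
    ) {}

    /** Handle one request; returns [response body, Set-Cookie value]. */
    public function handle(string $action, ?string $cookie): array
    {
        $id = $this->store->open($cookie);
        if (!in_array($action, $this->noRegenerate, true)) {
            $id = $this->store->regenerate($id);   // new id on every request
        }
        if ($action === 'login') {
            $this->store->write($id, 'user', 'alice');
        }
        $user = $this->store->read($id, 'user');
        return [$user === null ? 'anonymous' : "hello {$user}", $id];
    }
}

/** Simulated browser (constructed scenario): login, page load, two assets in parallel, page again. */
function browse(App $app): string
{
    $jar = null;
    [, $jar] = $app->handle('login', $jar);
    [, $jar] = $app->handle('page', $jar);
    // Parallel asset requests both leave with the same cookie value. The second
    // one arrives with an id the first has already destroyed, so it gets an
    // empty session, and its Set-Cookie is the last one the browser applies.
    [, $c1] = $app->handle('css', $jar);
    [, $c2] = $app->handle('js', $jar);
    $jar = $c2;
    [$body] = $app->handle('page', $jar);
    return $body;
}

echo "high, no exemptions:  ", browse(new App(new SessionStore())), "\n";
echo "high, assets exempt:  ", browse(new App(new SessionStore(), ['css', 'js'])), "\n";
```

Run it with `php`: the first line reports an anonymous user, because the js request, sent with an id the css request had just destroyed, ends up as a fresh empty session and its cookie overwrites the good one. The second line keeps the logged-in user, because the exempt actions only read the session and never rotate the id. The same exemption applies to anything loaded from an iframe or by a client that ignores Set-Cookie on asset responses.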

chad

Nov 8, 2007, 1:58:44 AM11/8/07
to CakePHP Bleeding Edge
Hi Grant -
I don't necessarily have anything to add to the conversation, other
than "yeah", completely agree with #1 in your follow up post. I've
got a production site going with about 100 users, and have my
Security.level = 'low'. I've found the high setting to be a little
excessive, and just not worth the trouble for my needs. It would be
cool, however, to have a beforeFilter() that decides when the session
should be refreshed in 'high' mode.
-Chad

cakeFreak

Nov 8, 2007, 6:54:34 AM11/8/07
to CakePHP Bleeding Edge

Thumbs up for Grant's suggestions!

Dan
