Some background:

CakePHP writes its own session id cookie besides the PHPSESSID. This is used to authenticate a request. Then an SWFupload sends a file, and that token to authenticate, and is picked up as a new user agent, so in CakePHP you must disable the "check-user-agent" security feature.

On many browsers this is enough. IE7 version and SWF version seem to have no correlation to this bug. In our case IE7 was storing/sending two versions of the same cookie. So the first question is why? How?

Further explanation:

Because these duplicate cookies are stored at the beginning and end of the header string, PHP/Cake receives the one at the end if it's a dupe, so it "chooses" one, and the manual cookie I set and send in swfobject is the other cookie. I can think of a few hacks to fix this, but really I'd like to know how this condition could arise in the first place.

CakePHP also seems to not generate unique CakeSession ids on logout and login, which might be the cause, and the solution could be to force cake to use PHPSESSID everywhere, or it may be just to make sure that swfupload sends the correct SESSID...

Edit one: The headers for cookies sent by CakePHP are:

Set-Cookie: CAKEPHP=gqlpa88blmhmdsmv9e99ga16b3; expires=Thu, 13-Aug-2009 13:21:02 GMT; path=/
Set-Cookie: CAKEPHP=deleted; expires=Wed, 06-Aug-2008 13:21:01 GMT; path=/
Set-Cookie: CAKEPHP=ob5695trnspprlohiunrpqgkm0; expires=Thu, 13-Aug-2009 13:21:02 GMT; path=/

Any ideas welcome!

+1  A: 

As far as I remember, if you set a cookie that already exists, it just overwrites the value and expiration date of the old cookie... This is per domain. Means you can have 2 cookies with the same name under / and under /anything and they don't overwrite each other.

A cookie's name within its site is unique. At least in standard. Don't know whether IE7 follows this one.

Or isn't it what you're asking?

regards

Atmocreations
+2  A: 

Two cookies may have the same name if they were set for different domains or paths.

For instance, if you set a cookie "ID" on "www.example.com" and also on "example.com", then two ID cookies will be sent for every request for "www.example.com" or "anything.www.example.com".

To prevent this, ensure that you're consistently setting cookies for the same domain, and if you happen to have multiple domain names aliased to the same server (e.g. www.example.com and example.com) then have one redirect to the other.

Similarly, don't set cookies of the same name with a different path value.

EricLaw -MSFT-
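An added example (not CakePHP's code and not from either answer) showing the two points above in practice: PHP's `$_COOKIE` collapses duplicate names, so the raw `Cookie` header has to be parsed to even notice that the browser sent two CAKEPHP values, and a deletion `Set-Cookie` only removes the copy whose path and domain match, so every candidate path/domain needs its own header. The sample header, the `/app` path and the `example.com` domain are constructed assumptions, not values from the post.

```php
<?php
// Added example, not CakePHP's own code. Parses the raw Cookie request header,
// which keeps every occurrence of a name, whereas PHP's $_COOKIE keeps only one.

function parseCookieHeader(string $header): array
{
    $cookies = [];
    foreach (explode(';', $header) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue;
        }
        [$name, $value] = explode('=', $pair, 2);
        $cookies[trim($name)][] = $value;   // keep all values per name
    }
    return $cookies;
}

function duplicatedNames(array $cookies): array
{
    return array_keys(array_filter($cookies, fn($values) => count($values) > 1));
}

/**
 * Expire every copy of $name the browser might hold. A deletion only removes
 * the cookie whose domain and path match, so one Set-Cookie per candidate.
 * An empty domain means "host-only" (no domain attribute).
 */
function expireAllCopies(string $name, array $paths, array $domains): array
{
    $headers = [];
    foreach ($paths as $path) {
        foreach ($domains as $domain) {
            $h = "Set-Cookie: $name=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=$path";
            if ($domain !== '') {
                $h .= "; domain=$domain";
            }
            $headers[] = $h;
        }
    }
    return $headers;
}

// Constructed request header: two CAKEPHP cookies, as IE7 sent them in the question.
$raw = 'CAKEPHP=gqlpa88blmhmdsmv9e99ga16b3; PHPSESSID=abc123; CAKEPHP=ob5695trnspprlohiunrpqgkm0';
foreach (duplicatedNames(parseCookieHeader($raw)) as $dup) {
    // Session identity is ambiguous: authenticate on neither value, clear both instead.
    foreach (expireAllCopies($dup, ['/', '/app'], ['', 'example.com']) as $h) {
        header($h, false);   // false: add, do not replace earlier Set-Cookie headers
    }
}
```

Run this where the real candidate paths and domains of your deployment are known; the two lists here stand in for whatever `Set-Cookie` attributes the application has used historically.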