I'm having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn't happen all the time but randomly.

I am using CakePHP and the Auth component, which seems to work well other than this issue.

I got some feedback on the Cake forums once that this is sometimes caused by a 404 request that resets the session, i.e. if you have a broken image link or a missing favicon file. I have firebug open and there are no failed requests, so I ruled this out as a possibility, but the user is getting sporadically logged out. This seems to occur across browsers and operating systems.

Below is a summary of my config settings:

    Security.level = high
    Session.timeout = 1200 // this means my actual timeout should be 12,000 seconds
    Session.save = php

I am really at a loss as to what is causing this issue...

A: 

Check your Auth->allow or ->deny, because it might be that your user accesses a restricted part or action of your controller(s).

Second, check your specific Sanitize of CakePHP, because 'high security' options often like to cause trouble.

404 pages reset the session? I never heard about that.

I think your problem is located somewhere in the authentication routines. If you restrict too many things it can happen that some constellations of requests will fail due to their missing attributes.

For example: UserOne tries to access your website, his user name contains some strings which cause wrong interpretation of the user name. The name could be found within the database, but the authentication could not link it to the request.

Errors like this always hide inside your code, where you did not expect them to be.

daemonfire300
Sorry, I probably needed to specify further.. the user login process with Auth is fine. When trying to access /admin/ urls I have it set to require Auth, and it does so for the correct screens. Logging in is no problem, it finds the names in the database, but the problem is that it will sporadically kick me out when I'm already in.
Nathan
The 404 request apparently can reset the Cake Auth/Session, not a generic PHP issue
Nathan
Try to set up cakephp once again including your database (etc.) this might help.
daemonfire300
+5  A: 

I have also had a problem with my security set to high. When you have it set to high it regenerates the session on every request: "CakePHP session IDs are also regenerated between requests if 'Security.level' is set to 'high'."

I had this problem cross-browser as well, so I know it's not the best solution but I just changed the security setting to medium, and changed my session timeout to reflect that setting and have not had any problems since.

Matt
thanks, I'll give that a shot
Nathan
You are a lifesaver.
Michael
Thanks! 8 more to go....
Justin
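Why regenerating the session ID on every request can log out an authenticated user, as an added example that is not part of the original answers and is not CakePHP's own code. It is a simplified model that assumes the old ID is discarded as soon as a new one is issued and that the browser sends two requests carrying the same cookie; `SessionStore` and `overlappingRequests()` are hypothetical names.

```php
<?php
// Simplified model (assumption, not CakePHP source): a server-side session
// store that can rotate the session ID and drop the old one immediately.
class SessionStore {
    private $sessions = array();
    private $counter = 0;

    public function login($user) {
        // A fresh ID is always issued at login, in both modes.
        $id = $this->newId();
        $this->sessions[$id] = $user;
        return $id;
    }

    // Handle one request carrying $cookie.
    // Returns array(user or null, cookie value the response would set).
    public function request($cookie, $regenerateEveryRequest) {
        if (!isset($this->sessions[$cookie])) {
            return array(null, null);            // unknown ID: treated as logged out
        }
        $user = $this->sessions[$cookie];
        if ($regenerateEveryRequest) {
            unset($this->sessions[$cookie]);     // old ID stops working right away
            $cookie = $this->newId();
            $this->sessions[$cookie] = $user;
        }
        return array($user, $cookie);
    }

    private function newId() {
        return 'sid-' . (++$this->counter);      // constructed IDs, readable on purpose
    }
}

// Constructed scenario: a page request and an AJAX/image request leave the
// browser together, so both carry the cookie value issued at login.
function overlappingRequests($regenerateEveryRequest) {
    $store  = new SessionStore();
    $cookie = $store->login('alice');            // constructed user name
    $first  = $store->request($cookie, $regenerateEveryRequest);
    $second = $store->request($cookie, $regenerateEveryRequest); // sent before the first response's new cookie arrived
    return array($first[0], $second[0]);
}

foreach (array('per-request rotation' => true, 'rotation at login only' => false) as $label => $mode) {
    $r = overlappingRequests($mode);
    printf("%-24s first=%s second=%s\n", $label, $r[0], $r[1] === null ? 'LOGGED OUT' : $r[1]);
}
```

Both modes still issue a new ID at login, which is the rotation that defends against session fixation; only the per-request rotation makes the second overlapping request fail.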
A: 

Security.level on high will do that. Set it to medium in core.php.

dogmatic69
A: 

I had a similar problem, I found it to be the user_agent check in the core.php file, set this to false!

What was happening was after a page refresh the session id changed and I was logged out, but in the Session object there was an error saying Attempted Session Hijack!!!

    pr($this->Session);

Set this to false in core.php!

    Configure::write('Session.checkAgent', false);

Alex Payne