I had an authentication problem in CakePHP: when posting credentials from an external site, the authentication would work and then get immediately lost, with the site prompting for login information again.

This guy determined that the CakePHP session cookie was changing. His solution was to set security to low.

Seems like in medium or high security Cake makes a double check for referer... but with low security works fine when clicking auth-protected links from external sites like hotmail or yahoo

This solution also worked for me, but what am I losing by setting CakePHP to 'low' security?

A: 

I believe the only ramifications of setting this to low are that the session time is multiplied by 300, rather than 10 or 100 for high and medium respectively, and the session referer check that you are having the issue with.

Update: If you previously had this set to high, you would also lose out on the session ID regeneration between requests.

Irwin M. Fletcher
A: 

The main thing that I know of is the session timeout, as per the app/config/core.php comments, in that your session timeout will be multiplied by a lower number.

The book backs this up,

The level of CakePHP security. The session timeout time defined in 'Session.timeout' is multiplied according to the settings here. Valid values: 'high' = x 10, 'medium' = x 100, 'low' = x 300. 'high' and 'medium' also enable session.referer_check. CakePHP session IDs are also regenerated between requests if 'Security.level' is set to 'high'.

Ref: http://book.cakephp.org/view/44/CakePHP-Core-Configuration-Variables

So the other thing looks to be the referrer checking.

session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. Defaults to the empty string.

So by the looks of it, what you lose is the ability to accurately determine who and which sessions you are dealing with.

I ran into a similar problem with losing sessions and many answers pointed to using $this->requestAction() as it will basically curl a request out of the app, so it can look like another session being created with a high security.

The other thing that many Google answers threw up was turning off Session.checkAgent in your app/config/core.php, as that meant the session would not be checked. This at least prevented me from losing the session information between page requests.

:)

DavidYell
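The three effects listed in the book quote above, modelled in plain PHP as an added example (not part of the original answers and not CakePHP's own code). The function names, the 120 base timeout, the example hosts, and the assumption that the referer check string is the application's own host name are all constructed for illustration.

```php
<?php
// Added illustration: a plain-PHP model of the behaviour quoted from the book.
// It does not call CakePHP; function names and sample values are hypothetical.

// Multipliers and features per Security.level, as listed in the book quote.
function securityProfile(string $level): array
{
    $profiles = [
        'high'   => ['factor' => 10,  'refererCheck' => true,  'regenerateId' => true],
        'medium' => ['factor' => 100, 'refererCheck' => true,  'regenerateId' => false],
        'low'    => ['factor' => 300, 'refererCheck' => false, 'regenerateId' => false],
    ];
    if (!isset($profiles[$level])) {
        throw new InvalidArgumentException("Unknown Security.level: $level");
    }
    return $profiles[$level];
}

// PHP's session.referer_check rule: the session id is rejected only when a
// Referer header was sent AND it does not contain the configured substring.
function sessionIdAccepted(?string $referer, string $checkSubstring): bool
{
    if ($checkSubstring === '' || $referer === null || $referer === '') {
        return true;
    }
    return strpos($referer, $checkSubstring) !== false;
}

// Constructed sample values.
$baseTimeout = 120;                 // stands in for 'Session.timeout'
$appHost     = 'app.example.com';   // assumed check substring: the app's own host
$requests = [
    'link inside the app'     => 'http://app.example.com/users/login',
    'link from external site' => 'http://mail.example.net/inbox',
    'no Referer header sent'  => null,
];

foreach (['high', 'medium', 'low'] as $level) {
    $p = securityProfile($level);
    printf("%-6s timeout=%d regenerateId=%s\n", $level,
        $baseTimeout * $p['factor'], $p['regenerateId'] ? 'yes' : 'no');
    foreach ($requests as $label => $referer) {
        $kept = !$p['refererCheck'] || sessionIdAccepted($referer, $appHost);
        printf("  %-24s session %s\n", $label, $kept ? 'kept' : 'invalidated');
    }
}
```

In this model only the request arriving with an external Referer loses its session under 'high' and 'medium', which is the symptom described in the question; under 'low' every request keeps its session and the longer timeout applies.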
A: 

Two things happen when setting it to 'low':

1) The timeout is bigger.

2) If session hijacking is easy, then it will be easier, since the session doesn't regenerate between requests as it does when set to 'high'!

And nothing else.

By the way, you can change the security level or the session timeout, or both, for a specific page... so it is not a no-undo choice.

Robust Solution
A: 

Hi David, you are wrong: requestAction simulates dispatching a URL, it does not curl a new request. You stay in the main browser request, so if you have a million requestAction calls per browser request, the session will not regenerate a million times unless you do it explicitly.

Robust Solution
A: 

When security is high, a new session ID gets generated on every request. It is practically impossible to create a single-sign-on solution between two applications by sharing a session cookie in this case, since Cake will constantly change the session ID without notifying the other application.

When security is medium (or higher), session.referer_check is enabled.

When security is low, you don't have either of the above features, but it is still just as secure as any average PHP website/CMS out there.

deizel
Are there any other things that get turned off when security is set to low?
Jack B Nimble
No, apart from the fact that the session timeout changes, only those two features are disabled. See here: http://book.cakephp.org/view/44/CakePHP-Core-Configuration-Variables
deizel