views: 1977

answers: 5

I have a login screen that I force to be SSL, like this: https://www.foobar.com/login. After they log in, they get moved to the homepage: https://www.foobar.com/dashboard

However, I want to move people off of SSL once logged in (to save CPU), so just after checking that they are in fact logged in on https://www.foobar.com/dashboard, I move them to http://www.foobar.com/dashboard

Well, this always seems to wipe out the session variables: when the page runs again it confirms they are logged in (as all pages do), the session appears not to exist, and so it moves them to the login screen.

Oddness/findings:

  1. The second login always works, and happily gets me to http://www.foobar.com/dashboard
  2. It successfully creates a cookie on the first login
  3. If I log in twice, then log out, and log in again, I don't need two logins (I seem to have traced this to the fact that the cookie exists). If I delete the cookie, I'm back to two logins.
  4. After the second login, I can move from non-SSL to SSL and the session persists.
  5. On the first login, the move to the non-SSL site wipes out the session entirely; manually moving back to the SSL site still forces me to log in again.
  6. The second login uses the exact same mechanism as the first, over SSL.

What I tried:

  1. Playing with Cake's settings for security.level and session.checkagent - nothing
  2. Having cake store the sessions in db (as opposed to file system) - nothing
  3. Testing in FF, IE, Chrome on an XP machine.

So I feel like this is something related to the cookie being created but not being read.

Environment:

  1. Debian
  2. Apache 2
  3. MySQL 4
  4. PHP 5
  5. CakePHP
  6. Sessions are being saved the PHP default way, as files

+3  A: 

First of all, do I understand correctly that the second login is using the exact same mechanism as the first (via HTTPS)?

Does the first hit on a unsecured page create a new session, in addition to the one created during login?

Check whether, on first login, the cookie is set with the Secure flag (that flag means the cookie should only be sent over a secured (HTTPS) connection).

Piskvor
Updated my question to confirm comment 1. Comment 3: checked that; the cookie isn't set to Secure. Comment 2: not sure, but it does wipe out the session that did exist (for a moment) on the SSL side.
Justin
You were right! Let me clarify: Cake was switching the session.cookie_secure ini value on the fly while under SSL connections automatically. Solution, comment out /cake/lib/session.php line 420 ish:

ini_set('session.cookie_secure', 1);
Justin
I'm not sure what the etiquette is for the answer here. This comment led me to the solution, and does identify the cause. However, for future users I posted a complete answer below. To be fair, I marked that as the answer, but gave an up vote to his answer as it did lead to the solution.
Justin
A: 

Has your homepage got any flash on it that makes a subsequent request to your server? Or any Ajax loading of content?

Have you checked headers being sent from the server? In IE you can use Fiddler or in Firefox use the Live Headers addon. Check for any new cookies being set or the CAKEPHP cookie having a different value.

neilcrookes
I just used live headers and it sets the cookie just before it moves the user back to the login screen. On the second login, which works, there are no additional cookies set. Odd.
Justin
+1  A: 

I figured this out. Cake was switching the session.cookie_secure ini value on the fly while under SSL connections automatically, so the cookie being created was a Secure cookie, which the second page wouldn't recognize.

Solution, comment out /cake/lib/session.php line 420 ish:

ini_set('session.cookie_secure', 1);

(Just search for that to find it, as I'm sure the line # will change as releases come out.)

Justin
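The accepted answer comes down to one cookie attribute. The following is an added Python example, not code from the page or from CakePHP: it replays the question's flow with the standard library's http.cookiejar, which applies the same rule a browser does, namely that a cookie flagged Secure is never attached to a plain-HTTP request. The CAKEPHP cookie name is CakePHP's default session cookie name; the Set-Cookie header values, the session id, the URLs and the function names are constructed for the example.

```python
"""Why a Secure session cookie set on an HTTPS login page is "lost" on HTTP.

Added example (not from the original page); uses only the standard library
and simulates the browser's cookie store with http.cookiejar.
"""
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _Response:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, headers):
        self._headers = headers

    def info(self):
        return self._headers


def receive_set_cookie(jar, url, set_cookie_value):
    """Store the cookie that a response to ``url`` sets via ``Set-Cookie``."""
    headers = Message()
    headers["Set-Cookie"] = set_cookie_value
    jar.extract_cookies(_Response(headers), Request(url))


def cookie_header_for(jar, url):
    """Return the Cookie header a browser would attach to a request for ``url``,
    or None when no stored cookie is eligible (e.g. a Secure cookie over HTTP)."""
    req = Request(url)
    jar.add_cookie_header(req)
    return req.get_header("Cookie")


def simulate_login_flow(set_cookie_value):
    """Replay the question's flow: log in over HTTPS, then open the dashboard
    over HTTPS and then over HTTP. Returns the Cookie header sent to each."""
    jar = CookieJar()
    receive_set_cookie(jar, "https://www.foobar.com/login", set_cookie_value)
    return {
        "https_dashboard": cookie_header_for(jar, "https://www.foobar.com/dashboard"),
        "http_dashboard": cookie_header_for(jar, "http://www.foobar.com/dashboard"),
    }


# Constructed sample Set-Cookie values. CAKEPHP is CakePHP's default session
# cookie name; the session id is made up.
SECURE_COOKIE = "CAKEPHP=9f8c2d1e; path=/; secure"   # session.cookie_secure = 1
PLAIN_COOKIE = "CAKEPHP=9f8c2d1e; path=/"            # session.cookie_secure = 0

if __name__ == "__main__":
    for label, value in (("secure", SECURE_COOKIE), ("plain", PLAIN_COOKIE)):
        sent = simulate_login_flow(value)
        print(f"{label:6s} cookie -> https dashboard: {sent['https_dashboard']!r}, "
              f"http dashboard: {sent['http_dashboard']!r}")
```

With the Secure cookie the HTTP dashboard request carries no Cookie header at all, which is exactly the "session appears not to exist" symptom in the question; with the plain cookie the session id is sent on both. That second case is the trade-off of the fix above: once session.cookie_secure is 0, the session id travels in clear text on every HTTP request, where anyone who can observe the traffic can copy and replay it. The Secure flag Cake sets is the control that prevents that, and moving a logged-in user from HTTPS to HTTP is precisely the situation it exists for.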
A: 

Just bumped into this problem. I commented out

ini_set('session.name', Configure::read('Session.cookie'));

from session.php (/cake/lib/session.php, line 480~) and it worked fine.

monmonja
A: 

You can specify your own session handling settings in a configuration file (rather than editing the CakePHP library file). In the configuration file you can set session.cookie_secure to 0, which will take precedence over the setting in /cake/lib/session.php. This will allow the session cookie to be used for both SSL and non-SSL connections.

Here is a blog entry on the topic: http://bakery.cakephp.org/articles/view/how-to-bend-cakephp-s-session-handling-to-your-needs

and some documentation from the Cookbook: http://book.cakephp.org/view/173/Sessions

Red Sparrow