Session not saving when moving from ssl to non-ssl

Question

I have a login screen that I force to be ssl, so like this: https://www.foobar.com/login then after they login, they get moved to the homepage: https://www.foobar.com/dashbaord

However, I want to move people off of SSL once logged in (to save CPU), so just after checking that they are in fact logged in on https://www.foobar.com/dashbaord I move them to http://www.foobar.com/dashbaord

Well this always seems to wipe out the session variables, because when the page runs again, it confirms they are logged in (as all pages do) and session appears not to exist, so it moves them to the login screen.

Oddness/findings:

1. List item
2. The second login always works, and happily gets me to http://www.foobar.com/dashbaord
3. It successfully creates a cookie the first login
4. If I login twice, then logout, and login again, I don't need two logins (I seem to have traced this to the fact that the cookie exists). If I delete the cookie, I'm back to two logins.
5. After the second login, I can move from non-ssl from ssl and the session persists.
6. On the first login, the move to the non-ssl site wipes out the session entirely, manually moving back to the ssl site still forces me to login again.
7. The second login using the exact same mechanism as the first, over ssl

What I tried:

1. Playing with Cake's settings for security.level and session.checkagent - nothing
2. Having cake store the sessions in db (as opposed to file system) - nothing
3. Testing in FF, IE, Chrome on an XP machine.

So I feel like this is something related to the cookie being created but not being read.

Environment: 1. Debian 2. Apache 2 3. Mysql 4 4. PHP 5 5. CakePHP 6. Sessions are being saved PHP default, as files

Answer 1

I figured this out. Cake was switching the session.cookie_secure ini value on-the-fly while under SSL connections automatically, So the cookie being created was a secure cookie, which the second page wouldn't recognize.

Solution, comment out /cake/lib/session.php line 420 ish:

ini_set('session.cookie_secure', 1);

(Just search for that to find it, as I'm sure the line # will change as releases come out.)

Answer 2

While the accepted answer meets the OP's desire to "move people off of SSL once logged in" - it's horribly insecure in that it exposes the user session to hijacking (See Firesheep for an easy exploit).

A better compromise between the default behavior of CakePHP (which requires all pages to be served SSL after a user authenticates over SSL) and the accepted answer (which serves all authenticated pages unencrypted and exposes the authenticated cookie) is to serve pages encrypted over SSL if and only if they require authentication.

An easy way to accomplish this is to maintain two session cookies - one that is served secure and holds the authentication information and another which is served insecure. A simple implementation to support such a dual-session approach will use a session_handler to override the session.name like so:

    if (env('HTTPS')) {
        ini_set('session.name', Configure::read('Session.cookie').'-SECURE');
    }else{
        ini_set('session.name', Configure::read('Session.cookie'));
    } 

One item to keep in mind with this approach is that to link from a non-SSL page directly to a page that requires authentication will require you to explicitly link using https - since you'll need to send the session cookie containing the authentication information and the browser will only do so if the link is encrypted.

Answer 3

First of all, do I understand correctly that the second login is using the exact same mechanism as the first (via HTTPS)?

Does the first hit on a unsecured page create a new session, in addition to the one created during login?

Check if, on first login, the cookie is not set with the Secure flag (that means that the cookie should only be sent over a secured (HTTPS) connection).

Answer 4

You can read more in documentation CakePHP at http://book.cakephp.org/2.0/en/development/sessions.html CakePHP’s defaults to setting session.cookie_secure to true, when your application is on an SSL protocol. If your application serves from both SSL and non-SSL protocols, then you might have problems with sessions being lost. If you need access to the session on both SSL and non-SSL domains you will want to disable this:

You open file Config/core.php and add as bellow

Configure::write('Session', array(
    'defaults' => 'php',
    'ini' => array(
        'session.cookie_secure' => false
    )
));

Now you can switch http and https that not lose session :)

Answer 5

You can specify your own session handling settings in a configuration file (rather than editing the CakePHP library file.) In the configuration file you can set session.cookie_secure to 0, which will take precedence over the setting in /cake/lib/session.php. This will allow the session cookie to be used for both SSL and non-SSL connections.

Here is a blog entry on the topic: http://bakery.cakephp.org/articles/view/how-to-bend-cakephp-s-session-handling-to-your-needs

and some documentation from the Cookbook: http://book.cakephp.org/view/173/Sessions

Answer 6

Just bumped into this problem, I commented the following and it worked fine:

<br />ini_set('session.name', Configure::read('Session.cookie'));
<br />
from session.php (/cake/lib/session.php, line 480~)

Answer 7

Has your homepage got any flash on it that makes a subsequent request to your server? Or any Ajax loading of content?

Have you checked headers being sent from the server? In IE you can use Fiddler or in Firefox use the Live Headers addon. Check for any new cookies being set or the CAKEPHP cookie having a different value.