
I already asked a similar question, but I have a problem again with sessions in CakePHP.

The problem is: when someone gets an email with a link inside and clicks this link, the session dies.

  • If the user was logged into the site after clicking on the email's link, his session dies.

  • If the user was logged into the site and copies the email's link instead of clicking on it, then everything is okay.

I think I need some magic solution to finally solve this problem once and for all.

sukinsan

3 Answers

> if the user was logged in on the site after clicking on the letter's link, his session died

This is probably because clicking the link caused whatever browser the user's using to start a new browser instance. How this is handled will vary from browser to browser.

I would leave the behaviour as it is. Working around this would be very complex, and likely to open up security problems in the process.

Pekka

Do you have Security.level on "high" in config/core.php? If so, try with "medium" or "low".

Also, check that the email client isn't opening a different browser to the one the session is started in.

deizel.
  • But it affects the timeout only – sukinsan Sep 14 '11 at 11:28
  • It also affects [a few other things](http://stackoverflow.com/questions/1954270/what-are-the-implications-of-using-low-security-in-cakephp/1958172#1958172). Might be worth checking to see if lowering the security helps. – deizel. Sep 14 '11 at 11:36
  • OK, but I didn't change it to "high"; it is set to "medium" by default right now – sukinsan Sep 14 '11 at 11:47
  • Have you tried "low" also? That is what the OP in the other question did for Hotmail/Yahoo. – deizel. Sep 14 '11 at 12:00

When the CakePHP 'Security.level' is set to 'high' or 'medium', CakePHP sets the PHP session.referer_check to your site hostname.

However, when the user clicks a link inside an email client, the referer check fails and the session is marked as invalid.

What you have to do is the following:

1) Set CakePHP 'Security.level' as 'low'

OR

2) Provide a custom session configuration for CakePHP, as shown here, setting 'session.referer_check' to an empty string, this way:

ini_set('session.referer_check', '');
felipeptcho
  • It's considered bad to copy and paste your answers. I see you put the same answer here: http://stackoverflow.com/questions/7201576/something-very-wrong-with-sessions/8622556#8622556 – Devin Burke Dec 24 '11 at 06:32
  • Yes, I was trying to help everyone. I should have used a link. I'll do it from now on. Thanks. – felipeptcho Dec 25 '11 at 17:19
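As an added illustration (not code from the thread or from CakePHP), the following Python model applies PHP's documented `session.referer_check` rule to the click scenarios discussed above: a pasted URL sends no Referer and is accepted, a click on the site itself passes the substring test, and a click from a webmail page (the Hotmail/Yahoo case in the comments) carries a foreign Referer and invalidates the session unless the check is disabled. The hostnames are constructed, and the mapping from `Security.level` to the check value follows the answer above.

```python
# Added example, not from the original thread: a model of PHP's
# session.referer_check as CakePHP sets it, to show which link clicks
# invalidate the session. PHP's documented rule: if the client sent a
# Referer header and the configured substring is not found in it, the
# session id is treated as invalid; a request without a Referer passes.
from typing import Optional


def referer_check_for(security_level: str, site_host: str) -> str:
    """Value CakePHP puts into session.referer_check for a Security.level
    (per the answer above: 'high'/'medium' use the site hostname, 'low' disables it)."""
    if security_level in ("high", "medium"):
        return site_host
    if security_level == "low":
        return ""
    raise ValueError(f"unknown Security.level: {security_level}")


def session_survives(referer_check: str, referer: Optional[str]) -> bool:
    """Apply PHP's referer_check semantics to a single request.

    referer is the raw Referer header, or None when the client sent none
    (for example a URL pasted into the address bar)."""
    if referer_check == "":
        return True                    # check disabled: every request keeps its session
    if referer is None:
        return True                    # PHP only tests a Referer that was actually sent
    return referer_check in referer    # substring test, like PHP's strstr()


def classify_click(security_level: str, site_host: str, referer: Optional[str]) -> str:
    """Outcome of one click arriving with the given Referer header."""
    check = referer_check_for(security_level, site_host)
    return "session kept" if session_survives(check, referer) else "session invalidated"


if __name__ == "__main__":
    site = "www.example.com"           # constructed site hostname
    cases = [                          # constructed Referer values
        ("pasted URL, no Referer", None),
        ("link clicked on the site itself", "http://www.example.com/account"),
        ("link clicked in webmail", "http://mail.webmail.test/inbox"),
    ]
    for level in ("medium", "low"):
        for label, ref in cases:
            print(f"Security.level={level:<6} {label:<34} -> {classify_click(level, site, ref)}")
```

Setting the check to an empty string removes the only protection `session.referer_check` gives (rejecting session ids presented from foreign pages), so CakePHP's own CSRF tokens and proper cookie settings should be in place before relying on 'low'. A desktop mail client that opens a fresh browser profile sends no Referer, so the session loss Pekka describes is a separate cookie-scope issue this model does not cover.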