Configuration Session.cookie with fullstop causes auth component to "forget" successful authentication attempt
Reported by Ryan Boucher | May 6th, 2010 @ 04:36 AM | in 1.2.7
When the app/core.php setting Session.cookie contains a full stop, the auth component will authenticate successfully, but as soon as the next redirect occurs the state information cannot be found and the user will be logged out.
The line by default is:
Configure::write('Session.cookie', 'CAKEPHP');
and if it is changed to
Configure::write('Session.cookie', 'CAKE.PHP');
then it will fail.
This occurs in cakephp version 1.3 stable but also in RC4. I didn't check any other versions.
Any working auth setup should work for a test harness; otherwise, following the auth component instructions from the CakePHP book will do the same. I have attached a rar file with an app folder that contains the basic controller and view required to replicate the issue. I have not included the peripheral CakePHP files. You will need to create a database.
I had all default settings (as per the v1.3 stable): PHP for sessions, and sessions were stored in a directory path on the server that was writeable.
Apart from being able to replicate the issue, I have not looked at the root cause. I think it would be worthwhile adding another validation check to the list that occurs when checking that security.salt is valid, etc.
Comments and changes to this ticket
Ryan Boucher May 6th, 2010 @ 05:03 AM
- Please cite where this is documented.
- If session cookies cannot have a dot in the name, then why doesn't CakePHP do validation to ensure that the system is configured correctly?
dogmatic69 May 6th, 2010 @ 06:06 AM
That is just the way PHP works. I did a quick search on Google and found some sites that said session names should not contain '.'.
http://www.clanthemes.com/tutorials-view-183-cookie-config-and-fix-...
read under "cookie name"
ADmad May 6th, 2010 @ 07:28 AM
- → Milestone set to 1.2.7
- → Tag cleared.
- → State changed from new to invalid
- → Assigned user cleared.
As pointed out, you can't have a dot in a cookie name. Here's the reference http://php.net/session_name "The session name references the session id in cookies and URLs. It should contain only alphanumeric characters;...". We can't put checks in the framework for every protocol/language restriction such as this. It would make the code base seriously bloated.
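As an added illustration (not CakePHP's own code and not the patch linked later in the thread), here is the configuration check the ticket asks for, written against the session_name() restriction cited above, together with a short simulation of why a dotted name is "forgotten" on the next request: PHP rewrites dots and spaces in incoming GET/POST/COOKIE variable names to underscores, so a cookie the browser sends back as CAKE.PHP is registered as $_COOKIE['CAKE_PHP'] while the session extension keeps looking for CAKE.PHP and starts a fresh session. The function names and the sample cookie values are assumptions made for this example.

```php
<?php
// Added example, not CakePHP's code. Validates a configured Session.cookie
// value the way the ticket suggests, and simulates the second request to
// show why a name containing '.' never matches again.

/**
 * Returns null when $name is usable as a PHP session name, otherwise a
 * message describing the problem. The alphanumeric rule is the one from
 * the session_name() documentation; purely numeric names are rejected as
 * well because PHP refuses them.
 */
function validateSessionName($name)
{
    if (!is_string($name) || $name === '') {
        return 'Session.cookie must be a non-empty string';
    }
    if (ctype_digit($name)) {
        return 'Session.cookie must not be purely numeric';
    }
    if (!preg_match('/^[A-Za-z0-9]+$/', $name)) {
        return "Session.cookie '$name' contains characters outside [A-Za-z0-9]";
    }
    return null;
}

/**
 * Simplified model of how PHP names an incoming request variable: dots and
 * spaces are replaced by underscores before the value lands in
 * $_GET/$_POST/$_COOKIE.
 */
function phpVariableName($name)
{
    return str_replace(array('.', ' '), '_', $name);
}

/**
 * Simulates the request after login. $cookieHeader maps the cookie names
 * the browser sent to their values; PHP registers them under mangled keys,
 * and the session layer looks the session id up under the configured name.
 * Returns the session id, or null when the session is "forgotten".
 */
function lookupSessionCookie($sessionName, array $cookieHeader)
{
    $cookies = array();
    foreach ($cookieHeader as $name => $value) {
        $cookies[phpVariableName($name)] = $value;
    }
    return isset($cookies[$sessionName]) ? $cookies[$sessionName] : null;
}

// Constructed sample values (assumptions for this example).
$defaultName = 'CAKEPHP';
$dottedName  = 'CAKE.PHP';

// With the default name the cookie round-trips and the session id is found.
var_dump(validateSessionName($defaultName));
var_dump(lookupSessionCookie($defaultName, array($defaultName => 'abc123')));

// With a dot the check reports the problem, and even if the cookie is set,
// the lookup on the next request fails and the user appears logged out.
var_dump(validateSessionName($dottedName));
var_dump(lookupSessionCookie($dottedName, array($dottedName => 'abc123')));
```

Running validateSessionName() once at bootstrap (for instance next to the existing security.salt check) turns the silent logout into a clear configuration error; the lookup simulation is only there to make the cause visible.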
Ryan Boucher May 6th, 2010 @ 07:55 AM
You're building framework components on assumptions that may not be true. As a consumer of the framework I don't need to know that you are using PHP sessions to implement session management. I'm not calling session_name; I'm setting a configuration property that apparently has constraints upon it.
I'm sure you can see where I am coming from.
I think there is much that could be learned from this defect, and perhaps improving the documentation around auth, sessions or configuration would be an easier solution than verifying assumptions in code.
There is a workaround for this defect and I'm not going to complain until it's fixed. It's you're framework and I've got my code working.
dogmatic69 May 6th, 2010 @ 08:28 AM
Great attitude. The reason it is not done in Cake is the same reason it's not done in PHP. Think about it: if it was such a problem, the PHP devs would have the checks in the core PHP code.
The workaround is simple... don't use funny chars in the session name.
Predominant May 6th, 2010 @ 08:31 AM
- → Tag set to cookie, defect, session
- → State changed from invalid to open
- → Assigned user set to Predominant
I'll fix 'er up. You'll see.
AD7six May 6th, 2010 @ 08:32 AM
Documentation fix for those who aren't aware that CakePHP is written using.. PHP.
http://github.com/AD7six/cakephp1x/commit/eebe6f8a0103c7d2152730830...
Predominant May 6th, 2010 @ 08:39 AM
Request For Comments:
Patches for both current 1.2 and 1.3 branches.
Commit in my fork : http://github.com/predominant/cakephp1x/commit/99253c22f3a68065a37b...
Predominant May 6th, 2010 @ 08:49 AM
- → State changed from open to resolved
Fixed for 1.2 in [99253c22f3a68065a37b9736fd500ec42be3d3c5] and [b8a98e2989afe9c90e6959a1a1a935225a5f2efa]
Fixed for 1.3 in [a8a31899892fa0212d61d0eeab99baa2510bc39d] and [fd7c1d4f7fe0ba55f5c78617a75e31b862400d19]
dakota May 6th, 2010 @ 08:52 AM
So, if I understand correctly, Ryan is upset at the CakePHP project because of a limitation in the PHP language?
@Ryan: "There is a workaround for this defect and I'm not going to complain until it's fixed. It's you're framework and I've got my code working." <- That attitude is not going to get you anywhere. CakePHP is an open source project. If you have an issue and you have a workaround for it then please post a patch file, or fork the project on Github and perform a pull request. Don't come complaining that it's "you're framework" when it is also your (as in Ryan Boucher's) framework.
And the grammar Nazi in me needs to mention that it is "your" and not "you're" (you are).
AD7six May 6th, 2010 @ 08:55 AM
dakota you forgot to mention that there is no defect, and by consequence there can be no workaround.
ADmad May 6th, 2010 @ 08:58 AM
Maybe we should have a closed source version of the framework too for "consumers" who are not interested in what the framework does internally. As for an open-source version, add the following comment to each file: "CakePHP is written using PHP. We can't circumvent the restrictions/shortcomings of the language itself."
dakota May 6th, 2010 @ 08:58 AM
Well, since the RFC for cookies doesn't make mention of any limits on cookie names, technically there is a defect. Only minor detail is that the defect is with the PHP project, and not with the CakePHP project.
Ryan Boucher May 6th, 2010 @ 05:52 PM
@dakota - good point; maybe I should make this fix myself but it would need to be approved by the CakePHP change management to be included. The consensus I am getting is that you don't want to fix this issue because it's a PHP limitation.
@dakota grammar noted.
@AD7six & @Predominant - both of those fixes are fine with the latter providing more detail.
What I am trying to illustrate here is that CakePHP is a framework that abstracts implementation details away for developers. I use CakePHP for this purpose; I am not going to change its source for my app, because then I will have two code bases to maintain: one for my app and one with changes to merge into the framework each time you release.
If you are abstracting implementation details away, then you need to understand what that actually means. I may have access to the source code, but that doesn't mean I must understand how it works for it to work on my behalf. This is why we have layers in software design: to simplify details for consumers.
Let me provide an example. Let's say that in version 8.9 of CakePHP you implement sessions using Wonkers, and Wonkers don't accept Scruples in their session names. Everyone who had used a Scruple in their session name now has to change their names and then retest their application because of an implementation detail regarding Wonkers that you chose to use.
I'm aware CakePHP is written in PHP, but you need to understand that I didn't ask PHP to do session management. I asked CakePHP, and it happened to ask PHP; it could have asked Wonkers. CakePHP needs to be aware that if it is going to consume PHP or Wonkers for sessions there are limitations, and as such it needs to shield these from its consumers.
I believe this is called the Law of Leaky Abstractions.
Happy to discuss this further. All of this is based on my assumption that CakePHP is a framework and an abstraction layer for implementing software in PHP. You (the collective) may not have that goal for CakePHP as a framework.
Predominant May 6th, 2010 @ 06:02 PM
Thanks for your response Ryan. Very well explained there, and we understand where you are coming from.
We won't abstract away PHP in the design and creation of CakePHP completely.
CakePHP has always been and will remain a framework for PHP developers. As such, use of CakePHP does come with a few prerequisites: Programming experience, PHP knowledge (PHP4+ for CakePHP 1.x), and some patience to read through the extensive documentation and tutorials.
We have in fact made the conscious decision to implement PHP based views, as we believe that PHP itself is a great templating language for use in view creation. What we do provide, however, is a flexible and extensible framework in which you can develop and abstract PHP with template engines like Smarty, Dwoo and others. The base requirement of course being that you need an understanding of the CakePHP framework to construct these classes, and experience and understanding of PHP in order to develop these extensions.
I've extended the inline documentation for the issue you were experiencing, and we're more than happy to address similar issues through further education and instruction for users where possible to ease the development process and reduce frustrations where they exist.
I hope that explains the CakePHP approach, and why we're not hiding PHP from the developer.
Ryan Boucher May 6th, 2010 @ 09:27 PM
Thanks Predominant for taking the time to explain the CakePHP approach. It definitely increases the clarity around what I need to consider as a developer using CakePHP.