Session timeout: Auth component 403 status code being dropped when the request is made via AJAX
Reported by frankmullenger | May 2nd, 2010 @ 09:16 PM | in 1.3.0
The Auth component tries to trigger a redirect with HTTP status code 403. If the initial request was made via AJAX and the RequestHandler component is loaded, the 403 status code is dropped:
If the session has timed out before an AJAX request is made, the Auth component is invoked and attempts a redirect with status code 403 (Forbidden):

    // Line 357 cake/libs/controller/components/auth.php
    $controller->redirect(null, 403);

The controller class calls beforeRedirect() on the Component class:

    // Line 542 cake/libs/controller/controller.php
    $response = $this->Component->beforeRedirect($this, $url, $status, $exit);

Which in turn calls the beforeRedirect() method of any loaded components:

    // Line 146 cake/libs/controller/component.php
    $resp = $component->beforeRedirect($controller, $url, $status, $exit);

While the Auth component does not have a beforeRedirect() method, if you have the RequestHandler component loaded its beforeRedirect() is invoked, which according to its comment block:
Handles (fakes) redirects for Ajax requests using requestAction()
The beforeRedirect() calls requestAction() of the Object class, and that is the problem:

    // Line 234 cake/libs/controller/components/request_handler.php
    echo $this->requestAction($url, array('return'));
    $this->_stop();

requestAction() simply calls a controller's method from any location; you can pass a URL or a few limited options but no header code, so the 403 header code used at the beginning by the Auth component is dropped and not returned to the browser. Execution of the script is then immediately stopped.
See blog post for more info: http://deadlytechnology.com/scripts/php/ajax-session-expire-bug/
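The practical effect on the caller, as an added example that is not part of this ticket or of CakePHP's code: a browser-side response handler that treats both outcomes described above as an expired session. After the fix the client receives a genuine 403; with the 1.3.0 behaviour it receives HTTP 200 whose body is the login form that requestAction() echoed in place of the redirect, which a naive caller would treat as success and inject into the page. The handler navigates to the login page in both cases instead of rendering the body. The /users/login route, the expectation that successful responses are JSON, and the HTML-detection heuristics are assumptions of this example; the sample responses are constructed.

```javascript
// Added example (not from the ticket or CakePHP): client-side handling of an
// AJAX response whose session has expired, covering both the fixed behaviour
// (a real 403) and the 1.3.0 symptom (200 + login page HTML). The login route,
// the JSON expectation and the HTML heuristics are assumptions of the example.

const LOGIN_URL = '/users/login'; // assumed login route

// Classify a response by status and content. Returns one of:
//   'ok'              -> a JSON payload the caller may parse
//   'session-expired' -> send the user to the login page; never render the body
//   'error'           -> any other failure
function classifyAjaxResponse(status, contentType, body) {
  if (status === 401 || status === 403) {
    return 'session-expired';
  }
  if (status < 200 || status >= 300) {
    return 'error';
  }
  const type = (contentType || '').toLowerCase();
  const looksLikeHtml =
    type.includes('text/html') || /^\s*<(!doctype|html|form)/i.test(body || '');
  // A 2xx carrying HTML where JSON was expected is the pre-fix symptom: the
  // login form came back with a 200 because the 403 was dropped.
  if (looksLikeHtml) {
    return 'session-expired';
  }
  try {
    JSON.parse(body);
    return 'ok';
  } catch (e) {
    return 'error';
  }
}

// Drive a fetch-like response object. `navigate` is injected so this can run
// outside a browser; in a browser pass url => window.location.assign(url).
async function handleAjaxResponse(response, navigate) {
  const body = await response.text();
  const verdict = classifyAjaxResponse(
    response.status, response.headers.get('content-type'), body);
  if (verdict === 'session-expired') {
    navigate(LOGIN_URL);
    return null;
  }
  if (verdict === 'error') {
    throw new Error('request failed with status ' + response.status);
  }
  return JSON.parse(body);
}

// Constructed sample responses standing in for what the three situations
// described in the ticket would deliver to the browser.
const SAMPLE_RESPONSES = [
  // fixed RequestHandler: status code carried along
  { status: 403, contentType: 'text/html; charset=utf-8', body: '' },
  // 1.3.0 behaviour: login form echoed by requestAction() with a 200
  { status: 200, contentType: 'text/html; charset=utf-8',
    body: '<form action="/users/login" method="post">...</form>' },
  // session still valid
  { status: 200, contentType: 'application/json', body: '{"ok":true}' },
];

function demo() {
  return SAMPLE_RESPONSES.map(r =>
    classifyAjaxResponse(r.status, r.contentType, r.body));
}

console.log(demo()); // [ 'session-expired', 'session-expired', 'ok' ]
```

Treating a 2xx HTML body as a session expiry rather than parsing it is deliberately conservative: the alternative, inserting whatever came back into the DOM, is exactly what goes wrong when the status code is lost.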
Comments and changes to this ticket

Mark Story May 3rd, 2010 @ 08:35 PM
→ Milestone set to 1.3.0
→ Tag set to defect, header, requesthandler
→ Assigned user cleared.

Mark Story May 3rd, 2010 @ 09:06 PM
→ Assigned user set to Mark Story

CakePHP May 3rd, 2010 @ 09:07 PM
→ State changed from new to resolved
(from [95dbae8acf4f87a53bc0a04147a4efe22ae91faa]) Making RequestHandler component carry along a passed status code. This fixes issues where RequestHandler hijacks a redirect(). Fixes #658 http://github.com/cakephp/cakephp1x/commit/95dbae8acf4f87a53bc0a041...

csrui June 23rd, 2010 @ 04:26 AM
I'm currently using version 1.3.2 with Security.level set to low, and I keep getting the 403 header "randomly" when doing posts via AJAX.

Felipe Sabino December 1st, 2010 @ 07:01 AM
I am using 1.3.3 and I am also getting the 403 header randomly while making AJAX calls.
I verified a "Set-Cookie" parameter in my server response header, and after that the session simply died.

RSK January 29th, 2011 @ 12:28 AM
I am using CakePHP 1.3.2 and the AJAX request after session timeout still throws 403.