Cakephp cookie doesn’t expire even after browser close?

If you used CakePHP framework to build application and used Auth component for Authentication – you might face few cookie related problems. One is – If you close browser without log out – it doesn’t expire that is, browser kept cookie for ever and you never logged it. This is the very serious issue. You may updated your security level to high to solve this iisue but this causes the session id to be regenerated on every request. This does make it very easy to lose your legitimate session though, and its excessive and costly – we don’t need that though. So i was searching for a easy and cheap solution – how to solve this issue but there are very less resources related to this problem. Later i found a nice solution on cakephp site! that is –

Set security level to midium rather than high on core.php

Configure::write('Security.level', 'medium');

Define custom session handling method rather than database or php. To do this, find out the collowing line in core.php

Configure::write('Session.save', 'php');

Updated the above line to

Configure::write('Session.save', 'my_session_handler');

So you specified your custom session handling preferences, now create the custom session handling file with following contents –

// app/config/my_session_handler.php
//
// Revert value and get rid of the referrer check even when,
// Security.level is medium
ini_restore('session.referer_check');

ini_set('session.use_trans_sid', 0);
ini_set('session.name', Configure::read('Session.cookie'));

// Cookie is now destroyed when browser is closed, doesn't 
// persist for days as it does by default for security
// low and medium
ini_set('session.cookie_lifetime', 0);

// Cookie path is now '/' even if you app is within a sub 
// directory on the domain
$this->path = '/';
ini_set('session.cookie_path', $this->path);

// Session cookie now persists across all subdomains
ini_set('session.cookie_domain', env('HTTP_BASE'));

Hopefully this configuration will be ok, tweak configuration as needed.

About these ads

4 thoughts on “Cakephp cookie doesn’t expire even after browser close?

  1. In cakephp 2.x you can create a “session cookie” by setting the cookie timeout to 0 in the core.php session configuration. E.g:

    Configure::write(‘Session’, array(
    ‘checkAgent’ => false,
    ‘timeout’ => 600, // Max 10 hours
    ‘cookieTimeout’ => 0 // Delete when browser is closes
    ));

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s