CakePHP Losing or Missing Session?

I have had my fair share of problems with sessions in Cake, so I thought I would share the two important settings in app/config/core.php which affect how Cake handles the session.

Session.checkAgent
Setting this to TRUE means Cake will store the user agent header of a request when a new session is created. On subsequent requests, the user agent header sent is compared with the value stored in the session. If it does not match, the current session is destroyed and a new session is created.

This rarely causes problems unless you have embedded Flash or Java objects making separate requests to the application. In that case, you must make sure they send the user agent string of the browser. If you are using something like Aurigma’s Image Uploader, where the user agent is not configurable, you have to set this to FALSE instead.

Security.level
Besides the session timeout, this will affect whether the session ID gets regenerated between requests and whether session.referer_check is set.

With the session ID regenerated, there will be problems when your application makes any Ajax calls. An Ajax request does not set the cookie as requested by the server, which causes the browser to send the session ID of a previous request, which will have already been destroyed.

The referrer check is done at the hostname level in Cake, and in theory it should not cause any problems. Weirdly, I have a one-time login link which redirects the user to another location, and it works in Firefox but not in Internet Explorer. My guess is that Internet Explorer does not set the referrer header properly if it gets redirected. You can log the HTTP_REFERER headers to verify that, though.

Anyway, the valid values are:

  • "high" – session ID regenerated and referrer check set
  • "medium" – referrer check set
  • "low" – none
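
To act on the suggestion above of logging the HTTP_REFERER header, the sketch below builds one log line per request so that a changed session ID can be lined up with the user agent, the Ajax flag and the referrer host. It is an added example, not part of the original post or of CakePHP; the function name `sessionDebugLine` is hypothetical, and `CAKEPHP` is assumed to be the session cookie name (use the Session.cookie value from your core.php).

```php
<?php
// Added diagnostic sketch, not CakePHP's own code.
// Returns one log line per request. The session ID and user agent are hashed
// so the log never contains a usable session cookie.
function sessionDebugLine($server, $cookies, $cookieName)
{
    $ua      = isset($server['HTTP_USER_AGENT']) ? $server['HTTP_USER_AGENT'] : '';
    $referer = isset($server['HTTP_REFERER']) ? $server['HTTP_REFERER'] : '';
    $host    = isset($server['HTTP_HOST']) ? $server['HTTP_HOST'] : '';
    $xhr     = isset($server['HTTP_X_REQUESTED_WITH'])
        && strtolower($server['HTTP_X_REQUESTED_WITH']) === 'xmlhttprequest';

    // Hostname-level comparison: referrer host vs. requested host (port dropped).
    $refHost = $referer === '' ? '' : (string) parse_url($referer, PHP_URL_HOST);
    $reqHost = preg_replace('/:\d+$/', '', $host);
    if ($refHost === '') {
        $refState = 'none';
    } elseif (strcasecmp($refHost, $reqHost) === 0) {
        $refState = 'same-host';
    } else {
        $refState = 'other-host:' . $refHost;
    }

    $sid = isset($cookies[$cookieName])
        ? substr(sha1($cookies[$cookieName]), 0, 8)
        : 'no-cookie';

    return sprintf(
        'sid=%s xhr=%s referer=%s ua=%s uri=%s',
        $sid,
        $xhr ? 'yes' : 'no',
        $refState,
        substr(sha1($ua), 0, 8),
        isset($server['REQUEST_URI']) ? $server['REQUEST_URI'] : ''
    );
}

if (PHP_SAPI === 'cli') {
    // Constructed sample request: a redirect landing that arrives without a Referer header.
    $server = array(
        'HTTP_HOST'       => 'app.example.test',
        'HTTP_USER_AGENT' => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)',
        'REQUEST_URI'     => '/users/dashboard',
    );
    echo sessionDebugLine($server, array('CAKEPHP' => 'constructed-session-id'), 'CAKEPHP'), "\n";
}
```

In the application, pass `$_SERVER` and `$_COOKIE` and write the result with `error_log()` early in each request. A `sid` that changes right after a line with `referer=none`, or a different `ua` hash, points to the setting responsible.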