Dec 15 2008

Using Blended SSL and non-SSL in CakePHP Applications

Published by Justin at 8:55 am under CakePHP, CakePHP tips

(This is the fourth post in a series of posts on CakePHP tips.)

Your correspondent ran into a problem with a CakePHP site where the login and sign-up pages used an SSL connection, but the rest of the site forced non-SSL connections.

Why blend SSL and non-SSL? The application itself didn’t contain any sensitive information, and SSL is a massive CPU drain. So to save cycles, we forced non-SSL for all pages but login and sign up (passwords and credit cards).

The problem was that after the user was redirected from the SSL login-processing page to the logged-in homepage, the cookie holding the user's session reference was not available on the non-SSL site, so the session did not exist there and the user was immediately logged out.

A post over at stackoverflow and some quick Googling strongly hinted that PHP was configured on the server to create secure cookies, that is, cookies that are only sent over SSL. However, your correspondent tried disabling secure cookies with ini_set(), to no avail.

Further digging revealed the real issue: the cookies were being created as secure cookies on login — in spite of my override setting in the bootstrap file — because the core CakePHP routine for cookie creation sets the “create secure cookies” PHP setting (session.cookie_secure) on the fly just before creating the cookie, whenever a page is running under SSL.

The solution was a forced modification to CakePHP core, something to be avoided at all costs but something that had to be done.

The solution is to comment out this snippet in /cake/lib/session.php, around line 420:

// CakePHP turns on secure session cookies whenever the request arrived over SSL
if ($ini_set && env('HTTPS')) {
    ini_set('session.cookie_secure', 1);
}
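To see why the redirect logs the user out, here is an added example (not from the post or from CakePHP) that models the browser's cookie scoping with Python's standard http.cookiejar; the cookie name CAKEPHP and the host app.example.com are assumptions. It also shows the flip side of the workaround above: once the secure attribute is gone, the session identifier is attached to plain-HTTP requests as well, which is exactly the exposure the flag exists to prevent.

```python
import http.cookiejar
import urllib.request
from email.message import Message


class FakeResponse:
    """Constructed stand-in for an HTTP response: the cookie jar only
    needs .info() to return the response headers."""

    def __init__(self, set_cookie_header):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def simulate_login_then_redirect(cookie_secure):
    """Model the flow from the post: the login page (https) sets the session
    cookie, then the browser follows a redirect to the non-SSL homepage.
    Returns (sent_over_http, sent_over_https): whether the browser attaches
    the session cookie to a request on each scheme."""
    # Cookie name and session id are assumed/constructed for the example.
    set_cookie = "CAKEPHP=sessionid123; path=/"
    if cookie_secure:
        # What the cookie looks like when session.cookie_secure=1 is in effect
        set_cookie += "; secure"

    jar = http.cookiejar.CookieJar()
    login = urllib.request.Request("https://app.example.com/users/login")
    jar.extract_cookies(FakeResponse(set_cookie), login)

    def cookie_sent(url):
        req = urllib.request.Request(url)
        jar.add_cookie_header(req)  # applies the Secure-flag policy
        return req.has_header("Cookie")

    return (cookie_sent("http://app.example.com/"),
            cookie_sent("https://app.example.com/account"))


if __name__ == "__main__":
    # Secure cookie: dropped on the http:// homepage, so the session is lost.
    print("secure cookie  :", simulate_login_then_redirect(True))   # (False, True)
    # Without the flag: the session id now travels over plain HTTP too.
    print("insecure cookie:", simulate_login_then_redirect(False))  # (True, True)
```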
