cakephp: expired session cookie after removing csrf token
This is a (multiple allowed):
- bug
- enhancement
- feature-discussion (RFC)
- CakePHP Version: cake 3.3.3
What you did
Expired session cookie after closing and re-opening the browser. I first log in to the site, then close the browser and open the site again; I see I am still logged in, but in the response header Cake sent an expire-cookie header. Then I refresh the page and I see I am logged out of the site. This happened after upgrading from Cake 3.2 to Cake 3.3.3. Also, if I log in again, as long as I do not close the browser my cookie does not expire and works well.
app.php:

```php
'Session' => [
    'defaults' => 'cake',
    'timeout' => 60 * 24 * 365,                         // session timeout, in minutes
    'ini' => [
        'session.cookie_lifetime' => 60 * 60 * 24 * 365, // cookie lifetime, in seconds
    ],
],
```

AppController:

```php
public function initialize()
{
    parent::initialize();
    $this->loadComponent('RequestHandler');
    $this->loadComponent('Flash');
    $this->loadComponent('Security');
    $this->loadComponent('Csrf');
    //$this->request->session()->renew();
    $this->loadComponent('Auth', [
        // ..
        'storage' => ['className' => 'Session', 'key' => 'Auth.User'],
    ]);
}
```
Expected Behavior
Actual Behavior
About this issue
- State: closed
- Created 8 years ago
- Comments: 25 (24 by maintainers)
I was finally able to reproduce this issue. It has nothing to do with removing the CSRF cookie. Instead it requires:
When these 2 things are true, the new session id cookie is not set correctly, and has the incorrect expiry date that you saw. I was also able to confirm that #9517 will fix this issue.
You can try that branch out locally by using

```
composer require "cakephp/cakephp:dev-response-emitter as 3.3.5"
```

I don't think setting a cookie should rotate the session. I'll see if I can reproduce that issue.
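As an added illustration (not code from this issue or from CakePHP itself), the check below parses the Set-Cookie headers of a response and classifies what it does to the session cookie, which is how a developer would pin down the symptom in this report: a session cookie re-sent with an Expires date in the past. The cookie name CAKEPHP (CakePHP's default), the clock value and the sample headers are assumptions constructed for the example.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
# Assumed: CakePHP's default session cookie name and the lifetime configured in app.php above.
SESSION_COOKIE = "CAKEPHP"
EXPECTED_LIFETIME = 60 * 60 * 24 * 365  # session.cookie_lifetime is in seconds

def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs

def remaining_lifetime(attrs, now):
    """Seconds until expiry; Max-Age wins over Expires (RFC 6265); None means a browser-session cookie."""
    if "max-age" in attrs:
        return int(attrs["max-age"])
    if "expires" in attrs:
        expires = parsedate_to_datetime(attrs["expires"])
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return int((expires - now).total_seconds())
    return None

def classify_session_cookie(headers, now, tolerance=60):
    """What the response does to the session cookie: ok, expired, wrong-lifetime, browser-session or absent."""
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, cookie_value, attrs = parse_set_cookie(value)
        if cookie != SESSION_COOKIE:
            continue
        life = remaining_lifetime(attrs, now)
        if life is None:
            return "browser-session"
        if life <= 0 or cookie_value in ("", "deleted"):
            return "expired"  # the symptom in this report: a Set-Cookie with a past Expires date
        if abs(life - EXPECTED_LIFETIME) > tolerance:
            return "wrong-lifetime"
        return "ok"
    return "absent"
# Constructed sample responses (not captured from the reporter's site), judged at a fixed clock.
NOW = datetime(2016, 10, 1, tzinfo=timezone.utc)
BAD = [("Set-Cookie", "csrfToken=tok; path=/"),
       ("Set-Cookie", "CAKEPHP=abc123; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; HttpOnly")]
GOOD = [("Set-Cookie", "CAKEPHP=abc123; expires=Sun, 01-Oct-2017 00:00:00 GMT; path=/; HttpOnly")]
```

Run `classify_session_cookie(BAD, NOW)` against the headers of the request that logs you out to confirm whether the server is actively expiring the cookie rather than the browser dropping it.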