What are the implications of using "low" security in cakephp?

I had an authentication problem in CakePHP: when you set credentials from an external site, the authentication worked but was then lost right away, and the site requested login information again.

This guy determined that the CakePHP session cookie is changing. His solution was to set security to a low level.

"It seems like in medium or high security Cake does double referer checking ... but with low security it works fine when you click auth-protected links from external sites like Hotmail or Yahoo."

This solution also worked for me, but what am I losing by setting CakePHP to "low" security?

+7
security cakephp
4 answers

When security is high, a new session identifier is generated with every request. In this case it is practically impossible to create a single sign-on solution between two applications by sharing the session cookie, since Cake will constantly change the session identifier without notifying the other application.

When security is medium (or higher), session.referer_check is enabled.

When security is low, you do not have any of the above features, but it is still as secure as any regular PHP / CMS website.

+7

The main thing I know of is the session timeout: according to the comments in app/config/core.php, your session timeout is multiplied by a smaller number.

The book supports this:

"CakePHP Security Level. The session timeout time defined in 'Session.timeout' is multiplied according to the settings here. Valid values: 'high' = x 10, 'medium' = x 100, 'low' = x 300. 'high' and 'medium' also enable session.referer_check. CakePHP session IDs are also regenerated between requests if Security.level is set to 'high'."

Link: http://book.cakephp.org/view/44/CakePHP-Core-Configuration-Variables

So the other thing seems to be the referer check:

"session.referer_check contains the substring you want to check each HTTP Referer for. If the Referer was sent by the client and the substring was not found, the embedded session id will be marked as invalid. The default is an empty string."

So, by the look of it, what you lose is the ability to determine exactly who, and which sessions, you are dealing with.

I had a similar problem with session loss, and many answers pointed to the use of $this->requestAction(), since it basically curls the request from within the application, so it might look like another session being created when security is set to high.

Another thing is that many Google results suggested disabling Session.checkAgent in your app/config/core.php, as this means the session would not be verified against the user agent. This at least stopped me losing session information between page requests.

:)

+2
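To make the trade-offs from the two answers above concrete, here is a constructed Python model of the three Security.level effects they describe: the Session.timeout multiplier, PHP's session.referer_check substring rule, and session id regeneration at 'high'. This is an added example, not CakePHP's own code; the hostnames, the referer substring "myapp.example", the timeout values and the two scenario functions are assumptions chosen to mirror the question (a link followed from an external mail site) and the first answer (a second application replaying a captured session cookie).

```python
# Constructed model of the CakePHP 1.x Security.level behaviour described in
# the answers. It is NOT CakePHP's code; it only encodes the documented rules
# so the effect of each level can be checked against concrete requests.
import secrets

# Session.timeout multiplier per level, as quoted from core.php / the book.
TIMEOUT_MULTIPLIER = {"high": 10, "medium": 100, "low": 300}


def effective_timeout(level, session_timeout):
    """Session lifetime: Session.timeout times the multiplier for the level."""
    return session_timeout * TIMEOUT_MULTIPLIER[level]


def referer_check_enabled(level):
    """'high' and 'medium' turn on PHP's session.referer_check."""
    return level in ("high", "medium")


def regenerates_session_id(level):
    """Only 'high' issues a fresh session id on every request."""
    return level == "high"


def referer_passes(level, referer_substring, referer_header):
    """session.referer_check semantics: a request that carries a Referer
    lacking the configured substring gets its session id treated as invalid.
    A request with no Referer header at all is not checked."""
    if not referer_check_enabled(level) or referer_header is None:
        return True
    return referer_substring in referer_header


class SessionStore:
    """Minimal server-side session table keyed by session id."""

    def __init__(self, level, referer_substring):
        self.level = level
        self.referer_substring = referer_substring
        self.sessions = {}

    def _new_id(self):
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": None}
        return sid

    def login(self, sid, user):
        self.sessions[sid]["user"] = user

    def handle(self, cookie_sid, referer_header):
        """Process one request; returns (session id to set, logged_in).
        A failed referer check or an unknown id starts a fresh, logged-out
        session, which the user experiences as being asked to log in again."""
        valid = (cookie_sid in self.sessions
                 and referer_passes(self.level, self.referer_substring, referer_header))
        if not valid:
            return self._new_id(), False
        data = self.sessions[cookie_sid]
        if regenerates_session_id(self.level):
            # 'high': the old id is retired, so anyone still holding it is locked out.
            del self.sessions[cookie_sid]
            new_sid = secrets.token_hex(8)
            self.sessions[new_sid] = data
            return new_sid, data["user"] is not None
        return cookie_sid, data["user"] is not None


def external_link_survives(level):
    """Question's scenario (constructed hosts): log in, browse internally, then
    follow a link to the app from an external mail site."""
    store = SessionStore(level, referer_substring="myapp.example")
    sid, _ = store.handle(None, None)
    store.login(sid, "alice")
    sid, _ = store.handle(sid, "http://myapp.example/dashboard")
    _, logged_in = store.handle(sid, "http://mail.example.net/inbox")
    return logged_in


def shared_cookie_survives(level):
    """First answer's scenario: a second application reuses the session cookie
    it captured once and never learns about regenerated ids."""
    store = SessionStore(level, referer_substring="myapp.example")
    sid, _ = store.handle(None, None)
    store.login(sid, "alice")
    captured = sid
    store.handle(captured, None)                 # main app makes one more request
    _, logged_in = store.handle(captured, None)  # other app replays the captured id
    return logged_in


if __name__ == "__main__":
    for lvl in ("high", "medium", "low"):
        print(lvl, effective_timeout(lvl, 120),
              external_link_survives(lvl), shared_cookie_survives(lvl))
```

Running it shows the three answers' points side by side: only 'low' keeps the session when the Referer comes from another site, only 'high' breaks a second application that holds a copied cookie, and the same Session.timeout of 120 becomes 1200, 12000 or 36000 seconds depending on the level.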

Two things happen when it is set to low:

1) the timeout is longer

2) if hijacking a session is easy, it gets easier! since the session id is not regenerated between requests the way it is when set to "high"!

And nothing more.

Since you can change the security level or the session timeout for a specific page, or both... it is not an excellent choice.

+1

I believe the only consequences of setting this to the lowest level are that the session timeout is multiplied by 300 instead of 10 or 100 for high and medium respectively, and the session referer check that you had a problem with.

Update: If you previously had this parameter set to high, you would also lose the regeneration of the session identifier between requests.

0