
Below are two functions that I'm positive are written correctly.

The problem is that there are times when my session does not time out, but the AJAX request returns a 403 error (this also happens with some other functions, without any pattern).

Stack Overflow is filled with questions asking for help with this problem, but I did not find any really good answers.

Question(s):

  1. How can you cause a 403 error by code?
  2. If I have multiple asynchronous AJAX requests running at the same time, can that cause a 403 error? (I do fire several (max. 5) AJAX requests at one time.)
  3. Do I have to set something about directory listing in .htaccess if I want to call AJAX requests in the form of relative_path/action instead of relative_path/action.php?
  4. A 403 can be caused by my session expiring, right?

AJAX:

    var root = "/test_tool";    

    function isLoggedIn()
    {
        // return if the user is in the sign in window
        if ( window.location == "http://localhost" + root +"/" )
        {
            return;
        }

        var output = "";
        $.ajax (
        {
            url: root + "/users/isLoggedIn",
            context: document.body,
            async: true
        } ).done( function( result ) 
        {
            output = result;
            if ( output == "" )
            {
                alert( " You have been logged out. " );
                window.location = "http://localhost" + root +"/";
            }
        }); 
    }

CakePHP:

    public function isLoggedIn()
    {
        // No view is rendered: the action's return value becomes the response
        // body, so the client receives "1" when a user is logged in and an
        // empty body when not (which is what the JavaScript above tests for).
        $this->autoRender = false;
        return ( $this->Auth->user('username') != null );
    }
Igor L.

2 Answers


I know this question is a little bit old, but I had the same problem. In my case, the problem was caused by session_regenerate_id, so to avoid it, I used the following code in my app/Config/core.php:

    Configure::write('Session', array(
        'defaults' => 'php',
        'timeout' => 480, // The session will timeout after 8 hours of inactivity
        'cookieTimeout' => 480, // The session cookie will live for at most 8 hours, this does not affect session timeouts
        'checkAgent' => false,
        'autoRegenerate' => false, // causes the session expiration time to reset on each page load, but also causes 403 errors on ajax requests, therefore disabled
    ));

I just set the 'autoRegenerate' parameter to false. Unfortunately, you have to avoid session fixation with other techniques, look here. The problem is reported by many others too (just Google 'ajax session_regenerate_id'), but I haven't found a solution to this yet.

Daniel
  • The same happened to me. I was calling $this->response->file($path); in a loop to populate an image gallery. This caused 403 errors. As soon as I set 'autoRegenerate' => false the problem disappeared. Now I need to figure out how to make the sessions terminate only on inactivity...! – manospro Mar 29 '15 at 06:53
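The mechanism behind Daniel's answer and the comment above, as an added example that is not part of the original post and not CakePHP's code: a small in-memory model, written in JavaScript so it runs without a PHP stack, of a server whose session handler regenerates the session ID after a fixed number of requests and destroys the old ID (what `session_regenerate_id(true)` does), fed by a browser that fires five requests before any response has come back. The store layout, the countdown of 2, the user name and the ID format are constructed for illustration (CakePHP 2's `autoRegenerate` counts down from 10 requests by default); the server is modelled as handling requests one at a time, which is how PHP's file-based session locking behaves. A request whose session ID is no longer known is answered with 403, the status AuthComponent returns to an AJAX request that is not authenticated.

```javascript
// Added example, not code from the question or from CakePHP: an in-memory
// model of session-ID regeneration racing concurrent AJAX requests.

// Server side: sessions keyed by ID. Each session holds the logged-in user
// and a request countdown; when it reaches 0 the ID is regenerated and the
// old one destroyed, like session_regenerate_id(true).
function createServer({ autoRegenerate, countdown }) {
  const store = new Map();
  let nextId = 1;
  const newId = () => "sid" + nextId++;   // constructed ID format

  // Log a user in; returns the session ID the browser stores as its cookie.
  function login(user) {
    const id = newId();
    store.set(id, { user, countdown });
    return id;
  }

  // Handle one request carrying a session cookie. Requests are processed
  // one at a time (PHP's file-based session locking serialises them).
  // Returns the HTTP status and, if the ID was regenerated, the new cookie.
  function handle(cookieId) {
    const sess = store.get(cookieId);
    if (!sess) {
      // Unknown ID: PHP would start a fresh, empty session, so Auth sees no
      // user and, for an AJAX request, answers 403.
      return { status: 403, setCookie: null };
    }
    let setCookie = null;
    if (autoRegenerate && --sess.countdown < 1) {
      const id = newId();
      store.set(id, { user: sess.user, countdown });
      store.delete(cookieId);   // the old ID is invalid from now on
      setCookie = id;
    }
    return { status: 200, setCookie };
  }

  return { login, handle };
}

// Browser side: `jar` holds the current cookie value.

// Fire n requests at once: each copies the cookie before any response
// arrives, so all of them carry the same (soon-to-be-destroyed) ID.
function fireConcurrently(server, jar, n) {
  const cookies = Array.from({ length: n }, () => jar.id);
  return cookies.map((id) => {
    const r = server.handle(id);
    if (r.setCookie) jar.id = r.setCookie;   // too late for the requests already sent
    return r.status;
  });
}

// Fire n requests one after another: each reads the cookie after the
// previous response, so it always carries the current ID.
function fireSerially(server, jar, n) {
  const statuses = [];
  for (let i = 0; i < n; i++) {
    const r = server.handle(jar.id);
    if (r.setCookie) jar.id = r.setCookie;
    statuses.push(r.status);
  }
  return statuses;
}

// Run one scenario; returns the statuses and how many were 403.
function simulate({ autoRegenerate, concurrent, requests = 5, countdown = 2 }) {
  const server = createServer({ autoRegenerate, countdown });
  const jar = { id: server.login("demo-user") };   // constructed user
  const fire = concurrent ? fireConcurrently : fireSerially;
  const statuses = fire(server, jar, requests);
  return { statuses, forbidden: statuses.filter((s) => s === 403).length };
}

// autoRegenerate on + concurrent requests -> 403s; serialising the requests
// or switching autoRegenerate off -> none.
const concurrentRun = simulate({ autoRegenerate: true, concurrent: true });
const serialRun = simulate({ autoRegenerate: true, concurrent: false });
const noRegenRun = simulate({ autoRegenerate: false, concurrent: true });
console.log("autoRegenerate, concurrent:", concurrentRun.statuses.join(" "));
console.log("autoRegenerate, serial:    ", serialRun.statuses.join(" "));
console.log("no regeneration, concurrent:", noRegenRun.statuses.join(" "));
```

With regeneration on and five requests fired together, the run returns 200 200 403 403 403: every request that was already on the wire with the old cookie when the regeneration happened is rejected, and because arrival order varies between page loads, which requests fail looks random, matching the "without any pattern" in the question. Firing the requests one after another, or setting `autoRegenerate` to false as Daniel does, gives no 403s at all. Note also that jQuery only runs `.done` for successful responses; a 403 goes to `.fail`, so the `isLoggedIn` handler in the question never sees it.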

1. It is possible to get a 403 via code. Check this out from the CakePHP docs (http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#handling-unauthenticated-requests):

If authenticator returns null, AuthComponent redirects user to login action. If it’s an ajax request and AuthComponent::$ajaxLogin is specified that element is rendered else a 403 http status code is returned.

2. Multiple Ajax calls shouldn't be the causing factor of a 403 error.

3. The standard routing is handled by CakePHP itself. If you need some different routing, you should configure this in routes.php. I would say using .htaccess is only for a really extreme routing need and should be a last resort.

4. Yes, that could be a cause, since you would no longer be logged in and thus get Auth 403s (see answer #1).

Rob