
What I researched elsewhere

An answer to this question explains how to use autoRegenerate and requestCountdown to prolong the session as long as the user is active.

This question has an answer explaining what happens with ajax calls:

If you stay on the same page, JavaScript makes a request, which generates a new session_id, and doesn't record the new session_id.

All subsequent ajax requests use an old session_id, which is declared invalid, and returns an empty session.

Somewhere else it was said that some browsers send another userAgent with ajax requests, and Session.checkAgent has to be set to false if it has to be guaranteed that ajax calls work. But as those ajax calls only fail sometimes, I don't think that this is the reason for the problem.

My problem is

I had set requestCountdown to 1, but then I received errors on pages that automatically perform ajax requests when the page is loaded. I increased requestCountdown to 4, which should be enough most of the time. But some users with some browsers receive error messages because one or more of the ajax calls receives a "403 Forbidden" as a response. For the same page, sometimes the error appears and sometimes not.

What I want is: if the session length is e.g. 30 minutes and the user opens a page (or triggers an event that causes an ajax call) at, let's say, minute 29, the session should be prolonged for another 30 minutes.

But I seem to be stuck between two problems:

  1. If the countdown is set to a value greater than 1 and the user happens to visit a page that doesn't contain any ajax requests, the countdown value is decreased only by 1, it doesn't become 0, and the session is not regenerated. E.g. if the countdown is set to 10 the user will have to click 10 times in order to regenerate the session.
  2. If the countdown is set to one, the session will be regenerated with every request, but on some browsers sometimes some ajax calls will fail.

My questions

To ensure that I am understanding it correctly: a session cannot simply be prolonged; it has to be "regenerated", which implies that the session id is changed?

Maybe this is all conceptually correct but I wonder if I am just missing an additional setting or something to get it to work?

Exemplary request and response headers (from my test machine)

Request
-------
POST /proxies/refreshProxiesList/0 HTTP/1.1
Host: localhost:84
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: */*
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Referer: http://localhost:84/users/home
Cookie: CakeCookie[lang]=de; CAKEPHP=b4o4ik71rven5478te1e0asjc6
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Length: 0

Response
--------
HTTP/1.1 403 Forbidden
Date: Tue, 18 Feb 2014 10:24:52 GMT
Server: Apache/2.4.4 (Win32) OpenSSL/1.0.1e PHP/5.5.3
X-Powered-By: PHP/5.5.3
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Christian Kirchhoff
  • Try these settings in CakePHP's core.php file. [CakePHP Session Cookie Auto-Regenerate Issue](https://stackoverflow.com/a/55788888/7555293) – Abhishek Mugal Apr 22 '19 at 03:50

1 Answer


CakePHP uses sessions with cookies. It sounds to me like the problem is that while the session itself can be prolonged through the timeout option, the session cookie cannot easily be prolonged, so you end up losing your session anyways. The people in that thread are suggesting to refresh the session in order for it to create a new cookie.

You could, as one person suggested, extend the life of the session cookie to be much longer, though the problem will still be there, it'll just be less obvious. Maybe you could write something yourself to resave the session cookie with a new expiration time? ...Though I haven't found mentions of people doing this, so maybe not.

Googling for information about cakephp and session cookie expiration, it seems that this is a known problem ("CakePHP Session updates but cookie expiry doesn't") that people have made workarounds for.

Kai
  • Thanks, but I don't think it is a cookie problem. I set the cookie lifetime to 2 hours, the "session timeouts" appear much earlier. In addition, the session is not really timed out when the ajax request gets a 403 response. After such an error appears, the user can click and open another page and the session is still there. It must be something different… – Christian Kirchhoff Feb 15 '14 at 00:57
  • Status 403? Can you post request/response headers? It could tell us more. Also an idea - with request countdown, doesn't it count also all requests to resources? Missing images, plugin resources, I would examine also access log when you experience it next time. Is it repro on all major browsers, what kind of ajax calls do you do? – lp1051 Feb 15 '14 at 02:36
  • Request countdown: Yes, I think so. E.g. the jQuery source map is not on our server but requested by Google Chrome (unless deactivated in the options). On one page with two ajax calls I saw that the very first ajax call already produced an error. After I changed Chrome's settings to not use the source map, the first ajax call worked but the second produced an error. This could mean that requests to missing files also decrease the request countdown. – Christian Kirchhoff Feb 18 '14 at 10:21
  • "Is it repo?": It seems to happen more often in Google Chrome than in Firefox. But we also found a situation that produces the error in all browsers (visit a certain page [no error], from there get to another page through clicking a link [no error], then click browser's back button [error in all browsers]). The back button seems to be especially problematic. – Christian Kirchhoff Feb 18 '14 at 10:21
  • Ajax requests are done with jQuery.ajax, type "POST". – Christian Kirchhoff Feb 18 '14 at 10:27
  • Hi guys, have you managed to resolve this issue? I also have a similar problem. I set CakeSession::$requestCountdown = 1; and 'autoRegenerate' => true; which work for keeping the user logged in until inactivity timeout is reached. BUT this causes '403 Forbidden' errors for pages where I make a lot of POST requests. e.g. I have a page where every image in an image gallery is loaded using $this->response->file($path);. The first couple of images load but the others do not, and when I refresh the page I am logged out. I guess this is because of the session id changing. Any ideas? – manospro Mar 29 '15 at 07:22
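
Added example, not part of the thread and not CakePHP code: a toy Python model of the race described in the question, in which the server rotates the session id every `countdown` requests and rejects the retired id, while the browser sends its ajax and resource requests in parallel with the cookie it held before any of their responses arrived. The class, the function names and the `grace` parameter (a number of requests for which a retired id is still accepted) are assumptions made for illustration; `grace` is not a CakePHP setting.

```python
import itertools

class SessionServer:
    """Toy model, not CakePHP code: rotate the session id every `countdown` requests."""

    def __init__(self, countdown, grace=0):
        self.countdown = countdown  # plays the role of requestCountdown
        self.grace = grace          # assumed knob: requests a retired id may still serve
        self._ids = (f"sid{n}" for n in itertools.count(1))
        self.current = next(self._ids)
        self.remaining = countdown
        self.retired = {}           # retired id -> grace requests left

    def handle(self, cookie):
        """Return (status, new session id or None) for one request."""
        if cookie != self.current:
            if self.retired.get(cookie, 0) > 0:
                self.retired[cookie] -= 1
                return 200, self.current  # old id tolerated, client told the new one
            return 403, None              # stale id: treated as not logged in
        self.remaining -= 1
        if self.remaining > 0:
            return 200, None
        self.retired = {self.current: self.grace}
        self.current = next(self._ids)
        self.remaining = self.countdown
        return 200, self.current

def browse(countdown, parallel, loads, grace=0):
    """Load the same page `loads` times; each load is one page request followed by
    `parallel` ajax/resource requests that all leave the browser with the cookie it
    held after the page response (worst case: no ajax response is read in between)."""
    server = SessionServer(countdown, grace)
    cookie, history = server.current, []
    for _ in range(loads):
        status, new = server.handle(cookie)
        cookie = new or cookie
        statuses, sent_with = [status], cookie
        for _ in range(parallel):
            status, new = server.handle(sent_with)
            statuses.append(status)
            cookie = new or cookie
        history.append(statuses)
    return history

if __name__ == "__main__":
    for label, args in [("countdown=1", (1, 2, 1)), ("countdown=4", (4, 2, 3))]:
        print(label, browse(*args), "with grace:", browse(*args, grace=1))
```

In this model a countdown of 4 with two ajax calls per page fails only on the third load of the same page, because that is where the rotation lands between two parallel requests; any extra counted request (such as a missing resource) shifts which load is affected.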