I am developing using CakePHP 2.5.6, and I am having an issue with users getting access to other users' info.

When a user (let's say User1) registers and fills out some optional fields in their profile, and from the same IP another user (User2) registers/logs in without having filled out the optional info, then User2 will see User1's optional info (in the fields User2 left empty). It doesn't seem to make a difference whether User1 clicks logout or not. I am storing some primary cross-site information in the session, like the user's name, email, profile image, etc.

In core.php I have very basic settings, like

Configure::write('Session', array(
    'defaults' => 'cake',
    'checkAgent' => true,
));
Configure::write('Security.level', 'low');

Logins go through UsersController.php, which has the separate view like

public function login() {
    // Destroy old users' data just in case
    $this->Session->destroy();
    $this->Cookie->delete('rememberMe');

    //if already logged-in, redirect
    if (AuthComponent::user('id')) {
        if (isset($this->request->data['User']['rememberMe'])) {
            if ($this->request->data['User']['rememberMe'] == "on") {
                unset($this->request->data['User']['rememberMe']);
                $cookieTime = "12 months";
                $this->request->data['User']['password'] = Security::hash($this->request->data['User']['password']);
                $this->Cookie->write('rememberMe', $this->request->data['User'], true, $cookieTime);
            }
        }

        $id = AuthComponent::user('id');
        $this->User->id = $id;
        $this->Session->write('Config.language', $this->User->field("language"));
        Configure::write('Config.language', $this->User->field("language"));

        $this->redirect(array('controller' => 'dashboard', 'action' => 'index'));
    }
    // if we get the post information, try to authenticate
    else if ($this->request->is('post')) {
        // findByUsername() returns an empty result for an unknown username,
        // so the array lookups below only make sense when a user was found
        $user = $this->User->findByUsername($this->request->data['User']['username']);
        $this->Session->write('Config.language', $user['User']['language']);
        Configure::write('Config.language', $user['User']['language']);

        if ($user['User']['connected'] == null) {
            $this->Session->setFlash(__('Unverified user, please check your email and verify your account'), 'flash_error');
        } else {
            if ($user['User']['tries'] <= 7 && $this->Auth->login()) {
                if (isset($this->request->data['User']['rememberMe']) && $this->request->data['User']['rememberMe'] == "on") {
                    unset($this->request->data['User']['rememberMe']);
                    $cookieTime = "12 months";
                    $this->request->data['User']['password'] = Security::hash($this->request->data['User']['password']);
                    $this->Cookie->write('rememberMe', $this->request->data['User'], true, $cookieTime);
                }

                $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash(__('Invalid username or password'), 'flash_error');
            }
        }
    }
}

and logouts are supposed to just destroy everything

public function logout() {
    $this->Session->destroy();
    $this->Cookie->delete('rememberMe');
    $this->redirect($this->Auth->logout());
}

Now, my question is - is it something that I can change/fix in CakePHP, or does it have to be changed in php.ini or server settings? What could be causing it?

Thank you for any help and tips!

Alice
  • Does that only happen with the `'defaults' => 'cake'` setting? What happens if you change that to php? Same issue? – floriank Jan 19 '15 at 16:23
  • should check into how the sessions are getting crossed like that. e.g. check what's in both users' session cookie. if they have the same value, then there's your problem. if the values are different, then something's getting crossed on the server. – Marc B Jan 19 '15 at 17:16
  • @burzum I switched to `'defaults' => 'cake'` because of this issue, it did not help; originally it was php – Alice Jan 20 '15 at 08:28
  • @MarcB I checked the sessions, and it turns out that for some reason the sessions were indeed being reused. I switched to database sessions, which worked! I'm gonna chat with my admin to see how to fix it so I could go back... Thank you! – Alice Jan 20 '15 at 08:51
  • I would need to dig in the code myself, but I think the CakePHP core is not making a difference between the users from the same IP and overrides or somehow shares the session. Using the DB cache and a Redis datasource for it is in any case the better solution. – floriank Jan 20 '15 at 09:02
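The two things the comments above point at, written out as an added example (this is not code from the original post or from CakePHP itself): first, Marc B's diagnostic of logging which session ID each request carries next to the authenticated user ID, so that a reused ID shows up in the log as two different users sharing one session; second, the CakePHP 2.x `core.php` configuration for the database-backed sessions the asker switched to, plus a session ID regeneration right after `Auth->login()` so a freshly authenticated user never keeps an ID that existed before they logged in. The controller names, the `Session` model name and the `cake_sessions` table are assumptions; the table is the one created by `Console/cake schema create Sessions`.

```php
<?php
// Added example, not the original poster's code. File sections are marked
// with comments; the 'Session' model / cake_sessions table are assumed to
// exist (Console/cake schema create Sessions).

// --- app/Config/core.php --------------------------------------------------
// Replaces the 'defaults' => 'cake' block. Sessions are now stored in the
// database, keyed by session ID, instead of in files under tmp/sessions.
Configure::write('Session', array(
    'defaults' => 'database',
    'handler' => array(
        'engine' => 'DatabaseSession',
        'model'  => 'Session',   // assumed model name for the cake_sessions table
    ),
    'checkAgent' => true,
));

// --- app/Controller/AppController.php ------------------------------------
App::uses('Controller', 'Controller');
App::uses('CakeLog', 'Log');

class AppController extends Controller {

    public $components = array('Session', 'Auth', 'Cookie');

    public function beforeFilter() {
        parent::beforeFilter();
        // Log session ID, user ID and client IP for every request. Two
        // different user IDs appearing with the same session ID in
        // tmp/logs/debug.log is the "sessions being reused" case from the
        // comments; different IDs mean the data is crossed server-side.
        $userId = AuthComponent::user('id');
        CakeLog::write('debug', sprintf(
            'session=%s user=%s ip=%s',
            $this->Session->id(),
            $userId ? $userId : 'anonymous',
            $this->request->clientIp()
        ));
    }
}

// --- app/Controller/UsersController.php (login excerpt) ------------------
class UsersController extends AppController {

    public function login() {
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                // Issue a new session ID once the user is authenticated, so a
                // session ID that existed before login (whoever held it) is
                // never reused for the logged-in user. Session data is kept.
                $this->Session->renew();
                $this->redirect($this->Auth->redirectUrl());
            } else {
                $this->Session->setFlash(__('Invalid username or password'), 'flash_error');
            }
        }
    }
}
```

The log line is the quickest way to tell the two failure modes apart before changing anything: if User1 and User2 show up with the same `session=` value, the session ID itself is being handed out twice (cookie, proxy or handler problem); if the IDs differ but User2 still sees User1's data, the storage behind those IDs is what is crossed. `Session->renew()` limits how much a reused ID can leak once someone has logged in, but it does not explain why the same ID was issued to two clients in the first place, which is what switching the handler to the database resolved here.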

0 Answers