Pixelastic


Losing session on each request with cakePHP and Chrome

I finally found a solution for one of the more tenacious bugs I ever encountered. Share the joy!

I had a website working perfectly under Firefox, but when browsing with Chrome I noticed that my session got regenerated on each page load. Constantly. Creating hundreds and hundreds of useless session files.

And only with Chrome.

Since when should the choice of browser change the server's behavior? Well, I don't know exactly what Chrome is doing with the referer, but it seems to be altering it in some way.

And cakePHP forces session.referer_check to be set to true, thus checking that multiple requests with the same PHPSESSID come from the same URL.

As someone posted on php.net:

If you have a value specified for session.referer_check you may run into difficulty when someone accesses your site and attempts to log in with a mis-capitalized URL.  The logon will fail because any calls to session_start() will result in the existing session being trashed and a new one being created.  This becomes a bigger problem when the logon is followed by a header("Location: ...") redirect, because the session_start() at the top of the page will fail.

Combine those two settings and you get a hell of a mess. I first found a quick fix by forcing session_start() in app/webroot/index.php. But after more reading and debugging I finally found the culprit.
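
The following is an added example, not code from the original post or from CakePHP: a small PHP model of the documented session.referer_check rule, run over constructed Referer values. The function name sessionIdIsKept and the host www.example.com are assumptions made for the illustration.

```php
<?php
// Added illustration: a model of PHP's documented session.referer_check rule.
// It is not CakePHP code and not PHP's internal implementation.

/**
 * Returns true when the session id sent by the client would be kept.
 *
 * $refererCheck : value of session.referer_check ('' disables the check)
 * $referer      : Referer header sent by the browser, or null if none was sent
 */
function sessionIdIsKept(string $refererCheck, ?string $referer): bool
{
    if ($refererCheck === '') {
        return true;    // check disabled (the fix used on this page)
    }
    if ($referer === null || $referer === '') {
        return true;    // no Referer sent: the id is not rejected
    }
    // Case-sensitive substring match. A miss invalidates the session id,
    // so session_start() creates a fresh session.
    return strpos($referer, $refererCheck) !== false;
}

// Constructed sample requests (hypothetical host www.example.com).
$cases = array(
    array('www.example.com', 'http://www.example.com/users/login'),
    array('www.example.com', 'http://WWW.Example.com/users/login'), // mis-capitalized
    array('www.example.com', 'http://example.com/users/login'),     // other host form
    array('www.example.com', null),                                 // header not sent
    array('',                'http://WWW.Example.com/users/login'), // check disabled
);

foreach ($cases as $case) {
    list($check, $referer) = $case;
    printf(
        "referer_check=%-18s referer=%-38s => %s\n",
        var_export($check, true),
        var_export($referer, true),
        sessionIdIsKept($check, $referer) ? 'session kept' : 'new session'
    );
}
```

Only the second and third cases produce a new session: the Referer was sent but does not contain the configured substring exactly.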

Hacking your way through the fix

There is no easy way to prevent Cake from applying this setting, but you can define your own session handler in the Session.save configure key.

Just create a file named session_custom.php in app/config/ and set Configure::write('Session.save', 'session_custom'); in your core.php file.

And in that file, just drop the following lines (copied from cake_session.php):

<?php
// app/config/session_custom.php, loaded by cake_session.php, so $this is the session object
ini_set('session.referer_check', '');                       // Killing this f***ing config that was causing so much trouble with Chrome
ini_set('session.use_trans_sid', 0);                        // No session id in url
ini_set('session.name', Configure::read('Session.cookie')); // Using custom cookie name instead of PHPSESSID
ini_set('session.cookie_lifetime', $this->cookieLifeTime);  // Cookie lifetime, depending on security level
ini_set('session.cookie_path', $this->path);                // Cookie path

 

Comments

This worked perfectly. Thanks for taking the time to write it up. I was just as frustrated with Chrome & cakephp. Hated saying, "just don't use chrome" ... which many people just say when a browser doesn't work for their application.

Thanks,

Dustin
Dustin on 10/5/11
@Dustin : In my case, discarding such a browser wasn't an option. I'm not even sure if this is supposed to be a Chrome bug or a cakePHP bug.
Tim on 10/5/11
ini_set('session.referer_check', ''); doesn't work in my case.
The login module doesn't work in Chrome. I am not using Cakephp. Using just php.
I've added the above line at the top of my file but it doesn't work.
The session data is still being lost in Chrome.
Can you help me?
Darby on 3/11/11
@Darby : Can you check the referer_check property in your php.ini file and make sure it's disabled ?
Tim on 9/11/11
Also, you can set ini_set("session.cookie_domain", ".domain.com"); for multiple sessions between domains.
bathroom remodeling
Configure::write('Session', array(
'defaults' => 'php',
'cookieTimeout'=>10000 // cookie life time in minutes
));
in config core.php and it works :)
unborn on 1/9/12
Thank you very much. I added session_start() to the webroot/index.php file. It's working fine.
shunmugam on 19/1/13
Thanks for this fix, this bug was making me ill.
j on 17/7/13