
I have a Cakephp 2+ site that needs certain actions to require an SSL connection (i.e. login, password reset, etc.), but I don't require the entire site to be secure. While implementing this I found that the Session was not being saved when moving between the SSL and non-SSL pages. I found this question on stack https://stackoverflow.com/a/12068099/1353839 that solved the issue for me, but I am wondering at what cost.

The answer in the above question required commenting out a line in lib/Cake/Model/Datasource/ as follows:

if (!isset($sessionConfig['ini']['session.cookie_secure']) && env('HTTPS')) {
    // $sessionConfig['ini']['session.cookie_secure'] = 1; // <-- Commented Out
}

Are there any security ramifications to doing this? Also, is there a way to do this without affecting the cake core files since that is generally frowned upon?

Thanks in advance.

JadedCore

3 Answers

5

You are going to authenticate users over SSL so that a MITM cannot intercept the authentication but then afterwards you want to let the session cookie be sent through plaintext HTTP so that the MITM has the opportunity to pick it up and use it for themselves?

Given that, what's the point of using SSL at all?

(Yes, I know your session cookies expire so getting one of those is not as good as getting the actual credentials, but this still sounds like a terrible idea security-wise.)

Celada
5

First off, modifying the core file is a bad idea; you should set 'session.cookie_secure' in your configuration instead.

The purpose of a session is to store critical information on the server and associate that information with a client via a session key. The session key is typically stored in a cookie and sent to the server with every request. Using secure cookies prevents the session key from being transmitted to non-SSL pages; that is why you cannot see the session data.

Turning off secure cookies allows the session key to be sent to non-SSL pages; however, it is sent as plain text, so you will be susceptible to session hijacking. Depending on what you're doing, this may or may not be a big deal. Regardless, by using SSL for login, password reset, etc... you will protect the information that your users actually enter (i.e. username, password, etc...).

Lawrence Barsanti
1

Don't modify the core files. You can specify the required configuration in your app/Config/core.php. Read the comments in there above the session configuration statement; they mention how to specify required ini settings.

ADmad