In my web application I have an action that is accessible by both logged in and "anonymous" users. The logged in user can manipulate the displayed data, e.g. delete it. The anonymous user can only view it and download a file - operations that don't require any state to be kept on the server.
The goal I want to achieve is to have no cookies created for the anonymous users when she visits the page. The page needs to be at the same URL for logged in and anonymous users.
I found out two things that trigger the session start (and the cookie) in my setup:
1. Using the Security component - it stores the CSRF token in session even if no forms are ever created.
2. AuthComponent->loggedIn() (or more precisely CakeSession::check).
The Security component generates and writes a token to session in its startup method, regardless of whether it's ever going to be needed. I see a few potential options, in order of preference:
1. Decide at runtime whether the component should be enabled or not. Probably not possible but I'll be glad to be shown wrong.
2. Write two controllers and somehow choose which one to use depending on whether the user is logged in or not.
3. Rework the Security component to only generate the token if it's going to be used, e.g. on first access. This actually sounds the best but it's probably not a trivial task.
I can't just make two controllers that only differ in having (or not) the Security component enabled and putting them on different routes because the URL needs to be the same for all users.
The problem with AuthComponent->loggedIn() setting the session cookie looks a bit like a bug. The loggedIn() method calls CakeSession::check and it tries to start the session. This logic is too simplistic: the check method should not start the session if there is no session cookie, because the session would be empty anyway (the same goes for attempts to read a session variable).
I could make a patch for CakePHP to only create sessions when necessary but I'm new to PHP and don't know if it can be achieved in a generic way.
I know I can check isset($_COOKIE[session_name()]) if cookies are used but AFAIK PHP can also be configured to use a query argument in the URL for session IDs. And possibly there may be more I'm not aware of.
Can anyone help with the problems above?
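One way to get the "no cookie for anonymous visitors on the same URL" behaviour without touching CakePHP core, as an added example that is not part of the original post or of CakePHP itself: decide in beforeFilter() whether the client sent any session id at all, and only then let Security and Auth touch the session. It assumes CakePHP 2.x with Session.cookie set in core.php and that the public actions are read-only; $sessionFreeActions, $anonymousRequest, hasIncomingSessionId() and ItemsController are hypothetical names.

```php
<?php
// Added example, not code from the original post or from CakePHP itself.
// Assumes CakePHP 2.x with Session.cookie set in core.php; $sessionFreeActions,
// $anonymousRequest, hasIncomingSessionId() and ItemsController are hypothetical.
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session', 'Auth', 'Security');
    public $sessionFreeActions = array(); // public, read-only, need no session
    public $anonymousRequest = false;     // set in beforeFilter()

    // Did the request carry a session id? If not, CakeSession::check() would
    // start an empty session (and set the cookie) just to answer "no".
    public static function hasIncomingSessionId(array $cookies, array $query, $name, $cookiesOnly) {
        if (isset($cookies[$name]) && $cookies[$name] !== '') {
            return true;
        }
        // PHP takes an id from the URL only with session.use_only_cookies off;
        // keeping it on (the default) also blocks session fixation via a crafted
        // link, so in that configuration the cookie check alone is sufficient.
        return !$cookiesOnly && isset($query[$name]) && $query[$name] !== '';
    }

    public function beforeFilter() {
        parent::beforeFilter();
        if ($this->sessionFreeActions) {
            $this->Auth->allow($this->sessionFreeActions);
        }
        // Session.cookie is applied as the PHP session name only when a session
        // starts, so session_name() may still be the PHP default here.
        $this->anonymousRequest = !self::hasIncomingSessionId(
            $_COOKIE, $this->request->query, Configure::read('Session.cookie'),
            (bool)ini_get('session.use_only_cookies')
        );
        // Components' startup() runs after beforeFilter(), so unloading Security
        // here prevents the CSRF token write that would create the session.
        // Limited to read-only actions: state-changing ones keep CSRF checks.
        if ($this->anonymousRequest &&
            in_array($this->request->params['action'], $this->sessionFreeActions)) {
            $this->Components->unload('Security');
        }
    }
}

class ItemsController extends AppController {
    public $sessionFreeActions = array('view', 'download');

    public function view($id = null) {
        // loggedIn() on an anonymous request would itself create the session.
        $canEdit = !$this->anonymousRequest && $this->Auth->loggedIn();
        $this->set(compact('id', 'canEdit'));
    }
}
```

A logged-in user arrives with the session cookie, so for them nothing changes: Security still runs, the CSRF token is still issued, and loggedIn() is still consulted.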
You received this message because you are subscribed to the Google Groups "CakePHP" group.