Tuesday, November 1, 2022

[FIXED] Why is the CakeDC users plugin creating an initial cookie response when I explicitly set different settings?

 November 01, 2022     cakedc, cakephp, cookies, session     No comments   

Issue

I am familiar with the CakePHP cookie and session settings, but I am unsure why, when analyzing through the Burp Proxy Suite, I am finding 2 separate Set-Cookie responses:

Set-Cookie: DropZone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/
Set-Cookie: DropZone=spackr9fhhgod0lqk9glh3ch44; expires=Tue, 28-Jan-2014 23:01:37 GMT;path=/; secure; HttpOnly

I have taken the time to set the HttpOnly and Secure flags. What I don't understand is the first line here:

Set-Cookie: DropZone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/

Where could this Set-Cookie Header be coming from? More importantly, could this be more than an informational security threat?

I am clearly in my app/Config/core.php file setting the Session Settings:

Configure::write('Session', array(
    'defaults' => 'php',
    'cookie' => 'DropZone',
    'timeout' => 15,
    'ini' => array(
        'session.cookie_secure' => true,
        'session.cookie_httponly' => true)
));

Solution

I've tried to reproduce your issue and I see two cookies: DropZone, which is in fact the cookie name you've configured, plus the other cookie, Users[rememberMe], which is used by the plugin.

http://book.cakephp.org/2.0/en/development/sessions.html#built-in-session-handlers-configuration

Mine is correctly set. Also let me explain what your Cookie string means:

Set-Cookie: DropZone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/

This says that your cookie named DropZone has been deleted. The next line creates it with the given settings:

Set-Cookie: DropZone=spackr9fhhgod0lqk9glh3ch44; expires=Tue, 28-Jan-2014 23:01:37 GMT;path=/; secure; HttpOnly

The behaviour here is correct, I think: it deletes the cookie and renews it.

This cookie is definitely not coming from the users plugin as long as you haven't changed the name in the components setting to DropZone as well. So you should see two cookies.


Here is the related Github Issue: https://github.com/CakeDC/users/issues/154



Answered By - floriank
Answer Checked By - Timothy Miller (PHPFixing Admin)
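As an added example (not code from the question, the answer, or the CakeDC plugin), the following Python script does what the asker was doing by eye in Burp: it parses each Set-Cookie header, tells a deletion (Expires in the past, or Max-Age=0) apart from a cookie being set, and then audits the last write for each cookie name for the Secure and HttpOnly flags. It reproduces the two DropZone headers quoted above and adds a constructed Users[rememberMe] header without any flags to show what a finding looks like; the plugin's real cookie value and expiry are not on the page. The capture time is assumed to be January 2014, matching the expiry in the quoted header, and the SameSite check reflects current guidance rather than anything in the original configuration.

```python
"""Audit Set-Cookie headers captured from a proxy (Burp, mitmproxy, curl -i)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumption: the capture happened shortly before the quoted DropZone expiry
# (28-Jan-2014). Using "now" would make every 2014 cookie look like a deletion.
CAPTURE_TIME = datetime(2014, 1, 28, 22, 0, 0, tzinfo=timezone.utc)

# The first two lines are the headers quoted in the question. The third is a
# constructed example of the plugin's remember-me cookie with no flags at all;
# its value and expiry are invented for illustration.
SAMPLE_RESPONSE_HEADERS = [
    "Set-Cookie: DropZone=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/",
    "Set-Cookie: DropZone=spackr9fhhgod0lqk9glh3ch44; expires=Tue, 28-Jan-2014 23:01:37 GMT;path=/; secure; HttpOnly",
    "Set-Cookie: Users[rememberMe]=Q2FrZQ%3D%3D; expires=Tue, 11-Feb-2014 23:01:37 GMT; path=/",
]


@dataclass
class Cookie:
    name: str
    value: str
    # Attribute names lower-cased; valueless flags (Secure, HttpOnly) map to True.
    attrs: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header into name, value and attributes."""
    line = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    parts = [p.strip() for p in line.strip().split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return Cookie(name.strip(), value, attrs)


def parse_expires(text: str):
    """Parse the two date layouts PHP and browsers emit; None if unrecognised."""
    for fmt in ("%a, %d-%b-%Y %H:%M:%S", "%a, %d %b %Y %H:%M:%S"):
        try:
            return datetime.strptime(text.replace(" GMT", ""), fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def classify(cookie: Cookie, now: datetime = CAPTURE_TIME) -> str:
    """'delete' for an expiry in the past or Max-Age=0, otherwise 'set'.

    PHP's setcookie() with an empty value writes value 'deleted' plus a 1970
    expiry, which is exactly the first DropZone header in the question.
    """
    expires = cookie.attrs.get("expires")
    parsed = parse_expires(expires) if isinstance(expires, str) else None
    if (parsed is not None and parsed <= now) or cookie.attrs.get("max-age") == "0":
        return "delete"
    return "set"


def audit(cookie: Cookie) -> list:
    """Flags missing on a cookie that is actually being set (deletions carry nothing to protect)."""
    if classify(cookie) == "delete":
        return []
    findings = []
    if "secure" not in cookie.attrs:
        findings.append("missing Secure")
    if "httponly" not in cookie.attrs:
        findings.append("missing HttpOnly")
    if "samesite" not in cookie.attrs:
        findings.append("missing SameSite")
    return findings


def final_state(headers: list) -> dict:
    """Apply the headers in order; the browser keeps the last write per cookie name."""
    state = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        state[cookie.name] = (classify(cookie), audit(cookie))
    return state


if __name__ == "__main__":
    for name, (action, findings) in final_state(SAMPLE_RESPONSE_HEADERS).items():
        print(f"{name}: {action}" + (f" -> {', '.join(findings)}" if findings else " -> ok"))
```

Run against the quoted headers, the delete-then-set pair for DropZone collapses to a single "set" with Secure and HttpOnly present, which is why the answer treats the first header as harmless; the constructed remember-me cookie is the one that would deserve a finding in a report.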