CakePHP saves the session id in a cookie; normally a cookie named CAKEPHP contains the session id,
and any other PHP file can start a session with that id:
session_id($_REQUEST['CAKEPHP']);
session_start();
My question: is this a secure way of handling the session id? If yes, how is it secure; if not, what is a better solution?
The session cookie will only be valid for the same domain that generated the cookie/started the session.
Although it will be possible for another php page to pick up that session, it will only receive the cookie if it is served on the same domain, in which case it is ‘part’ of your website.
This should therefore not be a problem, because (unless you have a serious problem) only you will be able to add/upload php files to your website.
You should check where the session DATA is saved though. The default ‘php’ session settings in app/Config/core.php will write the session data to the session save path that is configured in php.ini. This may be a ‘shared’ directory that is accessible by other websites on the same server.
For better security, set the session configuration in app/config/core.php to ‘cake’. This will write the session data to app/tmp/sessions which should only be accessible by your website.
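Added example (not part of the answer above and not CakePHP's own code): a standalone script that resumes the session from the CAKEPHP cookie only, instead of `$_REQUEST`, and reads the session data from app/tmp/sessions as the ‘cake’ setting writes it. It assumes CakePHP 2.x file-based ‘cake’ defaults; the helper names and the path passed in are hypothetical.

```php
<?php
// Added example; not CakePHP's code. Assumes CakePHP 2.x with
// Configure::write('Session', array('defaults' => 'cake')) in app/Config/core.php,
// which stores session files under app/tmp/sessions and names the cookie CAKEPHP.

const CAKE_SESSION_COOKIE = 'CAKEPHP';

// Hypothetical helper: accept only ids made of the characters PHP itself generates.
function is_wellformed_session_id($id)
{
    return is_string($id) && preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

// Hypothetical helper: resume the CakePHP session in a script outside the framework.
function resume_cake_session($savePath)
{
    // Read the id from the cookie only. $_REQUEST also merges GET and POST
    // parameters, so an id could be supplied through a link or a form.
    if (!isset($_COOKIE[CAKE_SESSION_COOKIE])
        || !is_wellformed_session_id($_COOKIE[CAKE_SESSION_COOKIE])) {
        return false;
    }

    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
    ini_set('session.use_trans_sid', '0');    // never write the id into links
    ini_set('session.use_strict_mode', '1');  // do not adopt ids with no session on the server

    session_save_path($savePath);             // same directory the 'cake' setting uses
    session_name(CAKE_SESSION_COOKIE);        // session_start() then reads this cookie
    return session_start();
}

// Usage: the path is an assumption about where this script sits relative to app/.
if (!resume_cake_session(__DIR__ . '/app/tmp/sessions')) {
    http_response_code(403);
    exit('No valid session');
}
```

Because `session_name()` is set to the cookie name, `session_start()` picks up the id on its own and no `session_id()` call is needed.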