I’ve implemented a Openlayers BBOX strategy that sends a request to my server. It’s arguments are in the URL. I reply via CakaPHP with a jsonp object.
For some reason some requests end the session and I don’t get a jsonp returend but a page which is a redirect to the login page. In the ‘NET’ tab in Firebug you can see the HTML of the login page.
Here’s the URL (of a request that goes wrong):
http://localhost/tests/poi?bbox=4.151161804326345,51.66178773716078,5.615090026982677,52.04772606902698&callback=OpenLayers.Protocol.Script.registry.c2
Firebug:
GET poi?bbox=4.1511618...Script.registry.c2, 302 Found, localhost, 0KB, 127.0.0.1:80
although the response says 0KB, the HTML view of the response shows the login page. The actual error you see in Firebug is also a:
SyntaxError: syntax error <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//E
the request headers:
GET /tests/poi?bbox=4.151161804326345,51.66178773716078,5.615090026982677,52.04772606902698&callback=OpenLayers.Protocol.Script.registry.c2 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: */*
Accept-Language: nl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: http://localhost/tests/newmap
Cookie: __utma=111872281.1525876557.1329838516.1338476641.1338488176.228; __utmz=111872281.1329838516.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); _pk_id.1.1fff=00b25fc2e71f2d76.1349166387.64.1350986193.1350979575.; _pk_cvar.1.1fff=%7B%221%22%3A%5B%22User%22%2C%22Jeroen%20Bosch%22%5D%2C%222%22%3A%5B%22Relation%22%2C%22Thunderbuild%20BV%22%5D%7D; _pk_ses.1.1fff=*
the response headers:
HTTP/1.1 302 Found
Date: Tue, 23 Oct 2012 09:56:37 GMT
Server: Apache/2.2.21 (Win64) PHP/5.3.8
X-Powered-By: PHP/5.3.8
Set-Cookie: CAKEPHP=q16jb0grsk4rv3krb3rc40cj22; expires=Tue, 23-Oct-2012 13:56:37 GMT; path=/
P3P: CP="NOI ADM DEV PSAi COM NAV OUR OTRo STP IND DEM"
Location: http://localhost/users/login
Content-Length: 0
Keep-Alive: timeout=5, max=73
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
the code on the server:
public function poi() {
$this->layout = false;
if (!isset($this->request->query['bbox'])){
$this->log($this->request, 'debug');
return;
}
$bounds = $this->request->query['bbox'];
$callback = $this->request->query['callback'];
$data = $this->Location->getBoundedLocations($bounds);
$this->set('callback', $callback);
$this->set('json', $data);
$this->render('../Elements/jsonp');
}
The jsonp element is just a normal json_encode and also wraps it in the callback function.
I don’t uderstand why sometimes (actually quite often) this ends the session. I’ve no idea how to fix this.
Many thanks for your thoughts!
For some reason, some browsers send a different user agent string when sending an XMLHttpRequest. This causes CakePHP’s security to deny the request because the user agent hash for the request it’s sending via Ajax does not match the user agent that the user logged in with.
This is pretty widely known to happen in IE7 but has happened in other browsers, and can happen in other applications that make requests, such as Flash applications (multiple uploads, etc.).
To disable user agent matching, set the following configuration parameter in your
/config/core.phpfile:Security Implications
Because we’re disabling the user agent check, there’s a slightly higher possibility of session hijacking. However, if your security level is configured to be ‘medium’ or ‘high’, other security is in place to prevent session hijacking (such as regenerating the session id on each request and utilizing
session.referer_check).