Using Cake sessions outside of Cake
While recently working on a CMS tool, I needed to pass some in-session information. I was using Cake's database sessions and it wasn't playing nice with outside applications so I set this up to allow my outside application to use Cake's session handlers.
The short version is that you need to make sure all of the paths are set up correctly, which happens in index.php.
Copy your index.php file into another file (I called it cake_session.php). This file needs to be in the webroot because index.php initializes the paths based on the location of webroot.
In your cake_session.php file find this line (should be line 86):
if (isset($_GET['url']) && $_GET['url'] === 'favicon.ico') {
And delete everything from there down. Now just add this code:
// Load Cake's core Session class, then start the session through it
if (App::import('Core', 'Session')) {
    $session = new CakeSession();
    $session->start();
}
Check your $_SESSION variable to make sure everything works. You should be able to just include this file anywhere that you want to use your cake session.

@ My external pages I have:
Page1:
require("storev1/app/webroot/cake_session.php");
$item = array($id, $price, $name, $price);
$_SESSION['cart']=$item;
Page 2:
require("storev1/app/webroot/cake_session.php");
print_r($_SESSION);
And the output is:
Array ( [cart] => Array ( [0] => a08a40d9-081a-11df-97ae-6dad1c823895 [1] => 60 [2] => Calcas de Sarja [3] => 60 ) [oi] => oi )
In my cake pages the output of print_r($_SESSION) is:
Array ( [Config] => Array ( [userAgent] => cbad7cf5758f0f74a0172958dc10348e [time] => 1264390588 [timeout] => 3 ) )
What am I doing wrong here?
PS: If I print session_id on cake and external the output won't be the same id :S
If the session IDs aren't matching up, it sounds like the question's been answered. The first thing I'd ask is whether or not session auto-start is turned on within Cake. I'm assuming that it is, though.
Outside of that, which type of cake session are you using (database, php, etc)?
Have you tried pulling the session id from the cookie used by Cake and forcing the non-cake session to start with that ID? Can you see the cookie with the cake session id from the non-cake page?
Lastly, try disabling the Cake user agent check. It's a great security measure, but it can sometimes lead to invalidating sessions. It's one that I've had issues with in the past I know.
Users log in to my CakePHP web site.
CakePHP starts a session.
In my CakePHP web site I have a link to my GoogleApps.
GoogleApps manages access with SSO.
Practically, I would like to use SimpleSAML to manage SSO with my GoogleApps.
SimpleSAML should access the CakePHP session, verify whether the session is valid, and return the correct response to GoogleApps.
On top of that, I would like SimpleSAML not to be in "webroot".
My problem is effectively "how to access the CakePHP session from SimpleSAML?"
even with the solution that you proposed to me.
I have an external application (its name is SimpleSAML) that is not in "webroot" (it must be in a virtual host).
I have my Cake application where I do user authentication and start a Cake session. I would like to share this session with the external application.
I have seen that if I put the external application in "webroot" I can see the Cake COOKIE but I can't see the Cake SESSION. If I put the external application outside of "webroot" I can see neither the Cake COOKIE nor the Cake SESSION.
I hope you can help
For a more complex, cross-domain solution you're really looking at needing a Single Sign On system equivalent that would track the information for both systems in a single location.
Assuming your Cake site is the single sign on location, you'd have a use case like this:
1. user visits your other site SimpleSAML
2. site does not detect that the user is logged in
3. site redirects the user to your cake site to log in
4. cake site detects that the user is already logged in, gets the session key, and redirects the user back to SimpleSAML with the session key encrypted in the URL
5. SimpleSAML detects the session key and looks up the session from a central location (say a MySQL database), and starts a session with that information - verifying that the user is currently logged in
6. SimpleSAML redirects the user back to the original page, clearing the session key from the URL
All of that would happen transparently to the user the first time they accessed the SimpleSAML site. Once the local session was started on SimpleSAML everything would happen normally.
There are also other ways of doing it; that's just an example, though.
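Steps 4 and 5 of the flow above, as an added example that is not part of the original comments: the session key is sealed with authenticated encryption and an expiry time before it goes into the URL, and the receiving site rejects tokens that were modified or have expired. It assumes PHP 7.2+ with the sodium extension and a secret shared by both sites; the function names and the 60-second lifetime are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes PHP >= 7.2 with the
// sodium extension. Function names and HANDOFF_TTL are hypothetical.
const HANDOFF_TTL = 60; // seconds a token stays valid (assumed value)

// Cake side (step 4): seal the session key together with an expiry time.
function handoff_seal(string $sessionKey, string $secret, ?int $now = null): string
{
    $payload = json_encode(['sid' => $sessionKey, 'exp' => ($now ?? time()) + HANDOFF_TTL]);
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box     = sodium_crypto_secretbox($payload, $nonce, $secret);
    return sodium_bin2base64($nonce . $box, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
}

// Receiving side (step 5): returns the session key, or null when the token
// is malformed, was modified in transit, or has expired.
function handoff_open(string $token, string $secret, ?int $now = null): ?string
{
    try {
        $raw = sodium_base642bin($token, SODIUM_BASE64_VARIANT_URLSAFE_NO_PADDING);
    } catch (SodiumException $e) {
        return null; // not valid base64url
    }
    $minLen = SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES;
    if (strlen($raw) < $minLen) {
        return null; // too short to hold a nonce and an authentication tag
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $secret);
    if ($plain === false) {
        return null; // authentication tag did not verify
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['sid'], $data['exp'])) {
        return null;
    }
    return $data['exp'] >= ($now ?? time()) ? (string) $data['sid'] : null;
}

// Constructed demo values: a random key and a made-up session key.
$secret   = sodium_crypto_secretbox_keygen();
$token    = handoff_seal('constructed-session-key', $secret);
$tampered = ($token[0] === 'A' ? 'B' : 'A') . substr($token, 1);
var_dump(handoff_open($token, $secret));               // freshly issued token
var_dump(handoff_open($tampered, $secret));            // first character changed
var_dump(handoff_open($token, $secret, time() + 120)); // checked after expiry
```

Keep the shared secret out of the webroot, and have the receiving site record each token as used in the shared session store, since a token remains replayable until it expires.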
My script is
include("webroot/cake_session.php");
session_name("CAKEPHP");
echo "SESSION-CAKE:";
echo "<pre>";
print_r($_SESSION);
echo "</pre>";
die();
But I can't read the session.
Am I making some error?
Thanks
Try removing 'session_name("CAKEPHP");' and change the include to a require just to make sure that it's reading the file.
The session name is already handled automatically if you've used the instructions from above.
If someone steals the URL (webroot/cake_session.php) and includes the file, can he get the session, or am I getting something wrong?
Unless somebody was able to include the file and run it locally there is no way for them to steal and access the session. It's no different than the session logic that is run every time a page loads in Cake.
So, really, they would have to have access to a script running on your server, that a user who already had an active session in your app was looking at, that was able to include the file and execute the code.
Which basically means, only people that could actually access and run code on your server could access the session.
session_name("CAKEPHP"); //Same as the value you have for 'Session.cookie' in core.php
session_start();
However, when you're using Cake's database sessions the session handler has to set all of PHP's session handling functions as well as establish Cake's database connection in order to use them.
For the default PHP-based sessions, that would be fine, but any time that you need session handling that Cake (cake, database, cache, etc) has taken over it won't do the job.