cakephp / authentication

Authentication plugin for CakePHP. Can also be used in PSR7 based applications.
MIT License

Authentication->setIdentity isn't respecting Session.ini.session.cookie_path #558

Open patrickconroy opened 2 years ago

patrickconroy commented 2 years ago

Hello. I'm seeing something weird in my app right now when calling Authentication->setIdentity. The Session.ini.session.cookie_path is getting overridden with /. In Cake\Http\Session I can see an empty array sent to __construct which means this evaluates to that /.

$cookiePath = empty($config['cookiePath']) ? '/' : $config['cookiePath'];

My cookie will respect all the other ini options I'm setting in my config (cookie_samesite, cookie_lifetime), but not cookie_path.

return [
    'Session' => [
        'cookie' => 'cookiename.....',
        'defaults' => 'database',
        'ini' => [
            'session.cookie_path' => "/path/",
            'session.cookie_lifetime' => 60 * 60 * 24 * 3,
            'session.cookie_samesite' => 'Lax',
        ]
    ]
];

cakephp/cakephp version: 4.3.10
cakephp/authentication version: 2.9.0
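
A way to confirm which session directives actually take effect, as an added diagnostic that is not part of the original report or of CakePHP: it compares the intended `ini` values with what PHP will use for the cookie, which matters because a session cookie scoped to `/` is sent to every path on the host. The function name `sessionIniMismatches` is hypothetical, the expected values are copied from the config in the report, and the `ini_set()` calls only simulate the reported state.

```php
<?php
declare(strict_types=1);

/**
 * Compare the session ini values an app intends to set against the values
 * PHP will actually use. Returns [directive => [expected, effective]] for
 * every mismatch. Run it before session_start() is reached.
 */
function sessionIniMismatches(array $expectedIni): array
{
    $mismatches = [];
    foreach ($expectedIni as $directive => $expected) {
        $effective = ini_get($directive);
        // ini values come back as strings, so compare as strings.
        if ($effective === false || $effective !== (string)$expected) {
            $mismatches[$directive] = [(string)$expected, $effective];
        }
    }
    return $mismatches;
}

// Constructed sample: the 'ini' block from the report above.
$expectedIni = [
    'session.cookie_path' => '/path/',
    'session.cookie_lifetime' => 60 * 60 * 24 * 3,
    'session.cookie_samesite' => 'Lax',
];

// Simulate the reported state: lifetime and SameSite are applied, but the
// cookie path has ended up as the '/' fallback.
ini_set('session.cookie_lifetime', (string)$expectedIni['session.cookie_lifetime']);
ini_set('session.cookie_samesite', $expectedIni['session.cookie_samesite']);
ini_set('session.cookie_path', '/');

foreach (sessionIniMismatches($expectedIni) as $directive => [$want, $got]) {
    fwrite(STDERR, sprintf(
        "%s: expected %s, effective %s\n",
        $directive,
        $want,
        var_export($got, true)
    ));
}

// session_get_cookie_params() shows what the Set-Cookie header will carry.
$params = session_get_cookie_params();
fwrite(STDERR, sprintf(
    "cookie path=%s lifetime=%d samesite=%s\n",
    $params['path'],
    $params['lifetime'],
    $params['samesite']
));
```

In an application, drop the simulated `ini_set()` calls and pass the configured `ini` array to the function at the point where the session is about to be used.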

markstory commented 2 years ago

Since you tracked down the session construction, what is the stacktrace for the session creation? Generally it is supposed to happen during ServerRequestFactory::fromGlobals() during Http server setup, so the configuration should be present unless you are setting configuration after the request has been made.

othercorey commented 1 year ago

@patrickconroy Can you follow up on this?

github-actions[bot] commented 1 year ago

This issue is stale because it has been open for 120 days with no activity. Remove the stale label or comment or this will be closed in 15 days.