Yet another linux nerd. Olivier Garcia's Blog

If you’re using the 1.2 beta of the CakePHP framework and have played a bit with Ajax, you may have encountered this problem. For the impatient, one way to fix it is to set the security level to medium (you can put this in your config/core.php):

// Ask CakePHP to be less picky about security,
// notably about the session timeout
// and the session hijacking checks.
Configure::write('Security.level', 'medium');

Now, here’s the reason: with high security settings, CakePHP tries to prevent session hijacking by renewing and checking the session ID on every request, Ajax-based or not.

The problem is that Ajax requests launched at the same time all carry the same session ID. CakePHP accepts the first request it processes and generates a new session ID, so the remaining Ajax requests, still carrying the previous ID, no longer have a valid session: CakePHP treats them as hijacking attempts.

It is a classic race condition.
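To make the race concrete, here is a small added model of the server side (written for this page, not CakePHP's own session code). It keeps one valid session ID per user and processes, one after another, several requests that all left the browser with the same cookie. Three policies are compared: renewing the ID on every request (the behaviour the post describes), renewing only at login (what you effectively get after lowering the level), and renewing with a short grace window during which the just-retired ID is still mapped to its replacement. The policy names, the GRACE_SECONDS value and the logical clock `now` are assumptions of this example, not CakePHP settings.

```python
"""Model of the per-request session-ID renewal race described above.

Added illustration, not CakePHP code: one valid session id per user,
three renewal policies, and a burst of requests sharing one cookie.
"""
import uuid

# Assumed grace window for the "renew_with_grace" policy (not a CakePHP option).
GRACE_SECONDS = 5.0


class SessionStore:
    def __init__(self):
        self.sessions = {}  # current session id -> user
        self.retired = {}   # old id -> (replacement id, time until it is honoured)

    def login(self, user):
        """Issue a fresh session id at login (every policy renews here)."""
        sid = uuid.uuid4().hex
        self.sessions[sid] = user
        return sid

    def renew(self, sid, now):
        """Retire `sid`, issue a replacement, remember the mapping briefly."""
        user = self.sessions.pop(sid)
        new_sid = uuid.uuid4().hex
        self.sessions[new_sid] = user
        self.retired[sid] = (new_sid, now + GRACE_SECONDS)
        return new_sid

    def resolve(self, sid, now):
        """Map a presented cookie to the currently valid id, or None."""
        if sid in self.sessions:
            return sid
        entry = self.retired.get(sid)
        if entry is not None and now <= entry[1]:
            return entry[0]  # retired id still inside its grace window
        return None  # unknown or expired id: treated as a hijack attempt


def handle_request(store, sid, policy, now=0.0):
    """Return ("ok", cookie_to_send_back) or ("rejected", None)."""
    if policy == "renew_with_grace":
        current = store.resolve(sid, now)
    else:
        current = sid if sid in store.sessions else None
    if current is None:
        return ("rejected", None)
    if policy == "renew_every_request":
        # High-security behaviour: every accepted request rotates the id,
        # so a second request carrying the old id is no longer recognised.
        return ("ok", store.renew(current, now))
    if policy == "renew_with_grace":
        # Rotate only when the request carries the current id; a request
        # that arrived with the just-retired id simply learns the new one.
        if current == sid:
            return ("ok", store.renew(current, now))
        return ("ok", current)
    # "renew_on_login_only": validate, never rotate mid-session.
    return ("ok", current)


def fire_concurrent(store, cookie, n, policy, now=0.0):
    """n requests that all left the browser with the same cookie value,
    handled sequentially (the browser cannot update its cookie until the
    first response comes back)."""
    return [handle_request(store, cookie, policy, now)[0] for _ in range(n)]


def demo():
    """Outcome of a burst of three simultaneous Ajax requests per policy."""
    out = {}
    for policy in ("renew_every_request", "renew_on_login_only", "renew_with_grace"):
        store = SessionStore()
        cookie = store.login("alice")  # constructed sample user
        out[policy] = fire_concurrent(store, cookie, 3, policy)
    return out


if __name__ == "__main__":
    for policy, statuses in demo().items():
        print(f"{policy:22s} {statuses}")
```

Under `renew_every_request` only the first of the three requests succeeds, exactly the symptom the post describes; the other two policies accept all three. The grace-window variant keeps the hijack check for an old id presented after the window has closed, so it loses less than simply switching rotation off, but it is an added idea here and not something the framework offered.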

4 Responses to 'CakePHP 1.2 : session expire during concurrent ajax requests & high security settings'

On February 19th, 2008 6:49 am, filchiprogrammer said:

Hi,

I don’t quite understand how ‘Security.level’ affects your AJAX requests. AJAX has nothing to do with sessions, as AJAX requests are stateless requests to the server, meaning you wouldn’t know if the request has been received by the server, unless you required your AJAX request to have an active and valid session.

On February 21st, 2008 9:58 am, Olivier said:

They’re HTTP requests that are sent with the CakePHP cookie, so they do have to do with sessions. The problem here is that a ‘Security.level’ set to high may cause multiple AJAX requests to lead to a race condition. No matter whether you intended your AJAX requests to ask the server to do things that have no relation to the user session: if you use the CakePHP session, you set the security level to high, and you fire requests at the same time, you will probably face this problem.

You may look at those Ajaxian posts.

On March 17th, 2008 9:34 am, enzopitek said:

Does it concern the 1.1 stable version or only the 1.2 beta?

On May 26th, 2008 4:03 pm, Carlos Jacobs said:

Yes, this problem affects CakePHP 1.1.
The fix for CakePHP 1.1 is:

Put this in your config/core.php:

define('CAKE_SECURITY', 'medium');
