CakePHP 2.0
If you use SSL (https) for the User login action in CakePHP, the session cookie is by default issued with the Secure flag, so the browser only sends it back over an SSL connection.
<?php
class UsersController extends AppController {

    // Security is loaded here; Auth is assumed to be loaded in AppController,
    // since $this->Auth is used below.
    public $components = array('Security');

    public function beforeFilter() {
        // Require SSL for every action of this controller and, instead of the
        // default "black hole" (400) response, hand insecure requests to forceSSL().
        $this->Security->blackHoleCallback = 'forceSSL';
        $this->Security->requireSecure();
        parent::beforeFilter();
        $this->Auth->allow('login', 'logout');
    }

    // SecurityComponent calls this with the reason ('secure' here);
    // redirect the same URL to https.
    public function forceSSL($error = null) {
        $this->redirect('https://' . env('SERVER_NAME') . $this->here);
    }
}
So, when you log in on a secure page (https), after a successful login CakePHP sets the session cookie with the Secure flag, and by default the application keeps serving over https.
While this suits most requirements in practice, some people prefer to redirect back to a normal http page afterwards to save the server's CPU. With the default configuration, when you move to a non-SSL (http) page the browser does not send the Secure cookie, the session is not found, and the system redirects you to the login screen again. Combined with the forceSSL callback above, this can turn into a loop of unsuccessful logins.
After searching many resources for a solution, the answer turned out to be in CakePHP's Cookbook, under the "Session" topic.
http://book.cakephp.org/2.0/en/development/sessions.html
From the page:
CakePHP defaults to setting session.cookie_secure to true when your application is on an SSL protocol. If your application serves from both SSL and non-SSL protocols, then you might have problems with sessions being lost. If you need access to the session on both SSL and non-SSL domains, you will want to disable this:
<?php
Configure::write('Session', array(
    'defaults' => 'php',
    'ini' => array(
        // Override the value CakePHP auto-detects under SSL so the
        // session cookie is also sent on plain http requests.
        'session.cookie_secure' => false
    )
));
Put the code above in app/Config/core.php along with the other Session directives.
Be aware of what this trades away: without the Secure flag the browser attaches the session cookie to every http request, so anyone who can read that traffic can replay the session id and take over the logged-in session, which largely undoes the point of logging in over SSL. If you take this route, keep session.cookie_httponly enabled and do not expose anything sensitive on the http pages; the safer alternative is to keep every page that needs the logged-in session on https.
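The browser-side behaviour behind both the lost-session problem described above and the cookie_secure workaround, as an added example that is not part of the original post or of CakePHP: Python's standard cookie jar applies the same Secure-attribute rule a browser does. The host name, session id and cookie value are constructed, the CakePHP side is reduced to two modelled decisions (the Set-Cookie header emitted after login, and "no session cookie means logged out"), and the redirect trace follows the UsersController code shown earlier. Running it shows that with Secure set the http request carries no cookie and the visit bounces to the https login, while with the workaround the session id crosses the wire in cleartext on every http request.

```python
"""Browser-side model of the CakePHP "session lost on http" behaviour.

Added example, not CakePHP code. Python's stdlib CookieJar enforces the rule a
browser enforces: a cookie set with `Secure` is only attached to https requests.
CakePHP's side is reduced to two modelled decisions: emit `Secure` on the
session cookie when session.cookie_secure is on, and treat a request without
the session cookie as logged out (AuthComponent then redirects to the login
action).
"""
import email.message
import urllib.request
from http.cookiejar import CookieJar
from urllib.parse import urlsplit, urlunsplit

# Constructed sample values; the host and session id are not real.
HOST = "app.example.com"
SESSION_ID = "7f3c2a1e9b4d"
COOKIE_NAME = "CAKEPHP"          # CakePHP 2.x's default session cookie name
LOGIN_PATH = "/users/login"


class FakeResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_header):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie_header

    def info(self):
        return self._headers


def login_set_cookie_header(cookie_secure):
    """Set-Cookie header the session layer emits on a successful https login.

    session.cookie_secure on (CakePHP's default under SSL) adds `Secure`;
    off (the Cookbook workaround) leaves it out.
    """
    header = "%s=%s; path=/; HttpOnly" % (COOKIE_NAME, SESSION_ID)
    if cookie_secure:
        header += "; Secure"
    return header


def browser_after_login(cookie_secure):
    """Cookie jar as the browser holds it after logging in over https."""
    jar = CookieJar()
    login_request = urllib.request.Request("https://%s%s" % (HOST, LOGIN_PATH))
    jar.extract_cookies(FakeResponse(login_set_cookie_header(cookie_secure)),
                        login_request)
    return jar


def cookie_header_for(jar, url):
    """Cookie header the browser would send with a request to `url` ("" if none)."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)          # applies the Secure / domain / path rules
    return request.get_header("Cookie", "")


def server_sees_session(jar, url):
    """True if the request to `url` carries the session id, i.e. Auth sees a login."""
    return ("%s=%s" % (COOKIE_NAME, SESSION_ID)) in cookie_header_for(jar, url)


def with_scheme(url, scheme):
    parts = urlsplit(url)
    return urlunsplit((scheme, parts.netloc, parts.path, parts.query, parts.fragment))


def visit_trace(jar, url):
    """Hops the controller logic from the post produces for one visit to `url`.

    No session -> AuthComponent redirects to the login action on the same scheme;
    requireSecure() then blackholes an http login request and forceSSL() sends it
    to https, where the Secure cookie is visible again. That bounce between the
    two schemes is the loop the text describes.
    """
    hops = [url]
    if server_sees_session(jar, url):
        return hops                                     # served normally
    login = urlunsplit((urlsplit(url).scheme, HOST, LOGIN_PATH, "", ""))
    hops.append(login)                                  # Auth: not logged in
    if login.startswith("http://"):
        hops.append(with_scheme(login, "https"))        # Security: forceSSL
    return hops


if __name__ == "__main__":
    for secure in (True, False):
        jar = browser_after_login(secure)
        print("session.cookie_secure =", secure)
        for url in ("https://%s/" % HOST, "http://%s/" % HOST):
            print("  %-28s Cookie: %r" % (url, cookie_header_for(jar, url)))
        print("  http visit:", " -> ".join(visit_trace(jar, "http://%s/" % HOST)))
```

The http Cookie header printed for the cookie_secure = False case is exactly the session id a passive observer of that request would see; the True case is the empty header that makes AuthComponent treat the visitor as logged out.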