
CakePHP session/auth logging out intermittently

Posted by: admin February 12, 2018


I’m having reports and complaints from my user that they will be using a screen and get kicked back to the login screen immediately on their next request. It doesn’t happen all the time but randomly.

I am using CakePHP and the Auth component, which seems to work well other than this issue.

I got some feedback on the Cake forums once that this is sometimes caused by a 404 request that resets the session, i.e. if you have a broken image link or a missing favicon file. I have Firebug open and there are no failed requests, so I ruled this out as a possibility, but the user is getting sporadically logged out. This seems to occur across browsers and operating systems.

Below is a summary of my config settings:
Security.level = high
Session.timeout = 1200 // this means my actual timeout should be 12,000 seconds
Session.save = php

I am really at a loss as to what is causing this issue…


I have also had a problem with my security set to high. When you have it set to high it regenerates the session on every request:
“CakePHP session IDs are also regenerated between requests if ‘Security.level’ is set to ‘high’.”

I had this problem cross-browser as well. I know it's not the best solution, but I just changed the security setting to medium and changed my session timeout to reflect that setting, and I have not had any problems since.


I had a similar problem. I found it to be the user_agent check in the core.php file; set this to false!

What was happening was after a page refresh the session id changed and I was logged out, but in the Session object there was an error saying Attempted Session Hijack!!!

Set this to false in core.php!
Configure::write('Session.checkAgent', false);


Check your Auth->allow or ->deny, because it might be that your user accesses a restricted part or action of your controller(s).

Second, check your specific Sanitize of CakePHP, because ‘high security’ options often like to cause trouble.

404 pages reset the session? I never heard about that.

I think your problem is located somewhere in the authentication routines. If you restrict too many things, it can happen that some constellations of requests will fail due to their missing attributes.

For example: UserOne tries to access your website, his user name contains some strings which cause wrong interpretation of the user name.
The name could be found within the database, but the authentication could not link it to the request.

Errors like this always hide inside your code, where you did not expect them to be.


Security.level on high will do that. Set it to medium in core.php.
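
The answers above tie the logouts to the session ID being regenerated on every request when Security.level is high. The following is an added example, not code from the original posts or from CakePHP: a toy session store showing how two overlapping requests that carry the same cookie interact with per-request regeneration. The names SessionStore and simulateOverlappingRequests are hypothetical, and the model assumes the old session ID stops being valid as soon as a new one is issued.

```php
<?php
// Toy server-side session store, constructed for illustration (not CakePHP code).
final class SessionStore
{
    private array $sessions = [];

    public function create(array $data): string
    {
        $id = bin2hex(random_bytes(8));
        $this->sessions[$id] = $data;
        return $id;
    }

    // Handle one request; returns [session ID for the response cookie, authenticated?].
    public function handle(string $cookieId, bool $regenerateEveryRequest): array
    {
        if (!isset($this->sessions[$cookieId])) {
            // Unknown or already replaced ID: the client gets a new, empty session.
            return [$this->create([]), false];
        }
        $data = $this->sessions[$cookieId];
        if ($regenerateEveryRequest) {
            unset($this->sessions[$cookieId]); // assumption: old ID dies immediately
            $cookieId = $this->create($data);
        }
        return [$cookieId, isset($data['user_id'])];
    }
}

// Two requests leave the browser before either response arrives,
// so both carry the same session cookie.
function simulateOverlappingRequests(bool $regenerateEveryRequest): array
{
    $store = new SessionStore();
    $cookie = $store->create(['user_id' => 42]); // state right after login
    [, $firstOk] = $store->handle($cookie, $regenerateEveryRequest);
    [, $secondOk] = $store->handle($cookie, $regenerateEveryRequest);
    return [$firstOk, $secondOk];
}

foreach ([true, false] as $regenerate) {
    [$first, $second] = simulateOverlappingRequests($regenerate);
    printf(
        "regenerate on every request: %-5s first: %-13s second: %s\n",
        var_export($regenerate, true),
        $first ? 'authenticated' : 'login page',
        $second ? 'authenticated' : 'login page'
    );
}
```

Regenerating the session ID at login and on privilege changes, rather than on every request, keeps the protection against session fixation without this race.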