CakePHP 3.7 - Problem with setUser and sessions in server

The problem is that the function setUser in UsersController is returning null and doesn't log in the user. The query to the DB gets the user, and I can see the fields without problems. The session file in /tmp/sessions is created OK, and if we change the config to PHP sessions instead of Cake's, it creates that too.

It seems like the session has been created, but Apache or Cake can't read it.

The same code works fine on a different OS and PHP version. Could it be related to some specific permissions for the www-data/apache users?

We're running Apache2, PHP 7.3 and connecting to SQL Server.

Could you show us a little bit of code on how you’re doing it?

Yes;
//////////////////////////////////////
AppController.php

ini_set('allow_url_fopen', 'on');

$this->loadComponent('Auth', [
    'loginRedirect' => ['controller' => '/', 'action' => 'home'],
    'logoutRedirect' => ['controller' => '/', 'action' => 'login'],
    'authenticate' => [
        'Form' => [
            'fields' => ['username' => 'email', 'password' => 'password'],
            'userModel' => 'Usuarios'
        ]
    ],
    'storage' => ['className' => 'Session', 'key' => 'Auth.Usuario'],
    'loginAction' => ['controller' => '/', 'action' => 'login'],
    'unauthorizedRedirect' => $this->referer(),
    'authorize' => 'Controller',
    'authError' => false,
]);

$this->Auth->__set('sessionKey', 'Auth.Usuario');

///////////////////////////////////////
UsuariosController.php

public function login()
{
    if ($this->request->is('post')) {

        $usuario = $this->Auth->identify();

        if ($usuario) {
            if ($this->Auth->setUser($usuario)) {
                $this->Flash->sPublico(__('Ingresaste a tu cuenta.'));
                return $this->redirect([
                    'controller' => 'Pages',
                    'action' => 'home'
                ]);
            } else {
                $this->Flash->ePublico(__('No se pudo acceder a la sesion!.'));
            }
        } else {
            $this->Flash->ePublico(__('Usuario y/o contraseña incorrectos!.'));
        }
    }
}

///////////////////////////////////////
$this->Auth->setUser($usuario) is the function that returns false :S

Have you looked at the definition of the setUser function? It doesn’t actually return anything.

We think it can be related to the hardening process.
I'll add the process at the bottom; maybe someone can detect something there that I can't.

Apache Webserver and PHP Hardening

  1. Apply these settings to the Apache conf file /etc/httpd/conf/httpd.conf:
    a. Add these configs to remove the server version banner
      i. ServerTokens Prod
      ii. ServerSignature Off
    b. Restart Apache
    c. Add this to all <Directory> blocks to prevent server side includes and directory browser listing.
      i. Options -Indexes -Includes
    d. Restart Apache
    e. Add this to prevent remote attackers from obtaining things like inode number, multipart MIME boundary, and child process through the ETag header.
      i. FileETag None
    f. Restart Apache
    g. Run from the command line to ensure all of apache is owned by the apache user and group
      i. chown -R apache:apache /etc/httpd
      ii. chown -R apache:apache /var/www
    h. Lock down Apache conf directories
      i. chmod -R 750 /etc/httpd/conf
      ii. chmod -R 750 /etc/httpd/conf.d
      iii. chmod -R 750 /etc/httpd/conf.modules.d
    i. On <Directory> tags change AllowOverride. (this was backed out and set to All to allow for use of .htaccess)
      i. AllowOverride None
    j. Disable the TRACE HTTP request to prevent Cross Site Tracing attacks
      i. TraceEnable off
    k. Restart Apache
    l. Set cookies with the HttpOnly and Secure flags to mitigate Cross Site Scripting attacks
      i. Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure
    m. Restart Apache
    n. Prevent Clickjacking attacks
      i. Header always append X-Frame-Options SAMEORIGIN
    o. Restart Apache
    p. X-XSS protection. Cross Site Scripting (XSS) protection can be bypassed in many browsers.
      i. Header set X-XSS-Protection "1; mode=block"
    q. Restart Apache
    r. Disable the HTTP 1.0 protocol and force use of HTTP 1.1 due to a security weakness related to session hijacking.
      i. Enable mod_rewrite
      ii. RewriteEngine On
      iii. RewriteCond %{THE_REQUEST} !HTTP/1.1
      iv. RewriteRule .* - [F]
    s. In /etc/httpd/conf/httpd.conf, comment out the cgi-bin script alias
      i. # ScriptAlias /cgi-bin/ "/var/www/cgi-bin"
    t. In the ssl.conf file set the SSL cipher suite for high encryption, disable old versions of SSL and use only TLS 1.2
      i. SSLCipherSuite HIGH:!MEDIUM:!aNULL:!MD5:!RC4
      ii. SSLProtocol -ALL +TLSv1.2
    u. Rename some conf files so they are not loaded by the main conf files. These are generally not needed.
      i. cd /etc/httpd/conf.modules.d
      ii. mv 00-dav.conf 00-dav.conf_na
      iii. mv 00.lua.conf 00.lua.conf_na
      iv. mv 01-cgi.conf 01-cgi.conf_na
    v. Edit 00-base.conf to only load modules that are absolutely needed. Ensure only these modules are loaded, comment out the rest.
      i. LoadModule authz_core_module modules/mod_authz_core.so
      ii. LoadModule headers_module modules/mod_headers.so
      iii. LoadModule log_config_module modules/mod_log_config.so
      iv. LoadModule mime_module modules/mod_mime.so
      v. LoadModule rewrite_module modules/mod_rewrite.so
      vi. LoadModule setenvif_module modules/mod_setenvif.so
      vii. LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
      viii. LoadModule unixd_module modules/mod_unixd.so
      ix. LoadModule dir_module modules/mod_dir.so
    w. Edit /etc/httpd/conf.modules.d/00-proxy.conf, ensure only these modules are loaded and comment out the rest
      i. LoadModule proxy_module modules/mod_proxy.so
      ii. LoadModule proxy_http_module modules/mod_proxy_http.so
    x. In /etc/httpd/conf.d rename these config files to prevent them from loading as they are not needed:
      i. mv autoindex.conf autoindex.conf_na
      ii. mv userdir.conf userdir.conf_na
      iii. mv welcome.conf welcome.conf_na

  2. Harden PHP
    a. Edit /etc/php.ini to reflect the values below:
      i. Change the value of setting assert.active to Off.
      ii. Change the value of setting expose_php to Off.
      iii. Change the value of setting memory_limit to 8M.
      iv. Change the value of setting post_max_size to 256K.
      v. Change the value of setting file_uploads to Off.
      vi. Change the value of setting allow_url_fopen to Off.
      vii. Change the value of setting mail.add_x_header to Off.
      viii. Remove the comment from setting session.use_strict_mode = 1.
      ix. Change the value of setting session.cookie_secure to 1.
      x. Change the value of setting session.cookie_httponly to 1.
      xi. Save files and restart Apache.
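As an added example (not code from the thread), here is the login() action rewritten for CakePHP 3.7's AuthComponent, whose setUser() returns nothing, so the if() wrapped around it in the posted code always takes the false branch; the check that matters afterwards is Auth->user(). The flash element names sPublico/ePublico and the Pages/home redirect are the thread's own; the Usuarios table columns and the beforeFilter allow-list are assumptions.

```php
<?php
// Added example, not the thread's code: UsuariosController::login() for
// CakePHP 3.7, written without testing setUser()'s (void) return value.
namespace App\Controller;

use Cake\Event\Event;

class UsuariosController extends AppController
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        // Assumption: unauthenticated visitors may reach the login form itself.
        $this->Auth->allow(['login']);
    }

    public function login()
    {
        if (!$this->request->is('post')) {
            return null; // a GET just renders the form
        }

        // identify() runs the configured Form authenticator (email/password
        // against the Usuarios model) and returns the user row or false.
        $usuario = $this->Auth->identify();
        if (!$usuario) {
            $this->Flash->ePublico(__('Usuario y/o contraseña incorrectos!.'));
            return null;
        }

        // setUser() writes the identity into the configured session storage
        // (key 'Auth.Usuario') and returns nothing, so it is never tested.
        $this->Auth->setUser($usuario);

        // Authoritative check: what the storage now holds for this request.
        // Whether the *next* request resumes the session depends on the
        // browser returning the cookie: with session.cookie_secure = 1
        // (PHP hardening step ix) that only happens over HTTPS, so a login
        // exercised over plain HTTP looks as if the session was never read.
        if ($this->Auth->user() === null) {
            $this->Flash->ePublico(__('No se pudo acceder a la sesion!.'));
            return null;
        }

        $this->Flash->sPublico(__('Ingresaste a tu cuenta.'));
        return $this->redirect(['controller' => 'Pages', 'action' => 'home']);
    }
}
```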