Security issue with binary type (ver. 3.x)?

I’m currently running CakePHP 3.4.11, with sessions set to be stored in the database (MySQL). As per the CakePHP documentation, the sessions table includes a BLOB field, as in here.

I’ve found that I need to have the PHP setting allow_url_fopen set to “on” for sessions to work properly. Otherwise, I get an error on line 86 of /vendor/cakephp/cakephp/src/Database/Type/BinaryType.php along the lines of:

function.fopen: failed to open stream: no suitable wrapper could be found

And the session data isn’t retrieved from the database (which means users can’t log in, for one thing).

I’d prefer not to enable allow_url_fopen as it’s a security risk, but I can’t see a simple workaround, so long as I’m using database sessions. Has anyone else come across this and found a solution?

In general, it looks as though allow_url_fopen has to be enabled for cakephp 3 to handle binary data from most databases, which isn’t ideal.

Although I’m running CakePHP 3.4.11, I can see the issue still exists in 3.4.12 and 3.5.

Thanks for your help!