So after ripping my hair out for a good 2-3hrs trying to figure out why my Vimeo OAuth requests wasn’t returning any sessions variables, I finally figured it out.
CakePHP’s Configure::write(‘Security.level’, ‘medium’); sets PHP’s session.referer_check and denies any other hosts from setting session variables. I was wondering why half my sessions vars were gone and it would appear I was logged-out. Setting Configure::write(‘Security.level’, ‘low’); seems to have fixed the issue. But anytime you read ‘Security Low’ in the same sentence, it leaves you with some sort of uncomfortable feeling.
I’m not exactly sure what the status of this is. But I found a link that pretty much explains it all. session.referer_check PHP ini var should be decoupled from ‘High’ and ‘Medium’ Session Security levels