I'm using Symfony Session component with NativeStorage.
The initialization is very simple (session property has type Symfony\Component\HttpFoundation\Session\Session)
$this->session->start();
I'm facing a session issue during payment redirects, my application redirects user to Paypal payment, if the user push "abort" link in Paypal page it will be redirected to the abort page of the initial application.
During this second redirect somehow the session is refreshed and a new cookie and a session-id is activated.
I'm working with Firefox without private mode. I have tried to open the page manually in a new browser tab but the session is discarded in the same way.
What can cause a session expiration during a page redirect? The cookie generated is the standard cookie made by Symfony Session class and PHP:
Domain and protocol (https) dont change. The URL path changes from initial page to abort page.
UPDATE:
The issue seems to be connected to Firefox.
I have tested it with Chrome and works, I have tested the case with Firefox in privacy mode and it works... so I guess it is something wrong with my firefox sessions.
Related
I am using a payment API. When I click on pay, it opens a new page in the browser, I do the payment on their platform and then, the user is redirected back to my website using a POST request. However, even if he was logged in when he quit my website, when he gets redirected back to my website and the origin is the payment platform, my user doesn't seem to still be logged in. He isn't logged out though, it's
Is there a way to keep the session active even when the origin is not the current website? So, I am on domain A, I click to a link to get the payment on domain B and when the payment is done, I'm redirect to domain A with my authentication (session).
Thanks a lot!
It's an issue with same site cookie configuration, mainly observed on chrome. You could try with SameSite=none with secure flag; change this in the session configuration file.
Also make sure you use https.
I am developing an webapp and have been running by some problems with the user authentication implemented in Yii2's Advanced Template.
The thing is, it runs fine locally, but on the production server the login seems to not work properly. It validates the data correctly (user and password), and if they match any entry in the database I can track via the F12 function on Chrome that I have been redirected to the index page, as expected. The problem is that, after being redirected to the index page, it redirects me back to the login page (as if I wasn't authenticated). Inspecting the browser's cookies I can see that the identity cookie used by Yii2 is already marked as 'deleted' at this point.
What may be the problem? Is Yii2 not being able to save the state of the user perhaps? How can I try to debug that?
I'm trying to add a hosted payment solution to an old Symfony 2.6 project. This is the standard hosted solution where you embed Payment Gateway's form inside an iframe, to allow user to securely submit their CC information. When payment is processed Payment Gateway redirects the user back to my site using GET request and sends me the payment token as GET param.
This all happens inside the iFrame obviously and this whole process works fine, except for the last step.
When user is redirected back to my callback URL inside the iframe, Symfony for some reason doesn't recognize user's session and redirects user to the login. I get message: security.INFO: Populated SecurityContext with an anonymous Token in the log. That happens only for that one call, user remains logged in on the rest of the site. User logins are controlled by fos_userbundle, in the standard setup.
Callback URL looks like this: http://some.site/foo?paymentToken=12345, and if I enter that url directly into the browser it works just fine. Even when I set iframe's src directly to that url it loads fine. But when user is 302 redirect-ed back to that url from the payment gateway it fails (using Chrome browser).
Payment gateway is using https, my site is using regular http, so I guess it has something to do with switching the security levels? But have no idea how to solve it.
Since the redirect comes from the 3rd party server I can't control the headers or anything else about that request.
UPDATE: I've noticed that Chrome sends the header: upgrade-insecure-requests:1, not sure if it's causing the problems?
I can confirm that this is not a Symfony problem, but an issue with how Chrome handles redirects from secure to insecure sites (possibly a bug?).
Chrome doesn't send any cookies on 302 redirect from https to http page, and that's why user is not recognized properly. Everything works fine with Firefox.
This can be also you're testing the app in app_dev.php (developing mode) and the iframe is calling the production verision (app.php). Each application manage different sessions.
This is an experiment on fresh laravel 5.3 project( default authentication) basic auth flow works perfectly
step-A :Obtain the Laravel session cookie
Open the auth url in normal browser window, After the successfull login i can see the laravel session cookie( ie laravel_session ) in browser cookies section i just copied that value
Application State:Logged in
step-B: Obtain the authentication using the same session cookie in incognito browser window
opened the http://localhost/finde/public/login in incognito window which is the login URL for the application in this I've added the Laravel_session cookie that's obtained from step-A via browser console.
Now i am able to access the http://localhost/finde/public/home URL with the session cookie obtained from step-A.
Application state:Logged in
Just go back to step-A application state and logged out from the application so the session cookie is now invalid?.
But when i come back to http://localhost/finde/public/home URL in the incognito window and refreshed it. Oops, its still accessible
But why this session cookie is still valid ??
we've recently done some installation but I'm facing issues with one pc in particular and its baffling. We have a webapplication installed on our local server which is accessed by all our workstations. FOr some reason we can't log into our webapplication using one workstation. The application is a PHP MYSQL collaboration system. I double checked and for some really odd reason whenever we login it creates a session ID but upon logging in and redirecting to another page the session is broken and a new session id is generated thus the individual is automatically logged out again.
What could be the issue here - is its a firewall thing - its not the web application as we can access it fine via the other workstations. We even disabled the firewall but in all cases that single dumb workstation seems to have an issue with maintaining the session.
Help please - I'm sure its an issue confined to that one PC - what could it be.
Update
The authentication sequence is as follows:
Login
Authenticate user
Build session
Store session variables with session ID in db
Redirect
SESSION variables are empty - a new session ID is generated
Since new session ID is not of an authenticated user - return to login
More details
SSL is not enabled
Cookies are enabled are on the problem machine
UPDATE
I don't understand how can redirection be the problem here. My redirection code is as follows I'm using the following function to redirect to the index page upon successful login.
function _redirect($url)
{
#To redirect to a specified page
if(headers_sent())
echo "<meta http-equiv=\"refresh\" content=\"0;URL=$url\">";
else
header("Location:$url");
exit;
}
Plus even if it is an issue why is it a problem on just one PC and not on the others? I don't wish to change my code just to accommodate one system as opposed to fixing whats wrong with that one system which is preventing it from behaving in the first place.
MORE UPDATE
I just double checked and found something odd. My login is ajax based i.e. a request is made via ajax if it is a success the session variables are generated and a boolean 1 is sent back upon receiving the user is redirected via a javascript call which is:
function _redirect(url)
{
window.location = url;
}
I commented out this call and instead when the user is logged in I manually go to the index page and it works fine!! What is the javascript redirect messing up in this one pc thats not messing up in the other workstations is beyond me :( How do I fix this?
It sounds like the cookie is not being set and sent back to the server properly on this machine. Verify that you have cookies enabled and that you don't have some 3rd party browser extension or other software blocking cookies.
what browser are you using on this workstation? IE? Firefox? Have you tried different web browsers? Tried checking the browser settings yet? What is the time out set to? Is the time on the server and workstartion syncing properly with ntp?
In IE you can disable accepting of sessions cookies if the security is set to high I believe.
If you're losing the session, it's likely because the session cookie is not being transmitted. Does the browser on that machine have cookies enabled? Are you using SSL for your login page? Does your login code do anything besides validate a username/password (e.g. validate an IP address or machine name)?
Edit
Can you verify with Fiddler/Wireshark that the session cookie is transmitted when you redirect? Can we see some example login code?
I misunderstood the question to begin with (hence my edit history)
What is the domain the login is on and the main site is on? If it's between domains (could be anything like sending between example.com and www.example.com)