We have a recurring issue related with an unexpected random User session expiration within all the applications hosted in subdomains of the same domain. Forcing us to re-authentication every time we are kicked.
Our system is:
3 Dedicated Servers run by a server provider, 3 static IPs
Each server acts as a Virtual server, we can have as many hostings as we need
200-300 different users working simultaneously in the applications
Server 1
A main domain "example.com" that points to a Wordpress website in a hosting of the server
A forum application, phpBB 3.2, hosted in "forum.example.com"
4 wiki sites in wikiX.example.com
apache 2.4.46-1~bpo9+1
PHP 7.3
mysql-server 10.1.48-0+deb9u2
PHP Session folder: /home/.example.com/tmp
Server 2
Several SugarCRM CE 6.5.15 instances in PHP 5.6 running in different subdomains sugarcrmX.example.com
apache 2.2.22-13+deb7u11
php 5.6
mysql-server 5.5.57-0+deb7u1
PHP Session folder: /home/sugarcrm.example.com/tmp
Each app with a different unique_key in config.php
Server 3
Several SuiteCRM 7.11.15 instances running in different subdomains suitecrmX.sinergiacrm.org
apache 2.4.46-1~bpo9+1
PHP 7.3
mysql-server 10.1.48-0+deb9u2
PHP Session folder: /home/suitecrmX.example.com/tmp
Each app with a different unique_key in config.php
We are working often in parallel within the different applications: SuiteCRM, SugarCRM, Forums and Wikis. Then, at some point that we can't define, the applications kick us out with the message 'You have been logged out because your session has expired.'. Redirecting us to the Login page of each of the applications that we were using in that moment. From this moment and for several hours, the situation happens again and again, kicking us out repeatably. Until a time that it seems to stop, leaving us for a couple of hours
This happens to all the members of our team: 8 people working from different locations with different devices, operating systems and browsers. Some of the users (within the 200-300 we metioned) reported this as well, but we presume isn't happening as often as us.
This issue started happening a few months after we upgraded our Wordpress, integrated the Server 3 and the SuiteCRM applications, but we can't say the exact moment it started. Before this, it never happened. So it is a bit difficult for us to find the reason right now.
We have already tried to change the PHP session parameters session.cookie_domain. Setting a different cookie_domain for each of the subdomain of each of the hosts, accordingly. Then deleting cookies of each of the browsers. At the beginning, it seemed we found the solution because our session was persisting. But after a few days, the sessions expiration issue came again.
Are we missing some crucial configuration within any service configuration?
Any idea about how to debug this?
Thanks
EDIT: We have a subdomain for each application sugarcrm1.example.com, sugarcrm2.example.com, etc... Each session is currently stored in different folder /home/sugarcrm1.example.com/tmp, /home/sugarcrm2.example.com/tmp
We don't need them to work in a common session, each application/subdomain has a different user/password management authentication.
The unique_key in config.php is a guid code used by SugarCRM Core to generate a unique user session ID.
We haven't tried changing the default session name "PHPSESSID" yet.
You need to consider the following things:
Move your session storage to a third party/mount it outside/database. I would recommend memcache for a scalable solution. Refer Is it recommended to store PHP Sessions in MemCache?
WordPress, PhpBB, Wiki, and SugarCRM have different session management mechanisms. Firstly you need to make changes to all these to work with the common session
Related
I've got 2 projects I work on right now, but the problem is that since I'm logged into one project the session for the login is saved so when I switch the other project I'm instantly logged in.
Both projects are running on the same server and I save the userID in the Session.
This could get a problematic as soon as I publish the projects and have more user accounts.
If both your projects are hosted under the same domain name and port then as far as PHP and the browser is concerned it's all one application, and therefore they will share a single Session.
Whether you logically view it as two projects is irrelevant to that. If they need to be treated as separate then host them separately e.g. on a different port or a subdomain - you can do this on your local webserver for development / testing, as well as on the live server.
I have two different projects in symfony2. I am using symfony2.3 version.
I have used fosuserbundle for user authentication.
I have one server. I have uploaded my both projects at
/var/www/html/project1
/var/www/html/project2
And i am accessing my two applications/projects like
http://202.12.0.0/project1 and
http://202.12.0.0//project2.
(IP here is given only for example. It's not my IP which i am using).
My problem is when I login in http://202.12.0.0/project1 it store session for taking http://202.12.0.0 as domain.
So when I login in http://202.12.0.0/project2, It logout from http://202.12.0.0/project1. I need to login again.
And V/S same for project2.
I have no other option for that. I mean i have no option for virtual host for this two different project. I have LAN, and every one using this project/my-application using IPaddress/project.
I Referred Session in different applications Symfony2 But it doesn't help me.
You probably should configure both projects to use different place where session files are stored.
In Symfony2 you can do that with save_path param in framework configuration
More info: http://symfony.com/doc/current/cookbook/session/sessions_directory.html
Also it can be done strictly in PHP with session_save_path function.
Edit.
Also changing just session name could work too. You can do that either by framework configuration or by session_name PHP function.
I have a Laravel 4.2 application deployed on a server on our intranet called "Dashboard". It can be accessed via the URL http://dashboard.mydomain.local/ and uses the "native" driver for session storage.
I am in the process of reconfiguring the application to run in Docker containers. The new site can be accessed via http://dbdock.mydomain.local/ and is running on a different server. The new site uses "redis" for sesson storage.
Here's the problem:
If I'm signed in to one site and then sign into the other, then I get signed out of the other.
Here's what I've tried:
I updated the application URL in the config/app.php file.
I changed the the encryption key.
I changed the session cookie name in config/session.php
It seems to me that the sessions should be kept strictly separated in this case because a) the session store is different (filesystem vs. redis); b) the session store is on different servers; c) the URLs for the two sites are different; and d) the session cookie names are different.
I can't understand how these two sites are conflicting with each other. Can anyone explain to me what's going on in this case?
Edit I should mention that these two applications are using the same database server for the user database. This is for the purposes of transitioning away from the original server (which is going to be retired in the near future).
I know this is a bit old but I had the same problem with two Laravel projects and when I changed the session cookie name in config/session.php for one of them, the problem solved.
I think you should delete your browser cookies.
Here's the thing:
I have Website A in Server 1, a CakePHP 2 based website without any kind of login system.
I also have Website B in Server 2, another CakePHP website which has its login system (uses CakePHP's Auth for more details if it matters), with a login form in first page where users can enter login/password to access it.
So now what I need to do is to add a login form in website A that logs users into website B (as if they had used the form in website B).
Is that possible? If so, what approach should I take to do that securely? (By that I mean without plainly exposing the users credentials).
I assume you're doing this so that you can go between multiple sites, but only login once? I've come up with a way to do this, provided that the sites share domains, but are hosted on different subdomains by getting them to share session. The reason this only works on websites that share domains is because two completely unrelated websites cannot share cookies, which is necessary to get them to share session.
Note that since your goal is to make the two servers completely share their sessions, you will encounter some problems, like for example, flashmessages for one site will appear on both. I ended up extending the Session component so that it would automatically append to all session variables with a prefix to specify which server the session variable belongs to.
Here's an outline of the steps:
The login server will need to be able to host shared sessions, probably via memcache's session save handler, which you will need to install on both your servers. See more here: http://www.dotdeb.org/2008/08/25/storing-your-php-sessions-using-memcached/
The login server's site will need all the regular stuff for a login system, but you also need to set the server up so that it will use the shared memcache session instead of the normal way of saving session. Example once you have memcache installed, add to its php.ini file:
session.save_handler = memcache
session.save_path = "tcp://[login server ip]:11211"
The other server's site will also need to use the shared memcache session stored on the login server, so config its php.ini the same way you did for your login server. Then, set up the Auth component on this site so that it will require logins, but for actually logging in, redirect them back to your login server.
On both servers, in bootstrap.php, add the line ini_set('session.cookie_domain', '.' . ROOT_DOMAIN); Where root domain is the root domain both of them have. So if you were using test.com and subdomain.test.com, ROOT_DOMAIN would be "test". This way, the websites will also share their session cookies.
Make absolutely sure both servers are set to the same time. If their times don't match, you'll likely randomly lose your session because one of the servers will think the session is much older than the other server, and so it will delete it because it thinks the session is too old.
I have a server on which I am using dokuwiki to host both a homepage as well as a wiki. The server is available under www.domain.com and the wiki is available under wiki.domain.com. Internally both subdomains are served from different directories.
However this means, that everybody who wants to sign up has to sign up for the both domains and manage a duplicate set of user accounts for both subdomains.
What I would like is to have a system, where anybody can sign up on both pages and only has to log in in any of the domains and get access. ACL should still be managed separately for both domains, since I might use namespace names multiple times.
I looked through the list oft dokuwiki auth plugins, but I was not able to find anything usefull for this purpose. Another idea would be to just soft- or hardlink the auth data directory in the two installations. However this would still mean users would have to log in multiple times. Also I am not sure whether my hoster actually allows such directory links, or if this might mess up the two installations.
Is there any other way to create such a setup?
A DokuWiki farm setup might help with having the same user database for both sites. Symlinking the user file is another way.
More complicated is to share the cookies between both domains. I'm not sure how to approach this best. Maybe others can offer some ideas.
Well since this is on the same server just across your various subdomains I would imagine you would want to store the user info including logins in a shared database so that no matter which app/subdomain you insert their registration data and query for their login info from the same database. Then it's a matter of using PHP sessions for keeping track of if they are logged in across subdomains. There is already a length stack on how to achieve that here:
PHP Sessions across sub domains
Try setting the Cookie Domain to .yourdomain.com
This means your browser will deliver cookies to subdomains of yourdomain.com.
So cookies will beshared among www.yourdomain.com and wiki.yourdomain.com