The Problem:
After successful initial "csrf-cookie" and "login" requests, the authenticated user seems to disappear from the session on all subsequent requests.
$request->user() and Auth::user() and auth()-user() all return null.
$request->session()->all() returns just a "_token" field, and $request->session()->has('users') and $request->session()->has('user') both return false.
Context:
This only occurs on my production server (I've tried both a Laravel Forge server and my own server with setting up Nginx manually).
This is a SPA backend, using Laravel 8. Using Laravel's built in Sanctum authentication. Using database session driver (although I've tried all the others, the driver does not seem to be the issue, and I can see the sessions in my database).
My session config currently (although I have tried other configs to no avail):
same_site = 'none'
domain = null
secure = true
http_only = true
What I've Tried:
Countless google searches, have not found any issues or solutions that seem to apply to my situation.
I have tried digging into the session and request objects immediately before and after the problem occurs (as described in the problem section) and have not gotten any useful information that way.
I have tried playing around with the session config... changing the "same-site", "secure", etc. variables.
I have found the problem, turned out to be extremely simple/silly: I had to add the \Illuminate\Session\Middleware\AuthenticateSession::class middleware to my route (specifically for me, in this case it was to the 'api' middleware group).
Related
I have a problem with my Laravel 9.x App (modifying from Laravel Breeze by switching from Tailwind to Bootstrap 5). Everything works fine in local, nothing serious happen. But when I deploy it on DO Server, the problem begin. The problem is, I got 419 Page Expired after doing a POST request (Login/Register/Logout) at a certain time. However, sometimes it works fine, I can register & login, but when I'm try to logout it returns 419 Page Expired. I've checked every single form to put #csrf and I still got 419 Page Expired. Then I'm trying to comment out the \App\Http\Middleware\VerifyCsrfToken::class on my live server, and every POST request works fine BUT, it didn't generate login session for me. Any ideas to fix this issue?
Then I'm trying to comment out the \App\Http\Middleware\VerifyCsrfToken::class on my live server, and every POST request works fine BUT, it didn't generate login session for me.
This sounds like you site isn't using HTTPS and the browser is discarding the cookies in between the requests. This can also happen if you are using HTTPS but posting to HTTP (or vise-versa).
This behavior is expected if the cookie is set with the Secure flag. I've also seen some browsers do this anyway even if the Secure flag is not set.
In Laravel, this feature is not enabled by default. It is enabled via the .ENV variable called SESSION_SECURE_COOKIE being set to true. You can see this yourself by checking the config/session.php file.
This is a good feature to have enabled.
If you have setup any CORS (Cross-Origin Resource Sharing) policies then you may want to make sure they are not blocking parts of the request as it can have a similar effect. Something like https://www.example.com is not considered the same as https://example.com if a wildcard was not used when defining the CORS policy. These policies are a bit in-depth, so if none of this sounds familiar then you probably don't have one at all. If unsure, an easy way to check is to look at the developer console in your browser. They typically complain in red text about something being blocked by CORS if it is happening.
some of the users on my site are experiencing
a Laravel\Socialite\Two\InvalidStateException. I've taken the steps outlined in the replies to Laravel Socialite: InvalidStateException and have not been able to resolve the issue. Only a small percentage of users seem to be experiencing this.
I have 2 fpm/nginx docker containers sitting behind an HAProxy load balancer.
This seems to be an invalid state issue in socialite package that is already resolved in this post.
Some of your users are accessing your website with a different url (https://www.example.com or https://example.com) hence causing the mismatching "state" in the sessions.
If you are on Larvel 5.3 and above... add a SESSION_DOMAIN=http://example.com in the .env file
For other versions go to your config/session.php file, and add your domain. 'domain' => 'www.example.com'
To apply changes immediately. Run 'php artisan cache:clear' and 'composer dump-autoload' Hopefully this should resolve the issue.
I bet you that the issue is appearing because of the load balancer. Here's my theory:
Sticky sessions: if your load balancer hasn't sticky session properly configured, it's possible for some users to start a new session on server 1 and on a following request it ends on server 2 which maybe is throwing the Laravel\Socialite\Two\InvalidStateException
Request timeout: I'm not sure of this but, maybe your session lifetime isn't enough to complete some process that also throws the Laravel\Socialite\Two\InvalidStateException
Maybe if you change the laravel session storage to a decentralized database instead of the default text file configuration, the exception gets solved.
In your production env file just add SESSION_DOMAIN=http://example.com to be picked up by your config/session.php. For local development, you won't need that.
replace
Socialite::driver('google')->user();
to this code
Socialite::driver('google')->stateless()->user();
any social (any social login like facebook github etc)
I have a domain and subdomain based app (all in one Laravel project). I have set up CORS and CSRF so that communication works. I've also replaced the cookie domain under session.php and now the session is shared across domain and subdomain.
I have an issue when logging in however. When I log in (either from domain or subdomain) user gets logged in. I can check that by dumping Auth::user() under my web.php. However when I try to dump it from middleware I get null.
How is that possible?
I tried clearing caches on both app and browser
You should probably check the database, I had those same problems a long time ago.
I think Laravel saves the session in the database, or in some other configuration.
Check "config/session.php"
Hope be helpfull
I found the issue.
I was calling my middleware before the session middleware under Kernel.php
NOTE
Global middleware is called before web middleware
I had an application made with Laravel 5.3 that was running fine, but after upgrading to Laravel 5.4, every time we authenticate, it goes fine and we have access to user informations :
{"id":X,"name":"Foo","email":"foo#bar.com", . . .}
The thing is, it is not really logged in as when we want to access a protected view that this user would have access to, it redirects on the login page.
I checked a fresh install of Laravel 5.4 methods of authentication and can't find any difference between application and this fresh 5.4 application.
So if someone could tell me where this problem comes from, it would be really helpful,
Thanks.
EDIT : It seems that the Auth()->user() gets null value while in the middleware that protects the routes.
I found what went wrong, but didn't wrote the answer here.
What was actually happening is that it seemed that session cookies had the encrypt config option set to false, but it was needing the EncryptCookies middleware, which was missing.
I am using laravel 5.1 with Sentinel - Cartalyst auth driver. Problem is that Laravel can't "keep" users logged in. After some time (when they visit website) it automatically kicks them out with error that they are not logged in (I have filter that checks if user is logged in for every route expect login route). It really bugs me and I can't fix it.
I tried using cookies, file and database driver for keeping login sessions and they all fail.
Does someone knows how to deal with this problem? I am bulding project for Intranet users (under local domain)... Maybe that could be problem? Also I notice that cookies expiration time is current datetime that laravels sets for max expiration time.
Are you sure you imported the correct namespace path to Cartalyst? I had an issue with sessions not persisting and it was caused by importing the native php Cartalyst class rather than the laravel one. It should be something like Cartalyst\Sentinel\Laravel\Facades\Sentinel::class