I'm trying to implement a SessionProvider auth plugin for a mediawiki install.
I'm trying to integrate with an existing auth system that uses $_SESSION to indicate that a user is logged in, however any method I try, the resulting $_SESSION variable that I get inside the class' provideSessionInfo function is empty.
Previously this was done with a onUserLoadFromSession hook (that contained the bulk of the logic code below), but the update appears to have broken actually looking at the existing $_SESSION:
public function provideSessionInfo(WebRequest $request)
{
// $_SESSION is hidden away per-request, but $request->getSession likes to call this function (yay infinite loops)
if (!isset($_SESSION['memberid'])) {
return null;
}
$memberid = $_SESSION['memberid'];
$mr_user = MyRadio_User::getInstance($memberid);
$user = User::newFromName($memberid);
$dbr = wfGetDB(DB_REPLICA);
$s = $dbr->selectRow('user', ['user_id'], ['user_name' => $memberid]);
if ($s === false) {
return null;
} else {
$user->mName = $memberid;
$user->mId = $user->idForName();
$user->loadFromDatabase();
$user->saveSettings();
}
if ($mr_user->hasAuth(AUTH_WIKIADMIN) && !in_array('sysop', $user->getGroups())) {
$user->addGroup('sysop');
}
$user->mTouched = wfTimestampnow();
return new SessionInfo(SessionInfo::MAX_PRIORITY, [
'provider' => $this,
'persisted' => true,
'userInfo' => UserInfo::newFromUser($user, true),
]);
}
If I hardcode $memberid, the function and the session provider works fine, but I just can't seem to find a way to transfer the session from one PHP "application" to another.
Adding debugging shows the PHPSESSID variable still set in the cookie, but for whatever reason it can't be pulled out into an actual session object. I've tried various session_start() style methods to no effect.
I feel like I'm missing something obvious, but the documentation for this stuff is just a basic wiki page and the raw generated doxygen.
Session handling is not a good way of cross-application communication. MediaWiki uses its own session handling, which means there is no connection between $_SESSION in MediaWiki and $_SESSION in your application at all. The first will be populated from MediaWiki's object cache (as configured by $wgSessionCacheType), the other from PHP session files or whatever.
If you really do not have a better way to pass data, you'll have to write a custom access class which can be called by your provider, which will save the current session handler, install a null session handler (which restores PHP's native session handling which will hopefully be interoperable with the other application), start the session, fetch the session data, restore the original session handler, and probably start the session again.
I have recently updated form 2.2.x to 3.0.0 with following the update procedure from codeigniter's website.
I have having real issues with the new session library - heres the issue.
We have a login section which dependant on the subdomain and user/pass credentials will give you certain privileges from ADMIN / RESELLER / CLIENT / USER
In order to determine the correct privileges for the user we have built a customer LIBRARY (location:application/library) which we have called Session_management, this library DOES NOT extend the core SESSION driver/library and never has and has no extension to another class, this library is also auto-loaded, prior to CI 3.0.0 everything was working fine.
First this the Session_management does is __construct()
$this->CI =& get_instance();
$this->CI->load->model('users');
$this->CI->load->model('clients');
$this->CI->load->model('sessions');
$this->CI->load->driver('session');
$this->CI->load->library('password_hash');
$this->CI->load->helper('url');
$this->users = $this->CI->users;
$this->clients = $this->CI->clients;
$this->sessions = $this->CI->sessions;
$this->session = $this->CI->session;
$this->password_hash = $this->CI->password_hash;
Prior to CI 3.0.0 I has no issues in using the
$this->CI->load->library('session');
but for some unknown reason (to me) I HAVE to load it through the driver
$this->CI->load->diver('session');
if someone could explain why I am having to do it this way that would be great.
When a user submits their user/pass credentials a CONTROLLER session/signin is requested which runs firstly form validation, providing everything is successfully, the Session_management login method is called.
$success = $this->session_management->login
($this->input->post('email'), $this->input->post('password'));
In the LOGIN method in the Session_management class a bunch of sessions are set using
$this->session->set_userdata();
$this->session->set_userdata('user_id', 0);
$this->session->set_userdata('user_name', '');
$this->session->set_userdata('client_id', 0);
$this->session->set_userdata('client_administrator', 0);
$this->session->set_userdata('reseller_administrator', 0);
However when I var_dump() the session for all its session data it has NOTHING and I can't why this is, no session data is there except my protected fields form the config, which I have double checked and triple checked and are working fine, my sess_save_path is storing the session files correctly, and the rest of the sess configs are also correct.
$config['sess_driver'] = 'files';
$config['sess_cookie_name'] = 'ci_session';
$config['sess_expiration'] = 7200;
$config['sess_save_path'] = '/Users/******/Sites/********/tmp';
$config['sess_match_ip'] = FALSE;
$config['sess_time_to_update'] = 300;
$config['sess_regenerate_destroy'] = FALSE;
This is a development website on my local OS X iMac, as I say prior to CI 3.0.0 everything was working fine.
Just to add before I get reply's saying "you need to use"
$this->load->library('session');
I have "HAD" to load it as a driver, I don't have a choice, I have read the documentation and have seen how to initialise the session library.
If I do attempt to load it as a library
$this->load->library('session');
This is what I get
A PHP Error was encountered
Severity: Notice
Message: Undefined property: Session::$session
Filename: libraries/Session_management.php
Line Number: 38
For your ref: line 38 is:
$this->session = $this->CI->session;
This is after trying to load the session library
$this->CI->load->library('session');
Also to add to this message re: Database sessions / File session.
Database sessions were my first option, a have revamp the database columns and indexes to suit CI 3.0.0 as the documentation mentions and session were and are storing in the database table when I change my config to use the database, however reading the performance differences between File sessions against Database sessions under high load, File sessions will out perform database session and since the website / platform I am creating will be under high load, database sessions aren't the way forward.
As a note: The website runs under a subdomain.domain.*** structure where subdomain is registered as a company name upon a company registration i.e
mycompany.mywebsiteurl.com
anothercompany.mywebsiteurl.com
As previously mention - prior to my update to CI 3.0.0 it was working fine.
Might I also add: I have checked my log files, I am running tail -f for live log updates - and it don't see any log issues.
Any help, information or anything that could possible put me in the right direction would be appreciated.
I have also posted on the CI forum.
A fresh copy of CI 3.0.0 with necessary files and configs transferred across didn't solve my problem/issue.
What seems to be the whole cause of the problem was the fact I had a controller call Sesssion.php which is named the same as the Driver file.
When CI (Codeigniter) calls
$this->load->library('session')
there are a few checks done before CI knows that you want to actually load the CI_Session class ... class_exists('Session') returns TRUE and it stops there in order to avoid a fatal error.
Hope this helps others too.
I recently created a new symfony application on the existing website. Then, in this new application, I want to read the session of old applications(something like login user id). Unfortunately, in each application, the session are completely separate(I mean the symfony session, something like $this->getUser()->getAttribute("userSession")).
I guess the symfony session is implemented using $_SESSION like:
$_SESSION = array("symfonyapp1" => array(....), "symfonyapp2" => array(....));
So I wrote $_SESSION["test"] = "testStr" in the old application and wrote var_dump($_SESSION["test"]);. The screen simply prints "null", so my guess is wrong.
Then I think maybe I can read the configuration of a certain application and then get the user of that application. So I wrote the following code in my new application:
require_once($_SERVER['DOCUMENT_ROOT'].'/../config/ProjectConfiguration.class.php');
$configuration = ProjectConfiguration::getApplicationConfiguration('frontend', 'prod', false);
$context = sfContext::createInstance($configuration);
var_dump($context->getUser()->getAttribute("userId"));
Unfortunately again, it prints "null".
I completely have no idea now. Any advice is greatly appreciated
Check session identifiers of your apps. Php's default session id is PHPSESSID and as far as I remember default session identifier for Symfony 1.4 apps is just symfony
You can change Symfony's session identifier by modyfing apps/YOUR_APP_NAME/config/factories.yml file, by setting:
all:
storage:
param:
session_name: PHPSESSID
By doing that your Symfony app will share the same session id as your old app and you will be able to read $_SESSION attributes in Symfony app
New to Laravel and having some problems with Sessions. Specifically, reading session data from a PHP file outside of Laravel.
For example, let's say I set the session variable like so: Session::put('isAuthorized', 'yes') - I can retrieve this just fine in the Laravel context with Session::get('isAuthorized') but the following PHP will not retrieve this session key -
<?php
session_start();
echo $_SESSION['isAuthorized'];
?>
returns
Notice: Undefined index: isAuthorized in C:\xampp\htdocs\session.php on line 3
I have tried setting the Laravel session driver to both the default cookie and file modes, same result.
You could also write a session adapter, so the $_SESSION variable will be an instance of it:
<?php
class SessionAdapter implements \ArrayAccess {
public function offsetExists($offset) {
return Session::has($offset);
}
public function offsetGet($offset) {
return Session::get($offset);
}
public function offsetSet($offset, $value) {
return Session::put($offset, $value);
}
public function offsetUnset($offset) {
return Session::forget($offset);
}
}
And then somewhere in your code:
<?php
$_SESSION = new SessionAdapter();
// or
$GLOBALS['_SESSION'] = new SessionAdapter();
This way native PHP session and Laravel session will be "the same".
Laravel uses storage drivers for its sessions, namely cookie, file, database, memory, memcached and redis (and APC in Laravel 4).
The web is a stateless environment. This means that each request to your application is considered unrelated to any previous request. However, sessions allow you to store arbitrary data for each visitor to your application. The session data for each visitor is stored on your web server, while a cookie containing a session ID is stored on the visitor's machine. This cookie allows your application to "remember" the session for that user and retrieve their session data on subsequent requests to your application.
http://laravel.com/docs/session/config
The default storage driver is Cookie, so try this:
print_r($_COOKIE);
Please note that this answer is specific to Laravel 3
Laravel doesn't use PHP sessions, so forget session_start(), $_SESSION, etc.
If you're running with file session driver, the session data is stored in a file in storage/sessions. You can obtain the name of the file by reading the Laravel session ID from the cookie. So the hacky way to solve your problem would be to write some code that obtains the session ID from the cookie and then looks for the file with that name in the storage/sessions folder, read that file in, json_decode() it and you can read the whole thing.
If you're running with cookie session driver, all of the session data is stored in the cookie, but it is encrypted, so you'd have to have a copy of the key (which should be in application/config/application.php) and then figure out what encryption method Laravel is using so you can decrypt it. Then you can read all the session variables.
To achieve what you're hoping to achieve - that is, figure out if the current person is authorized, it might be better to build an API into your app and secure it so that it can only be accessed by localhost. Not a great solution from a performance standpoint, but potentially more elegant because you're not hacking around with the internals of Laravel session management.
Session handling in Laravel is indeed different from native PHP session. To use native PHP session, set the value as below:
<?php
session_start();
$_SESSION['isAuthorized'] = 'yes';
echo $_SESSION['isAuthorized']; // output yes
?>
I am using codeigniter 2.1.0.
I am trying to do a register/login function using the session library in the codeigniter.
The register/login with the session library worked fine for localhost, but when I put it live and tried it, the session does not work.
My controller login works this way. I check the credentials, once ok I set my session data and redirect to another page.
$user_data = array(
'username' => $result->user_name,
'email' => $result->user_email,
'userid' => $result->user_id,
'role' => $result->user_role,
'login_state' => TRUE,
'lastlogin' => time(),
);
$this->session->set_userdata($user_data);
print_r( $this->session->all_userdata());
redirect(base_url('dashboard'));
at this point here when I print all my session data, they do print out. But at the dashboard controller side, when i attempt to print the session data out, they were not there anymore.
Any idea why? Thanks in advance for the help.
if you are working in CI 3.x and just upgraded your server php version to php 7.x
Go to system/libraries/Session/session.php at Line no 281 and replace ini_set('session.name', $params['cookie_name']); by ini_set('session.id', $params['cookie_name']);
I'm not sure what exactly is the problem. Recently I faced this too..
It was working before in my development running php7.0.
Currently it is only working in my production server running nginx and php 5.6. My development server seems to be not working and keeps on regenerate new row in sessions table. My development server is using php7.1, on homestead virtualbox development environment, usually being used for Laravel projects.
I managed to get over this by taking this step.
1) Go to system/libraries/Session/Session.php
2) Comment session_start() by adding //. We want to relocate the sessionn_start().
3) Go down to line 315 where it says Security is king, and comment out until line 351
4) Then go to your main index.php ( the root index.php )
5) Add session_start() at the top once.
6) Okay try again. Hopefully it works. My guess is that it is not working with php 7.1 and some update need to be done in this Session.php file.
My CI Version is 3.1.1
PHP 7 Upgrade - * Known SESSION / COOKIE Bug
This answer addresses the known session/cookie bug - when you upgrade to PHP7 from PHP 5.
If your CodeIgniter version is # 3.1.0 or below - and you are upgrading to PHP 7.1 - You will need to update CodeIgniter.
There is a bug with $this->session->set_userdata(); - that can be pretty annoying. It will overwrite your session as soon as you redirect or visit another page within your site structure.
Some other discussions about the bug:
https://github.com/bcit-ci/CodeIgniter/issues/4830
*Save some time and see post by See post "dyanakiev commented on Oct 23, 2016" -
"Just to confirm: Everything works perfect with 3.1.1, no more problems with sessions.
👍 Good job! 💃"
See upgrade instructions here:
https://www.codeigniter.com/use…/installation/upgrading.html
Latest CodeIgniter Download here:
https://codeigniter.com/download
*I can also confirm this as well:
Updating codeigniter to 3.1.6 fixed the session problem immediately - that had occurred after I updated server to PHP 7.1.*
In My case, after some tests (with https and http in localhost) the error comes for that issue and not having properly set the $config['cookie_secure'], so you can try changing in config.php:
$config['cookie_secure'] = FALSE; // if is not under https, or true if you use https
Cheers!
This is an addition to "edelweiss" answer but I feel like it require more attention and hence posting as answer.
CI 2.1 is infamous to have session related problems. It is better we replace the built-in Sessions.php file with the one below.
The link given by "edelweiss" is broken. The Session.php file he mentions is:
<?php if (!defined('BASEPATH')) exit('No direct script access allowed');
//> makes dw cs4 happy
/**
* Session class using native PHP session features and hardened against session fixation.
*
* #package CodeIgniter
* #subpackage Libraries
* #category Sessions
* #author Dariusz Debowczyk, Matthew Toledo
* #link http://www.philsbury.co.uk/index.php/blog/code-igniter-sessions/
*/
class CI_Session {
var $flashdata_key = 'flash'; // prefix for "flash" variables (eg. flash:new:message)
function CI_Session()
{
$this->object =& get_instance();
log_message('debug', "Native_session Class Initialized");
$this->_sess_run();
}
/**
* Regenerates session id
*/
function regenerate_id()
{
// copy old session data, including its id
$old_session_id = session_id();
$old_session_data = $_SESSION;
// regenerate session id and store it
session_regenerate_id();
$new_session_id = session_id();
// switch to the old session and destroy its storage
session_id($old_session_id);
session_destroy();
// switch back to the new session id and send the cookie
session_id($new_session_id);
session_start();
// restore the old session data into the new session
$_SESSION = $old_session_data;
// update the session creation time
$_SESSION['regenerated'] = time();
// session_write_close() patch based on this thread
// http://www.codeigniter.com/forums/viewthread/1624/
// there is a question mark ?? as to side affects
// end the current session and store session data.
session_write_close();
}
/**
* Destroys the session and erases session storage
*/
function destroy()
{
unset($_SESSION);
if ( isset( $_COOKIE[session_name()] ) )
{
setcookie(session_name(), '', time()-42000, '/');
}
session_destroy();
}
/**
* Alias for destroy(), makes 1.7.2 happy.
*/
function sess_destroy()
{
$this->destroy();
}
/**
* Reads given session attribute value
*/
function userdata($item)
{
if($item == 'session_id'){ //added for backward-compatibility
return session_id();
}else{
return ( ! isset($_SESSION[$item])) ? false : $_SESSION[$item];
}
}
/**
* Sets session attributes to the given values
*/
function set_userdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$_SESSION[$key] = $val;
}
}
}
/**
* Erases given session attributes
*/
function unset_userdata($newdata = array())
{
if (is_string($newdata))
{
$newdata = array($newdata => '');
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
unset($_SESSION[$key]);
}
}
}
/**
* Starts up the session system for current request
*/
function _sess_run()
{
session_start();
$session_id_ttl = $this->object->config->item('sess_expiration');
if (is_numeric($session_id_ttl))
{
if ($session_id_ttl > 0)
{
$this->session_id_ttl = $this->object->config->item('sess_expiration');
}
else
{
$this->session_id_ttl = (60*60*24*365*2);
}
}
// check if session id needs regeneration
if ( $this->_session_id_expired() )
{
// regenerate session id (session data stays the
// same, but old session storage is destroyed)
$this->regenerate_id();
}
// delete old flashdata (from last request)
$this->_flashdata_sweep();
// mark all new flashdata as old (data will be deleted before next request)
$this->_flashdata_mark();
}
/**
* Checks if session has expired
*/
function _session_id_expired()
{
if ( !isset( $_SESSION['regenerated'] ) )
{
$_SESSION['regenerated'] = time();
return false;
}
$expiry_time = time() - $this->session_id_ttl;
if ( $_SESSION['regenerated'] <= $expiry_time )
{
return true;
}
return false;
}
/**
* Sets "flash" data which will be available only in next request (then it will
* be deleted from session). You can use it to implement "Save succeeded" messages
* after redirect.
*/
function set_flashdata($newdata = array(), $newval = '')
{
if (is_string($newdata))
{
$newdata = array($newdata => $newval);
}
if (count($newdata) > 0)
{
foreach ($newdata as $key => $val)
{
$flashdata_key = $this->flashdata_key.':new:'.$key;
$this->set_userdata($flashdata_key, $val);
}
}
}
/**
* Keeps existing "flash" data available to next request.
*/
function keep_flashdata($key)
{
$old_flashdata_key = $this->flashdata_key.':old:'.$key;
$value = $this->userdata($old_flashdata_key);
$new_flashdata_key = $this->flashdata_key.':new:'.$key;
$this->set_userdata($new_flashdata_key, $value);
}
/**
* Returns "flash" data for the given key.
*/
function flashdata($key)
{
$flashdata_key = $this->flashdata_key.':old:'.$key;
return $this->userdata($flashdata_key);
}
/**
* PRIVATE: Internal method - marks "flash" session attributes as 'old'
*/
function _flashdata_mark()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':new:', $name);
if (is_array($parts) && count($parts) == 2)
{
$new_name = $this->flashdata_key.':old:'.$parts[1];
$this->set_userdata($new_name, $value);
$this->unset_userdata($name);
}
}
}
/**
* PRIVATE: Internal method - removes "flash" session marked as 'old'
*/
function _flashdata_sweep()
{
foreach ($_SESSION as $name => $value)
{
$parts = explode(':old:', $name);
if (is_array($parts) && count($parts) == 2 && $parts[0] == $this->flashdata_key)
{
$this->unset_userdata($name);
}
}
}
}
Maybe you not automatic load library session.
Have you try this in controller dashboard:
$this->load->library('session');
print_r($this->session->all_userdata());
I'm facing same issue and I was working with CodeIgniter version 3.1.9. I have downloaded CodeIgniter's latest version 3.1.11 and replace my current "system" directory with new the one available with 3.1.11 version.
Above process has solved my issue and it's working fine without any issues in PHP version 7.3.12 and 7.4.0.
Make sure your app has permissions to create the session files to /tmp (where file sessions are stored) if your not using a database for the sessions.
More than likely you need to look at php.ini on the production server and verify the session save handler is defined http://devzone.zend.com/413/trick-out-your-session-handler/ explains this rather well.
I saw a similar post and was directed to here to try using his sessions.php
And it works for me!
http://www.philsbury.co.uk/blog/code-igniter-sessions
In case someone get stuck using Homestead (as I was), this is a CodeIgniter bug and is not present on newer versions (I read), you can upgrade your CI version or downgrade your PHP version "per project" with Homestead 6+, as in the example:
//Homestead.yaml
- map: myproject.test
to: /home/vagrant/Code/myproject
php: "5.6"
and then simple run homestead provision.
I solved this issue by upgrading my codeigniter.
Go to Codeigniter download
Download it and replace your project system folder with newly downloaded one.
Check on the $config['base_url'] = 'http://localhost/'; if you are working on the localhost, and change it to $config['base_url'] = 'http://localhost'; without the last /
I experienced a similar problem with CI 3.1.1. I tried most of the solutions suggested on stackoverflow most did not work for me. I had two different projects project A's sessions were working while project B's session data was losing data after redirect. By comparing the two I found what could be a solution/explanation to the problem.
My initial redirect looked like this:
redirect ('name_of_function_in_same_controller');
I changed it to:
redirect ('/name_of_controller/name_of_function_in_controller');
And it started to work. I believe the trick is including the name of the controller to in the redirect. Be sure to make provision for the controller name in routes.php
Obviously, the table i created, ci_sessions, only have max 64K of data (blob), So i change into mediumblob and it works fine now
In our case the problem was related with Chrome SameSite cookies policy.
It seems that since Chrome 76 was released, cookies without "SameSite=None" and "Secure" properties are not setted by the browser after redirect.
For people that are using CodeIgniter 3.1.6 if you are redirecting to your site from a third party (for example from OAuth login page) you must add this to your config.php:
$config['cookie_path'] = '/;SameSite=None';
$config['cookie_secure'] = TRUE;
Keep in mind that this has security implication so be careful and be sure that you are choosing the best solution for your application requirements.
Related question here: How can I redirect after OAUTH2 with SameSite=Strict and still get my cookies?
Make sure you session_start() before using $_SESSION. I had this problem, I foolishly assumed that
$this->load->library('session');
will do that for me, but not.
Check in application/config/config.php
and find $config['encryption_key'] = ''; If it is empty then set the ecryption_key.
It will definitely help if after every setting session variables not working after redirection.
For more detail:
http://codeigniter.com/user_guide/libraries/encryption.html
I was facing the same issue and after a long research I found the solution.
My session is stored in db not in files but even database is also restricted to store the size, I think..
Its not any core issue of codeigniter or something that is session destroyed automatically or something else..
It is actually the load of data amount in session, if we save the more & more data inside session with Codeigniter("I am not sure about native session but for codeigniter I can confirm this"), it will destroy the session automatically.
So what you have to do is, to go to that code that you are writing to get the data from db or somewhere else and then saving into session in userdata, try to reduce the load of data saving inside the session and exclude that data which is not needed on page from session every time.
Let me know if still there is an issue..
This might be late. But felt i should drop it. Had same issue too. I m using codeigniter and wiredesignz hmvc and i noticed the error was from the htaccess. Try adding a back slash after the rewrite base url