I am trying to make a login system using a series of methods and sessions. This is how it works:
User makes POST request via XHR to domain.com/api/login
Nginx does a rewrite to domain.com/api.php?request=url
File runs some validations, and if everything is good, it instantiates the target class and then uses call_user_func_array to call the target method with the newly instantiated object.
Method called is UsersController->logIn, this method runs some validations, and then calls UsersModel::Condition which in simplest terms selects the user and returns an object with the user's properties and a few methods.
Then, we run $instanceOfUserRow->LogIn(), which updates the last_logged column of that user and also instantiates the session doing $_SESSION['user_id'] = $this->user_id.
However, no matter what I try, it just will not set the session variable. I tried the following:
Naming the variable different, from user_id to identifier, to id_test, etc.
Instead of setting it in the UserRow->LogIn method, set it instead in the UsersController->logIn directly, which also didn't work
Created a session variable in my framework's main file (Called Init.php) called test.
This session variable was set successfully and behaved correctly, and the behavior was the same if I renamed it to user_id, which I thought was weird.
Created a simple function that was declared right after the session_start in the Init.php file called set_session that simply took the name and value and set a session like this: $_SESSION[$name] = $value;. This also didn't work.
At this point I have no idea what to do, I did verify that the session was active using session_status before setting any new variable. Classes are loaded using a custom autoload. I am not sure if the culprit is either how many files we are layering through (From the original request being API/login, then rewriting to api.php, then UsersController.php, then UsersModel.php and then UserRow.php) or if it could be just the fact that it is being called via call_user_func_array.
Any help or leads would really help out. Thank you.
Turns out even though nearly everything was the same, I was querying the API using HTTPS, but the request was being made from a page that was not over TLS.
So requests were being made from http://website.lan to https://website.lan/api and that caused the session to change across requests.
Related
I have two branches of the same project. There are minor differences between these two branches but something in the one branch is causing my SESSION entry (which I store in the DB) to be deleted on any kind of "GET" or "POST" request - whether it's clicking a link or simply performing a browser refresh. I do not experience this behaviour in the other branch.
I have not altered any permissions.
I have not added extra actions in my controller that I would need to add permissions for.
There are exactly three files that differ from the one branch to the other - a view, a controller, and a model.
The view differs only in changed variable names - for which I do not get an undefined error in the browser so that should be fine.
In the controller I have only broken up the processes one of the action methods so that other methods are called to process difference bit of code, but always returning to the same action to render the said view.
I do not empty the session at any point in any other part of my code.
I do set session variables but they are all correctly stored in the same __flash entry in the db - up until the point where that entry is whacked from the DB.
The effect of having my SESSION entry deleted from the DB is that it then causes a check for adminId in the $_SESSION to fail which fires a denyCallback redirecting me to localhost.
I have debugged almost everywhere where there is mention of $_SESSION or Yii::$app->session, as well as everywhere in yii2/web/Session.php. And after hours I could not find a single instance where it actively empties the $_SESSION variable and then saving it to the DB.
I thought it might be something to do with pjax calls, but that cannot be as I have those same calls in the one branch where the session entry is always preserved.
It seems to be that something is failing on the requests and the browser just keeps on retrying until it eventually gives up and then somehow, somewhere deletes my SESSION from the db. I'm out of theories.
Any guidance would be much appreciated!
I debugged and searched for quite a while and I can't figure out what is happening. This is my first time doing a custom session handler, so I'm afraid I'm overlooking something painfully obvious. I want to implement a custom session handler so I can store additional information with the sessions and be able to temporarily disable access to protected areas of the site for certain groups of users.
My login page (which was working fine with basic file-based php sessions), includes a php file with a lot of functions including the session handler functions and my error handler. That included file includes a third file that does the database connection. The connection is made using mysqli_connect() and the resulting link is stored in a variable, $dbc. That same connection is used throughout the site for logging errors, loading/editing site content, etc. I decided to use the same database connection, since it is used already on every page and my session handler will need to be used on almost every page as well. Nowhere in my code do I manually close the database connection, but I think perhaps it is automatically closing somehow.
My functions access the database connection ($dbc) with a global statement. Ex:
function sess_write($id, $data)
{
global $dbc;
...
My open, read, and write functions are supposed to use the variable in this manner. I checked the database connection variable in the open and read functions and it is non-null as expected, but in my write function it suddenly shows up as null. Is PHP doing something between read and write that could potentially be closing that connection? I created a test variable in the same included file that creates the database connection, and used the same global $test; statement in the write function, and that variable appears just fine, so I'm guessing it has something to do with the database being closed. I tried using a second variable to store the database connection (to only be used by the session handler) and that didn't work either. Any ideas? Am I just being dumb as usual?
Per your note, that is correct -- objects will be disposed of before write and close. The traditional workaround for this is to use the register_shutdown_function. PHP 5.4 now has an interface you can use to write a session handler class that simplifies this process. If you implement the interface in a session class, when you pass it to session_set_save_handler() it defaults to setting things up to register the shutdown call for you.
Alot of my controllers have functions that look like this. What is the best measure to take with CI when a session runs out and a function like such is called?
$this->foo_model->create_bar($this->session->userdata('userid'), $bookId);
I don't fully get your question maybe, but when you call $this->session->userdata('something') for an expired session it will simply return FALSE.
So, the best method would be checking if the variable isn't FALSE? As you would do with any other variable that might not be the value you want:
if($this->session->userdata('userid')){}
//or check it into the model's method, wherever you prefer
Where and when to do that strongly depends on your design. If you always need to do the same check you might want to make it a library or a model's function, so that you just need to write your code once and just call that method. If you need it done before anything else you might consider placing it in the constructor, or as #Jordan Arsenault suggested, create a parent MY_Controller which does the check, and all your regular controllers extends it. Really, this depends on you architecture and you didn't provide enough info to answer that.
All I can say is make your methods fault tolerants, always check for the correct value before feeding the rest of your code (if an expired session breaks your workflow)
You can use cookies to revive an expired session.For example you can create a token for users when they login to your application .This token has a related userid that your application knows globally then save a cookie on the user machine that contains the token.each time the session expires ask for the client cookies and see if this cookie is available then with its userid re-create the session.if there's no token available redirect your user to a page telling him what has happened and ask him to login again.
When the user logs out delete the token and the cookie
I am working on a Web chat application. I recently ran into a problem where a particular session variable is not being saved. I have no clue why this is happening as everything else appears to work fine. Code:
This is the class that invokes the function the command is associated with. It is called like this: Command::process("whois", "username_goes_here");
What could be the possible problem and how do I fix it?
In case you need to save Objects in a session, please note, that the object's class needs to be loaded before the saved Objects get back to life from the session.
In this case, load the object's class definition first, then read the object from a session.
PS: Hopefully, the value of $command doesn't get passed directly from the HTTP request into the function...
I have an application with multiple regions and various incoming links. The premise, well it worked before, is that in the app_controller, I break out these incoming links and set them in the session.
So I have a huge beforeFilter() in my app_controller which catches these and sets two variables in the session. Viewing.region and Search.engine, no problem.
The problem arises that the session does not seem to be persistant across page requests. So for example, going to /reviews/write (userReviews/add) should have a session available which was set when the user arrived at the site. Although it seems to have vanished!
It would appear that unless $this->params is caught explicitly in the app_controller and a session variable written, it does not exist on other pages.
So far I have tried, swapping between storing session in 'cake' and 'php' both seem to exhibit the same behaviour. I use 'php' as a default. My Session.timeout is '120', Session.checkAgent is False and Security.level is 'low'. All of which should give enough leniency to the framework to allow sessions the most room to live!
I'm a bit stumped as to why the session seems to be either recreated or blanked when a new page is being requested. I have commented out the requestAction() calls to make sure that isn't confusing the session request object also, which doesn't seem to make a difference.
Any help would be great, as I don't have to have to recode the site to pass all the various variables via parameters in the url, as that would suck, and it's worked before, thus switching on $this->Session->read('Viewing.region') in all my code!
Try setting the security setting in your /app/config/core.php file to medium or low. That solved a session problem I had.
i had the solution or at least that work for me
you try to pass from controller reviews action write to controller userReviews action add right???
check that your controller userReviews must end whit php tag "?>" and NO MORE SPACE
SO if you have someting like this
line
999 //more code lines
1000 ?>
1001
your session fail
you have to had this
line
999 //more code lines
1000 ?>
sorry for my bad english
soo you
It would appear that unless
$this->params is caught explicitly in
the app_controller and a session
variable written, it does not exist on
other pages.
That sounds like the proper behavior unless you are posting data from page to page. If you want any variable to persist, it should either be set in the model (where it will persist with the association), or passed on in a function, or set in the session explicitly using the session component:
$this->Session->write('Viewing.region');
(see: http://book.cakephp.org/view/398/Methods)
On a related note, I've had most success with sessions stored in the database. Run the file from app/config and set it to db. See if that helps.
Also, do the Cake core tests for the session work?
Might it be this problem? Essentially, cake's session resets if the user-agent changes
It's a shame that I ran into this very problem you mention a few days ago and now I cannot find the link that helped me solve it.
Also: are you using database or plain php sessions?
I'm going to go out on a limb here without being able to look at your code, but might it be possible that your "reviews" controller (or whatever) has its own beforeFilter() and doesn't call its parent's beforeFilter() explicitly?
This has burned me before...
I got some issues like this. Session set using some controller was not available in another , controller . I could clear the issue after spending few hours . There was a white space afer the end of php tag at the bottom . After clearing the line and white space after the last ?>
tag worked fine .
I had this problem when moving a CakePHP site. My problem was that the session directory wasn't writeable. You should make sure the folder app/tmp and all it's subfolders (including sessions) have permission 777.