Currently I am working on Yii2, and when I submit a form after some time, Yii2 redirects to a bad request. I think the CSRF token has expired, so my question is: how do I increase the CSRF token lifetime in Yii2?
How can we handle a form submit that takes a long time while still validating the CSRF token?
Disabling CSRF token validation works fine in my code, but I don't want to disable it.
No need to show code here, I think.
You can use different cookies and sessions for frontend and backend.
Cookie Backend
    'identityCookie' => [
        'name' => '_backendIdentity',
        'path' => '/admin',
        'httpOnly' => true,
    ],
Cookie Frontend
    'identityCookie' => [
        'name' => '_frontendIdentity',
        'path' => '/',
        'httpOnly' => true,
    ],
Session Backend
    'session' => [
        'name' => 'session_backend',
    ],
Session Frontend
    'session' => [
        'name' => 'session_frontend',
    ],
You can increase the CSRF token expiry time by adding the following code to your config/web.php file. With the code below the CSRF token is valid for one hour only; you can increase the time as per your need.
    'request' => [
        // !!! insert a secret key in the following (if it is empty) - this is required by cookie validation
        'cookieValidationKey' => 'Key Here',
        'csrfCookie' => [
            'expire' => time() + 3600,
            'secure' => true,
        ],
    ],
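As an added example (not part of the answer above), here is a fuller request/session section for config/web.php that keeps CSRF validation switched on while giving the token cookie a one-hour lifetime and the usual cookie hardening flags. The cookie validation key is a placeholder, the session name is an assumption, and the sameSite flags need Yii 2.0.21 or later:

```php
<?php
// config/web.php (added example; placeholder values are marked as such)
use yii\web\Cookie;

return [
    'id' => 'basic',
    'basePath' => dirname(__DIR__),
    'components' => [
        'request' => [
            // Placeholder: generate a long random string and keep it out of version control.
            'cookieValidationKey' => 'REPLACE_WITH_RANDOM_SECRET',
            // Validation stays on; only the lifetime of the token cookie changes.
            'enableCsrfValidation' => true,
            'enableCsrfCookie' => true,
            'csrfCookie' => [
                // Applied when the cookie is (re)issued. 0 would make it a browser-session
                // cookie. time() is evaluated on every request because the config is reloaded.
                'expire' => time() + 3600,
                'httpOnly' => true,                  // not readable from JavaScript
                'secure' => true,                    // only sent over HTTPS
                'sameSite' => Cookie::SAME_SITE_LAX, // not sent on cross-site POSTs
            ],
        ],
        'session' => [
            'class' => 'yii\web\Session',
            'name' => 'app_session', // assumed name
            // Idle timeout in seconds (sets gc_maxlifetime). Keep it at least as long as the
            // CSRF cookie so a slow form does not lose its login before it loses its token.
            'timeout' => 3600,
            'cookieParams' => [
                'httponly' => true,
                'secure' => true,
                'sameSite' => Cookie::SAME_SITE_LAX,
            ],
        ],
    ],
];
```

When validation fails, Yii throws yii\web\BadRequestHttpException, which is the "bad request" the question describes. Because the submitted token is checked against the value in the CSRF cookie, extending that cookie's lifetime removes the failure for long-running forms without turning validation off; the session timeout matters separately, since a form posted after the login session has expired fails for a different reason.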
Related
I'm having a problem: when I log out from either frontend or backend, the other one remains logged in. I have been searching online for solutions but did not find anything like this. What should I change so that when I log out from the frontend or the backend, the other one logs out as well?
Login is working fine for both:
    public function actionLogout()
    {
        Yii::$app->user->logout();
        return $this->goHome();
    }
Please update your frontend and backend main.php as below:
    'user' => [
        'identityClass' => 'common\models\User',
        'enableAutoLogin' => true,
        'identityCookie' => ['name' => '_identity-auth', 'httpOnly' => true],
    ],
    'session' => [
        // this is the name of the session cookie used for login on the frontend
        'name' => 'AuthSession',
    ],
Once the identityCookie and session settings are identical, you can manage your session from both frontend and backend.
Is there a way to destroy a session on the (Apache) server after, for example, one hour? Now the session stays in the Apache folder forever, so each time I start the application the old session is picked up (and I don't want that).
    use Zend\Session\Storage\SessionArrayStorage;
    use Zend\Session\Validator\RemoteAddr;
    use Zend\Session\Validator\HttpUserAgent;

    return [
        // Session configuration.
        'session_config' => [
            // Session cookie will expire in 1 hour.
            'cookie_lifetime' => 60*60,
            // Store session data on server for 1 hour.
            'gc_maxlifetime' => 60*60,
        ],
        // Session manager configuration.
        'session_manager' => [
            // Session validators (used for security).
            'validators' => [
                RemoteAddr::class,
                HttpUserAgent::class,
            ],
        ],
        // Session storage configuration.
        'session_storage' => [
            'type' => SessionArrayStorage::class,
        ],
        // ...
    ];
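The config above relies on PHP's session garbage collector, which only runs with the probability set by session.gc_probability / session.gc_divisor, so an idle session file can outlive gc_maxlifetime. As an added example (not from the answer above, and framework-independent), this plain-PHP bootstrap enforces an absolute one-hour lifetime by recording the session's creation time and destroying it explicitly on the first request after that hour; the constant and the function name are assumptions:

```php
<?php
// Added example: absolute session lifetime enforced in code, not only by gc.

const SESSION_MAX_AGE = 3600; // seconds; same value as cookie_lifetime / gc_maxlifetime above

function startBoundedSession(?int $now = null): void
{
    $now = $now ?? time();

    // Keep server-side gc and the cookie aligned with the absolute limit.
    ini_set('session.gc_maxlifetime', (string) SESSION_MAX_AGE);
    ini_set('session.use_strict_mode', '1'); // refuse session ids the server never issued
    session_set_cookie_params([
        'lifetime' => SESSION_MAX_AGE,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();

    if (isset($_SESSION['created_at']) && $now - $_SESSION['created_at'] > SESSION_MAX_AGE) {
        // Older than one hour: drop the data and the server-side file, then start clean
        // under a fresh id so the stale cookie value cannot be reused.
        $_SESSION = [];
        session_destroy();
        session_start();
        session_regenerate_id(true);
    }

    if (!isset($_SESSION['created_at'])) {
        $_SESSION['created_at'] = $now;
    }
}

// Call once per request, before any output is sent.
startBoundedSession();
```

The check is an absolute limit, not an idle timeout: a session that is used continuously still ends after an hour, which is usually what "destroy the session after one hour" means. gc_maxlifetime, by contrast, only counts time since the last access.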
How do I log into an application with login credentials using guzzlehttp? Thanks in advance.
Logging into your application should be as straightforward as doing a POST request to the correct endpoint with the correct credentials.
e.g. from the docs at http://docs.guzzlephp.org/en/latest/quickstart.html
    // a client instance is assumed by the docs snippet
    $client = new GuzzleHttp\Client();

    $response = $client->request('POST', 'http://httpbin.org/post', [
        'form_params' => [
            'field_name' => 'abc',
            'other_field' => '123',
            'nested_field' => [
                'nested' => 'hello',
            ],
        ],
    ]);
However, most likely the application is using cookies to maintain state. By default Guzzle doesn't store cookies, but you can enable this behaviour with the cookie plugin: http://guzzle3.readthedocs.io/plugins/cookie-plugin.html
Once this is enabled you just need an initial request to log in to the application and initiate the session. Your second call should then happen as a logged-in user.
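The cookie plugin linked above belongs to Guzzle 3; in Guzzle 6 and 7 the same job is done by a GuzzleHttp\Cookie\CookieJar passed through the cookies request option. As an added example (not from the answer above), the flow below loads the login form first so the server can set its session cookie and issue a CSRF token, submits the credentials together with that token, and then requests a protected page with the same jar. The base URL, the /site/login and /profile paths and the LoginForm[...] field names are assumptions modelled on a Yii2 login form:

```php
<?php
// Added example: session-based login with Guzzle 6/7 and a cookie jar.
require 'vendor/autoload.php';

use GuzzleHttp\Client;
use GuzzleHttp\Cookie\CookieJar;

function extractHiddenField(string $html, string $name): ?string
{
    // Parse the page instead of regex-matching it; libxml copes with real-world HTML.
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('input') as $input) {
        if ($input->getAttribute('name') === $name) {
            return $input->getAttribute('value');
        }
    }
    return null;
}

function loginAndFetch(Client $client, string $user, string $pass, string $protectedPath): string
{
    // One jar for the whole flow: the session cookie set at login is replayed afterwards.
    $jar = new CookieJar();

    // 1. Load the login form so the server issues its session/CSRF cookies and a token.
    $page = (string) $client->get('/site/login', ['cookies' => $jar])->getBody();
    $csrf = extractHiddenField($page, '_csrf'); // Yii2's default CSRF parameter name
    if ($csrf === null) {
        throw new RuntimeException('login form has no _csrf field');
    }

    // 2. Submit the credentials with the token; the post-login redirect is followed.
    $client->post('/site/login', [
        'cookies' => $jar,
        'form_params' => [
            '_csrf' => $csrf,
            'LoginForm[username]' => $user, // assumed field names
            'LoginForm[password]' => $pass,
        ],
        'allow_redirects' => true,
    ]);

    // 3. Any later request carrying the same jar runs as the logged-in user.
    return (string) $client->get($protectedPath, ['cookies' => $jar])->getBody();
}

$user = getenv('APP_USER');
$pass = getenv('APP_PASS');
if ($user === false || $pass === false) {
    fwrite(STDERR, "set APP_USER and APP_PASS in the environment\n");
    exit(1);
}

$client = new Client([
    'base_uri' => 'https://app.example.test/', // assumption
    'timeout'  => 10,
    'verify'   => true, // keep TLS certificate verification on
]);
echo loginAndFetch($client, $user, $pass, '/profile');
```

Credentials are read from the environment rather than written into the script, and TLS verification is left enabled; both are easy to get wrong in throwaway integration scripts that later end up in a repository.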
We configured /var/www/app1 and /var/www/app2, but both are logging in with a single session. How can I make these use different sessions?
I tried the following solution from the Yii2 wiki, but it doesn't work here.
    'identityCookie' => [
        'name' => '_backendUser', // unique for backend
        'path' => '/advanced/backend/web', // correct path for the backend app.
    ],
Please give a solution for this issue.
Use a different session name for each application. This can be set in your config as:
    'components' => [
        'session' => [
            'class' => '\yii\web\Session',
            'name' => 'mycustomname',
        ],
    ],
In the advanced app, I tried to implement separate authorization for backend and frontend.
In the first case, I used the User class from the basic app, in order to use users without a database. But for the frontend part, I used the User class from the advanced app.
It would seem that everything is working perfectly. But when you try to log in at the same time on both sides, the latter takes precedence over the previous one, i.e. after logging in on the frontend part, the user is automatically ejected from the backend and vice versa.
You have to set different cookies for frontend and backend in the config/main.php file. For example:
In backend:
    'components' => [
        'session' => [
            'name' => 'BACKENDID', // set name
            'savePath' => __DIR__ . '/../tmp', // create tmp folder and set path
        ],
    ],
In Frontend:
    'components' => [
        'session' => [
            'name' => 'FRONTENDID',
            'savePath' => __DIR__ . '/../tmp',
        ],
    ],
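The answers above (the frontend/backend cookie and session names, the session name per application, and the per-app session name and savePath) each cover one part of keeping two Yii2 applications from sharing a login. As an added example that is not from any of those answers, the helper below builds the session and user components for one application of the advanced template so that the cookie name, the cookie path, the identity cookie and the server-side session store are all distinct per app. The file location, the function name and the runtime/sessions directory are assumptions:

```php
<?php
// common/config/session.php (added example; file name is an assumption)
use yii\web\Cookie;

if (!function_exists('appSessionComponents')) {
    /**
     * Session and user components for one app ('frontend' or 'backend').
     * $cookiePath is the URL prefix the browser should send the cookies to.
     */
    function appSessionComponents(string $appName, string $cookiePath): array
    {
        // Separate store per app: the two apps never read each other's session files.
        $savePath = dirname(__DIR__, 2) . '/' . $appName . '/runtime/sessions';
        if (!is_dir($savePath)) {
            mkdir($savePath, 0700, true); // readable by the web server user only
        }

        return [
            'session' => [
                'class' => 'yii\web\Session',
                'name' => $appName . '_session',   // distinct cookie name per app
                'savePath' => $savePath,
                'timeout' => 3600,
                'cookieParams' => [
                    'path' => $cookiePath,
                    'httponly' => true,
                    'secure' => true,
                    'sameSite' => Cookie::SAME_SITE_LAX,
                ],
            ],
            'user' => [
                'identityClass' => 'common\models\User',
                'enableAutoLogin' => true,
                'identityCookie' => [
                    'name' => '_' . $appName . 'Identity', // distinct auto-login cookie per app
                    'path' => $cookiePath,
                    'httpOnly' => true,
                    'secure' => true,
                    'sameSite' => Cookie::SAME_SITE_LAX,
                ],
            ],
        ];
    }
}

// backend/config/main.php would merge these into its own components:
//   'components' => array_merge(
//       appSessionComponents('backend', '/admin'),
//       [ /* other backend components */ ]
//   ),
// and frontend/config/main.php likewise:
//   'components' => array_merge(
//       appSessionComponents('frontend', '/'),
//       [ /* other frontend components */ ]
//   ),
```

Distinct names are the part that actually separates the sessions: a cookie scoped to path / is still sent with requests to /admin, so path alone does not isolate the frontend from the backend, which is why the wiki snippet in the question above changed the identity cookie without changing the session and did not help. The separate savePath keeps a compromise or misconfiguration of one app's session files from exposing the other's.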