I have a domain and subdomain based app (all in one Laravel project). I have set up CORS and CSRF so that communication works. I've also replaced the cookie domain under session.php and now the session is shared across domain and subdomain.
I have an issue when logging in however. When I log in (either from domain or subdomain) user gets logged in. I can check that by dumping Auth::user() under my web.php. However when I try to dump it from middleware I get null.
How is that possible?
I tried clearing caches on both app and browser
You should probably check the database, I had those same problems a long time ago.
I think Laravel saves the session in the database, or in some other configuration.
Check "config/session.php"
Hope be helpfull
I found the issue.
I was calling my middleware before the session middleware under Kernel.php
NOTE
Global middleware is called before web middleware
Related
I have a problem with my Laravel 9.x App (modifying from Laravel Breeze by switching from Tailwind to Bootstrap 5). Everything works fine in local, nothing serious happen. But when I deploy it on DO Server, the problem begin. The problem is, I got 419 Page Expired after doing a POST request (Login/Register/Logout) at a certain time. However, sometimes it works fine, I can register & login, but when I'm try to logout it returns 419 Page Expired. I've checked every single form to put #csrf and I still got 419 Page Expired. Then I'm trying to comment out the \App\Http\Middleware\VerifyCsrfToken::class on my live server, and every POST request works fine BUT, it didn't generate login session for me. Any ideas to fix this issue?
Then I'm trying to comment out the \App\Http\Middleware\VerifyCsrfToken::class on my live server, and every POST request works fine BUT, it didn't generate login session for me.
This sounds like you site isn't using HTTPS and the browser is discarding the cookies in between the requests. This can also happen if you are using HTTPS but posting to HTTP (or vise-versa).
This behavior is expected if the cookie is set with the Secure flag. I've also seen some browsers do this anyway even if the Secure flag is not set.
In Laravel, this feature is not enabled by default. It is enabled via the .ENV variable called SESSION_SECURE_COOKIE being set to true. You can see this yourself by checking the config/session.php file.
This is a good feature to have enabled.
If you have setup any CORS (Cross-Origin Resource Sharing) policies then you may want to make sure they are not blocking parts of the request as it can have a similar effect. Something like https://www.example.com is not considered the same as https://example.com if a wildcard was not used when defining the CORS policy. These policies are a bit in-depth, so if none of this sounds familiar then you probably don't have one at all. If unsure, an easy way to check is to look at the developer console in your browser. They typically complain in red text about something being blocked by CORS if it is happening.
The Problem:
After successful initial "csrf-cookie" and "login" requests, the authenticated user seems to disappear from the session on all subsequent requests.
$request->user() and Auth::user() and auth()-user() all return null.
$request->session()->all() returns just a "_token" field, and $request->session()->has('users') and $request->session()->has('user') both return false.
Context:
This only occurs on my production server (I've tried both a Laravel Forge server and my own server with setting up Nginx manually).
This is a SPA backend, using Laravel 8. Using Laravel's built in Sanctum authentication. Using database session driver (although I've tried all the others, the driver does not seem to be the issue, and I can see the sessions in my database).
My session config currently (although I have tried other configs to no avail):
same_site = 'none'
domain = null
secure = true
http_only = true
What I've Tried:
Countless google searches, have not found any issues or solutions that seem to apply to my situation.
I have tried digging into the session and request objects immediately before and after the problem occurs (as described in the problem section) and have not gotten any useful information that way.
I have tried playing around with the session config... changing the "same-site", "secure", etc. variables.
I have found the problem, turned out to be extremely simple/silly: I had to add the \Illuminate\Session\Middleware\AuthenticateSession::class middleware to my route (specifically for me, in this case it was to the 'api' middleware group).
I am using laravel 5.1 with Sentinel - Cartalyst auth driver. Problem is that Laravel can't "keep" users logged in. After some time (when they visit website) it automatically kicks them out with error that they are not logged in (I have filter that checks if user is logged in for every route expect login route). It really bugs me and I can't fix it.
I tried using cookies, file and database driver for keeping login sessions and they all fail.
Does someone knows how to deal with this problem? I am bulding project for Intranet users (under local domain)... Maybe that could be problem? Also I notice that cookies expiration time is current datetime that laravels sets for max expiration time.
Are you sure you imported the correct namespace path to Cartalyst? I had an issue with sessions not persisting and it was caused by importing the native php Cartalyst class rather than the laravel one. It should be something like Cartalyst\Sentinel\Laravel\Facades\Sentinel::class
I have 3 working apps that I am moving from one production server to another. All 3 of the apps use Auth. All 3 work fine on the original server. On the new server, one of these apps works as it should (it happens to be CakePHP 1.3) i.e. after logging in the user's session data (like user name and role) is available in my PagesController after the redirect.
On the other 2 apps (one is 1.3 and the other is 2.3), after the login redirect, the session data seems to be gone. I have confirmed this by debugging $this->Auth->user() in the PagesController. I have also confirmed that the session data IS there after the call to $this->Auth->login() in the UsersController but is gone after the redirect.
Because these are apps that I have been using for years, I am confident that the problem is some configuration issue on the new server - something like a directory permission. I have reviewed all permissions and can't find a problem. I have compared the permissions on the one app that works to the ones that don't and I'm stumped.
Any suggestions?
Try with ob_start() or session_start() in the top of the AppController before starting the class.
Thanks..!
I have also posted this question and workarounds on the CakePHP Google group and added more detail. Please go to:
https://groups.google.com/forum/#!topic/cake-php/ORfK1b9AYTU
The problem is that sessions are not starting after the redirect. The work-around is to call CakeSession::start() in AppController in beforeFilter() , although this should not be necessary.
Ken
I am working on a project using zend framework, php, mysql on ubuntu.
I have created hostname test.dev on my local machine and using zend authentication. When an user is authenticated using zend authentication, I set session variable for logged in user id. I use this session variable(userid) on different pages to sure authentication.
Question:
Now I have to create a subdomain. I have created a new hostname mypage.test.dev on my local machine. Both hostnames are pointing to same directory, for example /var/www/test/public. But when I login on test.dev, I have to login again on subdomain mypage.test.dev. Even session variables of test.dev are not accessable on mypage.test.dev.
How can I login on all subdomains using one login?
Thanks.
Session variables are stored specific to each specific domain address. And so if a website is coded poorly and you login to http://mydomain.com and then later access the site as http://www.mydomain.com, you will encounter the same error.
One possible solution to this is to setup a webservice that allows you to access the other domain and retrieve any stored session variables as well as authenticate the user. So for example, if I login to test.dev and then later go to mypage.test.dev, a call will be issued to test.dev/auth-service/ by mypage.test.dev to authenticate the user and if it is successful, then return all stored session variables so that they can be stored by mypage.test.dev.
Perhaps a cleaner approach would be to always access session data only from one domain or the other and to always access it strictly through the web service so that the interface to session data remains consistent across both sites. This does present a possible performance though since it is obviously faster to simply access session directly rather than through a web service.
You are looking for this:
http://blog.pracucci.com/2008/09/24/zend-framework-and-session-cookies-across-subdomains/
After some time I have got my solution.
I added following line into config.ini
session.cookie_domain = .test.dev
then added the following line into Bootstrap.php
Zend_Session::setOptions( $this->getOption('session') );
and session variables are working for all subdomains of test.dev