I'm trying to share sessions between two CakePHP apps that are on different subdomains. One is CakePHP 2 and the other is CakePHP 3.
What I have so far:
The two apps are reading sessions from the same database table.
The two apps are writing the session cookie "CAKEPHP" to the root domain. I have an ini_set('session.cookie_domain','.domain.com'); at the top of core.php and app.php respectively.
Both apps have the same Security.salt value.
What is the problem?
When I open CakePHP 2 in one tab, it generates a session cookie with one value. But when I open CakePHP 3 in another tab, it generates another value for the session cookie. So, when I log in on cake2 and then refresh cake 3 in another tab, the session on cake2 gets lost.
When researching, I saw that CakePHP 3 encrypts the session cookie and cake2 does not... But I'm not able to see where I can make cake2 use the same encryption as cake3, or disable encryption on both, if that will not cause security issues.
Can you help me with this?
Related
I'm trying to use CI3.0.4 to test with cookies: if clients have disabled their cookies, I will never let them come to the web pages.
But when I try to disable cookies, CI generates 4 session files, 3 of which are zero size.
And another thing: when my session expires, CI generates another file and keeps the old session files, so is this a good idea? If I use this website for more than 2 or 3 years I will get more files on my website, and in the database too.
I have two websites in Laravel (website1 and website2) on the same server and I'm using one database.
Both have their own login access. When I log in to website1 and then log in to website2, I lose access to website1.
I created just one database because I'm using the same information on each website, like users and groups. Is it possible to log in to each website at the same time without losing access to the other?
Thanks
Use the cookie as session driver and set different cookie prefixes for your Laravel applications. Don't forget to clean your browser's cache and cookies.
I have a website with a PHPBB 3 forum. The website's authentication mechanism is based on PHPBB. I have migrated the site to a new dedicated server where I created an Ubuntu VM on HyperV. When I try logging in to the new site, multiple cookies of the same name are set. These are the auto login (k), user (u) and session ID (sid) cookies. Only 1 set of these cookies tells us that the user was authenticated. I have attached two screenshots of the response headers (one from the old host & one from the new one).
Is there a PHP setting I can toggle to prevent this? The PHP files and database are identical between the two hosts. I tried fiddling with the PHP cookie name setting in the config table, clearing caches & session tables. But nothing seems to help.
Strangely though, if I manually add the sid as query string to the web page, I am shown as being logged in.
[Screenshots of the response headers: New Site, Old Site]
It looks like the cookie path is set right... Are you, or a select few, the only ones with this problem? If so, I would first try to clear all those cookies from the browser and start over. I've solved many a cookie problem with phpBB like that. A second option is to go into the admin panel and change the cookie name. That will invalidate all login cookies and kick everyone off the board... but they should be able to log in afterward.
I'm doing some basic integration between a CakePHP app and some external code. I want the external code to know if a user is logged in. The external code does not load CakePHP, so I thought I would access that data directly using $_SESSION, but when I dump it, it's an empty array, even when I'm logged into CakePHP.
Am I missing something? Why isn't the session data from CakePHP showing up?
You might need to play with your session ids and session name variables to get your external code to load the CakePHP session information.
For example, you will almost certainly need this:
session_name('CAKEPHP');
and you might need to pass across the session id from Cake, and possibly set the session save path as well.
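The approach in this answer, as an added example that is not part of the original post: an external script attaching read-only to a file-based CakePHP session. The function name, the save path and the use of `Auth.User` as the login key (AuthComponent's default) are assumptions.

```php
<?php
// Added example, not CakePHP code. Assumptions: PHP 7.1+, CakePHP keeps its
// sessions in PHP's file format under $savePath, and AuthComponent stores the
// logged-in user under its default key, $_SESSION['Auth']['User'].

function cake_session_user(string $savePath, string $cookieName = 'CAKEPHP'): ?array
{
    $id = $_COOKIE[$cookieName] ?? '';

    // The id comes from the browser: accept only PHP's session id alphabet,
    // so it is safe to use in the file name check below.
    if (!is_string($id) || !preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
        return null;
    }

    // Only attach to a session the application already created. Starting a
    // session for an unknown id would let a visitor pick their own id.
    if (!is_file(rtrim($savePath, '/') . '/sess_' . $id)) {
        return null;
    }

    // Read-only consumer: never emit a Set-Cookie that could compete with
    // the one CakePHP issued.
    ini_set('session.use_cookies', '0');
    session_name($cookieName);
    session_save_path($savePath);
    session_id($id);

    // read_and_close loads $_SESSION and releases the file lock at once,
    // without writing anything back.
    if (!session_start(['read_and_close' => true])) {
        return null;
    }

    $user = $_SESSION['Auth']['User'] ?? null;
    return is_array($user) ? $user : null;
}

// Hypothetical path; point it at the directory CakePHP writes sessions to.
$user = cake_session_user('/path/to/app/tmp/sessions');
echo $user === null ? "not logged in\n" : "logged in\n";
```

If CakePHP is configured with the database session handler, the files above do not exist and the external code needs a matching handler instead.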
You can read http://bakery.cakephp.org/articles/admad/2009/09/02/how-to-bend-cakephp-s-session-handling-to-your-needs
It will explain how to bend your CakePHP session according to your needs.
OR
You can see one more link which will solve your problem: Use cakephp session with two different domains
Hope these two links will solve your problem!
I need to implement a solution for one of my projects, where I have multiple domains + multiple sub-domains and they all need to share the same session. All domains and sub-domains would be pointed to a single application which is connected to a single database.
This means a user who has logged in from any of the domains will be able to visit secure pages on the other domains of the application. The user may change domain by following a link or by opening a new tab in the browser.
I have gone through some articles and found the solutions mentioned below:
Session in Database - What if another user from the same network with the same user agent hits?
iFrame message passing - I heard somewhere that the iFrame renders on document load, and then checking the session after showing some page content will annoy the user.
CURL request with CURLOPT_COOKIEFILE & CURLOPT_COOKIEJAR - I have played with this and it is working fine, but I don't know if it is secure and not a performance killer.
Single Sign On (SSO) - I need some R&D to implement this and it would be the last option.
Please suggest what to do?
Just to verify I am not wrong, you need to share the user session across all your applications.
As rightly said above, you may use the 4 options above. However, I would like to focus on the first option, which is putting the session in the DB, and would like to suggest another option: keeping sessions in a shared directory or server.
Sessions in DB - The answer to your question (What if other user from same network with same user agent hits?) is that you will have a different session id value to uniquely identify each row in the table. So, no need to worry about it. But the disadvantage is that a DB connection would be required and a query would be fired each time a session is initialized, i.e. for every single page.
Sessions in shared directory/server - Configure all your applications in such a manner that they all store sessions at a shared location. The shared location can be either a directory or a secured server. This can easily be achieved by using session_set_save_handler.
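One way to implement the shared-directory option with `session_set_save_handler`, as an added example that is not part of the original answer. It assumes PHP 8; the class name and the demo directory are hypothetical.

```php
<?php
// Added example (PHP 8+). Class name and directory are hypothetical.
final class SharedDirSessionHandler implements SessionHandlerInterface
{
    public function __construct(private string $dir)
    {
        // 0700: only the web server account can list or read session files.
        if (!is_dir($dir) && !mkdir($dir, 0700, true)) {
            throw new RuntimeException("cannot create session dir: $dir");
        }
    }
    private function path(string $id): string
    {
        // The id comes from the cookie: allow only PHP's id alphabet so a
        // value like "../../x" cannot escape the session directory.
        if (!preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id)) {
            throw new InvalidArgumentException('malformed session id');
        }
        return $this->dir . '/sess_' . $id;
    }
    public function open(string $path, string $name): bool { return is_writable($this->dir); }
    public function close(): bool { return true; }
    public function read(string $id): string|false
    {
        $file = $this->path($id);
        return is_file($file) ? (string) file_get_contents($file) : '';
    }
    public function write(string $id, string $data): bool
    {
        $file = $this->path($id);
        return file_put_contents($file, $data, LOCK_EX) !== false && chmod($file, 0600);
    }
    public function destroy(string $id): bool
    {
        $file = $this->path($id);
        return !is_file($file) || unlink($file);
    }
    public function gc(int $max_lifetime): int|false
    {
        $removed = 0;
        foreach (glob($this->dir . '/sess_*') ?: [] as $file) {
            if (filemtime($file) + $max_lifetime < time() && unlink($file)) { $removed++; }
        }
        return $removed;
    }
}

// Each application registers the same handler before session_start().
// Demo path only; use a directory that only the web server user can read.
session_set_save_handler(new SharedDirSessionHandler(sys_get_temp_dir() . '/shared-sessions-demo'), true);
```

This shares storage only: the browser still has to send the same session id to each host, which a cookie can do across subdomains but not across unrelated domains. Unlike PHP's built-in file handler, this class holds no lock between read and write.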