Laravel 5.3: Session cookie is still valid after logout - php

This is an experiment on a fresh Laravel 5.3 project (default authentication); the basic auth flow works perfectly.
Step A: Obtain the Laravel session cookie
Open the auth URL in a normal browser window. After the successful login I can see the Laravel session cookie (i.e. laravel_session) in the browser's cookies section; I just copied that value.
Application state: Logged in
Step B: Obtain authentication using the same session cookie in an incognito browser window
Opened http://localhost/finde/public/login (the login URL for the application) in an incognito window, and in it I added the laravel_session cookie obtained from Step A via the browser console.
Now I am able to access the http://localhost/finde/public/home URL with the session cookie obtained from Step A.
Application state: Logged in
Then I go back to the Step A window and log out of the application, so the session cookie is now invalid?
But when I come back to the http://localhost/finde/public/home URL in the incognito window and refresh it... oops, it's still accessible.
But why is this session cookie still valid?
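The cookie itself is never "invalidated" on the client that copied it; what matters is whether the server-side session record the cookie's id points at still exists and still holds the login. The following is an added example, not code from the question or from the Laravel project: a logout action for a Laravel 5.3 app with the default auth scaffolding that destroys the old session record on the server, so a previously copied laravel_session cookie stops working after logout. It assumes the stock 5.3 logout flushes the session and calls regenerate() without destroying the old session id, and that Store::invalidate() is the method that flushes and migrates with destroy=true; the controller name and the redirect target are the default scaffolding's.

```php
<?php
// Added example (not from the question): a Laravel 5.3 logout action that
// deletes the server-side session record, so a copied laravel_session cookie
// cannot be replayed after the user logs out.
//
// Assumptions: Laravel 5.3 with the default auth scaffolding; this logout()
// overrides the one inherited from the AuthenticatesUsers trait in
// App\Http\Controllers\Auth\LoginController. invalidate(), regenerate()
// and regenerateToken() are methods of Laravel's session Store.

namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\AuthenticatesUsers;
use Illuminate\Http\Request;

class LoginController extends Controller
{
    use AuthenticatesUsers;

    /**
     * Log the user out and destroy the current session on the server.
     *
     * $this->guard()->logout() removes the user from the guard, but the
     * session entry keyed by the OLD session id is what a copied cookie
     * resolves to. regenerate() alone migrates to a new id without
     * destroying the old one, so the old record (file, database row,
     * redis key, ...) keeps the logged-in state until garbage collection.
     * invalidate() flushes the data and migrates with destroy=true, which
     * deletes the old id from the session handler.
     */
    public function logout(Request $request)
    {
        $this->guard()->logout();

        // Flush all session data and destroy the old session id server-side.
        $request->session()->invalidate();

        // Issue a fresh CSRF token for the now-anonymous session.
        $request->session()->regenerateToken();

        return redirect('/');
    }
}
```

To check the fix, repeat Steps A and B: after logging out in the normal window, a refresh of http://localhost/finde/public/home in the incognito window should be redirected to the login page, because the id inside the copied cookie no longer exists on the server. Note that this only covers the session cookie; a "remember me" cookie, if one was copied as well, is a separate credential and is not covered by this example.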

Related

Why does my Symfony native Session change?

I'm using the Symfony Session component with NativeStorage.
The initialization is very simple (the session property has type Symfony\Component\HttpFoundation\Session\Session):
$this->session->start();
I'm facing a session issue during payment redirects: my application redirects the user to PayPal payment, and if the user pushes the "abort" link on the PayPal page they are redirected to the abort page of the initial application.
During this second redirect the session is somehow refreshed and a new cookie and session id are activated.
I'm working with Firefox without private mode. I have tried to open the page manually in a new browser tab, but the session is discarded in the same way.
What can cause a session expiration during a page redirect? The cookie generated is the standard cookie made by the Symfony Session class and PHP.
Domain and protocol (https) don't change. The URL path changes from the initial page to the abort page.
UPDATE:
The issue seems to be connected to Firefox.
I have tested it with Chrome and it works, and I have tested the case with Firefox in private mode and it works... so I guess something is wrong with my Firefox sessions.

SSO Logout and login issue

I am trying to implement login functionality using SSO.
I have done login and logout successfully.
The problem is that I need to redirect to the SSO login page at the time of logout from my application. That is done, but now when I paste my application URL in the browser, it redirects me to the SSO login page rather than my application page.
If I remove the cookie from the browser through settings, it redirects me to my application login.
I have tried to remove the cookie through code, but no luck:
Yii::$app->response->cookies->remove('XYZ', true);
Can anyone please point me in the right direction?
We can't log in to my application unless we clear the browser cookies / reopen the browser.
Framework: Yii1
Library used: oneLogin

Identity cookie in user authentication deleted right after login

I am developing a web app and have been running into some problems with the user authentication implemented in Yii2's Advanced Template.
The thing is, it runs fine locally, but on the production server the login doesn't seem to work properly. It validates the data correctly (user and password), and if they match an entry in the database I can track via Chrome's F12 tools that I have been redirected to the index page, as expected. The problem is that, after being redirected to the index page, it redirects me back to the login page (as if I wasn't authenticated). Inspecting the browser's cookies I can see that the identity cookie used by Yii2 is already marked as 'deleted' at this point.
What may be the problem? Is Yii2 not being able to save the state of the user perhaps? How can I try to debug that?

PHP Session resumes after browser close with new PHPSESSID in Firefox

In Firefox (and Microsoft Edge) I'm seeing something that I assume is impossible.
I log into my website and get a PHPSESSID of 6a47272fa6d7b4de2292966bf77ddb51
I close Firefox
I reopen Firefox and I can see in the options that my website has no cookies set (as I expect)
I visit website again without Logging in and my session is still active (I'm still logged in) but my PHPSESSID is now 7d4117307c86faa7ea9dc7afe6b4b720
I'm not looking for a fix. I just want to know how this behavior is possible. How could PHP know which Session to resume if Firefox is not sending a PHPSESSID after the browser closes?
I don't see this happen in Chrome (the user needs to log in again as you would expect), but I do see it happen in Microsoft Edge.
After paying very close attention to my network tab in Firefox, I discovered that neither PHP nor Firefox remembered that I was logged in.
Rather, my website was redirecting me to Google Sign-In, and Google Sign-In has non-session cookies that remembered I was logged in. So it quickly redirected me back to my website, creating a new logged-in session for the same user.
It was happening so fast that I could not tell I was being redirected to Google until I watched the network tab.
Thanks Axalix for the suggestion.

iframe session issue for the first time

I have an application in PHP and provide a service to another client. They have put our link in an iframe on their site page. The problem is with session establishment. It works great in Google Chrome, Firefox and IE 8, but it is creating a problem in IE 9. The first time the page is opened, the session is not established in our application, but if the page is refreshed then the session is established.
If I copy the iframe link into the IE9 address bar, the session is also established. I have not used any domain for our application; I just gave them the public IP to use.
For the session, the client sends its details along with our page and we authenticate and establish the session on our server. Our session is different from the session used by the client. The application is hosted on our own server.