For some reason my site is doing a 307 redirect. It used to have validation in CodeIgniter, so that if a user was not logged in it would redirect. However, I took away this validation so that now any person can access that page. Nonetheless, a 307 redirection now appears and I can't take it away. The CI cookie is still called, so I'm guessing that the validation and redirect are still cached somewhere, but I don't know how to remove it, nor can I find any information on Google on how to refresh the cache, if that's what it is.
Here is the header info:
Note: the redirection used to happen inside the controller, not in a .htaccess file. I used sessions for the user validation. I'm not posting it because it's no longer in the file; however, if you need to see it, just let me know and I'll update my question.
Also, it would be nice if you could explain the downvote to me. I know this question isn't a duplicate because I haven't found it anywhere. Thanks!
Without seeing the controller code in question, I can only make a guess: if you did indeed remove the redirect from the controller, then it could be cached. Try a different browser, or refer to your browser's documentation for clearing cookies/cached data.
Not really clear from the question, but I would use a cookie manager extension like this one and clear the session cookie. You can find the name of the session cookie in config.php:
$config['sess_cookie_name'] = 'your_session_cookie_name';
When you delete the session cookie and refresh the page, CI will (in the background) call the session_destroy() method and create a new session, so deleting the session cookie from the client will oblige the server to generate a new session.
That being said, if destroying the session doesn't help, we can't really answer without seeing the controller.
I solved my problem but I don't know why it works. I was hoping someone could shed some light?
I have a WordPress site. If a new user visits the site, they see a generic element on the homepage. When they visit an internal page, a cookie is created. When the user visits the homepage again, they see a customized element based on the cookie.
The problem I was having was that when the user returned to the homepage from an internal page, even though the new cookie was set with the right value, the $_COOKIE superglobal was not reset until a refresh was performed. You could navigate to as many different pages as you'd like, but still the superglobal was not reset until a literal refresh was performed. This was using both setcookie() and setting the superglobal directly.
This was fixed by adding session_start() to the header. I thought session_start() affected the $_SESSION superglobal. Why did this solution also affect the $_COOKIE superglobal?
Why did this solution also affect the $_COOKIE superglobal?
Most likely it didn't, not directly - but by sending different headers regarding caching, it influenced how your browser was instructed to check for changes when displaying the same URL again, whereas before you simply got a stale copy presented from the cache.
It just seemed odd to me that cookies would be cached as well.
Well, not the cookie itself got "cached", but the document in which you made any output depending on the cookie was. You still saw the first version of the page you loaded; the PHP code behind this was not executed again, because the browser did not actually request the URL from the server again.
But when the server sent a response header the first time the page was loaded indicating that this page should not be cached (or that the client should check with the server before displaying the resource again), it caused the browser to make a new request when you returned to the page.
I have an application where the login and logout works correctly. Once the user logs out, and tries to access a page he needs authentication for, he is redirected to the login screen.
Here is where my problem lies: if, while I am logged in, I copy the cookie values and save them in a file, then after logout I alter the cookie and add the same values, I get logged back into the application as the same user.
On logout I have written a function that loops over all the cookies and deletes them.
My understanding is that cookies are both on the client and also on the server side. So if the cookies are getting deleted, they are getting deleted on both sides, and the server would not recognize them after they have been cleared, even if the browser sends them back again (apparently that is not the case, I think).
The reason why I am doing this is because this is one of the points raised by our security auditor, and I need to get a way to fix this hole. (At this point doing https is not feasible)
I'd be happy if someone can give me pointers on how I can clear out the cookies on the server side as well, so, when the next time someone hits the server with the same cookie, it does not accept it as a valid cookie.
Edit:
I am using codeigniter sessions and tank_auth as the authentication library. At logout, the library itself calls
$this->ci->session->sess_destroy();
To be extra sure, I tried the following after a few attempts:
```php
session_start();
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(), '', 0, '/');
session_regenerate_id(true);
```
My regular logout works, and if I try to access the page directly it does not open.
But if, while I am logged in, I take my cookie, save it somewhere, log out successfully and replace the cookie with my older one, I get right back into the session.
Is there a way to stop this behavior, where the server side will not entertain a session after it has been destroyed? I also made sure that my server and PHP are on the same timezone (setting it with date_default_timezone_set).
Cookies are not stored on the server at all. They are stored in the browser and then sent to the server in the request headers. You can easily find software and plugins for browsers that allow you to create/edit/delete cookies. For that reason you should never store sensitive information in cookies. Essentially what you want to do is store the user data in a session and then store the session name in a cookie. Usually this is done automatically in PHP when you use the function session_start().
If you are using CodeIgniter, the PHP session functions are wrapped in a CI session library that is auto-loaded on each page load. So instead of storing data in $_COOKIE you will want to get/set your data via the userdata method in the session library:
```php
// in your controller

// save session data
$userdata = array(
    "isLoggedIn" => true,
    "username"   => $_POST['username']
);
$this->session->set_userdata($userdata);

// get session data later
$isLoggedIn = $this->session->userdata("isLoggedIn");
if (!$isLoggedIn) {
    // if the user is not logged in, destroy the session and send to the login screen
    $this->session->sess_destroy();
    redirect("/");
}
```
Note that the code above is not tested and is only supposed to give you an idea of where to go. If the session methods aren't working for you, you may need to load the library manually:
```php
// in the __construct method of your controller:
$this->load->library("session");
```
You can find more information here:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
and here:
http://www.php.net/manual/en/book.session.php
Thanks for your answers, guys.
This is what I figured out later. I am not sure what was causing this, but the sessions were not getting invalidated after trying everything. I moved the sessions in CodeIgniter to the database. Then the logouts started working correctly: after logout, if the 'stolen'/'saved' cookie was put in the browser again, it would not log the user back in.
So, that's what solved it.
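Added example, not code from the question or the answers above: what moving sessions to the database gives you is a server-side record that logout can delete, so a cookie replayed afterwards has nothing to match. This models CodeIgniter's database sessions with an in-memory SQLite table; the table and column names are assumptions for the demo.

```php
<?php
// Added example: server-side session store, so logout invalidates the id itself.
// Table/column names are assumptions modelled on CI database sessions.
declare(strict_types=1);

final class DbSessionStore
{
    private PDO $db;

    public function __construct(PDO $db)
    {
        $this->db = $db;
        $this->db->exec('CREATE TABLE IF NOT EXISTS ci_sessions (
            session_id TEXT PRIMARY KEY, user_data TEXT NOT NULL, last_activity INTEGER NOT NULL)');
    }

    // Login: mint a fresh, unguessable id and keep the user data on the server.
    public function login(string $username): string
    {
        $id = bin2hex(random_bytes(16));
        $stmt = $this->db->prepare('INSERT INTO ci_sessions VALUES (?, ?, ?)');
        $stmt->execute([$id, json_encode(['username' => $username, 'isLoggedIn' => true]), time()]);
        return $id; // this is the only thing that goes into the cookie
    }

    // Validation: the id presented by the browser is valid only while a row exists.
    public function userFor(string $id): ?array
    {
        $stmt = $this->db->prepare('SELECT user_data FROM ci_sessions WHERE session_id = ?');
        $stmt->execute([$id]);
        $row = $stmt->fetchColumn();
        return $row === false ? null : json_decode($row, true);
    }

    // Logout: delete the server record (what sess_destroy() does with DB sessions).
    public function logout(string $id): void
    {
        $this->db->prepare('DELETE FROM ci_sessions WHERE session_id = ?')->execute([$id]);
    }
}

$store  = new DbSessionStore(new PDO('sqlite::memory:'));
$cookie = $store->login('alice');   // constructed sample user
$saved  = $cookie;                  // the copy "saved in a file" from the question
var_dump($store->userFor($cookie) !== null); // bool(true): logged in
$store->logout($cookie);
var_dump($store->userFor($saved) !== null);  // bool(false): the replayed cookie is rejected
```

With file- or cookie-based sessions the same replay works as long as the old data still exists wherever it was stored, which is why only the server-side delete closes the auditor's finding.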
Sorry if this is a silly question but lately I've been designing a site for a client and something strange has been happening with my sessions.
The site has a PayPal button which redirects the user to PayPal so they can confirm a payment, before being redirected to the site again.
Before the user is redirected, a load of session variables are saved. Some of them are to do with PayPal, others are to do with things on my site such as a variable to determine which user is logged in, their shopping cart items, etc.
Now, here's where things have been going wrong...
The user is redirected from checkout.php to PayPal. Before they're redirected, all session variables for the site are present (shown by var_dump and print_r). This is fine.
The user returns from PayPal to orderreview.php, but var_dump and print_r now show that the site session variables are missing, but all PayPal ones are there.
I fixed this problem by removing "session_start();" from the top of orderreview.php.
So my question is, why did removing that line fix the issue? Why wouldn't it work before?
I thought I understood PHP sessions but clearly I don't understand them as well as I thought.
I'd read this somewhere:
"As of PHP 4.3.3, calling session_start() while the session has already been started will result in an error of level E_NOTICE. Also, the second session start will simply be ignored."
So I was under the assumption that calling session_start at the top of the script wouldn't affect anything if a session was already started earlier.
Thanks for any answers, once again I apologise if this is a silly question.
That may be because you have been redirected to another site during the process. And when you return from PayPal to your website, session_start() generates a new session id which your previously stored session variables are not linked to.
And when you removed session_start() (I don't think the session should work without this at the top), it used the old session id and never got regenerated. Hence, the old session data are back!
This is just my assumption.
I have a problem with cookies.
Basically I'm trying to store the user's session ID as a cookie like so:
setcookie("CheckoutSessionID",session_id(),time()+3600);
This works fine on my site, the cookie has the correct value and is valid for long enough. However, my site redirects to PayPal so the user can confirm a payment. The user is then redirected back to my site. It's when the user is redirected back to my site that ALL cookie variables are gone.
As in, print_r($_COOKIE), var_dump($_COOKIE) etc have no values. This only occurs after being directed to and from PayPal.
Any ideas as to why this is happening?
Thanks in advance for all help, I'm stumped!
Okay I've been digging quite deep and realised that an earlier question of mine is related:
PHP sessions and session_start()
Basically I had problems because PHP sessions were being deleted when I went to PayPal and back. However, I believe this was actually caused by the session COOKIE being destroyed, not the entire session.
I also found this topic here: Do PHP sessions get lost when directing to a payment gateway?
The answer given by someone suggests using a GET request with the return URL to send data back, instead of using cookies or sessions.
The whole reason I was using a cookie in the first place was to save the user's session ID, as the sessions weren't working properly, so basically I've just made my return URL something like this:
mydomain.co.uk/mypage.php?SessionID=[session ID goes here] and then obtained it then set the user's session ID to it.
Sorted! For now... I mean I'll probably end up hitting another brick wall due to cookies/sessions not working properly.
Thanks everyone for your help :)
Actually, whatever is happening (the cookie being empty) is logically right. When you submit a page/make a request, the browser sends the cookie from the client's computer with the request, so that you can find the cookie in the cookie variable.
But once you redirect the user to another external page/site and come back again to your page, then you should not get the cookie in the cookie variable because (in your case) when the user is getting back to your site from PayPal, PayPal is not submitting the cookie with the request.
In this case you can save your data in the database before you redirect the user to PayPal, and once the user comes back to your site you can retrieve that data from the database.
I got a similar problem: cookies being removed after the redirect from PayPal.
It took me a while to figure out where the problem was.
**SameSite="Strict"** // removes cookies after the redirect from PayPal.
**SameSite="Lax"** // does not remove cookies after the redirect from PayPal.
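Added example, not code from the answer above: the two SameSite settings side by side on the PHP session cookie and on the hand-made CheckoutSessionID cookie from the question. It assumes PHP 7.3 or later (array form of setcookie and session_set_cookie_params) and a site served over HTTPS, which the Secure flag requires.

```php
<?php
// Added example: SameSite choice for cookies that must survive the return
// from PayPal. Assumes PHP 7.3+ and HTTPS; the flow itself is from the thread.
declare(strict_types=1);

// Attributes shared by both variants: HttpOnly keeps the id away from scripts,
// Secure keeps it off plain HTTP, path '/' covers the whole site.
function sessionCookieOptions(string $sameSite): array
{
    return [
        'lifetime' => 0,      // session cookie, dropped when the browser closes
        'path'     => '/',
        'domain'   => '',     // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => $sameSite,
    ];
}

// Breaks this flow: Strict withholds the cookie on every request that starts
// on another site, and the redirect back from PayPal is exactly such a request,
// so orderreview.php sees an empty $_COOKIE and starts a brand-new session.
$breaksPayPalReturn = sessionCookieOptions('Strict');

// Works for this flow: Lax sends the cookie on top-level GET navigations from
// other sites (the PayPal return) while still withholding it from cross-site
// POSTs and subrequests, so the CSRF protection the attribute exists for stays.
$survivesPayPalReturn = sessionCookieOptions('Lax');

session_set_cookie_params($survivesPayPalReturn); // must precede session_start()
session_start();

// The CheckoutSessionID cookie from the question gets the same attributes.
setcookie('CheckoutSessionID', session_id(), [
    'expires'  => time() + 3600,
    'path'     => '/',
    'secure'   => true,
    'httponly' => true,
    'samesite' => 'Lax',
]);
```

If PayPal posts the customer back instead of redirecting with a GET, Lax withholds the cookie as well; then the order state has to live server-side, looked up by an order token carried in the return URL, as the database suggestion above describes.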
I am having a really unusual problem I have never had before. I have a signup page/form and a processing page that the form submits to. On the processing page I collect any errors that are in the user data, like empty fields, and set them in a session var array:
$_SESSION['signup_errors'] = $signup_errors;
$signup_errors is an array that I set in the session. I can then access that session data on the same page, but I just changed my site around to use mod_rewrite to change the URLs, and on my signup form I cannot access these session variables anymore. The only thing I can think of is that now that I use mod_rewrite the URL looks like domain.com/account/new, whereas it used to be domain.com/?p=account.new, so now it appears to be in a different folder. Could that have something to do with it?
I have tried debugging it a lot, and the only thing I can come up with is that maybe because it appears to be a different directory now because of mod_rewrite, that makes the session inaccessible?
Are you sure you're starting sessions on every page you're accessing? I would check to make sure there's
session_start();
wherever necessary.
Also, what does
print_r( $_SESSION );
return? Anything at all? If not it would probably indicate what I was saying.
I would check that you're not changing domains, e.g. domain.com -> www.domain.com.
Normally a cookie is used to track the session id, and by default the cookie is tied to a single domain. I.e., if the session was created at www.domain.com, when you visited login.domain.com the cookie wouldn't be sent, resulting in no session information.
It happened to me once; maybe you have a similar scenario. The session variable was temporary and I would destroy it once it was output to the screen.
With mod_rewrite, if you are routing everything and there is a broken image, that might be redirected to your PHP script as well; it would in the background print out the error and destroy that session var.
Just a thought!