I've lost a day and a half now trying to figure out why Yii is deleting all of the session data after I go to Twitter's OAuth page and back to my redirect.
Here is the main SiteController, where I go to Twitter. Here I am trying to save the oauth_token and token_secret values, so I can use them on the redirect controller.
function actionTwitter()
{
$consumerKey = "";
$consumerSecret = "";
$connection = new TwitterOAuth($consumerKey, $consumerSecret);
$request_token = $connection->oauth("oauth/request_token", array("oauth_callback" => "http://127.0.0.1/yii/?r=redirect&type=twitter"));
$oauth_token=$request_token['oauth_token'];
$token_secret=$request_token['oauth_token_secret'];
Yii::app()->session['token'] = $oauth_token; // This doesn't save!!
Yii::app()->session['token_secret'] = $token_secret; // This does not save!!
$url = $connection->url("oauth/authorize", array("oauth_token" => $oauth_token));
$this->redirect($url);
exit(); // some people have said I need to exit the session first after I redirect, but it doesn't help at all.
}
Here is my RedirectController, which is a separate controller and not in the main SiteController:
public function actionIndex()
{
$type = $_GET['type'];
if ($type == "twitter")
{
$token = Yii::app()->session['token'];
print($token);
}
}
I also have the session autostart set to true in my config file.
Thoughts on why it isn't working / stuff I have read about:
Twitter's site is HTTPS, and I am on localhost (which isn't HTTPS). For some reason that I forget this will make the session lose data when I redirect. If this is the case, how do I fix it without using HTTPS?
When I create new CHttpCookies they do not save either, I can't retrieve the value
I have tried Yii::app()->user->setState instead, which isn't working either.
I found the solution. It did not work because I was using 127.0.0.1 for the redirect, instead of the standard localhost. I changed that and all is working now.
Related
I want to log a user programmatically to magento admin. The admin page is in an iframe and it have to redirect automatically to the admin dashboard without authentication. I used a code found in a ancient post and it matches with the magento core source. The code is :
umask(0);
$app = Mage::app('default');
Mage::getSingleton('core/session', array('name' => 'adminhtml'));
// supply username
$user = Mage::getModel('core/factory')->getModel('admin/user')->loadByUsername($loginadmin);
if (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
Mage::getSingleton('adminhtml/url')->renewSecretUrls();
}
$session = Mage::getSingleton('admin/session');
$session->setIsFirstVisit(false);
$session->setUser($user);
$session->setAcl(Mage::getResourceModel('admin/acl')->loadAcl());
Mage::dispatchEvent('admin_session_user_login_success',array('user'=>$user));
if ($session->isLoggedIn()) {
//Redirection vers le dashboard
$url = "index.php/admico/dashboard";
header('Location: '.$url);
}
When I var_dump()the data, the user exists and it have all the informations like firstname, id, etc and it's all correct. The code go inside the last if and redirect to 'index.php/admico/dashboard' so the $session is correctly logged in. But, anyway, the frontpage display the connection form as if the session was not logged in and not the dashboard of the admin.
Can someone help me to figure out what's wrong please ?
Perhaps when the window is redirected in your last conditional, the iframe cannot access that login session on your website. I see that you are using the PHP header function. The only possible solution that I can think of is by getting the SID of the login session and using that as a URL parameter. So some edited code inside your conditional would look something like this:
$SID=$session->getEncryptedSessionId();
$url = "index.php/admico/dashboard?SID=" . $SID;
If that doesn't work, you can try using the PHP function setcookie() with $session as the stored data and then try the redirect. You can find documentation for that here. That's all that I've got for you. If this doesn't work, try looking at this and see if there is anything that may help you. Best of luck!
I have made two changes in the code and it is working fine for me on firefox, safari and chrome. I also cleared up my cookies before I attempted this code.
test.php
<iframe src="http://localhost.site/test_login.php" width="100%"></iframe>
test_login.php
<?php
require 'app/Mage.php';
umask ( 0 );
Mage::app ( 'admin' );
Mage::getSingleton('core/session', array('name' => 'adminhtml'));
// supply username
$user = Mage::getModel('admin/user')->loadByUsername("USERNAME");
if (Mage::getSingleton('adminhtml/url')->useSecretKey()) {
Mage::getSingleton('adminhtml/url')->renewSecretUrls();
}
$session = Mage::getSingleton('admin/session');
$session->setIsFirstVisit(false);
$session->setUser($user);
$session->setAcl(Mage::getResourceModel('admin/acl')->loadAcl());
Mage::dispatchEvent('admin_session_user_login_success',array('user'=>$user));
if ($session->isLoggedIn()) {
//Redirection vers le dashboard
$url = "/admin/dashboard/";
header('Location: '.$url);
}
I have run in to the following problem regarding XSRF tokens.
Client: AngularJS
Server: PHP
When the index.php is hit, PHP generates an XSRF token and saves it in a session.
A cookie is set with same value.
AngularJS reads the cookie and stores the value.
On subsequent POSTS, the XSRF token is sent as a header, and the idea is to compare the stored session token to the sent header.
Everything seems fine, no problems whatsoever.
BUT: the issue is, that PHP cannot read the session registered in index.php, because technically there have been no page reloads! If I hit F5 and reloads everything , the session is read nicely.
How can I set the XSRF Session token on index.php and have it available for subsequent ajax requests from the client?? I'm pulling out my hair on this one... appreciate feedback.
UPDATE
After changing the session identifier name, everything suddenly worked!
In index.php:
// Create token and set session
session_start();
$token = hash('sha256', uniqid(mt_rand(), true));
$_SESSION['XSRF']=$token;
Later, also in index.php:
/* Give token to Angular client */
<script>
angular.module("app").constant("CSRF_TOKEN", '<?=$_SESSION['XSRF'];?>');
</script>
Note that I'm not using a cookie, instead I set a constant which is then made available to the .run method in Angular:
in Angular:
angular.module('app').run(['CSRF_TOKEN','$http',function(CSRF_TOKEN,$http) {
$http.defaults.headers.common['CSRF_TOKEN'] = CSRF_TOKEN;
All requests to the server are routed to one common php file. The file checks if the header is set, and compares the two tokens:
// Only POST requests are checked (I don't use PUT/DELETE)
if($_SERVER['REQUEST_METHOD']=="POST"){
session_start();
$headerToken = $_SERVER['HTTP_CSRF_TOKEN'];
$sessionToken = $_SESSION['XSRF'];
if($headerToken!=$sessionToken){
header('HTTP/1.0 401 Unauthorized');
exit;
}
}
This is what I'm doing in my PHP/AngularJS projects:
index.php
session_start();
if (!isset($_SESSION['XSRF-TOKEN'])) {
$uniqueValues = md5($_SERVER['REMOTE_ADDR'] . $_SERVER['HTTP_USER_AGENT']); //add more/less/any "unique" values, see comments
$_SESSION['XSRF-TOKEN'] = sha1(uniqid(microtime() . $uniqueValues, true));
setcookie('XSRF-TOKEN', $_SESSION['XSRF-TOKEN']);
}
any script called by AngularJS $http:
(AngluarJS uses the value of the cookie XSRF-TOKEN and will send it in every request as X-XSRF-TOKEN custom header, so we need to compare this value to the value stored in the session.)
function verifyXSRF() {
/*
$headers = apache_request_headers();
$headerToken = "";
foreach ($headers as $header => $value) {
if ($header == "X-XSRF-TOKEN") {
$headerToken = $value;
break;
}
}
*/
//more efficient, see comments
$headerToken = $_SERVER['HTTP_X_XSRF_TOKEN'];
if ($headerToken != $_SESSION['XSRF-TOKEN']) return false;
return true;
}
session_start();
if (!verifyXSRF()) die("XSRF error");
Feedback welcome as I don't know exactly if this is enough XSRF protection.
I'was looking for a solution, but i found nothing.
I'm trying to make AJAX login. The scipts are sending correct data and response: bad or correct login data. After succes page is reloading and ... user is still not logged in.
I was trying to force set a cookie, but it didn;t works.
I'm using force ssl admin (if that's important).
function ajax_login(){
global $user_ID;
if (!$user_ID) {
// First check the nonce, if it fails the function will break
check_ajax_referer( 'ajax-login-nonce', 'security' );
// Nonce is checked, get the POST data and sign user on
$info = array();
$info['user_login'] = $_POST['username'];
$info['user_password'] = $_POST['password'];
$info['remember'] = true;
$user_signon = wp_signon($info, true);
if (is_wp_error($user_signon)){
echo json_encode(array('loggedin'=>false, 'message'=>__('Get lost.')));
} else {
wp_set_current_user($user_ID);
wp_set_auth_cookie($user_ID);
echo json_encode(array('loggedin'=>true, 'message'=>__('Wait stupid, im redirecting...')));
}
}
die();
}
Could You help me please? I don't have an idea what can be wrong. (everything looks fine before that place, data is sending corretly, var_dump($info) also return correct data).
if you are using true parameter for secure cookie as you are you need to use https on your login page and also https on your admin ajax url and then you will get your cookie.
Your wp-config.php file should also have
define('FORCE_SSL_ADMIN', true);.
I am new to PHP and even newer to SESSIONS
I am working with the Instagram API and I am successfully able to authorize an app, and redirect to a page to display content.
My main folder is called Monkey and it has a sub folder called Instagram.
MY callback url for instagram is success.php located in the instagram folder. When I successfully retrieve an access token from Instagram it redirects to the index file in the Monkey folder.
On my success page, I am creating an array full of data called instaArray. I am trying to pass the array from the success.php in the instagram folder, to the index.php in the monkey folder.
My redirect is simply
header( 'Location: ../index.php' );
Because I am new with sessions, I guess I am doing something wrong. I figured it was straight forward, but I suppose not ha.
On the success.php page, after I build the array I have this
session_start();
$_SESSION['instagram'] = $instaArray;
I thought that should create a session that holds my array InstaArray.
Then, on the index.php page in Monkey, I have this
<?php
session_start();
$get_instagram = $_SESSION['instagram'];
print_r($get_instagram);
?>
But absolutely nothing happens. I've even tried to set the session instagram to a simple numerical value or 1, $_SESSION['instagram'] = 1; and get that on the index page, and it doesn't work either.
Am I doing something horribly, terribly wrong? I've read up on sessions, but because it's new, it's still a little confusing.
Thanks for the help, and I hope I was able to explain everything properly.
EDIT: Here is my success.php page in full
<?php
require 'src/db.php';
require 'src/instagram.class.php';
require 'src/instagram.config.php';
// Receive OAuth code parameter
$code = $_GET['code'];
// Check whether the user has granted access
if (true === isset($code)) {
// Receive OAuth token object
$data = $instagram->getOAuthToken($code);
// Take a look at the API response
$username = $data->user->username;
$fullname = $data->user->full_name;
$id = $data->user->id;
$token = $data->access_token;
$user_id = mysql_query("select instagram_id from users where instagram_id='$id'");
if(mysql_num_rows($user_id) == 0) {
mysql_query("insert into users(instagram_username,instagram_name,instagram_id,instagram_access_token) values('$username','$fullname','$id','$token')");
}
//Set Cookie
$Month = 2592000 + time();
setcookie(instagram, $id, $Month);
// Set user access token
$instagram->setAccessToken($token);
// Retrive Data
$instaData = $instagram->getUserFeed();
// Create Instagram Array
$instaArray = array();
$count = 0;
// For each Instagram Post
foreach ($instaData->data as $post) {
$instaArray[$count]['post_id'] = $post->id;
$instaArray[$count]['name'] = $post->user->username;
$instaArray[$count]['profile_img'] = $post->user->profile-picture;
$instaArray[$count]['img_url'] = $post->images->standard_resolution->url;
$instaArray[$count]['caption'] = $post->caption->text;
$instaArray[$count]['like_count'] = $post->likes->count;
$instaArray[$count]['comment_count'] = $post->comments->count;
$instaArray[$count]['created_time'] = $post->created_time; //Unix Format
$count++;
}
// Start Session For Array
session_start();
$_SESSION['instagram'] = serialize($instaArray);
header( 'Location: ../index.php' ) ;
} else {
// Check whether an error occurred
if (true === isset($_GET['error'])) {
echo 'An error occurred: '.$_GET['error_description'];
}
}
?>
Why not use an ID and then cookies rather than sessions + data (which are usually store on the server in text files in a temporary directory)? And keep all data within a database than allow the client to be accessible to the data. Sessions are also temporary.
Note, do you know if you have "globals" on?!
"Please note when working with sessions that a record of a session is not created until a variable has been registered using the session_register() function or by adding a new key to the $_SESSION superglobal array. This holds true regardless of if a session has been started using the session_start() function."
Reference:
http://www.php.net/manual/en/function.session-register.php
make session_start() first line after php
<?php
session_start();
and remove it from anywhere ele on page.
session_start() should be your first line in index.php also as in success.php
Note: The session_start() function must appear BEFORE the tag:
REF : http://www.w3schools.com/php/php_sessions.asp
I think you need to unserialize() your array in index.php.
$get_instagram = unserialize($_SESSION['instagram']);
I've been successfully accessing the LinkedIn API through my CodeIngiter application. I moved to a nearly identical server and implemented i18n library and it's stopped working.
After the user authenticates on LinkedIn it returns to the correct URL, but generates a series of errors beginning with Undefined index: oauth_verifier
After using an i18n library my URLs now have two letter language codes in the 1st segment like 'en' or 'br'.
EDIT: This is the Linkedin library I'm using.
I believe this is causing routing issues with the setting of $_REQUEST['oath_verifier']
Any help on this is greatly appreciated.
Excerpt from controller:
class LinkLogin extends MY_Controller {
function __construct(){
parent::__construct();
$this->load->helper('url');
$this->load->model('profile_model');
$this->load->model('generic_model');
include_once (APPPATH.'libraries/Linkedin.php');
}
function index(){
}
function initiate(){
session_start();
$this->load->helper('url');
$config['linkedin_access'] = "***";
$config['linkedin_secret'] = "***";
$config['base_url'] = "http://www.youinapage.com/linklogin/initiate/";
if ($this->uri->segment(4) == 'profile') {
$config['callback_url'] = "http://www.youinapage.com/linklogin/get_profile_linkedin/";
}
if ($this->uri->segment(4) == 'resume') {
$config['callback_url'] = "http://www.youinapage.com/linklogin/get_resume_linkedin/";
}
function get_resume_linkedin() {
session_start();
$this->load->library('format');
$config['linkedin_access'] = "***";
$config['linkedin_secret'] = "***";
$config['base_url'] = "http://www.youinapage.com/linklogin/initiate/";
$config['callback_url'] = "http://www.youinapage.com/linklogin/get_resume_linkedin/";
# First step is to initialize with your consumer key and secret. We'll use an out-of-band oauth_callback
$linkedin = new LinkedIn($config['linkedin_access'], $config['linkedin_secret'], $config['callback_url'] );
//$linkedin->debug = true;
# First step is to initialize with your consumer key and secret. We'll use an out-of-band oauth_callback
$linkedin = new LinkedIn($config['linkedin_access'], $config['linkedin_secret'], $config['callback_url'] );
//$linkedin->debug = true;
if (isset($_REQUEST['oauth_verifier'])){
$_SESSION['oauth_verifier'] = $_REQUEST['oauth_verifier'];
$linkedin->request_token = unserialize($_SESSION['requestToken']);
$linkedin->oauth_verifier = $_SESSION['oauth_verifier'];
$linkedin->getAccessToken($_REQUEST['oauth_verifier']);
$_SESSION['oauth_access_token'] = serialize($linkedin->access_token);
header("Location: " . $config['callback_url']);
exit;
}
else{
$linkedin->request_token = unserialize($_SESSION['requestToken']);
$linkedin->oauth_verifier = $_SESSION['oauth_verifier']; // ERROR: Undefined index: oauth_verifier
$linkedin->access_token = unserialize($_SESSION['oauth_access_token']);
}
Based on your comments and post, I'm guessing you are trying to use the same method twice in a row, so you get logged in. Seems weird but whatever.
The i18n you use will however change your routes to encorporate the languages so you should update your url's which you are setting inside your to controller to also use that language or a language.
In codeigniter, you should always try to set url's by the use of site_url(). This way you can easily port your application to other domainnames/locations. In this case, the localisation-library would also have changed the url's for you.
You should change all references to urls as follows:
$config['base_url'] = site_url("linklogin/initiate/");
$config['callback_url'] = site_url("linklogin/get_resume_linkedin/");
To use site_url(), you will need the URL Helper. You should include that helper before trying to use site_url(). But you already include it in your constructor, so no problems there.
You should also replace the use of header(...); exit; with redirect();. If you die after sending the header, codeigniter will not fully run and your logs will not be fully completed.
redirect($config['callback_url']); // Replaces: header($config['callback_url']);exit;
redirect('linklogin/get_resume_linkedin/'); // Alternative to above statement
I would also advice you to check out the manual to check out the build-in session class and the input class.