I try to share the session over subdomains and the normal URL. In config/session.php I have 'domain' => '.workplace.dev', , so now I have for example 2 URLs that looks like:
http://workplace.dev
http://testing.workplace.dev
When I login at http://workplace.dev the session start and works fine around that URL, but when I enter http://testing.workplace.dev, the session beeing destroyed.
Any solution to this problem? Laravel 5
You need to have the session cookie be available across subdomains.
You can specify these configurations in config/session.php to indicate that you want the session to persist across subdomains.
'driver' => 'cookie',
'path' => '/',
'domain' => '.workplace.dev',
Related
Brief Summary
When I click a link from gmail, the cookies and sessions are lost. But if I copy the link in gmail and paste it in a blank tab, the cookies are retained!
Long Detail
At www.mydomain.com, i set cookies and PHP session with following options:
$myCookieSessionOptions = array(
'lifetime' => (time() + 60*60*24*363),
'path' => "/",
'domain' => "." . "mydomain.com",
'secure' => true,
'httponly' => true,
'samesite' => 'Strict'
);
session_set_cookie_params ( $myCookieSessionOptions ) ;
session_name("mySessionName");
session_start();
The above is the code both on page login.php and anotherpage.php.
On login.php when I login and set sessions, etc. the session_id() shows up as c7a9c180b767e889ad0161dc613aec41, for example.
When i access anotherpage.php in a blank tab and with some GET parameters (and my code does nothing to the session), i get the same session_id().
However, when the same link for anotherpage.php (along with the get parameters) is sent in an email, then I get a totally new session_id: 3fc7f8749ba6eb46ddd35a0db3a17589 for example.
And in the other tab, which had login.php, the session is lost, as a new session is created, obviously.
The question is if this behaviour is normal?? And this is not with gmail alone, obviously. From "anyotherdomain.com", when i click on a link to my domain, no cookies are sent!
Very weird! Is there any documentation on this behavior?
Any help will be appreciated
session auto start is Off. Checked in phpinfo
And there's no code before the above that does anything at all with the sessions
Thanks
Rajan
I figured it out! If I have samesite="none", the problem disappears
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
And tested it & it works fine.
As per the doc:
Strict
Cookies will only be sent in a first-party context and not be sent along with requests initiated by third party websites.
Wondering if someone can provide some clarification on why this is behaving how it is when using samesite in a php session cookie.
example.com has the following :
session_name('Example_Login');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '.example.com', 'secure' => true, 'httponly' => true, 'samesite' => 'strict']);
session_start();
test.com has the following form posting to example.com :
<form method="post" action="https://www.example.com/" target="_blank" autocomplete="off">
<input type="hidden" name="username" value="demo_user">
<input type="hidden" name="password" value="demo_password">
<input type="hidden" name="signin" value="signin">
<button type="submit" name="submit">Login</button>
</form>
example.com receives the post and with php I use the $_POST variables sent to validate the login credentials and log the user in. With those values being valid, the user is not logged into example.com though. If, I change the samesite parameter on example.com's session cookie to 'lax' the posted form works as expected.
I did read up on the samesite parameter before adding it and I did not see anything that stuck out to me where it would affect posts/gets. What am I missing here? I don't see how the samesite parameter has ANY affect on what I am doing here. I sent a post from another domain, retrieve the variables, and do some logic with php... what does the samesite parameter for the session cookie have to do with anything here?
UPDATE:
I did some debugging. The post variables are sent and received fine, session is created on example.com and creates lots of $_SESSION vars, etc. I narrowed down the problem to a redirect that happens after the username/password is validated in php. If the user/pass is correct and the account exists I store user information in $_SESSION then I call the following in php :
header("Location: /main.php");
exit();
The redirect happens and upon reaching main.php $_SESSION is empty. All of its variables are gone. I echo'ed it and it shows the following :
Array
(
[user] => Array
(
[session] => 1
)
)
I switch the samesite parameter to 'lax'. Run the exact same debugging and $_SESSION is full of my user information as expected which was put there before the redirect.
I also changed my redirect to absolute as header("Location: https://www.example.com/main.php"); to see if that had an affect, but the problem still remains.
So, my question now is... when using samesite='strict' in my session... why is the session emptied after a redirect to a page on the same domain?
UPDATE 2:
I changed the session save path to another location specifically to debug and see what happens. When it reaches example.com it creates the session file and the values I added into it are there. When it reaches example.com/main.php (the redirect) it creates a brand new session file as seen above. My session settings and start are in their own file which is required first thing on these pages :
session_name('Example_Login');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '.example.com', 'secure' => true, 'httponly' => true, 'samesite' => 'strict']);
session_start();
So with samesite='strict' the above creates a new session, but with samesite='lax' it uses the same session file from the previous page. What gives? I am seeing where things are going wrong, but not why it is happening or how to fix it.
UPDATE 3:
Created a very simple test to demonstrate what is happening and why. See answer below. One can argue with me all day justifying why this works how it does, but I think the logic happening here is flawed.
SameSite=Strict means the cookie will not be sent on cross-site requests which includes cross-site POST requests and redirects triggered from the cross-site POST request.
SameSite=Lax is the correct option for your session cookie here. Being able to use Strict here is not better or more secure, it is too restrictive for this use case.
I've boiled this entire thing down to a simple test.
example.com has two pages :
test1.php
<?php
//session name
session_name('Test');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '.example.com', 'secure' => true, 'httponly' => true, 'samesite' => 'strict']);
session_save_path($_SERVER['DOCUMENT_ROOT'].'/sessions');
session_start();
//session stuff
$_SESSION['sessiontest'] = 'worked';
//cookie stuff
setcookie('testing', 'worked', ['expires' => 0, 'path' => '/', 'domain' => 'example.com', 'secure' => true, 'httponly' => true, 'samesite' => 'strict']);
//redirect to the other page
header("Location: /test2.php");
exit();
?>
test2.php
<?php
//session name
session_name('Test');
session_set_cookie_params(['lifetime' => 0, 'path' => '/', 'domain' => '.example.com', 'secure' => true, 'httponly' => true, 'samesite' => 'strict']);
session_save_path($_SERVER['DOCUMENT_ROOT'].'/sessions');
session_start();
echo '<pre>'.print_r($_SESSION,1).'</pre>';
echo '<pre>'.print_r($_COOKIE,1).'</pre>';
?>
test.com
go to test
If you start at test.com the session and cookie (created at example.com/test1.php) are empty at example.com/test2.php. This all has to do with the chaining and logic being used for samesite which in my opinion is flawed in this case. The session and cookie it is preventing are being CREATED on the site this is supposed to protect from the 'outside'. I'm sure someone will have some argument justifying this, but as far as I see it this whole thing was created to mitigate the results of bad coding... and in this case... is preventing legitimate code from working as it should. This example shows I am not 'using' anything from test.com... yet because of the redirect happening when you reach example.com/test1.php it sees the session and cookie created on it as more or less 'bad' when reaching example.com/test2.php because the chain started at test.com.
I have started using Yii2 basic and need to store session information. I already know that in Yii2 basic, this should be done using sessions like
$session = Yii::$app->session;
$session->open();
$_SESSION["a_id"] = $id;
$_SESSION["w_auth"] = "true";
The problem with this is that every time the browser is closed my session expire
Is there anyway to keep session alive or set session destroy so even I close the browser and open it again. It will not ask me again to put my username or password.I need to do this in the YII2 Basic .
session cookies set expire time after 7 days
`
'components' => [
'session' => [
'class' => 'yii\web\Session',
'cookieParams' => ['lifetime' => 7 * 24 *60 * 60]
],
`
You need to use cookies for this.
Cookies are info kept in your browser.
Here is how to do in yii2:
$cookies = Yii::$app->response->cookies;
// add a new cookie to the response to be sent
$cookies->add(new \yii\web\Cookie([
'name' => 'a_id',
'value' => $id,
]));
Add the above cookie when you login and then use it this way in your actions:
$cookies = Yii::$app->response->cookies;
$a_id = $cookies->getValue('a_id');
if($a_id !== null) {
// user is logged in
}
Note: What is kept in the cookie of your browser is not your actual info, but the session id and this is sent when you reopen your browser and restores your session by this id. Your actual info is kept in your session(in the server). This how yii 2 cookies work.
References
What are cookies and sessions, and how do they relate to each other?
Cookies vs. sessions
In my Cakephp application, i have a session cookie with the name 'my_cookie' and it contains some random value 'QSD5111AS552DNJK'.
I observed that the value is same for the cookie (Before login and After login also). If i want to change the cookie value after login, what are the steps i have to follow.
And my code in core.php file
Configure::write('Session', array(
'defaults' => 'php',
'cookie' => 'my_cookie',
'timeout' => 4000
));
Please help me in this issue for getting more clarification.
I guess what you want to do is prevent session fixation, in that case it should be noted that CakePHP already does this for you out of the box. When using the authentication component, the session is being renewed before the authenticated user data is being written to it, and after the user data is being deleted on logout.
See
Source > AuthComponent::login()
Source > AuthComponent::logout()
For the sake of completeness, you can always renew the session manually, either via the session component in case you are in a controller
$this->Session->renew();
or by using the CakeSession class directly
App::uses('CakeSession', 'Model/Datasource');
CakeSession::renew();
I am writing a cookie for auto login users.
It works almost flaw less. But when the Session times out the cookie gets deleted, although it's set for 30 days.
I can't understand why this is happening.
If I close the browser and reopen it, all are fine, but if I leave the browser open and let the Session time out the cookie gets deleted to.
Configure::write('Session', array(
'defaults' => 'php',
'cookie' => 'KPD',
'timeout' => 180,
'cookieTimeout' => 30 * 1440
));
UPDATE: I found the problem but I don't have a solution! The problem is that when I rewrite the Cookie nothing happens, even if I try to delete it, and rewrite it.
I have a cookie as an array User.remember = array('token' => TOKEN). When I try to rewrite the token, the cookie remains the same!
Maybe you are not defining the value (in number of minutes) of Session.cookieTimeout, you should define proper value for Session.cookieTimeout. If it is not defined it will use the same value as Session.timeout