I have a Laravel 4.2 application deployed on a server on our intranet called "Dashboard". It can be accessed via the URL http://dashboard.mydomain.local/ and uses the "native" driver for session storage.
I am in the process of reconfiguring the application to run in Docker containers. The new site can be accessed via http://dbdock.mydomain.local/ and is running on a different server. The new site uses "redis" for sesson storage.
Here's the problem:
If I'm signed in to one site and then sign into the other, then I get signed out of the other.
Here's what I've tried:
I updated the application URL in the config/app.php file.
I changed the the encryption key.
I changed the session cookie name in config/session.php
It seems to me that the sessions should be kept strictly separated in this case because a) the session store is different (filesystem vs. redis); b) the session store is on different servers; c) the URLs for the two sites are different; and d) the session cookie names are different.
I can't understand how these two sites are conflicting with each other. Can anyone explain to me what's going on in this case?
Edit I should mention that these two applications are using the same database server for the user database. This is for the purposes of transitioning away from the original server (which is going to be retired in the near future).
I know this is a bit old but I had the same problem with two Laravel projects and when I changed the session cookie name in config/session.php for one of them, the problem solved.
I think you should delete your browser cookies.
Related
I've got 2 projects I work on right now, but the problem is that since I'm logged into one project the session for the login is saved so when I switch the other project I'm instantly logged in.
Both projects are running on the same server and I save the userID in the Session.
This could get a problematic as soon as I publish the projects and have more user accounts.
If both your projects are hosted under the same domain name and port then as far as PHP and the browser is concerned it's all one application, and therefore they will share a single Session.
Whether you logically view it as two projects is irrelevant to that. If they need to be treated as separate then host them separately e.g. on a different port or a subdomain - you can do this on your local webserver for development / testing, as well as on the live server.
We have a recurring issue related with an unexpected random User session expiration within all the applications hosted in subdomains of the same domain. Forcing us to re-authentication every time we are kicked.
Our system is:
3 Dedicated Servers run by a server provider, 3 static IPs
Each server acts as a Virtual server, we can have as many hostings as we need
200-300 different users working simultaneously in the applications
Server 1
A main domain "example.com" that points to a Wordpress website in a hosting of the server
A forum application, phpBB 3.2, hosted in "forum.example.com"
4 wiki sites in wikiX.example.com
apache 2.4.46-1~bpo9+1
PHP 7.3
mysql-server 10.1.48-0+deb9u2
PHP Session folder: /home/.example.com/tmp
Server 2
Several SugarCRM CE 6.5.15 instances in PHP 5.6 running in different subdomains sugarcrmX.example.com
apache 2.2.22-13+deb7u11
php 5.6
mysql-server 5.5.57-0+deb7u1
PHP Session folder: /home/sugarcrm.example.com/tmp
Each app with a different unique_key in config.php
Server 3
Several SuiteCRM 7.11.15 instances running in different subdomains suitecrmX.sinergiacrm.org
apache 2.4.46-1~bpo9+1
PHP 7.3
mysql-server 10.1.48-0+deb9u2
PHP Session folder: /home/suitecrmX.example.com/tmp
Each app with a different unique_key in config.php
We are working often in parallel within the different applications: SuiteCRM, SugarCRM, Forums and Wikis. Then, at some point that we can't define, the applications kick us out with the message 'You have been logged out because your session has expired.'. Redirecting us to the Login page of each of the applications that we were using in that moment. From this moment and for several hours, the situation happens again and again, kicking us out repeatably. Until a time that it seems to stop, leaving us for a couple of hours
This happens to all the members of our team: 8 people working from different locations with different devices, operating systems and browsers. Some of the users (within the 200-300 we metioned) reported this as well, but we presume isn't happening as often as us.
This issue started happening a few months after we upgraded our Wordpress, integrated the Server 3 and the SuiteCRM applications, but we can't say the exact moment it started. Before this, it never happened. So it is a bit difficult for us to find the reason right now.
We have already tried to change the PHP session parameters session.cookie_domain. Setting a different cookie_domain for each of the subdomain of each of the hosts, accordingly. Then deleting cookies of each of the browsers. At the beginning, it seemed we found the solution because our session was persisting. But after a few days, the sessions expiration issue came again.
Are we missing some crucial configuration within any service configuration?
Any idea about how to debug this?
Thanks
EDIT: We have a subdomain for each application sugarcrm1.example.com, sugarcrm2.example.com, etc... Each session is currently stored in different folder /home/sugarcrm1.example.com/tmp, /home/sugarcrm2.example.com/tmp
We don't need them to work in a common session, each application/subdomain has a different user/password management authentication.
The unique_key in config.php is a guid code used by SugarCRM Core to generate a unique user session ID.
We haven't tried changing the default session name "PHPSESSID" yet.
You need to consider the following things:
Move your session storage to a third party/mount it outside/database. I would recommend memcache for a scalable solution. Refer Is it recommended to store PHP Sessions in MemCache?
WordPress, PhpBB, Wiki, and SugarCRM have different session management mechanisms. Firstly you need to make changes to all these to work with the common session
I have two laravel projects in te same server (mydomain.com and sub.mydomain.com) with different database but the user ID's are the same.
I want the session to be the same on both platforms, How I do this? It is posible?
According This answser, you have first to set the cookie domain to ".example.com" to enable sharing accross subdomains.
To answer in a more laravel specific way, you have to change the 'domain' value in the config/session.php file. Beware of implications when in local environment.
Also some things are to be taken into consideration. If the two domains are differents laravel APP, please ensure that they are sharing the SAME APP KEY so that cookies are valid on both apps and that they share the same session storage (same db table, or same folder path, adjust to whatever driver you use).
Beware that by sharing the APP KEY, compromising one app will enable the attacker to probably access the other one. (make sense as a real user that have access to one, will have access to the other). To be more secure, look into oauth providers that will enable the user to access apps with a single shared login system.
I have two different projects in symfony2. I am using symfony2.3 version.
I have used fosuserbundle for user authentication.
I have one server. I have uploaded my both projects at
/var/www/html/project1
/var/www/html/project2
And i am accessing my two applications/projects like
http://202.12.0.0/project1 and
http://202.12.0.0//project2.
(IP here is given only for example. It's not my IP which i am using).
My problem is when I login in http://202.12.0.0/project1 it store session for taking http://202.12.0.0 as domain.
So when I login in http://202.12.0.0/project2, It logout from http://202.12.0.0/project1. I need to login again.
And V/S same for project2.
I have no other option for that. I mean i have no option for virtual host for this two different project. I have LAN, and every one using this project/my-application using IPaddress/project.
I Referred Session in different applications Symfony2 But it doesn't help me.
You probably should configure both projects to use different place where session files are stored.
In Symfony2 you can do that with save_path param in framework configuration
More info: http://symfony.com/doc/current/cookbook/session/sessions_directory.html
Also it can be done strictly in PHP with session_save_path function.
Edit.
Also changing just session name could work too. You can do that either by framework configuration or by session_name PHP function.
Here's the thing:
I have Website A in Server 1, a CakePHP 2 based website without any kind of login system.
I also have Website B in Server 2, another CakePHP website which has its login system (uses CakePHP's Auth for more details if it matters), with a login form in first page where users can enter login/password to access it.
So now what I need to do is to add a login form in website A that logs users into website B (as if they had used the form in website B).
Is that possible? If so, what approach should I take to do that securely? (By that I mean without plainly exposing the users credentials).
I assume you're doing this so that you can go between multiple sites, but only login once? I've come up with a way to do this, provided that the sites share domains, but are hosted on different subdomains by getting them to share session. The reason this only works on websites that share domains is because two completely unrelated websites cannot share cookies, which is necessary to get them to share session.
Note that since your goal is to make the two servers completely share their sessions, you will encounter some problems, like for example, flashmessages for one site will appear on both. I ended up extending the Session component so that it would automatically append to all session variables with a prefix to specify which server the session variable belongs to.
Here's an outline of the steps:
The login server will need to be able to host shared sessions, probably via memcache's session save handler, which you will need to install on both your servers. See more here: http://www.dotdeb.org/2008/08/25/storing-your-php-sessions-using-memcached/
The login server's site will need all the regular stuff for a login system, but you also need to set the server up so that it will use the shared memcache session instead of the normal way of saving session. Example once you have memcache installed, add to its php.ini file:
session.save_handler = memcache
session.save_path = "tcp://[login server ip]:11211"
The other server's site will also need to use the shared memcache session stored on the login server, so config its php.ini the same way you did for your login server. Then, set up the Auth component on this site so that it will require logins, but for actually logging in, redirect them back to your login server.
On both servers, in bootstrap.php, add the line ini_set('session.cookie_domain', '.' . ROOT_DOMAIN); Where root domain is the root domain both of them have. So if you were using test.com and subdomain.test.com, ROOT_DOMAIN would be "test". This way, the websites will also share their session cookies.
Make absolutely sure both servers are set to the same time. If their times don't match, you'll likely randomly lose your session because one of the servers will think the session is much older than the other server, and so it will delete it because it thinks the session is too old.