Establishing session variables and maintaining security on a web page - php

I've created a web site that authenticates users via LDAPS to a Windows domain - it works fine; users are able to log in, and when they enter credentials a session variable ($_SESSION['LDAPSExampleUsername']) is established and maintained until they log out. So, I want to make sure that if a user is logged in, they can see https://host/main.php. If they're not logged in, they can't get to main.php; it'll just take them to https://host so that they can log in. I have this working fine with syntax like:
<?php
session_start(); // the session must be started before $_SESSION is read
if (!isset($_SESSION['LDAPSExampleUsername']))
{
    header("Location: /"); // send the browser to the login page
    die();                 // and stop, so nothing of the protected page is output
}
I've been doing some reading and found that many say this isn't really such a great idea, because web browsers can disable forwarding to other web pages (defeating the purpose and causing a major issue). What is the appropriate way of handling this situation?
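The following is an added example of how the gate in the question can be packaged as a small include; it is not the poster's code. The key name LDAPSExampleUsername and the login URL "/" come from the question; the idle timeout, the function names and the cookie flags are assumptions made here. The login handler is expected to call establish_login() once the LDAPS bind succeeds, and every protected page (main.php) starts with require 'auth.php'; require_login();. The point the example makes is that the Location header is only advice to the client, while exit is what keeps the protected page from being sent, so a client that ignores the redirect gets an empty response rather than main.php.

```php
<?php
// auth.php: added example, not the original poster's code. Function names,
// the idle timeout and the cookie flags are assumptions for this example.
declare(strict_types=1);

const SESSION_USER_KEY = 'LDAPSExampleUsername'; // the key the question uses
const IDLE_TIMEOUT     = 900;                    // seconds of inactivity tolerated (assumed)
const LOGIN_URL        = '/';                    // where unauthenticated requests are sent

/** Start the session with cookie flags suited to an https://host-only site. */
function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    // Must run before session_start(); the array form needs PHP 7.3+.
    session_set_cookie_params([
        'lifetime' => 0,       // cookie ends with the browser session
        'path'     => '/',
        'secure'   => true,    // never sent over plain http
        'httponly' => true,    // not readable by page scripts
        'samesite' => 'Lax',
    ]);
    session_start();
}

/** True when $session carries a user and has not idled out. Pure, so it is easy to test. */
function is_authenticated(array $session, int $now): bool
{
    $user = (string) ($session[SESSION_USER_KEY] ?? '');
    if ($user === '') {
        return false;
    }
    $last = (int) ($session['last_activity'] ?? 0);
    return ($now - $last) <= IDLE_TIMEOUT;
}

/** Call first thing on every protected page (e.g. main.php). */
function require_login(): void
{
    start_secure_session();
    if (is_authenticated($_SESSION, time())) {
        $_SESSION['last_activity'] = time(); // slide the idle window
        return;
    }
    // Clear stale server-side state, then redirect.
    $_SESSION = [];
    session_destroy();
    header('Location: ' . LOGIN_URL, true, 302);
    // exit is what actually protects the page: the 302 is only a hint to the
    // client, and a client that ignores it (curl, a script, a browser with
    // redirects disabled) must still receive no page content.
    exit;
}

/** Call from the login handler once the LDAPS bind has succeeded. */
function establish_login(string $username): void
{
    start_secure_session();
    // Fresh session id on privilege change, so an id planted before login
    // (session fixation) is not carried into the authenticated session.
    session_regenerate_id(true);
    $_SESSION[SESSION_USER_KEY] = $username;
    $_SESSION['last_activity']  = time();
}

/** Call from the logout handler. */
function logout(): void
{
    start_secure_session();
    $_SESSION = [];
    session_destroy();
    // Also expire the cookie on the client.
    setcookie(session_name(), '', [
        'expires'  => time() - 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}
```

is_authenticated() takes the session array and the clock as parameters rather than reading globals so that the decision can be tested without a web server; require_login() is the only function that touches headers and terminates the request.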

Related

keep user logged in when offline in PWA using laravel auth

I run an application that requires the user to log in to have access; this application has multiple levels of authentication, and it is a PWA too.
The problem is that when the user downloads the app to the home screen, it always opens on the login screen, but since it can be offline, it will not be able to log in.
How can I keep it logged in? That is, whether the user is offline or online, go directly to their dashboard.
I read some answers about sessions and cookies; is that really the best way?
No react or angular or vue was used.
It took me a while to post the answer here, but it came.
Actually it was quite simple: I just set manifest.json to open the URL that is already logged in, and that solved my problem. Of course, it will only load if the user has ever accessed this URL, according to my cache rules in the service worker. I suggest you try the same; if it doesn't work you can contact me and I can help.

IE domain autologin php

So I noticed that with SharePoint sites, if you are using IE, it automatically sends your AD username/password to the server. Now I'm being asked if the same can be done with the other internal websites. The other websites are written in PHP and I don't have access to the server settings, just to the PHP scripts. I did find a way to authenticate against AD from PHP scripts once the username and password get submitted to the scripts. So I'm about halfway there: once the script knows what user/pass the user wants to use, it can check if it's valid. But what I still need to know is how to tell IE that this page needs to know the user/pass they are logged in as, like the SharePoint site pages can.

Cookie and session issues in php / mysql / wamp

I use WAMP to develop on a Windows 7 machine. For this app I have an admin area which tracks the admin username and encrypted password with $_SESSION, and a cookie which keeps track of the randomly generated encryption key for the password.
I set the cookie like:
setcookie('key', $key, time()+7200, '/admin/'); // the path must start with '/'; a value like 'admin/' is ignored and the browser falls back to the default path
The admin user verification is run on every admin page after the admin user has entered username and password details to login.
The directory structure of the site and the admin is:
localhost/mysite/
localhost/mysite/admin/
A session runs in the admin section, and a session also runs in the user interface of the front-end to keep track of chosen criteria for searches.
When I run long database queries in the admin area, e.g. multiple updates and inserts where each iteration requires a connection to an external API, I am unable to load the front-end user interface in the same browser (e.g. Firefox) until after the admin operation has completed. If I use a different browser (e.g. Chrome), I am able to load the front-end of the site while running admin MySQL functions with no problems.
I'd like to view the site while these operations are running, and use the same browser. It's a small problem, but I'd like to know how to get around it because I want to learn. I mean I could just tell myself that it doesn't matter because the site works fine when I open another browser, and the final user isn't going to be running admin operations while viewing the site anyway, so from that perspective it doesn't matter, but I am curious.
What is going on with the sessions and cookies that stops me from viewing the site whilst the admin operations are running? Is my question even a good one? Part of me thinks that it's a silly question because ultimately the site works perfectly well in a separate browser. Anyway, thank you for looking!
I think your session is being locked. On the page that takes a long time to run, add this at the top: session_write_close(); That should fix it.
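An added example of the fix the answer suggests, in the shape of a long-running admin page (this is not the poster's code or the answerer's). The session key admin_user, the login URL and call_external_api() are stand-ins for the poster's own admin check and per-row API calls. The example shows where session_write_close() goes relative to the auth check, and what it costs: after the call, $_SESSION is a plain array whose changes are not persisted, so anything the job must record goes to the database or is written after the session is briefly reopened at the end.

```php
<?php
// long_admin_job.php: added example, not the original poster's code.
// The key 'admin_user', the login URL and call_external_api() are assumptions.
declare(strict_types=1);

session_start();

// Do the admin check while the session is still open for reading.
if (empty($_SESSION['admin_user'])) {
    header('Location: /admin/login.php', true, 302);
    exit;
}
$adminUser = (string) $_SESSION['admin_user'];   // copy what the job needs

// PHP's default file session handler takes an exclusive lock on the session
// file at session_start() and holds it until the script ends or the session is
// closed. Every other request carrying the same PHPSESSID cookie (the front-end
// tab in the same browser) blocks on that lock. Releasing it here lets those
// requests proceed; a second browser worked because it sent a different cookie
// and therefore used a different session file.
session_write_close();

// From here on $_SESSION is an ordinary array: assignments are NOT saved.

/** Hypothetical stand-in for the poster's slow per-row API call. */
function call_external_api(int $rowId): array
{
    sleep(1);                                     // simulates remote latency
    return ['id' => $rowId, 'status' => 'ok'];
}

$ids     = [1, 2, 3];                             // constructed sample of rows to update
$results = [];
foreach ($ids as $id) {
    $results[] = call_external_api($id);
    // ... run the corresponding UPDATE/INSERT against MySQL here ...
}

// To record something in the session after the job, reopen it only as long
// as the write takes, so other requests are blocked for milliseconds, not minutes.
session_start();
$_SESSION['last_job'] = ['by' => $adminUser, 'rows' => count($results), 'finished' => time()];
session_write_close();

header('Content-Type: text/plain');
echo 'Updated ' . count($results) . " rows as $adminUser\n";
```

The same lock exists with any blocking session handler; if the admin area later moves sessions into a database or memcached handler, check whether that handler locks, because a non-locking handler trades this stall for lost writes when two requests update the session concurrently.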

PHP, Sessions, Cookies - something is happening that doesn't allow some users to log in?

We have about 100 users accessing our website daily. A majority of them have no issues logging in. However, once a month we get a call or email ticket with complaints that users just see the login page refresh, with no error messages or anything.
All error messages are sent through the PHP Session cookie, and of course everything after logging in is based off of that session. The only reason I could think that the page just refreshes HAS to be because they are blocking that session cookie on their local machine...
Now most often the user is on Internet Explorer, but occasionally it even happens with Chrome or Firefox. I've even had a user (on OSX) who tried Safari, Chrome, FF - and it would NEVER let them log in; the page would just basically refresh. I had the user add the website as trusted, and still no luck.
It's the worst because I cannot reproduce it from any network or from any browser/computer, ever.
Does anyone know what could be causing something like this? The site IS forcing SSL (the HTACCESS file redirects to HTTPS). The site IS forcing the session cookie as HTTP-Only and the Secure flag is also set to TRUE (and these 2 are somewhat recent changes).
I'm unsure what other settings on the server or the PHP instance would be causing something like this, or if it's solely a client-side issue (which it appears to be). And if it's client side, I'd like to learn the issue and possible solutions to it.
To preempt everyone, no - I cannot share the website URL for debugging because the client would not appreciate that, unfortunately. Thanks for any help, I'll be happy to answer any question that I can!
Do you have more than one web server behind a load balancer? And are the PHP sessions stored locally on each web server? If so it is the load balancer's job to make sure a user keeps going back to the same server on repeated accesses. If something goes wrong, they could get sent to a server where they do not have a session. It could be some intermittent glitch sending users to the wrong server.
Just guessing, because as others noted, we don't really have enough info.
Does your session cookie have a valid name? I've run into this problem in the past where some browsers don't accept a session cookie if it has an invalid name, but other browsers do accept them:
http://php.net/manual/en/function.session-name.php

Authentication across different domains

I am running a WordPress site, but I feel that the solution to this question is possibly more generic, so I am asking for help here.
I have set up LDAP authentication. My website is running on http://a.com (for example); the authentication must happen over an SSL connection, and the SSL address is https://b.com (points to the same server). The LDAP authentication works fine; I can be certain of that. The problem is when I log in: it all goes well, authenticates, and then redirects back to a.com where all of a sudden I am not logged in. I am guessing this is to do with the cookies but don't know how to check or how to solve it.
Is this sort of setup possible? Any idea how to get it working properly?
Thanks in advance!
Cookies set on one domain cannot be read by another. You don't want my site to read your banking site usernames.
Here's a possible setup for you: Instead of redirecting back to http://a.com after logging in on https://b.com, redirect to http://a.com?authtoken=abcde. Your code on a.com grabs that token from the URL, and uses it to check a database to see what user just logged in on b.com and was assigned that token. Expire the tokens after they're used.
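An added example of the token handoff the answer describes, written to run on its own from the command line; it is not the poster's or the answerer's code. The table layout, the 60-second lifetime, the function names and the use of an in-memory SQLite database (standing in for the database both hostnames share, and requiring the pdo_sqlite extension) are assumptions. Two details matter for security and are built in: the token is generated from the CSPRNG and only its hash is stored, and redemption deletes the row whether or not it succeeds, so a token is usable exactly once and dies after its lifetime. Both matter because a token in a query string ends up in the browser history, the a.com access log and the Referer of the next navigation, and on the plain-http a.com hop it crosses the wire unencrypted.

```php
<?php
// handoff.php: added example, not code from the question or the answer.
// Table layout, TTL, function names and the SQLite store are assumptions.
declare(strict_types=1);

const TOKEN_TTL = 60; // seconds a token stays redeemable (assumed)

function open_token_store(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE IF NOT EXISTS auth_tokens (
        token_hash TEXT PRIMARY KEY,   -- sha256 of the token; the raw token is never stored
        username   TEXT NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

/** b.com side: called right after LDAP authentication succeeds. Returns the redirect URL. */
function issue_handoff(PDO $db, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));                        // 256 bits from the CSPRNG
    $stmt  = $db->prepare('INSERT INTO auth_tokens (token_hash, username, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $username, $now + TOKEN_TTL]);
    return 'http://a.com/?authtoken=' . rawurlencode($token);
}

/** a.com side: extracts the token the same way a.com would read $_GET['authtoken']. */
function token_from_url(string $url): string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return (string) ($query['authtoken'] ?? '');
}

/** a.com side: exchanges the token for the username once; null if unknown, replayed or expired. */
function redeem_handoff(PDO $db, string $token, int $now): ?string
{
    $hash = hash('sha256', $token);
    $db->beginTransaction();
    $stmt = $db->prepare('SELECT username, expires_at FROM auth_tokens WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Delete unconditionally: a replayed or expired token is gone either way.
    $db->prepare('DELETE FROM auth_tokens WHERE token_hash = ?')->execute([$hash]);
    $db->commit();
    if ($row === false || (int) $row['expires_at'] < $now) {
        return null;
    }
    return $row['username'];
}

// --- demonstration with a constructed login (CLI) ---
$db  = open_token_store();
$now = time();

// 1. b.com: LDAP has accepted "alice"; build the redirect target.
$redirect = issue_handoff($db, 'alice', $now);
echo "b.com redirects to: $redirect\n";

// 2. a.com: read the token from the query string and redeem it.
$token = token_from_url($redirect);
$first = redeem_handoff($db, $token, $now);
$again = redeem_handoff($db, $token, $now);                        // same token, second time
$late  = redeem_handoff($db, token_from_url(issue_handoff($db, 'bob', $now)), $now + TOKEN_TTL + 1);

printf("first redemption: %s\n", $first ?? 'rejected');
printf("replayed token  : %s\n", $again ?? 'rejected');
printf("expired token   : %s\n", $late  ?? 'rejected');

// On a.com the successful branch then starts a.com's own session for $first
// (on WordPress, by looking up the user and calling wp_set_auth_cookie() with
// its ID), so the login cookie is issued by a.com itself rather than by b.com.
```

Running the script prints the redirect URL, then shows the first redemption yielding the username while the replayed and the expired tokens are both rejected. In production the a.com handler should also strip the authtoken parameter from the URL with a redirect to a clean location immediately after redeeming it, so the token does not linger in the address bar or get copied into a bookmark.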
