I'm using the https://github.com/panique/php-login-advanced login script, and there is also a NodeJS server which authenticates users by their session cookies. The problem is that when the user resets his password, he's still able to authenticate with his old session cookie. My goal is to remove all cookies for a user who has reset his password, so he will not be able to re-authenticate with his old session cookie. I already tried a PHP script that searches for all sessions in /var/lib/php5/* and deletes them. All was fine while running that script as 'root', but this is not an option, and the Apache user doesn't have privileges to read this folder. I'm looking for a better solution than just giving read/write privileges to that folder.
Instead of using file-based sessions with PHP, why not use something like redis instead? Then both node and PHP can access the same session easily and removing the session is simple. For this kind of solution see this answer as a guide.
Just reset the session storage path (session.save_path) in your php.ini to a directory accessible by Apache and restart your Apache server.
Since PHP sessions are basically cookies, and I am using them to authenticate logged-in users (I know, I should move to tokens), is it possible to read the session cookie in my node app? (I want to create a simple chat that gets the logged-in username from the PHP session, and on the way allow only logged-in users to use the chat.)
What would then be the preferred way to do that? (In terms of security as well)
Edit: I am trying to get something like the Node equivalent of this in PHP:
<?php
session_start(); // must run before $_SESSION is populated
if (!isset($_SESSION['user_id'])) {
    // don't allow access to the chat page
} else {
    // show chat for logged-in user
}
A cookie is not language specific so if the cookie is there, you could certainly read it with node.js.
BUT, the browser only sends cookies to the server that they are associated with. So, if your PHP server is not part of the same sub-domain as the node.js server and the cookies are configured to allow sharing with sub-domains, then the browser won't send the PHP cookie to your node.js server.
To read cookies with Express, you can use the cookie-parser module. Samples for how to use it are in the doc. After installing the cookie-parser middleware, you would end up referencing:
req.cookies
to access that same cookie. To manage sessions using Express and node.js and keep track of server-side session state, one would typically use the express-session module.
I have created a website; I have to log in to view this site. Now I have copied all files into a new directory and created a separate database for it.
The problem is that whenever I log in to one site, the other one also logs in, and the same happens for logging out. Can anyone tell me why this is happening? My server is running on localhost (XAMPP).
I followed this tutorial to create login page:
https://www.tutorialspoint.com/php/php_mysql_login.htm
When you store data in the session like you do at $_SESSION['login_user'], this session data is stored for your domain. When you copy the application into another directory, it still runs under the same domain, thus it will access the same session data. You can fix this by making the session data key unique to its directory, e.g. $_SESSION[$domain.'_login_user'] with $domain being some application-specific variable.
Also take a look into session hijacking when using sessions; you are definitely not using them safely: PHP Session Fixation / Hijacking
The Problem
I want to clear all sessions for all users in my Laravel application.
What I have tried
I understand that Auth::logout() will log out a single user, but not all users. I have also tried deleting the session files from storage/framework/sessions. Neither have worked.
I am using the built-in Authentication (e.g. Auth) and the file driver for sessions, running Laravel 5.2.
How can I effectively force logout for all logged in users so they have to log in again?
It's worth noting that Laravel actually only stores active sessions in the session folder; those that are 'remembered' but haven't been actively accessing your application do not count among these sessions. As such, just deleting the files won't finish the job.
You must also clear all Remember Tokens from the users table, as this token is used in conjunction with the local token stored in the cookie to re-create the session when a user reconnects.
In app/session.php you can change the cookie value, so users will automatically be logged out because their cookie does not match the config.
Simply regenerate the APP_KEY with the following command.
php artisan key:generate
This will regenerate the APP_KEY, which is used to encrypt and decrypt the cookies. Since it changes, all the cookies will be invalidated. Users have to log in again.
Alternate:
You could also flush all cache with the following command:
php artisan cache:clear
I have a LAMP server. I have started playing around with PHP cookies and sessions inside my scripts. Is there any way to check which, how many, and what type of sessions I have active? I am able to check if cookies are being deleted on the client side, but sessions are server side, with only a token on the client side.
Is there a command of some sort that would allow me to view active sessions (amount, time, session info) connected to my server?
Thanks.
By default PHP stores sessions on disk. Go to your sessions directory and check the active sessions there.
The file name in the session directory is the session token, and the data stored in the file is the session data.
Here's the thing:
I have Website A in Server 1, a CakePHP 2 based website without any kind of login system.
I also have Website B on Server 2, another CakePHP website which has its own login system (it uses CakePHP's Auth, if it matters), with a login form on the first page where users can enter login/password to access it.
So now what I need to do is to add a login form in website A that logs users into website B (as if they had used the form in website B).
Is that possible? If so, what approach should I take to do that securely? (By that I mean without plainly exposing the users credentials).
I assume you're doing this so that you can go between multiple sites, but only log in once? I've come up with a way to do this, provided that the sites share a domain but are hosted on different subdomains, by getting them to share a session. The reason this only works on websites that share a domain is because two completely unrelated websites cannot share cookies, which is necessary to get them to share a session.
Note that since your goal is to make the two servers completely share their sessions, you will encounter some problems; for example, flash messages for one site will appear on both. I ended up extending the Session component so that it would automatically prepend a prefix to all session variables to specify which server the session variable belongs to.
Here's an outline of the steps:
The login server will need to be able to host shared sessions, probably via memcache's session save handler, which you will need to install on both your servers. See more here: http://www.dotdeb.org/2008/08/25/storing-your-php-sessions-using-memcached/
The login server's site will need all the regular stuff for a login system, but you also need to set the server up so that it will use the shared memcache session instead of the normal way of saving sessions. For example, once you have memcache installed, add to its php.ini file:
session.save_handler = memcache
session.save_path = "tcp://[login server ip]:11211"
The other server's site will also need to use the shared memcache session stored on the login server, so configure its php.ini the same way you did for your login server. Then, set up the Auth component on this site so that it will require logins, but for actually logging in, redirect them back to your login server.
On both servers, in bootstrap.php, add the line ini_set('session.cookie_domain', '.' . ROOT_DOMAIN); where ROOT_DOMAIN is the root domain both of them have. So if you were using test.com and subdomain.test.com, ROOT_DOMAIN would be "test". This way, the websites will also share their session cookies.
Make absolutely sure both servers are set to the same time. If their times don't match, you'll likely randomly lose your session because one of the servers will think the session is much older than the other server, and so it will delete it because it thinks the session is too old.