I have two different domains, both developed in CakePHP. My problem is: when I have logged into one domain it works fine, but when I open the other one in a new tab, it picks up the same session data. Suppose I log out of one of them; both are logged out. So I need separate sessions. Also, one project has an ACL component and the other one doesn't.
I have tried different Security.salt values; it's not working. Please suggest the best way to maintain separate sessions.
Thanks in advance.
In your core.php, you could set the session configuration to one of CakePHP's default configurations, which will then store your sessions in the respective app's tmp directory.
Configure::write('Session', array(
    'defaults' => 'cake',      // instead of 'php'
    'cookie'   => 'app_cookie1', // select a different one for each app
    // [...]
));
Moreover, you should select a different cookie name for each app so they are not both unset upon logout.
This should resolve the conflict. If you are interested in some more advanced settings, take a look here: http://book.cakephp.org/2.0/en/development/sessions.html
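The same configuration written out for two apps, as an added example that is not part of the answer above (the hostnames, cookie names and timeout are assumptions). The `cake` default keeps each app's session files under its own tmp/sessions instead of PHP's shared save_path, the distinct cookie names stop the two session IDs from overwriting each other whenever the apps share a host or a parent domain, and the `ini` overrides pin each cookie to its own host and add the HttpOnly/Secure flags a practitioner would want anyway:

```php
<?php
// app/Config/core.php of the first app (added example; hostnames are assumed)
Configure::write('Session', array(
    'defaults' => 'cake',            // files in app/tmp/sessions, not the shared PHP save_path
    'cookie'   => 'APP_ONE_SESSION', // must differ from the second app's cookie name
    'timeout'  => 120,               // minutes
    'ini'      => array(
        'session.cookie_domain'   => 'one.example.com', // exact host, no leading dot
        'session.cookie_httponly' => 1,
        'session.cookie_secure'   => 1, // assumes both apps are served over HTTPS
    ),
));

// app/Config/core.php of the second app
Configure::write('Session', array(
    'defaults' => 'cake',
    'cookie'   => 'APP_TWO_SESSION', // different name, so a logout here cannot clear APP_ONE_SESSION
    'timeout'  => 120,
    'ini'      => array(
        'session.cookie_domain'   => 'two.example.com',
        'session.cookie_httponly' => 1,
        'session.cookie_secure'   => 1,
    ),
));
```

After deploying, confirm in the browser's storage inspector that each host sets only its own cookie name; if a cookie named like the other app's still appears, an old `session.cookie_domain` with a leading dot is probably still being set at the PHP level.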
I have the following 4 sub-domains for my project:
www.mysite.com - public site, published pages etc.
my.mysite.com - normal users log in to this domain to create pages and other stuff
company.mysite.com - Company hasMany Employees that log in to this sub-domain to manage their pages and other stuff
admin.mysite.com - Admins of the site log in here to manage everything
--
Typically, I want to keep all 4 sub-domains separate. So a user logged in to my. should not be able to view company. unless they log in there as well. I have managed to do this by creating the following middlewares:
auth:my
auth:company
auth:admin
Using the above I have different login views/routes etc. for the different types of users working correctly.
--
I needed a way to share sessions across the subdomains because when a user creates a Page on the my., they can publish it and it shows on the public www. (www.mysite.com/my-page)
What I needed is that when the User who owns the Page and is logged in to my., visits their own page on the www. sub-domain, an Edit button to show.
I managed to do this by sharing sessions across my subdomains by making the following change:
config/session.php
domain => env('SESSION_DOMAIN', '.mysite.com')
--
However, this messes up the logins for company. and admin., because when a User logs in to my., the session is shared across the sub-domains.
How do I share the sessions across the sub-domains but group them so something like:
domain => [
['www.mysite.com', 'my.mysite.com'],
['www.mysite.com', 'company.mysite.com'],
['www.mysite.com', 'admin.mysite.com'],
]
The sessions are shared because it's essentially the same application and you're presumably using driver = file or database.
To fix this, you can have multiple session tables per sub-domain.
Change your config/session.php file and make sure you're using database driver.
Create multiple copies of the sessions table, calling them company_sessions, admin_sessions etc.
Update your code (i.e. config/session.php file) so that the sessions table is based on the subdomain. E.g. create an if-else statement looking for the $_SERVER['HTTP_HOST'] and check it's a particular subdomain.
if ($_SERVER['HTTP_HOST'] == 'admin.mysite.com') {
    $config['table'] = 'admin_sessions';
}
The layout of your config/session.php may need to be changed to accommodate overriding the table and returning the correct value.
See if it works!
There are other ways you can achieve this, but this may be the simplest.
It may not work, as you're trying to share sessions and don't want all sessions to be shared at the same time. You may have to compromise on the functionality and just stick with shared sessions.
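A complete config/session.php implementing the per-subdomain table idea from the answer above, as an added example that is not the answer's own code (the sub-domain list, table names and cookie name are assumptions). It uses a fixed allowlist keyed by host rather than an if-else chain: `HTTP_HOST` comes from the request's Host header, so anything not in the map, including a forged header, falls back to the shared table instead of reaching the query as a table name. Note the caveat the answer hints at: the cookie itself is still one cookie on `.mysite.com`, so a logout in one app (which invalidates and regenerates the session ID) leaves the other apps' rows orphaned.

```php
<?php
// config/session.php (added example; hostnames and table names are assumed)

// Each sub-domain gets its own session table. Rows in one table are invisible
// to the other apps even though they all receive the same session cookie.
$tablesByHost = [
    'my.mysite.com'      => 'my_sessions',
    'company.mysite.com' => 'company_sessions',
    'admin.mysite.com'   => 'admin_sessions',
];

// Host header is attacker-controlled: normalise it and only ever use it as a
// lookup key into the allowlist above, never as a table name directly.
$host = strtolower($_SERVER['HTTP_HOST'] ?? '');
$host = preg_replace('/:\d+$/', '', $host); // drop an explicit port

return [
    'driver'          => env('SESSION_DRIVER', 'database'),
    'lifetime'        => env('SESSION_LIFETIME', 120),
    'expire_on_close' => false,
    'encrypt'         => false,
    'files'           => storage_path('framework/sessions'),
    'connection'      => env('SESSION_CONNECTION', null),

    // www. and any unknown host share the default table.
    'table'           => $tablesByHost[$host] ?? 'sessions',

    'store'           => null,
    'lottery'         => [2, 100],

    // One cookie for the whole site: this is what lets www. see the my. login.
    'cookie'          => env('SESSION_COOKIE', 'mysite_session'),
    'path'            => '/',
    'domain'          => env('SESSION_DOMAIN', '.mysite.com'),
    'secure'          => env('SESSION_SECURE_COOKIE', true),
    'http_only'       => true,
    'same_site'       => 'lax',
];
```

Each table needs the same schema as the one generated by `php artisan session:table`; copy that migration once per table name.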
I'm trying to share sessions between two cakephp apps that are on different subdomains. One is cakephp 2 and other is cakephp 3.
What I have so far:
The two apps are reading sessions from the same database table.
The two apps are writing the session cookie "CAKEPHP" to the root domain. I have ini_set('session.cookie_domain', '.domain.com'); at the top of core.php and app.php respectively.
Both apps have the same Security.salt value.
What is the problem?
When I open the CakePHP 2 app on one tab, it generates a session cookie with one value. But when I open the CakePHP 3 app on another tab, it generates another value for the session cookie. So, when I log in on Cake 2 and then refresh Cake 3 on another tab, the session on Cake 2 gets lost.
When researching, I saw that CakePHP 3 encrypts the session cookie and Cake 2 does not... But I'm not able to see where I can make Cake 2 use the same encryption as Cake 3. Or disable encryption on both, if it will not cause security issues.
Can you help me on this?
I'm re-building a web application in CakePHP 3 and plan to change how the application is structured. At the moment the architecture is as follows - and none of it is written in Cake.
There is a login page at https://app.example.com which sets PHP session variables on successful login. All of the applications are then in sub-directories, e.g.
https://app.example.com/application-1
https://app.example.com/application-2
https://app.example.com/application-3
Each sub-directory has a script which checks the appropriate session vars are set, otherwise redirects to the login page, e.g. trying to access https://app.example.com/application-1 without being logged in sends the user to https://app.example.com/
I'm planning to rebuild one of the applications, https://app.example.com/application-2 in CakePHP 3, and do so on a separate subdomain (e.g. https://cake.example.com/).
What I want to do is allow the users to still login through https://app.example.com and then use https://cake.example.com/ if they are successfully authenticated.
I was planning to allow my PHP sessions to work across multiple subdomains - as per Allow php sessions to carry over to subdomains
I'm not sure though how this would work within Cake 3 though. One idea I had was to set up https://cake.example.com/ without any of Cake's Auth functionality enabled. I was then going to use the AppController::beforeFilter() to check the session variables. If they were set appropriately, allow the user to use any Cake Controller method. If not, redirect them to https://app.example.com where they can login.
I was looking for some advice on whether there is a better way to do this, and if this is secure? I'm aware that doing this is essentially like developing the Cake app with no authentication, and just relying on the session vars being read in beforeFilter().
The login script at https://app.example.com also writes to a database where we have things such as the user ID, IP, user agent string and date/time. I can access this DB from my Cake application, but the idea of querying this database on every single request also seems wrong.
It's worth mentioning that https://cake.example.com cannot have its own login page, even if it connected to the existing users database to look up the credentials. This is because the users log in through https://app.example.com, which then acts as a dashboard for their applications. Essentially, by the time they get to https://cake.example.com they either have to be authenticated, or sent back to the existing login page.
Checking the session manually can be just as secure as using CakePHP's auth component, as the component does exactly the same (given that you'd be using the session storage), just with data that you've set via AuthComponent::setUser(), i.e. it all depends on whether you implement things properly.
Checking the session value in AppController::beforeFilter(), and redirecting if necessary, should generally be fine, and as mentioned is pretty much the same as what the auth component does internally: it will check whether the configured session key is present and not empty.
You could possibly still leverage the CakePHP auth functionality if you wanted to, the flat u_id value in the session should suffice. For the auth component, just configure the login/logout options and the session storage key accordingly, ie if your login page is at https://app.example.com, and your login app writes auth data to $_SESSION['u_id'], configure the auth component like this:
// in AppController::initialize()
$loginUrl = 'https://app.example.com';
$this->loadComponent('Auth', [
    'loginAction'    => $loginUrl,
    'loginRedirect'  => $loginUrl,
    'logoutRedirect' => $loginUrl,
    'storage' => [
        'class' => 'Session',
        'key'   => 'u_id'
    ]
]);
That should be all that is needed (authentication wise), the component should pick up the possibly existing session key and treat you as authenticated, or otherwise redirect to https://app.example.com. Defining loginAction will prevent the component from whitelisting a controller/action, and logoutRedirect will be returned by AuthComponent::logout(), so you could easily implement a standard logout action in your CakePHP app if you want/need.
Of course this all depends on the u_id session value being accessible (ie you've configured your CakePHP app to pick up the existing session) and reliable in the first place.
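The manual beforeFilter() route from the answer, written out as an added example that is not the answer's code. It assumes the legacy login at https://app.example.com uses PHP's default file session handler with the cookie name PHPSESSID and puts the user id in $_SESSION['u_id']; the CakePHP 3 session must then be told to use that cookie name (Cake's default is CAKEPHP) and a cookie domain both hosts share, otherwise the two apps simply never see the same session. The two files below are separate files in the Cake app:

```php
<?php
// ---- file: config/app.php (Session block only; added example, hostnames assumed) ----
return [
    'Session' => [
        'defaults' => 'php',        // PHP's own handler and save_path, same as the legacy app
        'cookie'   => 'PHPSESSID',  // must equal the legacy app's session.name (default shown)
        'ini'      => [
            'session.cookie_domain'   => '.example.com', // shared by app. and cake.
            'session.cookie_httponly' => 1,
            'session.cookie_secure'   => 1,
            // 'session.save_path'   => '/var/lib/php/sessions', // only if the hosts differ in php.ini
        ],
    ],
];

// ---- file: src/Controller/AppController.php ----
namespace App\Controller;

use Cake\Controller\Controller;
use Cake\Event\Event;

class AppController extends Controller
{
    /** Where anyone without a valid legacy session is sent (assumed URL). */
    const LOGIN_URL = 'https://app.example.com/';

    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);

        // $this->request->session() is the 3.x accessor (getSession() from 3.5 on).
        $session = $this->request->session();
        $userId  = $session->read('u_id');

        // Anything but a positive integer id counts as "not logged in". Returning
        // the redirect response from beforeFilter stops the action from running.
        if (!is_scalar($userId) || !ctype_digit((string)$userId) || (int)$userId < 1) {
            return $this->redirect(self::LOGIN_URL);
        }

        // Expose the id to actions and views; the Cake app never writes u_id itself,
        // the legacy login page remains the only writer.
        $this->set('currentUserId', (int)$userId);
    }
}
```

The per-request database lookup the question worries about is not needed for authentication; the session value is the proof of login. Reading the login table once (for example to show IP or user agent on a profile page) is fine, but re-validating it on every request only buys something if the legacy app also deletes rows on logout or expiry.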
I use Yii2 framework for my current project. My problem is when the user logs out all the sessions are destroyed but on the frontend I have a session registered which needs to be there after the logout process.
Is there a way in PHP to store that one session?
You probably will need to actually create 2 separate sessions. For this I would think the advanced template would be the best starting point. Frontend would be your main site, and backend would be your logged in area. You could even make a 3rd for your admin panel, if needed.
In your config you would need to specify different sessions. The way I use it, is to completely separate my frontend from the backend.
Example of config;
'components' => [
    'user' => [
        'identityClass'   => 'common\models\User',
        'enableAutoLogin' => true,
        'identityCookie'  => [
            'name' => '_frontendUser', // unique for frontend
        ],
    ],
    'session' => [
        'name'     => 'PHPFRONTSESSID',
        'savePath' => sys_get_temp_dir(),
    ],
    // ....
],
You would do the same for backend, only using different names.
If they can still go to the main site while they are logged in, you would need to do some additional checks, like checking if the other session exists. You could make a special rule to redirect them off the main site to the logged-in area if it exists. If they still need to access the main site but know if they are logged in (like to show a logout instead of a login link, or show their username), then you would have to reference the other session.
I am not sure if you can actually use a session from another section... A way around it would be to store data in the first session about the 2nd session. In your login routine, you would need to inject the user data into the first session. And on logout, remove it.
Not sure what you're going for, and there are still some things to look into (like if you can access another session without hacky options).
However, I think your hangup right now is that you need to define separate session values in your config.
I should also add, I wrote a wiki about how to have 2 separate sessions here: http://www.yiiframework.com/wiki/814/guide-how-to-actually-separate-frontend-user-and-backend-admin-on-yii2-advanced/
The problem with Yii2 advanced is that by default, if you log in to the frontend you are also logged in to the backend. Well, if you use the frontend for members and the backend for admins, you don't want it like that! A member shouldn't be logged in to the admin area. So you have to make them 2 separate sessions.
While my wiki is for a slightly different use, I think it stems from the same problem and may help you figure this out.
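The full set of cookies that must be renamed per app, as an added example that is not the answer's code. The `user`, `session` and `request` component options are Yii2's own; the helper function, its file location and the cookie names are assumptions. Besides the session and identity cookies shown in the answer, the CSRF token is also a cookie named after `csrfParam`, and a token issued by one app fails validation in the other (each has its own `cookieValidationKey`), so leaving it shared makes the frontend's forms fail after a visit to the backend:

```php
<?php
// common/config/separate-sessions.php (added example; file name and helper are assumed)
// Included from both frontend/config/main.php and backend/config/main.php.

/**
 * Returns the 'components' entries that must differ between the frontend and
 * backend applications so that neither app ever reads the other's cookies.
 */
function separateSessionComponents(string $appId): array
{
    return [
        'user' => [
            'identityClass'   => 'common\models\User',
            'enableAutoLogin' => true,
            'identityCookie'  => [
                'name'     => '_' . $appId . 'User',   // "remember me" cookie
                'httpOnly' => true,
            ],
        ],
        'session' => [
            'name'         => strtoupper($appId) . 'SESSID', // PHP session cookie
            'cookieParams' => ['httponly' => true],
        ],
        'request' => [
            // The CSRF cookie takes its name from csrfParam, so this is enough
            // to give each app its own token cookie as well.
            'csrfParam' => '_csrf-' . $appId,
        ],
    ];
}

// frontend/config/main.php
//   require __DIR__ . '/../../common/config/separate-sessions.php';
//   return [
//       'id' => 'app-frontend',
//       'components' => yii\helpers\ArrayHelper::merge(
//           ['request' => ['cookieValidationKey' => 'frontend-secret']], // keep per-app keys
//           separateSessionComponents('frontend')
//       ),
//   ];
// backend/config/main.php: the same with 'app-backend' and separateSessionComponents('backend').
```

`ArrayHelper::merge` is used rather than `+` so that the existing `request` entry with its `cookieValidationKey` is merged with the new `csrfParam` instead of one array silently replacing the other.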
If you need different sessions for frontend / backend, separate it as pointed in other responses but, if you need to save data between user sessions, save it to the database.
I've been trying to locate where the CDbHttpSession is called after login, to rewrite it.
My problem is that I have 3 products in my App, and each are restricted on X simultaneous users, so I shouldn't allow any user to access these products until someone closes session or the admin manually removes the session from the DB.
Any help on how could I achieve it?
Thanks!
It's a fixed application component available from CWebApplication. So you can access the session instance through Yii::app()->session. You can configure your own session component in your main.php.
'components' => array(
    'session' => array(
        'class' => 'MyCustomSession',
    ),
),
But this is probably not the right place where you want to solve your problem. There is no "close session" event in PHP's session system. So you cannot really find out when a user has "closed" his session.
What could be helpful for you are maybe the afterLogin() and afterLogout() methods in CWebUser. Much like with the session component, you can also override the user component with your own class. There you can at least get hold of every login/logout process and do something. Note though, that a logout does not necessarily always occur: the session can simply time out and you won't get hold of it.
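A CWebUser subclass built on the afterLogin()/afterLogout() hooks the answer points at, as an added example that is not the answer's code. It assumes a table `product_session` (columns session_id, user_id, product, updated_at), that the identity class records which product is being opened via setState('product', ...), and that seat limits are configured on the component. Because a timed-out session never reaches afterLogout(), rows are also swept by age before each limit check, and an explicit release method is provided for the admin's "remove the session" action:

```php
<?php
// protected/components/ProductWebUser.php (added example; table and state names are assumed)
// protected/config/main.php:
//   'components' => array('user' => array(
//       'class'      => 'ProductWebUser',
//       'seatLimits' => array('reports' => 5, 'billing' => 2),
//   )),

class ProductWebUser extends CWebUser
{
    /** product name => maximum simultaneous users */
    public $seatLimits = array();

    /** Seconds after which a row that was not refreshed counts as abandoned. */
    public $staleAfter = null; // defaults to the session GC lifetime

    /** Session id captured before logout destroys the session. */
    private $_logoutSid;

    public function init()
    {
        parent::init();
        if ($this->staleAfter === null) {
            $this->staleAfter = Yii::app()->session->getTimeout();
        }
    }

    /** Refuse the login when the requested product has no free seat. */
    protected function beforeLogin($id, $states, $fromCookie)
    {
        if (!parent::beforeLogin($id, $states, $fromCookie)) {
            return false;
        }
        $product = isset($states['product']) ? $states['product'] : null;
        if ($product === null || !isset($this->seatLimits[$product])) {
            return true; // unrestricted product
        }
        $this->purgeStale();
        $inUse = (int) Yii::app()->db->createCommand()
            ->select('COUNT(*)')
            ->from('product_session')
            ->where('product = :p', array(':p' => $product))
            ->queryScalar();
        return $inUse < $this->seatLimits[$product];
    }

    /** Record the seat under the session id that login() has just regenerated. */
    protected function afterLogin($fromCookie)
    {
        parent::afterLogin($fromCookie);
        Yii::app()->db->createCommand()->insert('product_session', array(
            'session_id' => Yii::app()->session->sessionID,
            'user_id'    => $this->id,
            'product'    => $this->getState('product'),
            'updated_at' => time(),
        ));
    }

    /** logout() destroys the session before afterLogout(), so grab the id here. */
    protected function beforeLogout()
    {
        $this->_logoutSid = Yii::app()->session->sessionID;
        return parent::beforeLogout();
    }

    /** An explicit logout frees the seat immediately. */
    protected function afterLogout()
    {
        parent::afterLogout();
        $this->releaseSeat($this->_logoutSid);
    }

    /** Call from a base controller's beforeAction() so live sessions keep their seat. */
    public function touchSeat()
    {
        Yii::app()->db->createCommand()->update('product_session',
            array('updated_at' => time()),
            'session_id = :sid', array(':sid' => Yii::app()->session->sessionID));
    }

    /** Frees a seat by session id; the admin's "remove session" action calls this. */
    public function releaseSeat($sessionId)
    {
        Yii::app()->db->createCommand()->delete('product_session',
            'session_id = :sid', array(':sid' => $sessionId));
    }

    /** Sessions that timed out never call afterLogout(); sweep them by age instead. */
    protected function purgeStale()
    {
        Yii::app()->db->createCommand()->delete('product_session',
            'updated_at < :cutoff', array(':cutoff' => time() - $this->staleAfter));
    }
}
```

Two seats can still be taken at once by concurrent logins racing between the COUNT and the INSERT; if the limit must be strict, wrap both in a transaction that locks the product's rows, or enforce it with a database constraint.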