I am working with the application using LDAP authentication in ZF2. I have given the logout option to exit from my application. If I click the log out button, then it is asking to enter the login credentials, It is fine.
Suppose, I closed the browser without clicking the log out button then open a browser again and access to my application url it does not ask login credentials which means that LDAP session still exists.
How can I clear the LDAP session on closing the browser and or accessing the application again, it should ask the Login credentials (username and password).
Please help me to solve this issue.
The method of authentication should not matter - whether you are using LDAP, MySQL tables or anything. You didn't mention if you are using a module (such as ZfcUser) for authentication, or vanilla ZF2, or how your sessions are configured.
From the information given, one of these should help you find your problem:
1) You are using a browser that is staying open "in the background", thus the session is staying open when you re-open the browser. To double check this, have a look at your process list / task manager for your OS and ensure the browser process has been exited completely.
2) You are storing the session using cookies (so that the session carries across a period of time, rather than a single browser session). Look into the use_cookies, cookie_lifetime and remember_me_seconds session configuration options in ZF2.
Related
I have created an extension for my website. It should log in user to forum after he has logged in to the website.
User session was created successfully (checked in database), but user still not logged in.
If I try to log in with external login form, it works great (the session is created and user is logged in).
I think the problem is not in my authentication extension.
I think I did something wrong with curl post and cookie.
What curl options should I set to login? Or maybe you can give me some useful links?
Take some of those phpbb3_* cookies and then send them through
[setcookie()](php.net/setcookie) to pass along to the user. It
might work, depending on your level of cookie security in phpBB (it
can't be tied to IP because curl and the user IP will be different
drew010
You won't be able to use curl and pass the cookies to the client if you >have Session IP validation turned on. I'd suggest turning that off, or, >instead of using curl, look for a plugin/module that can do 3rd party >logins, or look at the authentication handling code and replicate it. It >wouldn't take much to log a user in without requiring their phpBB password
drew010
I was wondering if there was a way to force an iOS device to login to a php page each time they send a request to the page.
Currently, after I log in the first time, I have to restart the application to force it to ask for credentials to be sent again. I have tested this behaviour with a webpage, and after the login prompt shows and I enter the password correctly, I do not have to enter it until I restart the browser and go to the page again.
I was wondering if there is any way to change this behaviour either server or client side to force the server to request credentials every time a request is sent.
If information about being logged in are stored in session (which I think it is - but it depends on application) you can f.e. reset session after each request.
In other words: run same action that will be run when user is logging out, but after every request.
As much as Esse's answer is good for server side, I found an easier workaround client-side, setting the NSURLCredential storage to NSURLCredentialPersistenceNone. This stops the phone from storing the basic auth credentials. As this site is not intended to be used by browser's this is a decent work around
I use Htdigest authentication with lighttpd. When the user first logs in to the website, a standard username/password dialogue box is presented. If correct username and password is entered, user can login, otherwise lighttpd shows an Authentication failure page.
So far so good!
The problem is when the user wants to logout, the browser doesn't forget the username and password. In other words as long as the browser is open, user can return to the same site without being asked to authenticate. One solution can be to close the browser so that it forgets the authentications But I don't want to force the user to close their browser everytime they want to log out.
Is there a way using JavaScript or server side code (ie. PHP, Python or Lua) to let the browser forget the htdigest authentication?
PS. We use Lua 5.1 on the server side which is not as powerful as PHP but it runs as FASTCGI in Lighttpd 1.4 on Linux 2.6.
It can be done, but is tricky. There is no default way to do this. Conclusion drawn from various sources:
You have to trick the browser in forgetting the user/password combo. This can be achieved by letting the logout page send a 401 Not Authorized response header. Unfortunately the details vary per browser.
For my application I need to know if a Facebook Connect session is valid from the server side.
The Javascript API lets you know if you are connected to Facebook or not, but it seems that this can't be done from the PHP client library.
The scenario where I need it is similar to the following:
Log in to The Run Around using Facebook connect.
Open Facebook in another tab.
Log out from the Facebook tab (not The Run Around).
Go back to the Run Around tab.
Enter a new entry, but deactivate the "Publish this run to Facebook" checkbox.
After submitting the form your run will get published though you logged out before! After that call, the site will log you out because the Javascript API will try to validate your status.
In the 5th step, the application should check with Facebook if the session has expired or not (or use a workaround). The Connect implementation of The Run Around is flawed and shouldn't be used as an example because of this security issue.
While I understand your analysis of the situation, this is actually the correct behaviour.
The Run Around is a Facebook Connect site, which means that it is completely separate from Facebook, as it should be. When you use FB Connect to link your FB account to the Run Around site, it establishes a local session and account for you in the Run Around database. This is technically what you are logged in to The Run Around with. Once this happens, your Facebook session is entirely irrelevant unless The Run Around wants to retrieve information about you from Facebook.
There are options to provide a FB Connect site with closer linkage to Facebook if you want to. See Detecting Connect Status and the FB.init() parameters for more on this. The Run Around has utilized this to force a logout of the local session once it detects that you are no longer logged in to Facebook. However, this only occurs once a page change or action happens and the Javascript runs to verify your FB session status.
The overall effect of how this all works is that Facebook Connect sites retain the ability to manage users locally, and only utilize Facebook features when needed and/or possible.
A friend told me the way to know if a session is valid or not:
http://wiki.developers.facebook.com/index.php/Users.getLoggedInUser
This method uses the session key as a parameter and returns the user id. If the session has expired, an error code is returned.
NOTE:
I won't use this in my application, as Zombat said, my app should keep its own session. I'll do what Digg does: be consistent with the log in and log out procedure by not automatically logging in and out when someone logs on Facebook.
The Run Around tries to do everything automatically, but that is problematic, specially because the app doesn't check the session from the server side.
we've recently done some installation but I'm facing issues with one pc in particular and its baffling. We have a webapplication installed on our local server which is accessed by all our workstations. FOr some reason we can't log into our webapplication using one workstation. The application is a PHP MYSQL collaboration system. I double checked and for some really odd reason whenever we login it creates a session ID but upon logging in and redirecting to another page the session is broken and a new session id is generated thus the individual is automatically logged out again.
What could be the issue here - is its a firewall thing - its not the web application as we can access it fine via the other workstations. We even disabled the firewall but in all cases that single dumb workstation seems to have an issue with maintaining the session.
Help please - I'm sure its an issue confined to that one PC - what could it be.
Update
The authentication sequence is as follows:
Login
Authenticate user
Build session
Store session variables with session ID in db
Redirect
SESSION variables are empty - a new session ID is generated
Since new session ID is not of an authenticated user - return to login
More details
SSL is not enabled
Cookies are enabled are on the problem machine
UPDATE
I don't understand how can redirection be the problem here. My redirection code is as follows I'm using the following function to redirect to the index page upon successful login.
function _redirect($url)
{
#To redirect to a specified page
if(headers_sent())
echo "<meta http-equiv=\"refresh\" content=\"0;URL=$url\">";
else
header("Location:$url");
exit;
}
Plus even if it is an issue why is it a problem on just one PC and not on the others? I don't wish to change my code just to accommodate one system as opposed to fixing whats wrong with that one system which is preventing it from behaving in the first place.
MORE UPDATE
I just double checked and found something odd. My login is ajax based i.e. a request is made via ajax if it is a success the session variables are generated and a boolean 1 is sent back upon receiving the user is redirected via a javascript call which is:
function _redirect(url)
{
window.location = url;
}
I commented out this call and instead when the user is logged in I manually go to the index page and it works fine!! What is the javascript redirect messing up in this one pc thats not messing up in the other workstations is beyond me :( How do I fix this?
It sounds like the cookie is not being set and sent back to the server properly on this machine. Verify that you have cookies enabled and that you don't have some 3rd party browser extension or other software blocking cookies.
what browser are you using on this workstation? IE? Firefox? Have you tried different web browsers? Tried checking the browser settings yet? What is the time out set to? Is the time on the server and workstartion syncing properly with ntp?
In IE you can disable accepting of sessions cookies if the security is set to high I believe.
If you're losing the session, it's likely because the session cookie is not being transmitted. Does the browser on that machine have cookies enabled? Are you using SSL for your login page? Does your login code do anything besides validate a username/password (e.g. validate an IP address or machine name)?
Edit
Can you verify with Fiddler/Wireshark that the session cookie is transmitted when you redirect? Can we see some example login code?
I misunderstood the question to begin with (hence my edit history)
What is the domain the login is on and the main site is on? If it's between domains (could be anything like sending between example.com and www.example.com)