SetCookie not working for a specific cookie on Windows Phone - php

I have a website that requires a login. The logins are managed by an authentication token that is assigned to the target device (with a few others), but for some reason, it's not working on Windows Phone. I have tested it on iPhone and all desktop browsers and it works on all of them.
I set it to show me the set cookies, and it is showing all the other cookies that have been set, except for the auth token cookie.
I tried changing the cookie name (to see if there was a collision with some redundant code running) but that didn't work (still working on desktop browsers).
I had placed a piece of code to detect the setcookie function call, which told me it was being called correctly. In the same code path of the login and setcookie I did a var_dump of the $_COOKIE then too and it showed that the token had been temporarily sent.
The code does contain the ability to detect a mobile browser, but it is unused (outside of a few small parts of the template engine).
An additional note about the code is that from the start, right up till the end, the output buffer is enabled, and only printed at the end of the code.
What else can I do to try to find the cause of the problem, or what could be causing the problem specifically for Windows Phone?
EDIT
I have just tested it on an iPad, and it is also not working. Very strange as it works on normal iPhones and the Safari browser.
EDIT
I have installed a server (AMPPS) on a computer on my LAN running the site (with the same db) and the login function works correctly.
In addition, during my tests, on the mobile (on the live version), the user is redirected to the users only page, but the cookie is not detected, and the user is returned to the sign in page. Other cookies are, but the auth token is not.
All of the cookies are set in the same way, with an expiry of time() + 3600, and the path set to '/'

I think I have fixed it. The code included some IP validation for the tokens, but for some reason, on those devices, the IP (returned from $_SERVER['REMOTE_ADDR']) is 127.255.255.255, which was incorrect. Not sure why it was doing that instead, but I have amended it so that the IP is not taken into consideration for invalid IPs (such as 127.255.255.255) and it is working now.
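The fix described above, sketched as an added example (not the poster's code): the token is compared in constant time, and the IP binding is enforced only when REMOTE_ADDR is a usable address. The function names and the stored-row layout are assumptions.

```php
<?php
// Added example; ip_usable_for_binding(), issue_token() and token_is_valid()
// are hypothetical names, and the stored row layout is an assumption.

/** True when $ip is a valid address outside the loopback/reserved ranges. */
function ip_usable_for_binding(string $ip): bool
{
    // FILTER_FLAG_NO_RES_RANGE rejects 127.0.0.0/8 (which covers
    // 127.255.255.255), 0.0.0.0/8, 169.254.0.0/16 and 240.0.0.0/4.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_RES_RANGE) !== false;
}

/** Create the row stored server-side at login; ip is null when unusable. */
function issue_token(string $remoteAddr): array
{
    return [
        'token' => bin2hex(random_bytes(32)),
        'ip'    => ip_usable_for_binding($remoteAddr) ? $remoteAddr : null,
    ];
}

/** Validate the cookie value against the stored row for this request. */
function token_is_valid(array $stored, string $cookieToken, string $remoteAddr): bool
{
    // Constant-time comparison of the secret itself.
    if (!hash_equals($stored['token'], $cookieToken)) {
        return false;
    }
    // Enforce the IP binding only when an address was recorded at login
    // and the current request also reports a usable one.
    if ($stored['ip'] !== null && ip_usable_for_binding($remoteAddr)) {
        return $stored['ip'] === $remoteAddr;
    }
    return true;
}

// Constructed sample values: a client reported as 127.255.255.255 and a
// client reported with a documentation-range address.
$rowA = issue_token('127.255.255.255');
var_dump($rowA['ip'], token_is_valid($rowA, $rowA['token'], '127.255.255.255'));

$rowB = issue_token('203.0.113.7');
var_dump(token_is_valid($rowB, $rowB['token'], '203.0.113.7'));
var_dump(token_is_valid($rowB, $rowB['token'], '198.51.100.9'));
```

For clients whose address is rejected, the token alone authenticates the request, which is the trade-off the fix accepts.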

Related

Safari 13.0.4 issue with PHP sessions

I'm running a PHP script (on DOMAIN B) inside an iFrame on another domain (DOMAIN A).
When a user enters the site, a check is performed to see if they have the correct browser settings (cookies enabled AND third-party cookies enabled - however it is called in various browsers).
In order to do this, I set a session cookie $_SESSION['COOKIE_CHECK'] = 'passed'; from the iFrame (DOMAIN B), redirect to another script within the iFrame on DOMAIN B (header('Location: ...) and check if the cookie is still there. If not, an error message is displayed, otherwise the user is redirected again to the main script (also on DOMAIN B).
I'm making sure the session is active with session_start(); as the first line of code in all scripts. The header redirect is using the same (sub)domain for the target as the originating script.
This worked perfectly fine on all browsers (IE, FF, Safari, Chrome) for years until now. With the recent Safari update to version 13.0.4, this no longer works in Safari. It still works in other browsers.
I tried a few things including redirecting the parent document to the cookie check script on DOMAIN B and then back again. Nothing worked.
Any insight would greatly be appreciated!
Cheers and thanks in advance!
Tom

PHP Session mistakenly being shared across separate chrome browsers

I've just started using PHP and have run into a rather odd issue with using sessions and Google Chrome.
I start a session and set some variables when a user first logs in, and then access the session variables at different points across my web-app, which is working as expected. The problem is that if someone else visits the web-app from a different computer (on the same network), they are treated as being logged in as the first user.
What's weirder is that this only seems to occur when using Chrome. If I sign in using Firefox or IE, then navigate to the app on a separate computer (using any browser) the problem doesn't occur.
Clearing cookies in Chrome seems to work, but I would like to know why this is happening to prevent security problems in the future.

iOS Safari is chopping off "www" from $_SERVER['HTTP_HOST'], how is this possible

Having a separate mobile site on a subdomain which has the name m.domain instead of domain:
When I try to log in on iOS devices with OpenID I get an error page from Google, but not if I use the site from my desktop.
Chrome mobile is OK, it is just Safari.
I thought those server variables would stay the same no matter what?
Can someone explain that?
EDIT:
There really is not much to output in the form of an error except that OpenID needs to have the "www" in its authorization request because I compared the strings. It errors in the "realm" variable which is set by "SERVER['HTTP_HOST']" in the lightopenid library.
It might have something to do with your login form's structure, rather than $_SERVER variables as they are provided by the server, and since you are trying to log into the same server, all outcome should be identical no matter what device you are using.

PHP, Sessions, Cookies - something is happening that doesn't allow some users to log in?

We have about 100 users accessing our website daily. A majority of them have no issues logging in. However, once a month we get a call or email ticket with complaints that users just see the login page refresh, with no error messages or anything.
All error messages are sent through the PHP Session cookie, and of course everything after logging in is based off of that session. The only reason I could think that the page just refreshes HAS to be because they are blocking that session cookie on their local machine...
Now most often the user is on Internet Explorer, but occasionally it even happens with Chrome or Firefox. I've even had a user (on OSX) who tried Safari, Chrome, FF - and it would NEVER let them log in, the page would just basically refresh. I had the user add the website as trusted, and still no luck.
It's the worst because I cannot reproduce it from any network or from any browser/computer, ever.
Does anyone know what could be causing something like this? The site IS forcing SSL (the HTACCESS file redirects to HTTPS). The site IS forcing the session cookie as HTTP-Only and the Secure flag is also set to TRUE (and these 2 are somewhat recent changes).
I'm unsure what other settings on the server or the PHP instance would be causing something like this, or if it's solely a client-side issue (which it appears to be). And if it's client side, I'd like to learn the issue and possible solutions to it.
To preempt everyone, no - I cannot share the website URL for debugging because the client would not appreciate that, unfortunately. Thanks for any help, I'll be happy to answer any question that I can!
Do you have more than one web server behind a load balancer? And are the PHP sessions stored locally on each web server? If so it is the load balancer's job to make sure a user keeps going back to the same server on repeated accesses. If something goes wrong, they could get sent to a server where they do not have a session. It could be some intermittent glitch sending users to the wrong server.
Just guessing, because as others noted, we don't really have enough info.
Does your session cookie have a valid name? I've run into this problem in the past where some browsers don't accept a session cookie if it has an invalid name, but other browsers do accept them;
http://php.net/manual/en/function.session-name.php

Session ID always changing - can't login to my web application from ONE PC!!! Sessions being lost!

We've recently done some installation but I'm facing issues with one PC in particular and it's baffling. We have a web application installed on our local server which is accessed by all our workstations. For some reason we can't log into our web application using one workstation. The application is a PHP MySQL collaboration system. I double checked and for some really odd reason whenever we log in it creates a session ID, but upon logging in and redirecting to another page the session is broken and a new session ID is generated, thus the individual is automatically logged out again.
What could be the issue here - is it a firewall thing - it's not the web application as we can access it fine via the other workstations. We even disabled the firewall but in all cases that single dumb workstation seems to have an issue with maintaining the session.
Help please - I'm sure it's an issue confined to that one PC - what could it be?
Update
The authentication sequence is as follows:
Login
Authenticate user
Build session
Store session variables with session ID in db
Redirect
SESSION variables are empty - a new session ID is generated
Since new session ID is not of an authenticated user - return to login
More details
SSL is not enabled
Cookies are enabled on the problem machine
UPDATE
I don't understand how redirection can be the problem here. My redirection code is as follows. I'm using the following function to redirect to the index page upon successful login.
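function _redirect($url)
{
    // Redirect to the specified page
    if (headers_sent()) {
        // Headers already sent: fall back to a meta refresh,
        // escaping the URL before it goes into the HTML attribute
        $safe = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
        echo "<meta http-equiv=\"refresh\" content=\"0;URL=$safe\">";
    } else {
        header("Location: $url");
    }
    exit;
}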
Plus even if it is an issue, why is it a problem on just one PC and not on the others? I don't wish to change my code just to accommodate one system as opposed to fixing what's wrong with that one system which is preventing it from behaving in the first place.
MORE UPDATE
I just double checked and found something odd. My login is AJAX based, i.e. a request is made via AJAX; if it is a success, the session variables are generated and a boolean 1 is sent back; upon receiving it, the user is redirected via a JavaScript call, which is:
function _redirect(url)
{
    window.location = url;
}
I commented out this call and instead when the user is logged in I manually go to the index page and it works fine!! What the JavaScript redirect is messing up on this one PC that it's not messing up on the other workstations is beyond me :( How do I fix this?
It sounds like the cookie is not being set and sent back to the server properly on this machine. Verify that you have cookies enabled and that you don't have some 3rd party browser extension or other software blocking cookies.
What browser are you using on this workstation? IE? Firefox? Have you tried different web browsers? Tried checking the browser settings yet? What is the timeout set to? Is the time on the server and workstation syncing properly with NTP?
In IE you can disable accepting of session cookies if the security is set to high, I believe.
If you're losing the session, it's likely because the session cookie is not being transmitted. Does the browser on that machine have cookies enabled? Are you using SSL for your login page? Does your login code do anything besides validate a username/password (e.g. validate an IP address or machine name)?
Edit
Can you verify with Fiddler/Wireshark that the session cookie is transmitted when you redirect? Can we see some example login code?
I misunderstood the question to begin with (hence my edit history)
What is the domain the login is on and the main site is on? If it's between domains (could be anything like sending between example.com and www.example.com)
