Session variables too persistent in OpenCart 1.5.3.1 (PHP) - php

I'm using a module called FB JS Connect (a free extension, and I can't seem to find it in Extensions now.) All it does is allow users to login using their Facebook ID.
It works pretty well, and uses FB API.
The problem is that a user logs into OC using the FB Connect button, does something, then logs out. Another user logs in (not using the FB Connect button), and the previous user's FB information is still in $_SESSION!
The 4 variables that persist in $_SESSION are listed below; they stay until a new FB user logs in:
fb__state
fb__user_id
fb__code
fb__access_token
I don't dare to mess around in the code to "fix" this issue without expert advice because it might break a lot of things.
I guess I'll need to clear this manually.
I tried putting the following in index.php, and it seems that $session = new Session(); in index.php is called multiple times when a user logs in.
// Session
$session = new Session();
unset($session->data['fb_<FBAppId>_state']);
unset($session->data['fb_<FBAppId>_code']);
unset($session->data['fb_<FBAppId>_user_id']);
unset($session->data['fb_<FBAppId>_access_token']);
$registry->set('session', $session);
What's the best way to handle this?

Place the above "unset" code into logout.php and this will fix it.
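As an added illustration of that answer (example code, not from the extension or from OpenCart), a helper that drops every fb_<appid>_{state,code,user_id,access_token} key from the session array on logout, whatever the app id is, and rotates the session id so the logged-out session cannot be resumed. The controller location and the $this->session->data array are assumed from OpenCart 1.5's Session class; the helper itself runs stand-alone.

```php
<?php
// Added example, not part of OpenCart or the FB JS Connect extension.

/**
 * Remove every fb_<appid>_{state,code,user_id,access_token} entry from $data.
 * Matching on the suffix avoids hard-coding the Facebook app id.
 * Returns the removed keys so the logout can be logged.
 */
function clear_fb_connect_session(array &$data): array
{
    $pattern = '/^fb_[A-Za-z0-9]+_(state|code|user_id|access_token)$/';
    $removed = [];
    foreach (array_keys($data) as $key) {
        if (is_string($key) && preg_match($pattern, $key)) {
            unset($data[$key]);
            $removed[] = $key;
        }
    }
    return $removed;
}

// Assumed wiring in catalog/controller/account/logout.php (OpenCart 1.5),
// after $this->customer->logout():
//
//   clear_fb_connect_session($this->session->data);
//   session_regenerate_id(true); // old session id becomes invalid as well
//
// Constructed session array for a stand-alone check:
$session = [
    'fb_123456_state'        => 'abc',
    'fb_123456_user_id'      => '42',
    'fb_123456_code'         => 'xyz',
    'fb_123456_access_token' => 'tok',
    'customer_id'            => 7,   // unrelated OpenCart key, must survive
];
$removed = clear_fb_connect_session($session);
assert(count($removed) === 4);
assert(array_keys($session) === ['customer_id']);
echo count($removed), " Facebook keys removed\n";
```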

I am having trouble with this specific extension as well and also cannot find it anymore in the OC extensions repo. My suggestion is to use another extension: http://www.opencart.com/index.php?route=extension/extension/info&extension_id=3333

Related

SimpleSAMLphp overwrites PHP (Zend) session, doesn't happen with older SimpleSAMLphp version

I had to update simplesamlphp on an old PHP server; the old version of the library was from 2010. Simplesamlphp is used as a Service Provider (SP) in an SP-initiated environment.
I replaced it with the 09/'20 release and configured it the same. It's all working except one thing.
SimpleSAMLphp uses the PHP session to store its session; as a feature it replaces the PHP session with its own and should restore the old one once the cleanup() method is called (on the session instance), after the authentication is complete.
This is not working, but I was fine with it because it didn't matter for the user.
Now I have to implement a button to test the SAML integration on a protected page.
By protected I mean it requires the user to be authenticated (through Zend Auth) to view the page, otherwise it automatically redirects (server side) the user to the homepage.
This is the code of the Action of this button (to test the SAML integration), that is inside this protected controller:
require_once('simplesaml/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('cie');
$as->requireAuth(array(
    'saml:idp' => $idp,
));
// --- user is redirected to the IDP and proceeds with authentication...
$attributes = $as->getAttributes();
$session = \SimpleSAML\Session::getSessionFromRequest();
if ($session) {
    $session->cleanup();
}
What happens is:
requireAuth() is called, my current session is put away and replaced with SimpleSAML's one.
user is redirected to the IDP and authenticates
IDP redirects the user back to my page
Zend does its things before my code is run (everything after requireAuth() is never run) and before the cleanup() method is called, so the old PHP session isn't restored
Zend checks the user isn't authenticated (because it's still using SimpleSAML's session) and redirects the user back to the homepage.
That said, this doesn't happen with the old library from 2010: the old PHP session is never lost, and I have no idea why. I checked everything my colleagues changed in the old library back in the day, but there isn't anything that deals with this.
Does anyone have any idea or tip I could follow?
Any workaround / idea to fix this issue?
I've been desperately googling stuff for weeks, but it's so hard to find something specific.
Thank you very much, just for reading this long question.
I managed to fix this issue very easily after many, many hours; I'll write down what I did in case it may help someone else.
My problems were:
simplesamlphp using the same name for the session cookie as my application (I had already tried changing this setting, but because of the second reason below it never worked)
not properly cleaning up the simplesamlphp session in my code
So, first of all, I added a call to the cleanup method because it was missing on the real page. The code posted in my question is the test page; this is the real page, where the call to cleanup() was missing.
$as->requireAuth(array(
    'saml:idp' => $idp,
));
$attributes = $as->getAttributes();
$session = \SimpleSAML\Session::getSessionFromRequest();
if ($session) {
    $session->cleanup();
}
Without calling cleanup(), any value I put in the property session.phpsession.cookiename other than NULL (= use PHP's setting) caused the session to completely break.
So after adding cleanup() I can now specify a value for the property session.phpsession.cookiename (\config\config.php).
I specified a value different from the name used by PHP (because this was the problem), that is, the default value PHPSESSID.
'session.phpsession.cookiename' => 'hSAMLses'
And now it's all working peacefully, hope this answer helps someone because I really struggled too much.

Code Igniter cookies need to be cleared in order to log in

I will start by saying I did not write the code, I inherited it, and I am new to CI on this project. Please let me know if you need further info to help.
Can anyone offer any insight as to why sometimes login doesn't work (just redirects to the login page again with no error) or adding an item to a cart on the site doesn't work (it just doesn't go into the cart) until I clear my cookies?
I clear my cookies and the log in works and I can add items to the cart.
It seems that your code is corrupting (writing bad data to) your session storage (for the cart) and corrupting the cookie too.
Please review where your code alters session storage (maybe in some JavaScript library) and the cookie for login (check your login controller PHP file in CI).

PHP how to manage multiple session in same browser using cookies?

I'm new to PHP, I read other articles without finding the answer I'm looking for, but still don't know if what I want to do makes sense or not.
I'm using PHP 7.
My user authentication page, checks credentials and then executes session_start(), creating the session server-side and a cookie client-side in the browser.
Each other page of the web application then calls session_start() to resume session information, in this case checking the cookie. Everything works fine so far... at least when I have a single login.
I'd like to be able to have more than one user SIMULTANEOUSLY logged in to the same browser (in another tab, for example) using cookies. I don't want to append the session ID to the URL.
I managed to create different sessions on the server side using session_id() before session_start() in the authentication page, based on the username, but the problem is on the client side.
The first successful login (session_start()) creates a cookie and the second login updates the same cookie corrupting the previously created session.
Therefore when it comes to resume the session, session_start() will resume only the last session, mixing the data fetched from DB based on session info.
Is there a way to make session_start() create a cookie for each login and make PHP resume the correct session using cookies?
Any ideas?
FURTHER DETAILS:
I'm updating a legacy app trying to fix some security issues. The need for multiple sessions comes from administrative purposes where admins access the same site. The reason a separation of sessions is needed is that, depending on the session info, the data are fetched from a different database. Therefore, regular usage would only need one session per user, but the administrator needs to make multiple logins, viewing different data depending on that login.
The default PHP behaviour is to handle sessions using cookies.
...and the default behaviour for browsers is to "reuse" the same set of cookies if you revisit a URL in another tab. So, as mentioned below:
The simplest way is probably to start another browser. Not the same browser, but e.g. Firefox and Chrome, if you have multiple browsers installed.
Another way would be to install a browser plugin, like Sessionbox for Chrome or Multifox for Firefox.
Edit, for clarity: I can think of two cases when multiple sessions would be used:
During development. Depends on the application, but an obvious case would be testing communication between two users.
After deployment. Though I've never seen a site that required multiple logins for the same user account.
This is my frame of reference. Based on this I assumed the question was for development. I'm not suggesting that the site should require installing extra packages. Flash would be about the only one that's ever gotten away with that...
You can use the same session but change the variable names that you are looking for:
if ( $_SERVER['REQUEST_URI'] == '/admin/' ):
    $session_name = 'session1';
else:
    $session_name = 'session2';
endif;
// session_start() does not take a name; select the cookie name first, then start.
session_name( $session_name );
session_start();
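The per-area cookie idea above, and the cookie-name clash from the SimpleSAMLphp question earlier on this page, both come down to the same mechanism: two sessions can coexist in one browser only if they travel in differently named (or differently scoped) cookies. This added example (not from either question's author) selects the cookie name and path per request before session_start() and sets hardened cookie attributes; the cookie names ADMINSESSID/APPSESSID and the /admin/ path are made up, and the array form of session_set_cookie_params() needs PHP 7.3 or later.

```php
<?php
// Added example, not part of either question on this page.

/**
 * Map a request path to the cookie that carries its session.
 * Admin pages get a cookie the browser only sends under /admin/, so an
 * admin login and a regular login no longer overwrite one cookie.
 */
function session_cookie_for_path(string $requestPath): array
{
    if (strpos($requestPath, '/admin/') === 0) {
        return ['name' => 'ADMINSESSID', 'path' => '/admin/'];
    }
    return ['name' => 'APPSESSID', 'path' => '/'];
}

/**
 * Start the session with the per-area cookie name and hardened attributes.
 * session_name() and session_set_cookie_params() must run before
 * session_start() and before any output is sent.
 */
function start_scoped_session(string $requestPath): string
{
    $cookie = session_cookie_for_path($requestPath);
    session_name($cookie['name']);
    session_set_cookie_params([
        'path'     => $cookie['path'], // /admin/ cookie is never sent to /checkout
        'secure'   => true,            // only over HTTPS
        'httponly' => true,            // not readable from JavaScript
        'samesite' => 'Lax',
    ]);
    session_start();
    return $cookie['name'];
}

// Usage in the front controller, before any output:
//   start_scoped_session($_SERVER['REQUEST_URI']);
//
// Constructed check that runs without a web server: the two areas resolve to
// different cookies, which is what keeps their session data apart.
$admin = session_cookie_for_path('/admin/users');
$shop  = session_cookie_for_path('/checkout');
assert($admin['name'] !== $shop['name'] && $admin['path'] !== $shop['path']);
echo "admin cookie: {$admin['name']}, shop cookie: {$shop['name']}\n";
```

Both sessions still live in the same save path, but under different ids, so the data never mixes; the same rule is what the SimpleSAMLphp answer applies by giving session.phpsession.cookiename a value other than PHPSESSID.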

how to get $_SESSION value in cakephp

I am setting up a user session from a core php app that is located in example.com/corephp/, now I want to redirect this user to example.com (the main site) which is in cakephp.
How can I retain the user session from the core php app to cakephp app?
I tried setting $_SESSION['user'] = someone and $_SESSION['token'] = token from the core php app and tried to retrieve those values from the cakephp app, but it didn't work.
I tried to google for this but no proper answer that could work.
Thanks in advance.
Edit:
I have tried adding session_name('CAKEPHP'); to the core php app.
As well as tried to reduce the security level of my cake app from medium to low.
Didn't test, but try this.
In your corephp app:
$_SESSION['Auth']['User'] = $someone;
My reasoning is that it will set the $_SESSION, but maybe CakePHP doesn't recognize it for some reason. So we set it the right way using Cake's API:
In CakePHP
$this->Session->write('Auth.User', $_SESSION['Auth']['User']);
Always use the session wrappers; that's what they are there for.
in the controller:
http://book.cakephp.org/2.0/en/controllers/components.html#using-components
in the view:
http://book.cakephp.org/2.0/en/core-libraries/helpers/session.html
everywhere else:
http://book.cakephp.org/2.0/en/development/sessions.html#reading-writing-session-data
Never ever access it using $_SESSION and you should be fine (Cake inits the session for you and takes care of a lot of things under the hood).
If you share the session, make sure you set the session name identically. Both should also use the same session type (php, probably).

Where are MediaWiki's sessions set?

I have my own login system, and I want MediaWiki to share the same session. I'm trying to have my login system automatically login to my MediaWiki too which means I would probably have to share the same user database too.
Advice?
Not sure if this is exactly what you want, but we use LDAP Authentication.
The session is set in includes/GlobalFunctions.php. If you want to fake a user login to mediawiki after the user logs in to your system, you'll need to make sure that the cookie parameters match (e.g. the cookie URL must be the same); have a look at the arguments they use to construct it in the call to session_set_cookie_params.
Once you've got the session set up correctly, you'll need to load a user and inject it to the session so that when mediawiki goes to check if the user is logged in, it finds your injected user and goes right ahead. Look in includes/User.php, the User::loadFromSession call looks like a promising place to figure out what they expect to find there.
If you make changes directly to the MediaWiki source, you'll have a hard time upgrading to future versions of MediaWiki. It would be much better to use the existing authentication plugin framework:
http://www.mediawiki.org/wiki/AuthPlugin
You didn't specify what your existing login system is, but if you're lucky somebody has already built a plugin for it:
http://www.mediawiki.org/wiki/Category:User_identity_extensions
