I am having a problem when uploading my site to an online server. User authentication was working on my local computer, but when I upload it to a server it does not work. When I sign in, it redirects me back to the login page.
I have checked it out and found that when the page refreshes, the user info from the session is flushed away and it redirects back to the login page.
$this->setState('username', $user->username);
The setState method is also not passing the information on to the next page.
Please help me out with a possible solution.
Thanks
Make sure that your session was started automatically via the php.ini setting "session.auto_start = 1", or that it was started manually by session_start() or the equivalent Yii call:
$session=new CHttpSession;
$session->open();
And check your session status with the session_status() function.
I developed a web application that allows both entrepreneurs and customers to log in through two different login portals. I developed the application locally, using an XAMPP (i.e. Apache) configuration. There, it worked perfectly.
I am now trying to have it run on a Lighttpd web server which works OK. I'm running into a weird issue. If I use the customer login, everything works fine, the session gets created, and the customer keeps having access to his account data.
When I login through the entrepreneur portal, something strange happens. When I var_dump()'d the $_SESSION variable, directly after logging in shows me the session object correctly. When pressing F5, or navigating to another page in the portal, the $_SESSION variable gets destroyed and var_dump($_SESSION) shows an empty array.
I found "Why PHP Session Destroyed?", which proposes a solution to fix Lighttpd destroying sessions. I assume that is not the problem, as my sessions work at one login portal while not at the other.
Does anyone have a clue why my session gets destroyed?
This is how I set my session variable:
$_SESSION["ll_oid"] = $q["id"];
(where $q["id"] is the entrepreneur ID)
And this is how I check it:
$id = $_SESSION["ll_oid"] ?? null;   // avoid an undefined-index notice when the key is missing
if ($id === null) {
    session_destroy();
    header("Location: index.php");
    die();
}
At all pages, session_start() is called before any headers are sent.
I have an application where the login and logout works correctly. Once the user logs out, and tries to access a page he needs authentication for, he is redirected to the login screen.
Where my problem lies is this: if, while I am logged in, I copy the cookie values and save them in a file, then after logout I alter the cookie and add the same values, I get logged back into the application as the same user.
On logout I have written a function that loops over all the cookies and deletes them.
My understanding is that cookies are both on the client and also on the server side. So if the cookies are getting deleted, they are getting deleted on both sides, and the server would not recognize them after they have been cleared, even if the browser sends them back again (apparently that is not the case, I think).
The reason why I am doing this is because this is one of the points raised by our security auditor, and I need to get a way to fix this hole. (At this point doing https is not feasible)
I'd be happy if someone can give me pointers on how I can clear out the cookies on the server side as well, so, when the next time someone hits the server with the same cookie, it does not accept it as a valid cookie.
Edit:
I am using CodeIgniter sessions and tank_auth as the authentication library. At logout, the library itself calls
$this->ci->session->sess_destroy();
To be extra sure, I tried the following after a few attempts:
session_start();
session_regenerate_id(true);                         // rotate the id while the session is still active
session_unset();
session_destroy();
session_write_close();
setcookie(session_name(), '', time() - 3600, '/');   // expire the cookie instead of re-setting it with expiry 0
My regular logout works, and if I try to access the page directly it does not open.
But if, while I am logged in, I take my cookie, save it somewhere, log out successfully and replace the cookie with my older one, I get right back into the session.
Is there a way to stop this behavior, where the server side will not entertain a session after it has been destroyed? I also made sure that my server and PHP are on the same timezone (setting it with date_default_timezone_set).
Cookies are not stored on the server at all. Those are stored in the browser and then sent to the server in the request headers. You can easily find software and plugins for browsers that allow you to create/edit/delete cookies. For that reason you should never store sensitive information in cookies. Essentially what you want to do is store the user data in a session and then store the session name in a cookie. Usually this is done automatically in php when you use the function session_start().
If you are using CodeIgniter, the PHP session functions are wrapped in a CI session library that is auto-loaded on each page load. So instead of storing data in $_COOKIE you will want to get/set your data via the userdata methods in the session library:
// in your controller
// save session data after the credentials have been verified
$userdata = array(
    "isLoggedIn" => true,
    "username"   => $this->input->post('username'),   // CI's input class instead of raw $_POST
);
$this->session->set_userdata($userdata);
// get session data later
$isLoggedIn = $this->session->userdata("isLoggedIn");
if (!$isLoggedIn) {
    // if the user is not logged in, destroy the session and send them to the login screen
    $this->session->sess_destroy();
    redirect("/");
}
Note that the code above is not tested and is only supposed to give you an idea on where to go. If the session methods aren't working for you, you may need to load the library in manually:
//in the __construct method of your controller:
$this->load->library("session");
You can find more information here:
http://ellislab.com/codeigniter/user-guide/libraries/sessions.html
and here:
http://www.php.net/manual/en/book.session.php
Thanks for your answers, guys.
This is what I figured out later. I am not sure what was causing this, but the sessions were not getting invalidated after trying everything. I moved the CodeIgniter sessions to the database. Then the logouts started working correctly: after logout, if the 'stolen'/'saved' cookie was put into the browser again, it would not log the user back in.
So that's what solved it.
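Why moving the sessions into the database fixed the replay: CodeIgniter 2.x's Session class keeps the whole session array in the (encrypted) cookie unless sess_use_database is enabled, so a logout leaves nothing on the server to invalidate, and a saved copy of the cookie is still a complete, valid session. With a server-side store, destroying the session removes the record, and a replayed id refers to nothing. The following is an added PHP 8 example, not code from the question, the answers, CodeIgniter or tank_auth: a minimal SessionHandlerInterface implementation backed by an in-memory SQLite table (table and column names are assumptions), combined with session.use_strict_mode so PHP refuses an id the store does not know. It simulates the three requests from the question (login, logout, replay) in a single CLI run by setting the session id by hand.

```php
<?php
declare(strict_types=1);

// Server-side session store: the cookie carries only the id, all data lives here.
// Table and column names are assumptions made for this example.
final class DbSessionHandler implements SessionHandlerInterface, SessionUpdateTimestampHandlerInterface
{
    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS sessions (id TEXT PRIMARY KEY, data BLOB NOT NULL, updated INTEGER NOT NULL)');
    }

    public function open(string $path, string $name): bool { return true; }
    public function close(): bool { return true; }

    public function read(string $id): string|false
    {
        $st = $this->db->prepare('SELECT data FROM sessions WHERE id = ?');
        $st->execute([$id]);
        $data = $st->fetchColumn();
        return $data === false ? '' : (string) $data;   // unknown id: empty session
    }

    public function write(string $id, string $data): bool
    {
        $st = $this->db->prepare('REPLACE INTO sessions (id, data, updated) VALUES (?, ?, ?)');
        return $st->execute([$id, $data, time()]);
    }

    // The step a cookie-only store cannot perform: once the row is gone,
    // a replayed cookie points at nothing.
    public function destroy(string $id): bool
    {
        return $this->db->prepare('DELETE FROM sessions WHERE id = ?')->execute([$id]);
    }

    public function gc(int $max_lifetime): int|false
    {
        $st = $this->db->prepare('DELETE FROM sessions WHERE updated < ?');
        $st->execute([time() - $max_lifetime]);
        return $st->rowCount();
    }

    // With session.use_strict_mode=1 PHP asks this before accepting an incoming id;
    // an id the store does not know is replaced by a freshly generated one.
    public function validateId(string $id): bool
    {
        $st = $this->db->prepare('SELECT 1 FROM sessions WHERE id = ?');
        $st->execute([$id]);
        return $st->fetchColumn() !== false;
    }

    public function updateTimestamp(string $id, string $data): bool
    {
        return $this->write($id, $data);
    }
}

ini_set('session.use_strict_mode', '1');   // never adopt an id the server did not issue
ini_set('session.use_cookies', '0');       // CLI demo: the "browser cookie" is the $saved variable
session_set_save_handler(new DbSessionHandler(new PDO('sqlite::memory:')), true);

// Request 1: successful login.
session_start();
$_SESSION['user_id'] = 42;
$saved = session_id();                     // the value the question's author copied out of the cookie
session_write_close();

// Request 2: logout. Destroying the session deletes the server-side row.
session_id($saved);
session_start();
$_SESSION = [];
session_destroy();
// In a real HTTP response, also: setcookie(session_name(), '', time() - 3600, '/');

// Request 3: the saved cookie is replayed after logout.
session_id($saved);
session_start();
$stillLoggedIn = isset($_SESSION['user_id']);
$freshId       = session_id() !== $saved;  // strict mode rejected the dead id and issued a new one
session_write_close();

printf("replayed cookie still logged in: %s; server issued a new id: %s\n",
    $stillLoggedIn ? 'yes' : 'no', $freshId ? 'yes' : 'no');
```

Run it from the command line with the pdo_sqlite extension enabled. Two details carry over to a real deployment: the logout response must still expire the browser's cookie (the commented setcookie call), and strict mode matters independently of the store, because without it PHP accepts an unknown id and starts a new empty session under an attacker-chosen value, which is the session-fixation hole that use_strict_mode closes.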
Magento (v1.12) redirects me back to the login page straight after a user has logged in. If I look at the request list in Firebug after pressing the login button, it shows me:
http://dev.myweb/customer/account/loginPost/
http://dev.myweb/customer/account/
http://dev.myweb/customer/account/login/
So it's going back to the login page. Even if I manually copy and paste http://dev.myweb/customer/account/ into the browser, it goes back to the login page.
The following was found after some debugging of the issue:
This happens because the frontend cookie is not getting created when the session starts. Why it's not getting created is the issue.
This happens only on my local environment. It's really frustrating. Any ideas?
Do this to resolve it:
Check the Cookie settings under System -> Configuration -> Web
Session Cookie Management
Cookie Lifetime = 3600
Cookie Path = (blank)
Cookie Domain = .yourdomain.com [this is (dot)yourdomain.com]
Use HTTP Only = Yes
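On the Cookie Domain setting: a browser stores a Set-Cookie only if its Domain attribute domain-matches the request host (RFC 6265 section 5.1.3; a leading dot in the attribute is ignored), and a blank domain produces a host-only cookie that is accepted everywhere. A Domain of .yourdomain.com is fine on www.yourdomain.com but is silently dropped on a local host such as dev.myweb, so no frontend cookie is ever created and every request starts a new session, which is one way to get exactly the login loop described above. The following is an added PHP example, not Magento code and not part of the answer, implementing the matching rule and running it over the hosts from this thread plus a few constructed ones.

```php
<?php
declare(strict_types=1);

// RFC 6265 section 5.1.3 domain matching, as a browser applies it to the Domain
// attribute of a Set-Cookie header. A leading dot in the attribute is ignored.
function cookieDomainMatches(string $requestHost, string $cookieDomain): bool
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(ltrim($cookieDomain, '.'));
    if ($domain === '') {
        return true;                  // no Domain attribute: host-only cookie, always accepted
    }
    if ($host === $domain) {
        return true;                  // identical strings match
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;                 // an IP address never suffix-matches a domain
    }
    // Domain must be a suffix of the host, with a '.' immediately before it.
    return str_ends_with($host, '.' . $domain);
}

// Human-readable verdict for a host / Cookie Domain pair.
function explainCookieDomain(string $requestHost, string $cookieDomain): string
{
    $shown = $cookieDomain === '' ? '(blank)' : $cookieDomain;
    return cookieDomainMatches($requestHost, $cookieDomain)
        ? sprintf('%-20s accepts Domain=%s', $requestHost, $shown)
        : sprintf('%-20s REJECTS Domain=%s (cookie never stored, login loops)', $requestHost, $shown);
}

// Constructed cases: the production domain from the answer, the local host from the question.
foreach ([
    ['www.yourdomain.com', '.yourdomain.com'],
    ['yourdomain.com',     '.yourdomain.com'],
    ['dev.myweb',          '.yourdomain.com'],
    ['dev.myweb',          ''],
    ['127.0.0.1',          '.0.0.1'],
] as [$host, $domain]) {
    echo explainCookieDomain($host, $domain), PHP_EOL;
}
```

The practical check is therefore: the Cookie Domain value must be a suffix of every host name the store is actually served from, and leaving it blank is the safe choice for a local environment whose host name differs from production.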
I have followed the authentication tutorial in the cakephp documentation and created a working login system.
One thing I'm trying to do is have the user redirected to the action they were trying to access initially when not logged in, after they complete login.
I believe the page they were visiting is supposed to be written to Auth.redirect within the session by the startup function of the Auth component; however, this doesn't appear to be working.
In my users controller I have added the following to the beforeFilter:
$this->Auth->allow('add', 'login');
Therefore when trying to access the edit action I'm redirected automatically to the login action.
In the login action, I've included:
debug($this->Session->read());
debug($this->referer());
This is outputting the session information, and in this session there is no mention of Auth.redirect, so neither the Auth function nor I am able to use it to redirect the user.
I've tried using $this->referer, but for some reason, when being redirected automatically by the Auth function, the referer isn't being tracked either.
Does anyone know a reason why Auth.redirect might not be being written, and why $this->referer isn't being populated when redirected by the Auth function?
I must note I am on a windows machine using WAMP. However my add action redirects to login after success and debug($this->referer()); picks up the redirect URL when this occurs so the headers must be working fine.
Further Notes:
I've identified the issue with CakePHP by looking through the sessions stored in the database.
It seems that the auth.redirect is stored in the session, however for some reason a new session is generated when the user is redirected clearing the previous data.
Is there anyway to stop CakePHP creating new session ids for users?
I've identified the issue as to why auth.redirect wasn't working.
I had set a custom session cookie name in core.php; for some reason the session component doesn't work with the custom cookie name and therefore creates a new session on every page.
If you are experiencing problems with sessions and you have a custom session cookie name, reset it to default and it will work.
I will be submitting this as a bug to CakePHP.
Further Note
I identified that the issue was occurring because of a . in the cookie name; without this . the custom cookie name performs as it should.
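Why a dot in the cookie name breaks the session: when PHP fills $_COOKIE (as with $_GET and $_POST) it rewrites dots and spaces in incoming variable names to underscores, while the session module looks the cookie up under exactly session_name(). A name such as my.app therefore arrives as $_COOKIE['my_app'], the lookup misses on every request, and PHP starts a fresh session each time, which is the symptom described above. The following is an added PHP example, not code from the question or from CakePHP; it uses parse_str(), which applies the same name mangling, to reproduce what $_COOKIE would hold for a constructed Cookie header (the cookie names and values are made up).

```php
<?php
declare(strict_types=1);

// PHP mangles '.' and ' ' in incoming variable names to '_' when it fills
// $_GET, $_POST and $_COOKIE. parse_str() runs the same routine, so it
// reproduces what $_COOKIE would contain for a raw Cookie request header.
function cookiesAsPhpSeesThem(string $cookieHeader): array
{
    // A Cookie header is "name=value; name2=value2"; parse_str() wants "&"-separated pairs.
    $pairs = array_filter(array_map('trim', explode(';', $cookieHeader)));
    parse_str(implode('&', $pairs), $seen);
    return $seen;
}

// The session module reads $_COOKIE[session_name()] verbatim. Returns the id it
// would find, or null when the lookup misses and a new session gets created.
function sessionIdForName(string $cookieHeader, string $sessionName): ?string
{
    $seen = cookiesAsPhpSeesThem($cookieHeader);
    return $seen[$sessionName] ?? null;
}

// Reports whether a configured session name can ever be found in $_COOKIE.
function diagnoseSessionName(string $cookieHeader, string $sessionName): string
{
    if (sessionIdForName($cookieHeader, $sessionName) !== null) {
        return sprintf('%s: cookie found, session resumes', $sessionName);
    }
    $mangled = strtr($sessionName, ['.' => '_', ' ' => '_']);
    if ($mangled !== $sessionName && array_key_exists($mangled, cookiesAsPhpSeesThem($cookieHeader))) {
        return sprintf('%s: browser sent it, but PHP filed it as %s; new session on every request',
            $sessionName, $mangled);
    }
    return sprintf('%s: cookie absent', $sessionName);
}

// Constructed Cookie header, as a browser would send it back to the server.
$header = 'my.app=abc123def456; CAKEPHP=789xyz';

echo diagnoseSessionName($header, 'CAKEPHP'), PHP_EOL;   // default-style name: resumes
echo diagnoseSessionName($header, 'my.app'), PHP_EOL;    // dotted name: filed as my_app
echo diagnoseSessionName($header, 'other'), PHP_EOL;     // not sent at all
print_r(cookiesAsPhpSeesThem($header));
```

The equivalent check on a live server is to compare session_name() against array_keys($_COOKIE) after session_start(): if the configured name is missing but its underscore variant is present, the cookie name itself is the problem, and restricting it to letters, digits and underscores fixes it.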
I am trying to have a user login to a Joomla site from an external site and then be redirected to a page where only registered users can view it. I used this script and it seems to be working somewhat. I can see the user logged in via the Joomla admin panel, however when I put in a redirect at the end of the script ie.
header('Location: registered page url');
Joomla prompts me to log in in order to view the registered page. What am I doing wrong? The original post never did discuss how to redirect the user. Also, when I don't put the redirect in the code, the browser just goes to a blank white page. Is that normal? Shouldn't it go to the home page of the curled site?
Also note that I've tried adding a return url to the code:
$loginRedirectUrl = 'index.php?option=com_content&view=article&id=146&Itemid=178';
$loginRedirectUrl = base64_encode($loginRedirectUrl);
$postfields['return'] = $loginRedirectUrl;
When I did a print_r($postfields) it returned everything filled up. Including the encoded return url and token. So, I'm highly confused as to why it looks like I'm logged in but the browser still somehow isn't keeping the cookies or something like that.
Cookies are not disabled.
Any help would be greatly appreciated. Thanks in advance.
Let's see if we can cover this one step at a time. The bit of code in the other post just handles the logging in stuff. If you run it unedited, then you will just end up with a blank page when it runs, so that is normal.
Next, if everything including the token is showing up in $postfields, then the next thing I would check is whether the Joomla admin shows a logged-in session. If it does, then the problem is in the cookie being transferred to the browser. If it isn't, then it would indicate that the session was created but the login failed for some reason.