I have followed the authentication tutorial in the CakePHP documentation and created a working login system.
One thing I'm trying to do is have the user redirected to the action they were trying to access initially when not logged in, after they complete login.
I believe the page they were visiting is supposed to be written to Auth.redirect within the session by the startup function in the Auth component, however this doesn't appear to be working.
In my users controller I have added the following to the beforeFilter:
$this->Auth->allow('add', 'login');
Therefore when trying to access the edit action I'm redirected automatically to the login action.
In the login action, I've included:
debug($this->Session->read());
debug($this->referer());
This is outputting the session information, and in this session there is no mention of Auth.redirect, so neither the Auth function nor I am able to use this to redirect the user with.
I've tried using $this->referer but for some reason when being redirected automatically by the auth function the referer isn't being tracked either.
Does anyone know a reason why auth.redirect might not be being written and why $this->referer isn't being populated when redirected by the auth function?
I must note I am on a windows machine using WAMP. However my add action redirects to login after success and debug($this->referer()); picks up the redirect URL when this occurs so the headers must be working fine.
Further Notes:
I've identified the issue with CakePHP by looking through the sessions stored in the database.
It seems that the auth.redirect is stored in the session, however for some reason a new session is generated when the user is redirected clearing the previous data.
Is there any way to stop CakePHP creating new session ids for users?
I've identified the issue as to why auth.redirect wasn't working.
I had set a custom session cookie name in core.php, for some reason the session component doesn't work with the custom cookie name and therefore creates a new session on every page.
If you are experiencing problems with sessions and you have a custom session cookie name, reset it to default and it will work.
I will be submitting this as a bug to CakePHP.
Further Note
I identified the issue was occurring because of a . in the cookie name; without this . the custom cookie name performs as it should.
Related
The issue here is I am trying to log in to my system via Ajax. Let me explain it to you first.
When my user puts in his login details, they are sent to the server via an Ajax request, and once they are verified I create an entry in a session and save information like the userid and a logged_in flag.
And then I return those values through JSON back to the user, where they are processed by a piece of JavaScript that redirects the user to the dashboard.
If the user is not authenticated it shows an error.
But now what's happening here is: when I create a session variable and the user is redirected to the dashboard, sometimes it does not create the session variables, and that's why I can't show the logout button.
Any help will be appreciated.
If you’ve used AJAX-heavy web apps built on a CI backend, you might have noticed premature session expiration, even if your expiration was set to never expire ($config['sess_expiration'] = 0; in application/config/config.php).
This was apparently due to AJAX requests not regenerating sessions, and apparent collisions. Long story short, last month there was a patch introduced without much fanfare, which (so far) seems to be working for me.
Replace your system/libraries/Session.php file with the one found here (CI’s git):
https://raw.github.com/EllisLab/CodeIgniter/b211adee89f5fd2192051e9c0826146bd150f469/system/libraries/Session.php
A problem comes up when I upload the site to an online server. User authentication was working on my local computer, but when I upload it to a server, it is not working. When I sign in, it redirects me back to the login page.
I have checked and found that when the page refreshes, the user info is flushed from the session and it redirects back to the login page.
$this->setState('username', $user->username);
The setState method is also not giving the information on the next page.
Please help me out with a possible solution.
Thanks
Make sure that your session was started automatically in the php.ini config ("session.auto_start = 1") or that it was started manually by session_start() or a similar Yii function:
$session=new CHttpSession;
$session->open();
And check your session status by session_status() function.
I've got a symfony site that is designed to be used in an iframe on another site. For all browsers it works fine, except Safari, because Safari doesn't let an iframe set any cookies. Instead of logging in, I am returned to a blank login page with no errors.
The solution I've been trying is to set PHPSESSID as a hidden field on the form, and use that to keep track of the session instead of a cookie. The problem I have is that after logging in, formlogin seems to set a new session key and send a redirect. I can't get the right session key on this redirect.
I've tried to add the session key to the end of the redirected URL by adding the following to the end of the app.php (this is very unsymfonic, but I'm getting pretty desperate).
foreach(headers_list() as $header) {
    if (substr($header,0,9) == "location:") {
        if (strpos($header, '?')===FALSE && strpos($header, '#')===FALSE ) {
            header($header."?PHPSESSID=".session_id());
        }
    }
}
This adds a session key, but it seems to be adding the old session key, not the new one that has been created by the form login. As a result, when I try to login I get the message "Your session has timed-out, or you have disabled cookies.".
How can I get the right session_id? Is there a better way to do this?
What you get is simply an additional security check to prevent malicious users from faking sessions. The same behavior will happen if you load the page with the login form, then remove all cookies, then try to authenticate.
The check is defined at this line. The checking method is self-explanatory and pretty clear.
For your special task I'd say that this would not be the preferred behavior, so you should override this class.
There is quite good documentation on how to write a custom authentication provider - that could be the starting point for your inspiration ;)
I have built a very simple CakePHP website using the Auth component and have stumbled across a very annoying bug. Basically if a user tries to access an area that they are required to log in to first they are taken to a login page and then sent back to the original page if they successfully log in... this is all fine and dandy but because this remembrance of where the user tried to go is stored in a session it hangs around, so if I ended up at the login page then decided to go elsewhere then come back and then GO DIRECT to the login form it will send me to the page I tried to access earlier on as it's still being stored in the session.
How do I stop this? As it means users are being sent to random pages when they login from the login page if they tried to access the site previously.
This isn't a bug. This is intended, documented behavior.
Fortunately, CakePHP is well documented. You can check out the 1.3 book, which details the variables needed to change default Auth behavior, specifically the $this->Auth->autoRedirect property.
I've a Code Igniter project using database-backed sessions. The web application is password protected, meaning that I have an abstract controller checking if the user is logged in before I allow him to see any pages, apart from the login form.
While I had no problems implementing this, I'm having some difficulty understanding how to make the application redirect the user to the page he wanted to see if he needs to log in first.
How it goes: the user is logged out and types in a URL. The application detects he's not logged in, so it sends him to the login page and creates a row in the ci_session table. At the same time I store the URL the user entered in the session object using either flashdata or userdata. My problem is that once the user logs in, the application will create a new row in the database, meaning a new session, completely ignoring the values I stored previously.
Shouldn't it be one row per session?
The CI URL Helper has a redirect function that you can use. http://codeigniter.com/user_guide/helpers/url_helper.html
Does a "header redirect" to the local URI specified. Just like other functions in this helper, this one is designed to redirect to a local URL within your site. You will not specify the full site URL, but rather simply the URI segments to the controller you want to direct to. The function will build the URL based on your config file values.
The optional second parameter allows you to choose between the "location" method (default) or the "refresh" method. Location is faster, but on Windows servers it can sometimes be a problem. The optional third parameter allows you to send a specific HTTP Response Code - this could be used for example to create 301 redirects for search engine purposes. The default Response Code is 302. The third parameter is only available with 'location' redirects, and not 'refresh'. Examples:
if ($logged_in == FALSE)
{
    redirect('/login/form/', 'refresh');
}
// with 301 redirect
redirect('/article/13', 'location', 301);
I think you're misunderstanding how sessions work between a browser and your web application. When a user opens your login page, they are assigned a unique session ID which CodeIgniter keeps track of. Unless your session gets expired, either forcefully by logging out or due to your own session expire settings, CodeIgniter should only be writing 1 row per unique session in your database. Make sure you have your sess_expiration variable in config.php set to something realistic.
I don't see how removing the underscore from your cookie name could have fixed this, as the name has nothing to do with how sessions work in general.
You can use something like this.
When the user tries to access a page like
http://test.com/userpage.php
If he is not logged in, redirect him to
http://test.com/login.php?redirectpage=userpage.php
(This redirect will be done by userpage.php after checking the login status from the cookie or the session.)
The login page has the value "redirectpage" and once the user logs in at the login page, redirect him to the page he was previously trying to visit.
You will have to check the user login status in all the pages that you need the user to be logged in.
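Added example, not part of the original answer: the redirectpage value arrives in the query string, so the login page should accept it only when it names a page on the same site and fall back to a default otherwise. safe_redirect_target(), the /dashboard default and the sample values are hypothetical and constructed for illustration.

```php
<?php
// Added example: accept only a same-site path as the post-login target.
// safe_redirect_target() is a hypothetical helper name.
function safe_redirect_target(?string $target, string $default = '/'): string
{
    if ($target === null || $target === '') {
        return $default;
    }
    // Control characters would allow header injection; some browsers
    // treat a backslash as a forward slash ("/\host" becomes "//host").
    if (preg_match('/[\x00-\x1F\x7F\\\\]/', $target)) {
        return $default;
    }
    $parts = parse_url($target);
    // A scheme ("http:", "javascript:") or a host ("//host/") means the
    // value does not point at a page of this site.
    if ($parts === false || isset($parts['scheme']) || isset($parts['host'])) {
        return $default;
    }
    // Root the path at the site: "userpage.php" becomes "/userpage.php".
    $path = '/' . ltrim($parts['path'] ?? '', '/');
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }
    return $path;
}

// Constructed sample values for the redirectpage parameter.
$samples = [
    'userpage.php',
    '/account/edit?id=7',
    'http://other.example/userpage.php',
    '//other.example/userpage.php',
    "userpage.php\r\nSet-Cookie: sid=1",
    'javascript:alert(1)',
];
foreach ($samples as $value) {
    $shown = json_encode($value, JSON_UNESCAPED_SLASHES);
    printf("%-40s => %s\n", $shown, safe_redirect_target($value, '/dashboard'));
}

// In login.php, after the credentials check succeeds (not run here):
// header('Location: ' . safe_redirect_target($_GET['redirectpage'] ?? null, '/dashboard'));
// exit;
```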
Solved it.
My problem was not how to redirect or how to store data. My problem was the application creating two sessions per request.
I changed the name of my cookie to something that didn't include underscores and voila, fixed. One session per request and everything works as it should.