How can I make a valid Auth session with all subdomains including www.example.com and http://example.com addresses
Now CakePHP just broke Auth session if one is created on www., and you visit the website without www.! And vice versa.
I can't use redirect to http://www.example.com if users are comming without using www., because there will be a lot of subdomains and redirect becomes not an option.
Thanks!!!
I'm not at my computer at the moment, but you might be able to override the session domain by adding this to your app/Config/bootstrap.php
ini_set("session.cookie_domain", ".example.com");
The CakePhp Session doesn't seem to have a configuration option to set this, but the standard php configuration should probably work.
Related questions can be found here;
CakePHP keep session from main domain across to a subdomain
PHP Sessions across sub domains
Related
I have developed a website and deployed it via Google App Engine. But when I open the website with full url let's say "https://www.website.com" it opens but when I type "website.com" in url section of the browser it doesn't opens and says the site is not secure. How can I resolve this?
It looks like a couple of things are happening
If you just type in 'website.com', the browser will try to open 'http://website.com' (note there is no subdomain -www i.e. you are using the naked domain) unless you have done a redirection to 'www' in which case, you will get 'http://www.website.com'
If you have specified 'secure' always in your 'app.yaml' file, then GAE will redirect the 'http' to 'https'
It seems like
a) You have specified 'secure always' in your app.yaml file
b) You are not redirecting naked domain to sub-domain
c) You have mapped the sub domain, 'www' to your GAE appspot domain. You have not mapped the naked domain
Solution
Map both naked and subdomain (www) of your custom domain to your appspot.com urls
Enable SSL for both mappings
The browser will give you a not secure message but it will also allow you to "proceed with risk".
For example, take a look at this image:
chrome screenshot ssl warning
Click on Advanced >> Proceed to website name (unsafe). This will take you to the website.
Basically, the original problem is that your website is not redirecting to https when someone lands on the http page.
Follow this tutorial here to do so:
https://cloud.google.com/appengine/docs/standard/nodejs/application-security
Edit 1
I have just read your question again. I think your website does redirect from http to https but the problem is that the SSL certificate attached to this website is invalid. You need to have a good SSL certificate; one which has not expired.
I have a project where subdomains are created for each of my users. So, if my project is example.com, a customer of mine might have steve.example.com.
I then added social logins with Google and Facebook. For Google's "Authorized JavaScript origins" and "Authorized redirect URIs", they don't allow wildcard domains. What's the best way to handle this?
Next, it gets more complicated for users that want to load steve.example.com on their own domain via CNAME. So if example2.com's DNS is pointed to steve.example.com, it appears I need to add example2.com to my Authorized Javascript Origins. What's the best way to handle this? Can I add it via API? I can't find any documentation regarding this and I'd rather not have to manually add 1000 subdomains and domains to Google.
Do you want a user to authorize a scope "A" for site 1 and get it auto approved for site 2? Most likely not.
If you use the same client ID (put these all in the same project) that means they should just be approved once by a user. This may be a privacy violation if the sites are different and a user may not want to sign-in to one of those but into another.
To solve this, you should be creating a different client id for each of your customer.
Another good reason to create a project/client id is if for some reason there is abuse and one of the client ID is compromised then other/all customers are not effected.
If you are creating project/client ids for each project then you should add the right subdomain there during the configuration. I also recommend not having all the projects (1000s as you say) in one Google account.
I recently purchased a domain with Yahoo Domains for my GAE app. Where I managed to get the domain mapped into my GAE account.
Now, since GAE does not support naked domains, I just placed the CNAME for www to point to Google App Engine.
Everything works fine now, i.e. my app can be accessed through http://www.my-example-domain.com
The problem is with naked domain (with Yahoo), I am trying to forward the naked domain http://my-example-domain.com to http://www.my-example-domain.com however, the domain manager is complaining that the forward is not possible.
What could be the problem that forward is not possible? Also, is there a way to solve this in GAE management console, since Yahoo domain manager seems to not able to handle this.
Hi Please try to do the following changes from your Google Apps Admin Console.
Go to this URL for Domain Management Settings in Google Apps Console.
Under the Domain Management. Click on change redirect and add www.example.com. Also check the attached screenshot for the same.
Also follow the instructions provided in the URL change A record below change redirect url.
After making these changes you will see the URL will get redirected automatically.
I have a GAE app and I have already been able to redirect appidentifier.appspot.com to my own domain's www subdomain and the naked domain. For example, if I owned foo.appspot.com and foo.com, then entering in www.foo.com or foo.com into the browser will render the contents of foo.appspot.com successfully. I configured all this using Google Apps on the Google side of things and NameCheap on the registrar side of things.
Now, I have made a new, non-default version of my GAE app. Let's call it dev.foo.appspot.com. How do I set up a URL forward (or what-not) so that I can access this GAE version by simply entering dev.foo.com into my browser?
What you are looking for to do is possible if you set up a wildcard subdomain mapping. This is well documented in the final section of Using a Custom Domain.
I have main site example.com where users can register and login or just login with openid.
Logged in users can create their own sites with subdomains like mysite.example.com.
Every user can have multiple sites.
Every site is cakephp app.
Every cake app has its own ACL.
How do I deploy authorization so users logged in to the main site, are also logged in to their own sites.
Two main requirements here:
Client-side cookie needs to be valid for all applications
Check the cookie set by CakePHP on the client side (FireCookie is good for this). The domain part of the cookie needs to read .example.com (not www.example.com) in order for it to apply to sub-domains. This might work in bootstrap.php:
ini_set('session.cookie_domain', '.example.com');
Server-side session storage needs to be accessible by all applications
In core.php for each application, set a common session storage. Options are:
php: This will use the PHP defined session storage directory, which should be the same for all applications.
database: If all applications use the same database, this could be an option.
cake: For this to work, you would need to define a common /tmp directory for each application.