CakePHP Auth Session variable completely missing in Chrome (on some machines) - cakephp

I can go to my site, look in DebugKit > Session, and see the "Auth" variable - works fine, and everything is great.
BUT - on two machines (out of 5-7 tested), and only in Chrome, the Auth variable is completely missing. This keeps the user from logging in, screws up redirects...etc etc.
We've tried uninstalling and re-installing Chrome - we made sure security settings and session/cookie settings in Chrome were the same as all the other computers that work...etc etc. (Maybe we missed one?, but - fresh install, so...). And we made sure we're all in the same version of Chrome.
At first I thought it might be an issue with my code (and it still could be), but then we tried logging into another Cake site on one of the "stupid" computers, and it did the same thing - can't log-in.

I just managed to resolve exactly this issue on my machine.
It seems that somehow my Chrome managed to get two cookies with the same name for the same domain - CAKEPHP.
In order to make sure that all cookies are reset for all browsers I have updated my session configuration in /app/Config/core.php:
Configure::write('Session', array(
    'defaults' => 'php',
    'cookieTimeout' => 0,
    'cookie' => 'newNameSESSION',
));
Note the key 'cookie' explicitly setting a new cookie name for the identification of the session. After this change I was able to log on to my application from all browsers from which I was unable to log in before.
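An added diagnostic example, not part of the answer above or of CakePHP: it reads the raw Cookie request header and reports any cookie name sent more than once, which $_COOKIE cannot show because it holds a single value per name. The function name `findDuplicateCookies` and the sample header are constructed for illustration.

```php
<?php
/**
 * Find cookie names that appear more than once in one Cookie header.
 *
 * @param string $rawHeader Value of the Cookie request header.
 * @return array Map of cookie name => list of values (duplicates only).
 */
function findDuplicateCookies($rawHeader)
{
    $seen = array();
    foreach (explode(';', $rawHeader) as $pair) {
        $pair = trim($pair);
        if ($pair === '' || strpos($pair, '=') === false) {
            continue; // skip empty or malformed fragments
        }
        list($name, $value) = explode('=', $pair, 2);
        $seen[trim($name)][] = $value;
    }

    $duplicates = array();
    foreach ($seen as $name => $values) {
        if (count($values) > 1) {
            $duplicates[$name] = $values;
        }
    }
    return $duplicates;
}

// Constructed sample: two CAKEPHP cookies in one request. A browser sends
// both when same-named cookies are stored under different Domain or Path
// attributes.
$sample = 'CAKEPHP=aaaa1111; other=1; CAKEPHP=bbbb2222';

// In a live request, inspect the real header instead of the sample.
$header = isset($_SERVER['HTTP_COOKIE']) ? $_SERVER['HTTP_COOKIE'] : $sample;

foreach (findDuplicateCookies($header) as $name => $values) {
    // Log the count only: session IDs are credentials and stay out of logs.
    error_log(sprintf('Cookie "%s" sent %d times in one request', $name, count($values)));
}
```

If the session cookie shows up here, renaming it as in the answer above sidesteps the stale copy; the browser's cookie inspector shows which Domain and Path each copy was stored under.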

It must have had something to do w/ the Security Component. When I turned that off, they could log-in fine.
Still not sure exactly what the issue is, but upgraded my site to CakePHP 2.2 beta, and it's not an issue now.
The release notes are here.
Here are some of the release notes from the 2.1.2 stable release (I was on 2.1) - these are the ones that relate to Sessions/Auth...etc that COULD have had something to do with the problem:
AuthComponent now uses loginRedirect as the default redirect location, should the session be empty.
A change to CakeSession was reverted to help solve issues with IE8 and sessions being lost.
SessionComponent::id() always returns the sessionid. It will auto-start the session if necessary.

Related

Cannot log in to Drupal site

I have a VM that I set up to do development on two sites hosted on Acquia with the same codebase. I'm using version Drupal 7.26. I have it where I can access both sites from the host computer, but when I try to log in using /user/login on either site, I get nothing. The POST returns a 404 containing the log in page again.
I've tried setting $cookie_domain = '.my-site.dev' as well as $cookie = 'www.mysite.dev'. Neither has any effect. I also tried adding a bunch of random characters to the file to make sure I was editing the correct file; with the random characters, pages didn't load at all. (See https://www.drupal.org/node/611920#comment-3110010.)
I also tried doing repair table sessions. I forgot which site I saw that recommendation from. I also tried delete from sessions just for kicks. Neither worked.
Any ideas? Thanks!
edit: Per https://www.drupal.org/node/261411#comment-3182566, I tried to go to www.mysite.dev/?q=user/login. This did not give me a 404, but I had tried (unsuccessfully, it seems) to reset my password through the database. I'm at least getting an error about a bad username/password combination rather than nothing at all. Still, I would think /user/login should have worked, too.
edit 2: The production site uses CAS, but logging in through /user/login still works.

Cake session getting lost on return from payment gateway

In my app, I have a session which persists when the user moves from page to page. However, the app uses a payment gateway and if the user goes to the payment gateway and then presses back to try to return to my app Cake is dropping the old session (and all the data it contained) and making a new one.
I found this question which is kinda the same issue, except it's happening when the user presses "back" from the payment gateway which I didn't really think would be classed as being referred.
Anyway, the advice in that question is to change Configure::write('Security.level') to low but I'm using CakePHP 2.3 and I notice from the changelog that one of the things that has been done is "Removed Security.level from core.php" -- and this seems to be because this particular setting is no longer used for anything.
So, my question is how do I disable whatever it is that is causing Cake to drop and regenerate the session when a user is either referred (or simply presses back) from a payment gateway?
I would suggest changing the following core.php settings:
Configure::write('Session',
    array(
        'defaults' => 'php',
        'timeout' => '30',
        'autoRegenerate' => false
    )
);
I had a similar issue and that solved it for me.
Thanks,
IE with chromeframe has a habit of sending the first request to a "different" site with a plain IE-useragent header whereas subsequent ones contain "chromeframe " in it. On a non-Cake site I had the same issue with sessions when checking useragent.

CakePHP Client Login Issues

I'm stumped. We have a client who cannot log in to our system and yet we can log in fine using her credentials. She can also log in fine from her friend's home.
Upon entering her credentials the screen simply refreshes and nothing happens when in fact she should be brought to a dashboard page. When I monitor the request via the Chrome web developer tools I can see that the dashboard does get requested after log in but then suddenly we're brought back to the log in page.
Now I've cleared her cache, cookies and all other temporary internet files from both IE9 (her default browser) and Chrome. Nothing happens. I've read that changing session names might help but that did nothing either.
The system is using the newest version of CakePHP (2.2.1) and absolutely any help would be appreciated.
This issue has been solved. Turns out this client in particular had the wrong date and time set on her computer. Upon setting the correct date and time, she has been able to log in absolutely fine since.
Thanks everyone for help!

How to disable or change CakePHP standard Authentication autologout?

I have some problems with CakePHP 1.3 standard Authentication. It seems that users or admin users get logged out too easily... especially on some browsers. In IE7-9 it sometimes needs only to change window or tab in browser to log out. This is annoying.
I have found that many users have these kind of problems but I'm unable to find good resources or examples how to specifically adjust automatic log out. I found out that some Security.level settings etc. might affect these, but tips are not very precise...
In user authentication, I would like to disable automatic log out or at least make a long timeout for an active logged-in user. Any advice or how-to guides on how to change auto log out behaviour without changing the cake core (not intended anyway)...?
Use this code; perhaps it will solve your problem:
<?php echo $this->Html->link('Enter', '/pages/home', array('class' => 'button', 'target' => '_blank')); ?>
I always had trouble with it, too. Just recently I started to use Miles' AutoLogin component which at least "cloaks" the problem:
http://www.dereuromark.de/2012/02/02/more-persistent-sessions-in-cake2-x/
Not ideal, but it works.
I've noticed that if Security level is set to high in core.php, as in Configure::write('Security.level', 'high'); my users get logged out very quickly if their Session times out without the timeframe set by the Security.level.
When I changed that to medium the problem went away.

CakePHP's Auth->Login not working in production, but works in test

I have a CakePHP website that's been working great.
I just developed a new functionality that at one point auto-logs the user in, and redirects him to a page that's behind the login wall.
This works perfectly well in my dev machine, but in production, the user gets redirected to the login page.
Relevant code: (not much)
$objCustomer = $this->Customer->findById($customerId);
$this->Auth->login($objCustomer);
$this->redirect("/customers/signup");
Customer is the Model that's used for authentication.
In the server, I see that I AM getting redirected to /customers/signup, and that redirects me to /customers/login
The thing that confuses me the most is that this works perfectly in my machine.
I dumped the return value of Auth->Login in the server, and it returns 1, so in theory everything is fine and the user should've been logged in.
Some things I can think of that are different between my machine and the server:
Dev machine is Windows, Server is Linux. This sometimes introduces case-sensitivity issues, but the signup method I'm redirecting to is all lowercase, I don't see where there could be such a problem here.
Dev machine is IIS, Server is LiteSpeed. Maybe LiteSpeed is screwing with something? This would be the first time in over a year running this site in production that I'd find something different because of LiteSpeed
Production site is over SSL, dev is not. I don't see how this could be a problem.
Any ideas are infinitely welcome!
Thank you!
I had problems too with authentication working fine on my machine in development mode, but not working on the server in production mode. Surprisingly, when I changed the server to development mode it started working correctly. Then I changed back to production, and it was still working. Perhaps it was some cache issue.
After a LOOOONG process of trying different weird things, it turns out it all boils down to this:
ini_set('session.referer_check', $this->host);
That's part of CakePHP's standard security features... It sets that INI setting.
If the request made to the action that'll call Auth->login is coming from another host (domain/subdomain/whatever), PHP will consider the session invalid, which effectively kills the auto-login attempt.
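The rule described in the answer above, as an added example that is not the poster's or CakePHP's code: it emulates the test PHP applies at session start when session.referer_check is non-empty. The function name `sessionIdRejected` and all hosts and URLs are constructed for illustration.

```php
<?php
/**
 * Emulate PHP's session.referer_check decision.
 *
 * @param string      $refererCheck Value of session.referer_check.
 * @param string|null $referer      Referer header of the request, if any.
 * @return bool True if PHP would discard the incoming session ID.
 */
function sessionIdRejected($refererCheck, $referer)
{
    if ($refererCheck === '') {
        return false; // check disabled (PHP's default)
    }
    if ($referer === null || $referer === '') {
        return false; // no Referer header sent: the ID is accepted
    }
    // Plain substring match on the whole header, not a parsed-host comparison.
    return strpos($referer, $refererCheck) === false;
}

// Constructed values: the application's own host and four incoming requests.
$check = 'shop.example.test';
$cases = array(
    'same host'       => 'https://shop.example.test/customers/login',
    'other subdomain' => 'https://www.example.test/landing',
    'external site'   => 'https://pay.gateway.test/return',
    'no Referer'      => null,
);

foreach ($cases as $label => $referer) {
    $outcome = sessionIdRejected($check, $referer) ? 'new session' : 'session kept';
    printf("%-16s %s\n", $label, $outcome);
}

// What the running application actually has configured:
printf("session.referer_check = '%s'\n", ini_get('session.referer_check'));
```

Because the match is a substring test and a missing Referer passes, the setting explains dropped sessions after cross-host redirects but is not a substitute for CSRF tokens or session ID regeneration on login.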
