Session cookie keeps getting overwritten - cakephp-2.0

When I log into my application I get a cookie with a value of, say, odm7krain1ms6bic7irfvpsj91.
As long as I stay on this tab and move through the application I'm "usually" okay. If I open another tab and go to the same URL, I'll get a new cookie that overwrites the old one and my old session is lost. How can I prevent this from happening?
I've seen this happen when I'm using XHR requests also, which effectively logs me out of my current session.

Try adding the following to your core.php file:
Configure::write('Session.checkAgent', false);
Configure::write('Session.ini',array('session.cookie_secure' => false, 'session.referer_check' => false));
These parameters should force the cookie to persist. This will set both PHP and CakePHP's settings to allow cookies to persist over http and https.

use $_SESSION["your session var"];

Related

Problem in create, update and delete Cookie using react-cookie

I am creating a cookie by using react babel but I am facing a problem. When I create a cookie, the cookie is created in the browser, but when I click on the URL to authenticate the cookie is removed from the browser, and when I create it again two cookies, an old one and a new one, are created in the browser.
When I delete a cookie and refresh the page the two cookies are created again in the browser. I don't understand how this is possible.
I am using this code to create and delete a cookie:
cookies.remove("WebTimeClock", {
path: "/labor-settings",
domain: "localhost",
});
and to create a cookie I am using this:
cookies.set("WebTimeClock", currentUniqueID, {
expires: new Date(dateTime),
});
I am using "react-cookie" for this.
You can set multiple cookies of the same name if you set them against different paths. In your first example, you define the path, but in the second, you do not. Not setting a path will use the existing URL path. If I do this on Stack Overflow, you can see from dev tools there are now two cookies:
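As an added illustration (not code from the question or the answer), the following models the RFC 6265 rules behind this behaviour: a cookie is keyed by (name, domain, path), a Set-Cookie without a Path attribute gets a default path derived from the request URL, and a remove() whose path differs from the one the cookie was created with leaves it in place. The jar, paths and the "localhost" domain default are constructed assumptions for the demo.

```javascript
// Added example (not code from the question or answer): a small model of the
// RFC 6265 rules that decide whether a Set-Cookie replaces or sits beside an
// existing cookie. The jar contents and paths are constructed for the demo;
// domain handling is simplified to a host-only cookie on "localhost".

// RFC 6265 §5.1.4: the default-path of a cookie set without a Path attribute
// is the request path up to, but not including, its last "/".
function defaultPath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// RFC 6265 §5.1.4 path-match: decides whether a cookie is sent with a request.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function cookieKey(name, attrs, requestPath) {
  const path = attrs.path !== undefined ? attrs.path : defaultPath(requestPath);
  const domain = attrs.domain || 'localhost'; // assumption: the app runs on localhost
  return { name, domain, path };
}

// A cookie is identified by (name, domain, path); a Set-Cookie only replaces an
// existing cookie when all three match (§5.3 step 11), otherwise a second one is added.
function setCookie(jar, name, value, attrs, requestPath) {
  const key = cookieKey(name, attrs, requestPath);
  const same = c => c.name === key.name && c.domain === key.domain && c.path === key.path;
  const next = jar.filter(c => !same(c));
  next.push({ ...key, value });
  return next;
}

// Removal is just an expired Set-Cookie with the same key, so a remove() whose
// path differs from the one the cookie was created with leaves it untouched.
function removeCookie(jar, name, attrs, requestPath) {
  const key = cookieKey(name, attrs, requestPath);
  return jar.filter(c => !(c.name === key.name && c.domain === key.domain && c.path === key.path));
}

// Cookie header the browser would send for a request to requestPath.
function cookiesFor(jar, requestPath) {
  return jar.filter(c => pathMatches(requestPath, c.path)).map(c => `${c.name}=${c.value}`);
}
```

Setting the cookie at `/labor-settings` without a path gives it path `/`, so a later remove() scoped to `/labor-settings` never matches it.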

Are cookies and code cache linked in the Chrome browser?

I have a question. If user session related data is stored in cookies, and once the cookies are deleted the user is taken to the login page, my question is:
"Is there any link between the code downloaded so far into the browser and visible in Sources?" Will it also get disconnected once the user deletes the cookie?
If a new cookie is created for the user with a successful login, is the browser going to get a fresh copy of the code into Sources, thereby deleting the existing cache, or will it use the existing code which was downloaded earlier?
Please help me find the answer to how the cache of code (written in AngularJS) in the browser will connect and disconnect from the server based on user cookies.
I wanted to understand this.
There is no "code cache", there is just browser cache - all *.js, *.html, images, etc. are cached by the browser based on user browser settings and HTTP response headers.
This is not related to cookies - a user can leave one and delete another and vice versa. E.g. a user can use a site without cookies at all OR turn off the browser cache, so it will load all assets each time.

Cannot find HybridAuth redirect URL settings

Not a duplicate of Facebook login message: "URL Blocked: This redirect failed because the redirect URI is not whitelisted in the app’s Client OAuth Settings."
This issue is about CakePHP sending the wrong URL. It is fully understood why Facebook doesn't like the URL, not clear how to fix it in CakePHP
Trying to use this HybridAuth plugin for CakePHP, everything seems to be working except the redirect URL has http, which Facebook does not like. I need to make it https. I cannot figure out how to manipulate this value.
https://www.facebook.com/v2.12/dialog/oauth?auth_type=rerequest...redirect_uri=http%3A%2F%2Fwww.example.com%2Fhybrid-auth%2Fendpoint%3Fhauth_done%3DFacebook&scope=email%2Cpublic_profile
Which gives me this error, which makes sense:
URL Blocked: This redirect failed because the redirect URI
is not whitelisted in the app’s Client OAuth Settings. Make
sure Client and Web OAuth Login are on and add all your app
domains as Valid OAuth Redirect URIs.
I've been trying to fix this for about two hours. I've tried setting
'hauth_return_to' => [
'controller' => 'Lookings',
'action' => 'find',
'prefix' => false,
'plugin' => false,
'_ssl' => true
]
in the AppController authenticate settings for HybridAuth, which doesn't seem to do anything. Also tried a lot of random things around the internet that just seemed to break more things. I'm a bit lost now.
New update
I have tracked this URL's origin as far as the loginBegin method in hybridauth/Hybrid/Providers/Facebook.php, and it's in $this->params['login_done']; though I'm uncertain now where this is being set.
Old update
Updating the Appcontroller authenticate settings still doesn't seem to affect this particular URL no matter what I do. I believe this setting is related to the "URL Login done" redirect URL, and my issue is with the "URL Start login" URL, though I'm not entirely certain.
Add the 'base_url' property to the HybridAuth object in /config/hybridauth.php to manually set the base URL.
Additionally, it appears that base_url is created using $_SERVER['HTTPS'], which is apparently not set to true in my current environment. This can be found in the login method of the Hybrid_Provider_Adapter class.
Addressing either of those issues should fix the problem.

How to control caching, in browser

I have a web application in a production environment. When the user logs out from the website and hits the back button it should not take him back to the site. Once the user logs out all the cache should be erased. I browsed through some sites, but I didn't get the proper solution. I am not getting how to implement the technique. Any help/advice greatly appreciated.
Currently what I have done in my backend:
app.use(function (req, res, next) {
    res.setHeader("Cache-Control", "no-cache, no-store, must-revalidate");
    res.setHeader("Pragma", "no-cache");
    res.setHeader("Expires", "-1");
    next(); // hand off to the next handler; without this every request hangs
});
On the browser side
Local Storage to Manage Session
//To clear everything Or get your item and set it to null
localStorage.clear();
Session Storage to Manage Session
//To clear everything Or get your item and set it to null
sessionStorage.clear();
Cookies to Manage Session
$cookies.remove("userInfo");
NOTE: I would recommend you to use cookies with a Random CSRF Token to protect your clients from CSRF by storing a randomly generated session key in SessionStorage.
As you currently do not have a session maintained in the back-end I would like you to read this thread:
How to end a session in ExpressJS.
And this https://expressjs.com/en/advanced/best-practice-security.html
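As an added example (not the poster's code), the answer's headers can be applied selectively: an Express-compatible middleware that marks only responses to requests carrying the session cookie as non-cacheable, so the back button cannot replay them after logout while static assets stay cacheable. The session cookie name and the request/response stand-ins are assumptions constructed so the code runs without Express.

```javascript
// Added example, not code from the question or its answer: an Express-compatible
// middleware that sends the answer's no-store headers only on responses that
// depend on a login, so static assets stay cacheable. The session cookie name
// is an assumption; the req/res stand-ins are constructed so it runs without Express.
const NO_STORE_HEADERS = {
  'Cache-Control': 'no-cache, no-store, must-revalidate',
  'Pragma': 'no-cache',          // for HTTP/1.0 caches
  'Expires': '0',                // any invalid or past date means "already expired"
};

// True when the Cookie request header carries a cookie with the given name.
function hasCookie(cookieHeader, name) {
  return (cookieHeader || '')
    .split(';')
    .some(part => part.trim().split('=')[0] === name);
}

// Middleware factory: responses to requests that present the session cookie are
// marked non-cacheable so the back button cannot reveal them after logout.
function noStoreForSessions(sessionCookieName) {
  return function (req, res, next) {
    if (hasCookie(req.headers.cookie, sessionCookieName)) {
      for (const [name, value] of Object.entries(NO_STORE_HEADERS)) {
        res.setHeader(name, value);
      }
    }
    next(); // always hand off; forgetting this leaves the request hanging
  };
}

// Minimal response stand-in with the two methods the middleware uses.
function fakeResponse() {
  const headers = {};
  return {
    setHeader(name, value) { headers[name.toLowerCase()] = value; },
    getHeader(name) { return headers[name.toLowerCase()]; },
  };
}

// Runs the middleware on a constructed request and reports what it did.
function apply(sessionCookieName, cookieHeader) {
  const req = { headers: cookieHeader === undefined ? {} : { cookie: cookieHeader } };
  const res = fakeResponse();
  let nextCalled = false;
  noStoreForSessions(sessionCookieName)(req, res, () => { nextCalled = true; });
  return { nextCalled, cacheControl: res.getHeader('Cache-Control') };
}
```

In a real app, register it with `app.use(noStoreForSessions('connect.sid'))` before the routes, and still invalidate the server-side session on logout, since headers alone only stop the browser from replaying old pages.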

CakePHP - reject requests if application cookie is not set

Complete PHP newcomer here. I have a 3rd party PHP application (developed by someone else but I have code to it) that sets a cookie when a user logs into its login page. Let's call it MYAPPCOOKIE. I also have a CakePHP based API that enables developers to extract information via an easy to use API.
What I want to do is disable access to the APIs if MYAPPCOOKIE is not set. In other words, rely on the user logged into the portal before I return API values. I know this is a weak authentication mechanism, but I'd really like to start here.
I understand my app and my cake APIs are two different entities. So to get started, I first edited api/app/Config/core.php and added the following line:
Configure::write('Session', array(
'defaults' => 'php',
'cookie' => 'MYAPPCOOKIE'
));
I assume this will give my Cake layer access to the same cookie that the main app uses.
Now, how do I go about denying API access if this cookie does not exist? Do I have to go to every controller of every API and do something like
$this->Cookie->read('MYAPPCOOKIE');
and then do the rest of the work? Or is there a more general way for me to check in the Cake Layer if the instance that is accessing the API also has that cookie set and if not, just return a 4xx for all APIs?
So I finally solved this issue the following way:
a) As it turned out, using cookies is a bad idea. There is no way to actually delete a cookie - you can only expire it - the browser decides when to delete it. So even if you change the cookie to have an expired time on logout in the app, the cookie still physically exists and the next time you check isset($_COOKIE[cookiename]) in the CakePHP app, it still exists, which means you can't really use this method to make sure you are logged in to the App (PHP) before you access the API (CakePHP).
b) In my case, the solution was to instead use $_SESSION - the PHP app sets a username and other details when a person is logged in and clears the session when you log out, so to make sure the API ties into the login system of the App, I added the following code to AppController.php:
public function beforeFilter() {
    parent::beforeFilter();
    // Reject the request unless the PHP app's login stored a username in the shared session.
    if (!$this->Session->read('username')) {
        throw new NotFoundException(__('Not Authenticated'));
    }
}