New potential vulnerability in Laravel logout - laravel

There is a strange problem which might be an undiscovered issue in Laravel security. It goes like this: while I submit an AJAX form to update or insert into the database (a lot of data that takes too much time) and I log out from another tab in the middle of it, the request will still succeed without an issue! And more importantly, after that my browser acts as if I did not log out at all! Am I going crazy, or do we have a problem?
Auth::guard('web')->logout();
$request->session()->invalidate();
$request->session()->regenerateToken();
return redirect('/');

For most people this is not a security vulnerability.
This happens because Laravel checks authentication in middleware, which runs BEFORE calling the controller method. So at the time your request starts, you're still authenticated.

Related

Laravel sanctum logout not working even after tokens are deleted

I have tried so many options I could think of or find online; user details are still persisted even after successful deletion of all the tokens!
I am using Laravel Sanctum with Vue. The logout function I created works as expected when I use Postman to make the request, but this is not the case when I make the request via axios from the browser. The tokens get deleted all right, but I can still access protected routes.
I have also tried
Auth::logout()
I have continued to try this using sanctum and web as the guard.
Any help will be appreciated.

Vuejs - how to correctly logout the user?

Good evening,
I'm using Laravel with Vue.js and I have a little problem with logging out.
Example: I open 2 tabs, log out in one, go back to the other, and I can still do what I want, like create a user.
But I can't change route (that's normal, I use a beforeEach in the router).
How can I prevent any action from being taken while staying on the same route?
Thank you in advance; don't hesitate to ask me for more info if you need it.
Server-side
You need to check that the session has not expired:
if(Auth::check()) {
// Code which should only run if the user has a valid session
} else {
// Code for handling the non-existence of session
}
Client-side
Your client side should always know whether a request has succeeded and handle eventual failures. This applies to a session which expired for some reason, but to other issues as well, like request timeouts or even some errors.
Make sure the logout happened
Something like this
Auth::logout();
should be executed when you log out.
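The two-tab scenario in the first question (a long AJAX write that finishes after a logout in another tab) and the server-side check this answer asks for, as an added example that is not code from either post. The `auth` middleware has already passed by the time the controller runs, and it decided from the session that was loaded into memory at the start of the request, so the controller asks the session backend directly, between batches, whether its session id still exists. Assumptions: a `file`, `database` or `redis` session driver (the `array` and `cookie` drivers cannot be re-read this way), and a hypothetical `Item` model.

```php
<?php
// Added example, not from the original posts. Long-running AJAX write that
// re-checks, between batches, whether its session still exists in the store.
// Assumes a file/database/redis session driver and a hypothetical Item model.

namespace App\Http\Controllers;

use App\Models\Item;                 // hypothetical model
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\DB;

class BulkImportController extends Controller
{
    public function __construct()
    {
        // Runs before store() and decides from the session loaded at request
        // start; a logout in another tab after that point is not seen by it.
        $this->middleware('auth');
    }

    public function store(Request $request): JsonResponse
    {
        $data = $request->validate([
            'rows'        => ['required', 'array'],
            'rows.*.name' => ['required', 'string', 'max:255'],
        ]);

        DB::beginTransaction();

        try {
            foreach (array_chunk($data['rows'], 500) as $chunk) {
                if (! $this->sessionStillExists($request)) {
                    // Session was destroyed elsewhere: discard the work done so
                    // far, and make sure this request does not write the stale
                    // in-memory session back to the store when the response is sent.
                    DB::rollBack();
                    $request->session()->invalidate();
                    $request->session()->regenerateToken();

                    return response()->json(['message' => 'Logged out'], 401);
                }

                Item::insert(array_map(fn (array $row) => [
                    'user_id' => $request->user()->id,
                    'name'    => $row['name'],
                ], $chunk));
            }

            DB::commit();
        } catch (\Throwable $e) {
            DB::rollBack();
            throw $e;
        }

        return response()->json(['imported' => count($data['rows'])]);
    }

    /**
     * Ask the session handler (file, database, redis), not the in-memory copy,
     * whether the current session id is still stored. Handlers return '' for
     * an id that was destroyed or has expired.
     */
    private function sessionStillExists(Request $request): bool
    {
        $session = $request->session();

        return $session->getHandler()->read($session->getId()) !== '';
    }
}
```

Without the `invalidate()` call on the failure path, the session middleware would save the still-populated in-memory session under its old id when the response leaves, which is what re-logs the browser in. Batch size and how often to re-check are a trade-off between store round trips and how much work can land after a logout.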

Stateless API with JWT cookie invalidation

I have been playing for a couple of days with a stateless Laravel API with JWT based authentication, where I store the token in a cookie.
All is well, except for the cookie (in)validation...
I set my cookie like so
Cookie::queue(Cookies::NAME, $token, (int) env('COOKIE_VALIDITY'), Cookies::PATH, env('COOKIE_DOMAIN'), env('COOKIE_SECURE'), Cookies::HTTPONLY, Cookies::RAW, Cookies::SAMESITE);
$redirectUrl = $request->query('redirectTo') ?? route('home');
return redirect($redirectUrl);
This works, it does set the cookie.
However, my cookie Expires/Max-Age seems to be one hour behind, always.
2019-10-12T08:51:35.737Z (when it is actually 9:51)
The cookies gets sent correctly on all subsequent requests though.
The biggest problem however, is cookie invalidation.
My logout action looks like this
return redirect('/login')->withCookies([Cookie::forget(Cookies::NAME)]);
The action gets called too, but the cookie remains unchanged.
I also tried with the cookie()->forget() helper; this has the same result.
Any clues to what I am doing wrong here?
PS: I do see that Laravel by default adds a session cookie as well. I suppose this is normal, due to the fact that I reach the site as an anonymous user and therefore receive a session for that?
I'm asking because the challenge for me is to have a fully stateless API that only uses a server-side rendered login page and then redirects back to some kind of SPA.
All help is much appreciated.
To whom it may concern, I have found the problem.
Apparently, specifying the cookie name is not sufficient.
return redirect('/login')->withCookies([Cookie::forget(Cookies::NAME, Cookies::PATH, env('COOKIE_DOMAIN'))]);
Works perfectly.
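The fix above generalised, as an added example that is not the original poster's code: the attributes used to issue the cookie and to forget it are read from one config array, so the forget call cannot drift from the set call. A config file `config/auth_cookie.php` with the keys `name`, `minutes`, `path`, `domain` and `secure` is assumed; the class and file names are hypothetical.

```php
<?php
// Added example, not from the original post. One source of truth for the
// JWT cookie's name/path/domain so Cookie::forget() always matches Cookie::make().
// Assumes config/auth_cookie.php returning:
//   ['name' => 'jwt', 'minutes' => 60, 'path' => '/', 'domain' => 'example.com', 'secure' => true]

namespace App\Support;

use Illuminate\Support\Facades\Cookie;
use Symfony\Component\HttpFoundation\Cookie as CookieValue;

final class AuthCookie
{
    /** Cookie to attach to the response after a successful login. */
    public static function issue(string $token): CookieValue
    {
        $c = config('auth_cookie');

        return Cookie::make(
            $c['name'],
            $token,
            (int) $c['minutes'],
            $c['path'],
            $c['domain'],
            (bool) $c['secure'],
            true,   // httpOnly: the SPA never needs to read the token from JS
            false,  // raw
            'lax'   // sameSite; 'strict' if no cross-site redirect ever lands on an authenticated page
        );
    }

    /** Expired cookie to attach to the logout response. */
    public static function forget(): CookieValue
    {
        $c = config('auth_cookie');

        // A browser only overwrites a cookie whose name, path AND domain all
        // match, so the same path and domain used in issue() must be passed here.
        return Cookie::forget($c['name'], $c['path'], $c['domain']);
    }
}

// Usage in the controllers (assumed route names):
//   return redirect($redirectUrl)->withCookie(AuthCookie::issue($token));
//   return redirect('/login')->withCookie(AuthCookie::forget());
```

Forgetting the cookie only removes it from the browser. With a stateless JWT the token itself stays valid until its `exp` claim, so a copy taken before logout still works; short token lifetimes, or a server-side denylist keyed on the token's `jti`, are what actually invalidate it.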

Laravel 5.3 backend and Vue 2.0 form to create user

I'm having trouble authenticating users via Vue 2.0.
In Vue I have a form in which the user enters all his data and submits it via POST to a Laravel (web route) endpoint.
Then the user is created in the UserController method with the supplied data, and I'm stuck at this point, as I can't manage to authenticate my user after creation and redirect him to some route (another page).
User creation goes fine...
Can someone explain to me quickly how it should work? (As I understood it, I can't redirect from the controller, as the data is POSTed via an AJAX call.)
What's the "right" way to do this as I'm afraid I'm completely mistaken :)
Thanks in advance for your help.
You would have to perform the redirection at the front end script after receiving the response from the controller method.
This is my thought as a possible solution for you:-
The authentication can be done in the controller following the creation. The controller method then needs to return a JSON response indicating success.
Note: Laravel 5.3 ships with pre-built authentication controllers. RegisterController handles user registration.
The Vue script needs to process the response, i.e. if success, redirect somewhere; if failed, prompt a message.
Cheers!
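The flow this answer describes, as an added example that is not the answerer's code: create the user, log them in on the `web` guard, and return JSON that tells the client where to go. Assumes Laravel 5.3 with the default `App\User` model, session-based auth, and a hypothetical controller name and `/home` landing route.

```php
<?php
// Added example, not from the original post. AJAX registration endpoint for
// Laravel 5.3: creates the user, authenticates the session, answers with JSON.
// Assumes the default App\User model and a web route guarded by CSRF middleware.

namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;

class AjaxRegisterController extends Controller
{
    public function store(Request $request)
    {
        // On an AJAX request a validation failure is answered with 422 + JSON
        // errors automatically, so the Vue side can show them per field.
        $this->validate($request, [
            'name'     => 'required|max:255',
            'email'    => 'required|email|max:255|unique:users',
            'password' => 'required|min:6|confirmed',
        ]);

        $user = User::create([
            'name'     => $request->input('name'),
            'email'    => $request->input('email'),
            'password' => Hash::make($request->input('password')),
        ]);

        // Authenticate the new user on the session guard ...
        Auth::guard('web')->login($user);
        // ... and rotate the session id now that its privilege level changed
        // (prevents session fixation).
        $request->session()->regenerate();

        // No server-side redirect: the XHR would follow it and receive HTML.
        // Hand the target back and let the front end navigate.
        return response()->json([
            'ok'       => true,
            'redirect' => url('/home'),
        ], 201);
    }
}
```

On the Vue side the call is the usual `axios.post('/register', form).then(r => window.location.assign(r.data.redirect)).catch(e => showErrors(e.response.data))`; because the route is a web route, the request must carry the CSRF token (Laravel's default front-end bootstrap copies it from the `csrf-token` meta tag into the `X-CSRF-TOKEN` header).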

Securing an ajax request

I have a website that uses session cookies for security. It works fine and all, but any AJAX requests right now are not secure. Example: let's say a user is on a page. They can only get to this page if they are logged in with a session. So far so good. But now the AJAX request they ask for is
ajaxpages/somepage.php?somevar=something&anothervar=something
If any other user decides to just go to that link themselves (without a session), they still get the same AJAX output that was meant for logged-in people.
So obviously I'm going to have to pass session data across when I send an AJAX request. Anyone have any tips for the best way of doing this? I've never done this before and would rather use trusted methods than make up my own.
The AJAX requests work just like any other request to your website and should carry the same session cookies as non-AJAX requests. This is pointed out in this question. If you aren't getting the session cookie, perhaps something else is wrong.
Having AJAX output isn't necessarily a vulnerability. It entirely depends on what data is being transmitted. I am not sure what platform you are using, but most web application development platforms have a session variable that can maintain state between requests.
What you should have in place is a way of marking the user as being logged in from the server side. In PHP this would look like:
if(login($user,$password)){
$_SESSION['logged_in']=true;
}
Then you can check in a header file if they are allowed to access the page:
if(!$_SESSION['logged_in']){
header("location: http://127.0.0.1/");
die();
}
(If a variable isn't set, it is also false.)
There are a few things you need to keep in mind. This is a vulnerability:
if(!$_COOKIE['logged_in']){
header("location: http://127.0.0.1/");
die();
}
The user can control $_COOKIE, so they can tell you that they are logged in.
Another vulnerability:
if(!$_COOKIE['logged_in']){
header("location: http://127.0.0.1/");
}
header() doesn't kill the script. In fact, it still runs, so it will still output, but the output won't be displayed in a browser; you can still use netcat/telnet/Wireshark to see the data.
Use the same security check on the pages that handle the ajax request.
Since that is a PHP page, I don't see why you couldn't perform authentication on the PHP side. If authentication is successful, send back the data. Otherwise, send back an error message. AJAX requests aren't that different from any other request.
Just let AJAX carry the session cookie; there is no problem with that. But you must check whether the user is logged in or not on that end, and you might want to add a CSRF token to your request, just in case...
And try to validate the referrer, so you can check that the request was sent from your website, and your website only; it's not good practice to let users open your AJAX request URL in their browser...
And if you have a query in your script to get some data from your database or elsewhere, don't forget to sanitize the input and escape the output, based on what kind of data you need, once more just in case...
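The checks the answers above describe (server-side login flag, `exit` after `header()`, CSRF token, validated input, prepared query), applied to `ajaxpages/somepage.php` as one added example that is not code from the original answers. It assumes the login script has already stored `$_SESSION['logged_in']`, `$_SESSION['user_id']` and a random `$_SESSION['csrf_token']`, that the page's script sends the token in an `X-CSRF-Token` header, and that an included `db.php` provides a PDO connection `$pdo`; the table and column names are constructed for the example.

```php
<?php
// Added example, not from the original answers: a hardened version of the
// AJAX endpoint from the question. Assumes the login script set
// $_SESSION['logged_in'], $_SESSION['user_id'] and $_SESSION['csrf_token'],
// and that db.php defines $pdo (PDO). Table/column names are made up.

declare(strict_types=1);

// Cookie hardening must be applied before the session cookie is issued.
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_samesite', 'Lax');
session_start();

function deny(int $status, string $message): void
{
    http_response_code($status);
    header('Content-Type: application/json');
    echo json_encode(['error' => $message]);
    // header() alone does not stop the script; everything below would still run
    // and be sent to a non-browser client. Always terminate after a redirect/deny.
    exit;
}

// 1. Authentication from server-side state only. $_COOKIE, $_GET and $_POST are
//    attacker-controlled; $_SESSION is loaded from the server's session store.
if (empty($_SESSION['logged_in'])) {
    deny(401, 'not logged in');
}

// 2. CSRF. The browser attaches the session cookie automatically, so another
//    site can make a logged-in victim issue this request. Require a value that
//    only same-origin script can obtain, compared in constant time.
$sentToken = $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
if (!isset($_SESSION['csrf_token']) || !hash_equals($_SESSION['csrf_token'], $sentToken)) {
    deny(403, 'bad csrf token');
}

// 3. Input validation before the values reach anything.
$somevar    = filter_input(INPUT_GET, 'somevar', FILTER_VALIDATE_INT);
$anothervar = filter_input(INPUT_GET, 'anothervar', FILTER_VALIDATE_REGEXP,
    ['options' => ['regexp' => '/^[a-z0-9_-]{1,32}$/']]);
if ($somevar === false || $somevar === null || $anothervar === false || $anothervar === null) {
    deny(400, 'invalid parameters');
}

// 4. Authorisation + query: scope to the logged-in user, never interpolate input.
require __DIR__ . '/../db.php';   // assumed to define $pdo
/** @var PDO $pdo */
$stmt = $pdo->prepare(
    'SELECT id, title FROM things WHERE owner_id = :owner AND kind = :kind AND tag = :tag'
);
$stmt->execute([
    ':owner' => (int) $_SESSION['user_id'],
    ':kind'  => $somevar,
    ':tag'   => $anothervar,
]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 5. Output escaping for the JSON context, so a title like "</script>" cannot
//    break out if the response is ever inlined into HTML.
header('Content-Type: application/json');
header('X-Content-Type-Options: nosniff');
echo json_encode(['items' => $rows], JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
```

The token check is the control that matters against cross-site requests; a Referer check can only be defence in depth, since browsers and proxies may strip the header and a request from your own page can legitimately arrive without it. The example rejects the request outright if the token is missing rather than falling back to the referrer.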
