Laravel Change expired link token to reset password? - laravel

I want to set expired linkto link 7 days when we sent link to reset password. I know, we can change it inside config/auth.php.
But, how can I change the expire link to 7 days? Please help me out!
/*
|--------------------------------------------------------------------------
| Resetting Passwords
|--------------------------------------------------------------------------
|
| You may specify multiple password reset configurations if you have more
| than one user table or model in the application and you want to have
| separate password reset settings based on the specific user types.
|
| The expire time is the number of minutes that the reset token should be
| considered valid. This security feature keeps tokens short-lived so
| they have less time to be guessed. You may change this as needed.
|
*/
'passwords' => [
'users' => [
'provider' => 'users',
'table' => 'password_resets',
'expire' => 60,
],
],

'expire'=> 60 *24 *7
here 60 is minutes
24 is hours
and 7 is days

Related

laravel 6 csrf token expired in every 60 seconds?

I am using laravel 6.I Want my laravel CSRF Token expire in every 60 seconds.
config/session
'lifetime' => 60,
First of All, CSRF is stored in XSRF-TOKEN cookie. Ref: 50904763
According to the question (Ref: 51615122), We change the configuration in app/Http/Middleware/VerifyCsrfToken.php by adding a new method named addCookieToResponse
use Symfony\Component\HttpFoundation\Cookie;
public function addCookieToResponse($request, $response) {
$config = config('session');
$session_life = env('CSRF_LIFE');
$response->headers->setCookie(
new Cookie(
'XSRF-TOKEN', $request->session()->token(), $this->availableAt($session_life),
$config['path'], $config['domain'], $config['secure'], false, false, $config['same_site'] ?? null
)
);
}
where $config is used to get session information from existing lifetime. However, I parse $session_life from .env to make sure you can customize as much as you can.
So, the result is simple, configure everything as belongs but in area $this->availableAt($session_life) where session_life is in seconds.
So, please set session_life to 60 in .env as below:
CSRF_LIFE="60"
After you save and refresh your page, or clean cache and configs, Session LifeTime will be two hours but CSRF will be only 60 secs.
Hope this works.
After long testing I end up something, that you put in the lifetime option in session not allow to set expire time in seconds, it'll allow to minutes.
So, when you set up liftime = "60", it's means it will expire in 1 hour.
Hence, You have to set liftime = "1" in your config/session.pph file. Also, default value in .env file SESSION_LIFETIME=120 you have to replace that with 1 SESSION_LIFETIME = 1.
After that you have to clear the cache by command:-
php artisan config:cache
Now, your session will expire after 1 minute / 60 seconds.
To see more check this question.

Yii2 Never Logout Idle Or Away User

User's in Yii appear to be logged out automatically if they close their browser or are idle for about a day (maybe less, I'm not sure). Is it possible to not log them out ever (or at least for a long time for month or year). Not sure if the Session parameters or Cookie parameters need to change.
I've tried changing the parameters.
'components' => [
'session'=>[
'class' => 'yii\web\Session',
'cookieParams' => ['httponly' => true, 'lifetime' => 3600 * 4* 365],
'timeout' => 3600*4 *365,
'useCookies' => true
],
]
I've tried session php ini parameters:
session_set_cookie_params(0);
ini_set('session.gc_maxlifetime', 0);
And I've tried setting the login parameters
Yii::$app->user->login($user, 31536000);
The options you used it should work without timeout and useCookies options, I used it in my last project where the session needed to last for a week minimum, open storage tab in the Mozilla dev bar and click on cookies on the left you will see the cookies section with the cookies registered for your site, in my case it is http://www.kp2.local
if you use the 'lifetime' => 7 * 24 * 60 * 60, it should show the cookie with an expiry date 1 week later i.e Wed, 23 Jan 2019 like below
and if you comment out the code and then log out, and log in again it should show you the expiry time on Session like
You just need to use the following settings in the config
'session' => [
// this is the name of the session cookie used for login on the frontend
'name' => 'advanced-frontend',
'cookieParams' => [
'httpOnly' => true,
'lifetime' => 7 * 24 * 60 * 60
],
],
If it still doesn't work, log out of the system try removing all cookies once by selecting Delete all option like in the image below.
and it will work.
Note: You should change the 7 in 'lifetime' => 7 * 24 * 60 * 60, to the number of days you want to keep the session
Keeping session for such long time may be a bad idea - inactive sessions data will consume your server resources and may slow down some operations. Yii has dedicated feature for such cases - you may set $enableAutoLogin to true:
'user' => [
'enableAutoLogin' => true,
// ...
],
And on login() call set timeout for identity cookie:
Yii::$app->user->login($user, 31536000);
It will set special cookie (valid for a year) with identity info, which will autologin user after his session expires. In this way you don't need to keep session data on your server for a year, but from user perspective it looks like he is always login (even if in the background a new session is created).

Laravel : login from one subdomain to another subdomain : session issue

I am using Sentry on laravel 4.2 in one application with muti-subdomain (every domain have different users) : i want to login from one subdomain(domain-a.maindomain.com) to another subdomain(domain-b.maindomain.com) without persisting session across subdomain.
Any one have idea how can i achieve this with laravel
i think Since the Laravel authentication system uses cookies to manage the session, you actually need to login the user on each subdomain you're going to use. To avoid that, you can use another session driver like database. and what #SUB-HDR give you in his comment is a good way too do it.
I'm not familiar with Laravel before version 5.1 but there is part of the documentation which relates to authentication:
https://laravel.com/docs/4.2/security
$user = User::find(1);
Auth::login($user);
With this you may be able to authenticate a user from one of your domains to the other. You would need to pass something from the first domain to the second domain which is a unique common attribute between the two user models and then authenticate the matching user.
in (php / mysql) we can made a row called IslogedIn(or something else you prefer) in All your Databases so they''ll look like :
//---------------------------------------------
// (main database) --> site1.com
// ------------------------------------------
// | id | username | password | IslogedIn |
// |-----|-----------|----------|-------------|
// | 1 | jhony | pass | 0 |
// |-----|-----------|----------|-------------|
//---------------------------------------------
// (2nd database) --> site2.com
// ------------------------------------------
// | id | username | password | IslogedIn |
// |-----|-----------|----------|-------------|
// | 1 | jhony | pass | 1 |
// |-----|-----------|----------|-------------|
here for example we see the user is logged in 2nd database
so the value will be : IslogedIn = 1
and we gonna use that in all our domains and from "login.php" (in Laravel it can be somthing else) , from "login.php" we mark IslogedIn = 1 if the user logged in by using some mysql orders .
after that we connect all databases using a scrip page and name it something like : 'checkout.php' in both domains folders and write in it :
1 - for old php versions :
$Db_Main_con = mysql_connect($hostname, $username, $password );
$Db_2nd_con = mysql_connect($hostname, $username, $password , true);
//-------------------------------------------------------------
$Db_Main_Select = mysql_select_db("Database_name1", $Db_Main_con);
$Db_2nd_Select = mysql_select_db("Database_name2", $Db_2nd_con );
//-------------------------------------------------------------
$Db_main = mysql_query("select * from users where id = :id", $Db_Main_Select);
$Db_2nd = mysql_query("select * from users where id = :id", $Db_2nd_Select);
2 - for new version is Generally similar only some changes in the past code , such as mysql to mysqli . read this article : mysqli_connect
and I'm not familiar with Laravel so ofc you change the "$host_main_name" and "$username" and ( table name )..... etc to feet your script
and from every db call the row : (IslogedIn) in a $string.
then we go to check if the user is Logedin in all Db we have :
if ( $Db_Main->IslogedIn || $Db_2nd->IslogedIn )
{
// ----->> your login code or relogin code here
// + sessions and cookies and reloud link and all other stuff
}
then we close the script with $Db_Main->close(); $Db_2nd->close(); .... etc when the checkout is end .

The session id is too long or contains illegal characters in Laravel 4

I installed Laravel 4.0 and got this error
ErrorException
SessionHandler::read(): The session id is too long or contains illegal characters, valid characters are a-z, A-Z, 0-9 and '-,'
return (bool) $this->handler->close();
}
/**
* {#inheritdoc}
/
public function read($id)
{
return (string) $this->handler->read($id);
}
/*
Do you have Laravel 3 installed on the same machine? By default, Laravel 4 uses the same session cookie name (as Laravel 3), now found in /app/config/session.php file. Simply change:
'cookie' => 'laravel_session',
to, e.g.
'cookie' => 'laravel_session_4',
and refresh browser. All should work now.
It could be that you have a corrupt cookie. Try clearing cookies in your browser.
Take a look at this discussion: https://stackoverflow.com/a/16318456/1563189
Especially:
How do you end up with illegal characters in PHPSESSID in the first place? Aren't they generated by PHP automatically? – Lèse majesté Jul 6 '10 at 11:57
They are, but a cookie that links you to a generated session id is client side. If that cookie changes to an invalid format (somebody is trying to exploit something) PHP will notice it. – Aleksey Korzun Sep 6 '11 at 19:56
There is a bug report for this problem (https://bugs.php.net/bug.php?id=68063)
You can check the success of your session_start and generate the id if needed:
$ok = #session_start();
if(!$ok){
session_regenerate_id(true); // replace the Session ID
session_start();
}

Zend Framework - session id regenerated, can't stay logged in [duplicate]

This question already has an answer here:
Duplicate DB sessions created upon Zend_Auth login
(1 answer)
Closed 2 years ago.
I'm trying to store sessions in a database using Zend Sessions however for some reason my sessions die out. Im not sure if there's some code being executed which does this or whether its something else.
I've noticed that the session ID seems to be regenerated after a breif time after having logged in.
This is even despite having added the following line in my htaccess file:
php_value session.auto_start 0
The end result is that I'm logged out every minute I'm logged in.
Heres my code in my bootstrap file
$config = array(
'name' => 'session',
'primary' => 'id',
'modifiedColumn' => 'modified',
'dataColumn' => 'data',
'lifetimeColumn' => 'lifetime'
);
$saveHandler = new Zend_Session_SaveHandler_DbTable($config);
Zend_Session::rememberMe($seconds = (60 * 60 * 24 * 30));
$saveHandler->setLifetime($seconds)->setOverrideLifetime(true);
Zend_Session::setSaveHandler($saveHandler);
//start your session!
Zend_Session::start();
I'm not using any other session related function except perhaps for Zend_Auth when logging in.
Infact rememberme calls the regenerateID function of the Session class - the end result is that I'm constantly logged out every few minutes now.
I think that you might be having this problem because you're calling rememberMe BEFORE starting the session.
You have to start the session first otherwise rememberMe won't do anything since it needs a session to set the rememberMe time on.
rememberMe calls the regenerateId function and the regeneration of the Id is what really needs the session to exist.
Place the rememberMe call after the session start then see how that works for you.
If that isn't it then I don't know what it could be since my code looks similar to yours.
Have you tried something like this?
protected function _initSession() {
$config = array(
'name' => 'session',
'primary' => 'id',
'modifiedColumn' => 'modified',
'dataColumn' => 'data',
'lifetimeColumn' => 'lifetime',
'lifetime' => 60*60*24*30,
);
Zend_Session::setSaveHandler(new F_Session_SaveHandler_DbTable($config));
}
This way the lifetime isn't set after initialising the database sessions, but is directly included in the initialisation options - it works for me, I see no reason why this should fail in your case :).
I think you need to look once into following values after bootstrap code
session.gc_maxlifetime
session.cookie_lifetime
If You configure session resources in *.ini config file, check resources.session.cookie_domain parameter.
I spend 3 hours when I remembered about it.

Resources