Laravel returning error 419 after updating SESSION_DOMAIN - laravel

I recently had to set SESSION_DOMAIN=".example.com" to be able to access the Laravel session cookie from the subdomain sub.example.com.
After this, some of the previously logged-in users started reporting "Error: Request failed with status code 419" on POST requests (reportedly even after logging in again), while others report being unable to log in at all.
I am unable to reproduce this problem. No related exceptions or errors are logged; however, this clearly suggests that it's an issue related to the session and/or XSRF-TOKEN cookies.
How to fix this?
Will flushing all my Redis session data, forcing all users to log out, or removing all cookies fix this, or make it worse?

Changing the SESSION_DOMAIN caused two cookies named session, with different domain configurations, to coexist in the browser.
Setting SESSION_COOKIE to a new value and flushing the remember_token solves the problem.
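The following simulation is an added example, not code from the question or the answer above, showing why the two cookies collide. A cookie set without a Domain attribute is a host-only cookie for example.com; once SESSION_DOMAIN=".example.com" is set, the browser stores a second entry with the same name (real browsers keep a host-only cookie and a Domain=.example.com cookie as separate entries), sends both on requests to example.com, oldest first, and a server that keeps only the first value of a duplicated name, as PHP's $_COOKIE does, keeps reading the stale session. Cookie names, values and hosts are constructed; the Jar class and the "first occurrence wins" parser are this example's own assumptions about browser and PHP behaviour, not Laravel code.

```python
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional

_seq = itertools.count()


@dataclass
class Cookie:
    name: str
    value: str
    domain: str        # canonical host, no leading dot
    host_only: bool    # True when Set-Cookie carried no Domain attribute
    path: str = "/"
    created: int = field(default_factory=lambda: next(_seq))

    def matches(self, host: str) -> bool:
        """RFC 6265 domain matching: host-only cookies go to one host,
        Domain cookies to that host and all of its subdomains."""
        if self.host_only:
            return host == self.domain
        return host == self.domain or host.endswith("." + self.domain)


class Jar:
    """Toy browser cookie store (assumption, modelled on real browsers):
    entries are keyed on (name, domain, host-only flag, path), so a host-only
    cookie and a Domain=.example.com cookie of the same name coexist."""

    def __init__(self) -> None:
        self.cookies: List[Cookie] = []

    def set_cookie(self, name: str, value: str, request_host: str,
                   domain: Optional[str] = None) -> None:
        host_only = domain is None
        dom = request_host if host_only else domain.lstrip(".").lower()
        for i, c in enumerate(self.cookies):
            if (c.name, c.domain, c.host_only, c.path) == (name, dom, host_only, "/"):
                # Same key: replace the value but keep the original creation order.
                self.cookies[i] = Cookie(name, value, dom, host_only, created=c.created)
                return
        self.cookies.append(Cookie(name, value, dom, host_only))

    def cookie_header(self, host: str) -> str:
        """Build the Cookie request header: longer paths first, then older
        cookies first (RFC 6265 section 5.4)."""
        sent = sorted((c for c in self.cookies if c.matches(host)),
                      key=lambda c: (-len(c.path), c.created))
        return "; ".join(f"{c.name}={c.value}" for c in sent)


def server_cookie(header: str, name: str) -> Optional[str]:
    """Server-side parse that keeps the FIRST occurrence of a name, which is
    how PHP populates $_COOKIE when a name is duplicated."""
    seen: Dict[str, str] = {}
    for part in header.split(";"):
        k, _, v = part.strip().partition("=")
        seen.setdefault(k, v)
    return seen.get(name)


def scenario(rename_cookie: bool) -> Dict[str, Optional[str]]:
    """Session id the server sees per host after SESSION_DOMAIN is changed.
    Constructed values: 'old-session-id' was set before the change, as a
    host-only cookie; 'new-session-id' afterwards with Domain=.example.com."""
    jar = Jar()
    jar.set_cookie("laravel_session", "old-session-id", "example.com")
    # Renaming the cookie (SESSION_COOKIE) means the stale entry is simply
    # never looked up; keeping the name means the stale one is read first.
    name = "laravel_session_v2" if rename_cookie else "laravel_session"
    jar.set_cookie(name, "new-session-id", "example.com", domain=".example.com")
    return {host: server_cookie(jar.cookie_header(host), name)
            for host in ("example.com", "sub.example.com")}


if __name__ == "__main__":
    print("same cookie name:", scenario(rename_cookie=False))
    print("renamed cookie:  ", scenario(rename_cookie=True))
```

With the name unchanged, example.com keeps resolving to the stale session while sub.example.com already uses the new one, so the CSRF token the client carries and the session the server loads can disagree, which is the 419 the users saw. Renaming the cookie makes every host read the new entry, and the leftover host-only cookie is harmless until it expires.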

Related

Laravel (Vapor/Lambda) Issue with Cookies and POST Routes

I've been developing an update to an existing Laravel system (currently running Laravel 6 and PHP 7.4) that runs on both EC2 and Laravel Vapor setups, and have run into some very strange issues that only present themselves on Vapor setups. These issues relate to cookie generation failing and POST routes being ignored when handling routes.
Issue #1: Cookies No Longer Being Set
The first issue presents itself immediately upon loading the system for the first time: no cookies are being saved, even though our .env is configured to do so:
SESSION_DRIVER=cookie
Without cookies being generated, forms can't be processed and users cannot be marked as authenticated.
The system itself has had no changes made in areas that would touch core logic around cookies, but none are now being generated. If we revert the codebase to the previous release without these changes, the system runs perfectly on the Laravel Vapor setup, and it runs without issue with both versions of the code on the EC2 setup.
Potentially related: redirecting users seems to be done with JavaScript on the problematic Vapor setup, whilst the EC2 and local development environments manage to do so using headers. This indicates there's an issue somewhere in the code being used, but the areas that manage that code, as mentioned a few times, haven't been touched during development.
Issue #2: POST Routes Being Ignored
This might be a knock-on effect of the first issue above.
POST routes from our web.php file are being completely ignored. I've tried submitting forms, I've tried using Insomnia to make requests to them, and I have even tried setting up a route that would catch requests to any route using the POST method; in each case they were completely ignored by the system.
Submitting our login forms produces a strange error:
Call to a member function can() on null (View: /var/task/resources/views/core/main/parts/headermenu.blade.php) (View: /var/task/resources/views/core/main/parts/headermenu.blade.php) (View: /var/task/resources/views/core/main/parts/headermenu.blade.php) (View: /var/task/resources/views/core/main/parts/headermenu.blade.php)
This error is strange because it should only be displayed after a user is authenticated, but submitting any details to the system gets this output, even blank details. I'm not sure how the user ends up on an authenticated page, as the POST route that handles authentication is being ignored, so no authentication logic is ever run. I can at least confirm that the system is able to connect to the database to run verification logic, but the route that does so is never reached because of this issue.
Honestly, I'm coming up blank on solutions to both of these issues, but they're blocking progress with this feature. Any and all guidance on where to look or how to resolve the above would be greatly appreciated.

Why is a legitimate user getting logged out Involuntarily?

I have an application built on Rails 2. If the user opens two instances of the same application (dev, UAT, or any two), it logs out while the person is active. This behavior is also inconsistent: sometimes it happens within 2 minutes of login and sometimes once in half an hour.
Another interesting thing to notice: if I disable validation of the CSRF token, the user never gets logged out unless the session times out or the user logs out voluntarily.
--Update--
After digging more into the issue I found out that CSRF is not the cause of this issue. The session id is getting deleted from the cookie. What could be the possible cause of this?
As I already said in my question, CSRF validation is not the cause of the logout issue. So I dug deeper and saw that the session_id cookie was randomly getting deleted, and that is when, on trying to use the application further, it was obviously getting logged out.
So the fix for this was to make sure that the session_id cookie is not allowed to be deleted. In order to do so I marked the cookie as secure, although I was still not able to find out the root cause of this cookie deletion.
I was using SqlSessionStore to store session info. The following is the fix that I put in:
ActionController::Dispatcher.middleware.swap(:"ActiveRecord::SessionStore",
SqlSessionStore, {:secure => true})

Auth - keeps logging out

I keep getting logged out whilst using the system. What common issues should I be looking for?
Within Laravel, authentication sessions should last for 15 minutes.
The only issue I can see is that I was logged out after performing some AJAX requests on the system, which may have caused the authentication token to change?
I am using the default authentication library that comes with Laravel 5.2.

Sentry Cookie not attaching

I am working on a Laravel 4 application and using Sentry for authentication. I need to add Keep Me Logged In functionality to my application. I have googled around and found that passing a second argument to Sentry::login($user, $remember) sets up a cookie. I have done that and can verify that it is working from the browser (Chrome). But somehow whenever I try Sentry::check() after a day it returns null for cookies, even when the cookie is present in the browser. Can anyone point out what I am doing wrong? The same happens when I attach my custom cookie to the response.
This scenario happens on my production server, whereas it works fine on my local server.
PS: The lifetime of the cookie is set to forever (5 years).
After working on the issue for some time I was finally able to resolve it by creating and attaching a custom cookie to the response after login, and then writing a middleware to check for that cookie; if it is present, log the user in and continue.

Laravel 5 url.intended broken when session driver is set to cookie

Our Laravel 5.1 application has been using the "native" session driver setting (configured in the .env file). With it set this way, we were able to use Laravel's url.intended behavior to redirect the user to the URL they were attempting to access prior to being authenticated.
We had to change it to "cookie" because every time we used Amazon's OpsWorks system to deploy a new build, users were logged out because their server-side session files were no longer available. Once we changed it to cookie, users remain logged in even when we deploy a hotfix or new build.
However, with it set to cookie, url.intended does not work at all. I tried hacking together a solution by adding a custom url.intended node, but it just won't work. It seems that when the user attempts to access a URL prior to being logged in, it sets the session info, but then the application redirects the user to the login page, where it gets nulled out.
I'm using Debugbar to look at the session vars and I'm going crazy. I'm already bald so I have no more hair to pull out.
Does anyone have any ideas?
We ended up setting up a DynamoDB table at first and then transitioned to Redis on a common server. We have a load balancer and don't want sessions getting lost or corrupted by switching servers, so all cache is now stored in that common location.
