I enabled sticky sessions to cope with issue of session mismatch on multiple instances. AWS adds cookie named as AWSALB to handle this. Is there any option by which we can rename the cookie?
Related
Is it possible to access my Laravel application without obtaining a session? Right now I use sessions to prevent spam, and curious if I can just block out users that can't store sessions.
If you wish not to store any data for every request, you can choose array driver for sessions (docs).
array - sessions are stored in a PHP array and will not be persisted.
In .env file set SESSION_DRIVER=array
I have disabled cookies for my website and get TokenMismatchException. Since I am using sessions file driver and in my form I have {{ csrf_field() }} why do I get TokenMismatchException when I disable cookies for my website ?
If I inspect the call that was made I can see that the token was sent in post : token J0Y0t2hj3jjVFMdGCch0apliPqlz1lZlwUc0VqCk
why do I get TokenMismatchException when I disable cookies for my website?
Because the CSRF token value in the form needs to be compared to (the) one stored in the session.
If your session is not working without cookies, then of course this will fail.
So decide whether you want to demand cookies for your app to work, or if you want to use less secure ways of transporting the session id (GET/POST – how to configure that within your framework, should be in its documentation.)
check your config file(config/session.php) and see if your session driver is cookie. If yes, then change that to something else.
here is the notes: Laravel's HTTP Session
file - sessions are stored in storage/framework/sessions.
cookie - sessions are stored in secure, encrypted cookies.
database - sessions are stored in a relational database.
memcached / redis - sessions are stored in one of these fast, cache based stores.
array - sessions are stored in a PHP array and will not be persisted.
Our Laravel 5.1 application has been using the "native" session driver setting (configured in the .env file). With it set this way, we were able to use the laravel url.intended behavior to redirect the user to the url they were attempting to access prior to being authenticated.
We had to change it to "cookie" because every time we use Amazon's Opsworks system to deploy a new build, users were logged out because their server-side session files were no longer available. Once we changed it to cookie, the users remain logged in even when we deploy a hotfix or new build.
However, with it set to cookie, the url.intended does not work at all. I tried hacking together some solution by adding a custom url intended node, but it just won't work. It seems like when the user attempts to access a url prior to being logged in, it sets the session info, but then the application redirects the user to the login page where it's getting nulled out.
I'm using Debugbar to look at the session vars and I'm going crazy. I'm already bald so I have no more hair to pull out.
Does anyone have any ideas?
We ended up setting up a Dynamo database at first and then transitioned to Redis on a common server. We have a load balancer and don't want sessions getting lost or corrupted by switching servers so all cache is now being stored in that common location.
I have an owncloud and a roundcube sharing the same session pool via a memcache server and I would like them to work with an unique session.
I changed the cookie session.name to have the same for owncloud and roundcube and I tried a lot of tricks: to pass the session id then the session name via url, to change the $_SESSION['user_id' in roundcube because owncloud has the same variable, to avoid the cookie creation in the session_init from roundcube, etc...
But, the roundcube session always erase the owncloud one which causes owncloud not to login anymore.
What is the trick ? Is there a method somewhere to do that ?
I use the 'RoundcubeLogin.class.php' to perform the login from owncloud to roundcube but it creates separate sessions for each.
why do you want to share the session? What do you want to achive?
If you're just wanting to avoid another login, you can use the same login for roundcube or owncloud and use the auto-login feature
I have a Symfony application which use a mysql database to store session data, and uses the SfGuard plugin to manage the authentication.
Despite that symfony allways save the authentication info in a cookie. Is there anyway i can disable cookies and store the authentication info in the database or in memory?
I might need in the future, to have a kind of single sign on feature, where the authentication state will persist between multiple applications, in different domains. Thats why I mostly want to eliminate the need to use cookies.
Thank you for your help.
You do not seem to understand how sessions work.
That cookie that gets sent to the cient is called the session id, and it's unique to the visitor. When he reqests a page from the server that cookie identifies the row in your session table where his data are - no data besides the ID is ever sent to the client.
Without that ID there's no way to pair a request to session data, that's why you could not log in anymore after disabling the cookies. The alternative to the cookie is to pass the session id some other way, like in the url - php can do that automatically, you just need to enable use_trans_sid in the php.ini.
Yes, you can store the authentication info in the database : See here how.