I'm using Ion Auth social
https://github.com/ghosthouse/CodeIgniter-Ion-Auth-Social
and throughout my web check if the user has a session started or not.
if ($ this-> ion_auth-> logged_in ()) {
}
For this reason in /application/config/autoload.php charge
$ autoload ['libraries'] = array ('ion_auth');
in my localhost everything is perfect, but in my website protected with cloudflare, create multiple sessions just with this:
__ci_last_regenerate | i: 1544893031;
creates more than 50 sessions per second with just this info which overloads my sql, obviously it is a problem of codeigniter sessions with cloudflare, I have already created the request in the codeigniter github but it does not seem to matter to them.
So I'm wondering if you can share an option / solution, so that only one codeigniter session is created when the user logs in Ion Auth.
Thank you.
Related
I would like to create a multi-tentant laravel 8.0 application (with laravel multi-tenancy package and laravel sanctum) with Vue Frontend for the customers and a Vue Frontend for Admins.
(Vue2) Frontend for customers like: example.com and store1.example.com and store2.example.com
(Vue2) Frontend for admins like: store1.admin.example.com and store2.example.com
(Laravel) Backend for the rest api like: store1.api.example.com and store2.api.example.com
I would like to make it possible for customers to log in on any of the subdomains forexample on example.com or on store1.example.com and also be logged in on all the other subdomains.
Is it possible?
Do you have any suggestions?
+1 question: Is there any way to generate a subdomain with laravel?
This would be my first multi-tenant sandbox application, thanks for your help!
I have done a similar set-up with this although I haven't gotten to a deeper sub-domain.
The first thing you need to do is configure the tld and wildcard sub-domain to your application, so whatever subdomain you hit, you should always see the index content.
The first setup for this is to set SESSION_DOMAIN in laravel .env to something like .whatever.com
e.g.
SESSION_DOMAIN=.whatever.com
Then the next thing you have to do is to make sure your application uses JWT Authentication https://github.com/tymondesigns/jwt-auth
and when you save the token on your user browser, you need to set the domain same as your SESSION_DOMAIN.
I grab the tld no matter what subdomain they try to log-in
const tld = (() => {
const host = window.location.host, subs = host.split('.')
if ( subs.length > 2 )
return host.replace(/^[^.]+\./g, "")
return host
})()
then I added . in-front of the tld on domain cookies that holds the token
Cookies.set('token', token, { expires: remember ? 365 : null, domain: `.${tld}` })
so if you go to Application tab from dev toolbar, then under cookies on your app, the domain should be .whatever.com and if you jump from one sub-domain to another you should still be authenticated
Also, regarding with your setup, I think you are just over-using a subdomain in your initial plan.
You can just simply create a table for STORE which holds all different store then add a column for slug. then just create one-to-many or many-to-many relationship for other stuff like store owner from users table, store products from products table etc, so you store table should just look like
id | name | slug
1 | My Store | store1
Then on the front-end, you would grab the slug of the sub-domain and request a query with matching store slug to your API end-point, you only need one structure for your end-point, you don't need to have each store have their own api end-point, you just need to include the store slug every time you hit your end-point which are store specific request, so if you hit store1.whatever.com, all your query should pull everything related to a store with slug store1
Additionally, you don't need to use a sub-domain for admin and api end-point, try looking for a Vue+Laravel template, like this one below which has a lot of features like vue routing, vuex and templating which I think is very suitable for your set-up https://github.com/cretueusebiu/laravel-vue-spa
Then the way you should handle it is much better to be something like this
Front-end -> store1.whatever.com
Admin -> store1.whatever.com/admin/
API end-point -> whatever.com/api/
I'm building an app where each subdomain has its own database.
For example:
"example1.app.dev" uses "example1_dbo" database
"example2.app.dev" uses "example2_dbo" database
Each subdomain has its own users, meaning that for example:
user_ex1 can only login on example1.app.dev because he is set in example1_dbo
user_ex2 can only login on example2.app.dev because he is set in example2_dbo
How do I achieve this with Laravel Auth?
Basicaly I have set subdomain routing:
Route::domain('{account}.myapp.dev')->group(function () {})
And i have set up database connections in config/database.php and env file.
I have used this concept on Eloquent models with Model->setConnection($account)
But this method is exhausting while app is growing...
I'm looking for Middleware solution where i can change default DB connection for request globally and for Auth as well while i was not able to get authentication to work.
Have you tried this package:
https://github.com/stancl/tenancy
It provide that out of the box.
hope it is helpful.
I am new to Laravel. I have created a domain and subdomain with a specific domain group.
domain.com
admin.domain.com
On my domain.com a user can login. And in the subdomain admin.domain.com an admin can login. The problem Im having is when a user is logged in the root domain the admin subdomain is also logged in. I want the root domain and subdomain to be of different sessions. Please help!
This problem is not on framework, I got this problem when I worked with Yii 2.0 too, the issue because sessions general from application key, the solution is make key different between root and subdomain.
The solution here is you have to general another Laravel Application key on your subdomain follow the document:
php artisan key:generate
Application key [Idgz1PE3zO9iNc0E3oeH3CHDPX9MzZe3] set successfully.
2 keys in root and subdomain have to different.
Hope this help.
Laravel by default uses a single cookie to keep session data and manage its authentication system, thats why your user keeps logged across your subdomains, because your cookie is still there.
In this case I think you have 2 options:
1st: Create a different auth system using middlewares for each subdomain group to manage sessions (lets say you create/read a different cookie for each subdomain, but this could be a little bit tricky if the same user want to use the app across different subdomains at the "same time").
2nd: Use a different session driver (lets say database e.g.)
CodeIgniter 2 regenerates the session id on every http-call. This leads to problems with concurrent ajax calls. This makes it possible that client and server get out of sync and the session is lost. A Fix to this is not updating the session on ajax-calls (see Codeigniter session bugging out with ajax calls). But if you use CodeIgniter as an API for a single page application, where every call is ajax, this just leads to the session never being updated at all. The user just get logged out after the session timeout (default 5 minutes).
In CodeIgniter 3 they attempted to fix this by using a write lock (see https://github.com/bcit-ci/CodeIgniter/issues/3073) on session storage. Because this relies on a Database-Feature it is only possible to safely store session information in MySQL and PostgreSQL. Redis for example can not be used (see http://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-6-update-your-session-library-usage).
Finally my question is: How does Laravel handle this Problem? Laravel can use Redis for session storage. So when does laravel regenerate the session id? And if Laravel doesnt regenerate it automatically on every http request, how can this be judged in context of security aspects?
Like pstephan1187 noted, "Laravel only regenerates the session ID when you sign in and sign out". CSRF Protection is used against cross-site request forgeries, and it consists of a field that is required by default (Laravel 5) in POST, PUT and DELETE requests.
Handling this in ajax-calls is outside the functionality offered by Laravel, but can be worked around pretty easily.
For more information about Laravel sessions, see the official documentation (Which, by the way, is a very nice and easy-to-understand read).
I've trying to add a messageboard to my Codeigniter web site. Everything has gone well except for one little part: I'd like my log in from the main site to carry over to the messageboard. Since the messageboard is not able to run in Codeigniter, I made a subdomain to run the messageboard in. This means that the main site and the messageboard do not share cookies. The messageboard is Phorum-powered, so there's a hook that I can use to sign in if I have the user_id of my user. In other words my problem basically boils down to being able to run a function on one domain that can get the user_id variable stored in the session of another domain.
Here are things the I've tried:
Setting up a controller in codeigniter that uses ci->session to echo the user_id. Then in the messageboard, I used CURL to fetch me the output of the codeigniter controller. This doesn't seem to work because CURL doesn't carry cookies or sessions or something, so codeigniter can't access it's session when called through CURL.
Same thing but with file_get_contents. File_get_contents is disabled on my server.
I'm pretty much out of ideas. Does anyone know a function I could write that would get me a CI session stored user_id from a different domain?
Here are two things you can try:
1) host the forum in a subdirectory of your code igniter project. So your two websites will have the url http://mysite.com/ and http://mysite.com/forum. Now that they share the same domain, you can access the session.
2) In your forum login page, display the message "auto-signing in". On that same page add an iframe in the html with the src="http://mysite.com/autologin/tokenid", but hide it with css. The autologin page will have CI session information, which you can temporarily make available to the world via a hard to guess tokenid and by echoing $_SESSION['user_id']. Remember to expire this page when you are done with it. Then refresh the forum's login page and use CURL to grab the publicized session information at http://mysite.com/autologin/tokenid. This is full of security flaws, so do it only as a last resort.