I have one issue regarding session of laravel 5.1. I have written a code which will give 2 ajax call simultaneously. In first ajax call i am retrieving data and inserting paramertes into session. And in the response of first ajax, i am giving second ajax call to only update the session for second ajax parameters. But i am facing problem for session is that, it sometimes updates session and sometime fail to update the session. I am storing these parameters into session because on page reload, i am using these parameters again. Any help will be appreciated. Thanks
Related
I am using DB table to store session. Whenever I access any page in website, expire value in session table is getting updated.
I store a value in the session using the following api:
Yii::$app->session->set("key", $value);
After I use this command, session expire is not updating in database.
Another problem is that the stored value in session is only accessible during the same request.
Next request that value is not there in the session.
I google'd and tried all my luck but not able to figure why this is happening.
Thanks in advance
CodeIgniter 2 regenerates the session id on every http-call. This leads to problems with concurrent ajax calls. This makes it possible that client and server get out of sync and the session is lost. A Fix to this is not updating the session on ajax-calls (see Codeigniter session bugging out with ajax calls). But if you use CodeIgniter as an API for a single page application, where every call is ajax, this just leads to the session never being updated at all. The user just get logged out after the session timeout (default 5 minutes).
In CodeIgniter 3 they attempted to fix this by using a write lock (see https://github.com/bcit-ci/CodeIgniter/issues/3073) on session storage. Because this relies on a Database-Feature it is only possible to safely store session information in MySQL and PostgreSQL. Redis for example can not be used (see http://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-6-update-your-session-library-usage).
Finally my question is: How does Laravel handle this Problem? Laravel can use Redis for session storage. So when does laravel regenerate the session id? And if Laravel doesnt regenerate it automatically on every http request, how can this be judged in context of security aspects?
Like pstephan1187 noted, "Laravel only regenerates the session ID when you sign in and sign out". CSRF Protection is used against cross-site request forgeries, and it consists of a field that is required by default (Laravel 5) in POST, PUT and DELETE requests.
Handling this in ajax-calls is outside the functionality offered by Laravel, but can be worked around pretty easily.
For more information about Laravel sessions, see the official documentation (Which, by the way, is a very nice and easy-to-understand read).
In my AJAX Spring application, have added code in web.xml for a session timeout of 10 minutes.
If the user tries to access the page after this interval, he is getting redirected to the session time out page correctly.
But if the user clicks the back button, the url with the same session id actually returns values instead of displaying the "timeout" page again. This happens only in IE9 . In all others, this is working correctly.
Any pointers?
Should I manually invalidate the session after a request from an invalidated page? If I manually invalidate the session in my controller, for such a request, it seems to work perfectly even in IE9. Can anyone explain why this occurs?
I will explain my problem. I need to know if the steps below are correct:
The user enters their login details and these get submitted to the php server. If these are correct, I want to use the php code to start a session. However, because this is a mobile device I will be using html5 session storage. Now, my mobile website is all ajax based with no page reloads. So if the user submits the correct login credentials, I make an ajax response back to the user with what information? The SID/session_id of the session_start? Then, on the mobile device I place this session_id into the html5 session storage?
So, if these steps are correct, when the user then navigates around the website they are now logged in. And if they want to do something e.g. access a private page this creates an ajax request to the php server... this is where I am stuck. I assume that in this ajax request I send the session_id from the html5 session storage object, how does the php server use this id to prove the user is authentic? Presumably I need some kind of if statement and if it's not satisfied, send an ajax response back which my javascript will interpret as redirecting the user back to the login screen.
Many thanks if anyone can help me, it will be much appreciated as I am very stuck.
Note that cookies are not an option...
You could theoretically use HTML5 local storage to store the session ID, or transmit the session ID as a GET parameter in every request and pass it manually to PHP using session_id(), but I can't see the benefit. You might as well rely on cookies for this - they will be transmitted in Ajax requests.
I migrated my webapp from Tomcat 5.5 to Tomcat 6(.0.32). In that app there are ajax calls in every footer page to avoid session timeout. It works fine on Tomcat 5.5 but it doesn't work in Tomcat 6. I use a filter to track every call in a DB table. On non-ajax calls I can see the tracking in the table and the reset session timeout. On ajax calls I can see the tracking in the table but not the reset of the session timeout.
Why? Can I change this behavior? And, just for info, how can Tomcat6 distinguish the ajax calls?
If you're not explicitly accessing the session in response to the AJAX calls, you may need to set the org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property. Of course, that may also impact other parts of your app. Another option would be to ensure that you do explicitly access the session...