Facing Cakephp session issue - session

I am using cakephp 2x and facing issues with cakephp session.
And the flow of website is like whenever you register successfully its auto logged-in and redirects to home page.
Here I am using data from cake session like:
$this->Session->read('Auth.Front');
But it returns different values on register and on login.
So how to debug it ? from where its writing session 'Auth.Front' ?

AuthComponent is surely overwriting the Auth key with the user data. Try using a different key.
This should work:
$this->Session->write('Front',$myData);
$myData=$this->Session->read('Front');

Related

Laravel Session does not deleted when using flush() or forget()

I'm trying to create an api which use a Session variable. This what I did:
Login
return auth('api')->attempt($credentials);
Call an api which save a variable test to Session
Session::put('test', $venueId);
Log out. In logoutController, call Session::flush() (I tried with Session::forget('test') too).
Session::flush();
// Session::forget('test');
auth()->logout();
Login again.
Call Session:all() in a randomly api. => Variable test still there.
I've checked in database, when I use auth()->logout() in controller, database create a new session in sessions table which has payload same with payload in step 2. And when I login again, it seems to use 2nd session (which created after logged out in step 3) to get value.
How can I handler this? I want all session to be flushed after user logout
I found out problem. I've used multi authentication, so I have 2 logout controller and I put Session::flush() to wrong controller. Put Session::flush() into correct controller and it worked.

How can I logout another user in Yii2

I need to be able to logout other users. I tried the following:
Yii::$app->getSession()->destroySession($sessionId)
I do this for every sessionId connected to this user.
I tried changing the authKey (with enableAutoLogin set to true).
Setting enableAutoLogin to false doesn't help.
The session is deleted in the database but as soon as that user does a new request his session, with the same sessionId as before, appears in the database again.
I tried using this:
Yii::$app->user->switchIdentity(User::findIdentity($id), 0);
Yii::$app->user->logout(true);
The switchIdentity works but creates a new session in the database (that i destroy with the logout method).
As a test I have downloaded both the basic and advanced template and both have the same problem. What am I missing here ?
I tried doing the same in pure PHP but somehow Yii manages to get the user session back and the user is still logged in.
I am using Yii 2.0.6

Difference between Auth::logout() and Session::flush()

For some reasons, i cannot use Auth. So, instead Auth::logout() i'm using
Session::flush().
My session driver is database.
I have two questions:
What's the difference, internally, between these methods (Auth::logout() and Session::flush())?
There is some risk for me when using Session::push() for login and Session::flush() for logout users?
Taken from laravel documentation:
Removing All Items From The Session
Session::flush()
So, if you use session::flush and have data in your session it will be deleted.
Why you cannot use Auth::logout()? How did you login the user then?

Does Laravel regenerate the Session ID? (compared to CodeIgniter)

CodeIgniter 2 regenerates the session id on every http-call. This leads to problems with concurrent ajax calls. This makes it possible that client and server get out of sync and the session is lost. A Fix to this is not updating the session on ajax-calls (see Codeigniter session bugging out with ajax calls). But if you use CodeIgniter as an API for a single page application, where every call is ajax, this just leads to the session never being updated at all. The user just get logged out after the session timeout (default 5 minutes).
In CodeIgniter 3 they attempted to fix this by using a write lock (see https://github.com/bcit-ci/CodeIgniter/issues/3073) on session storage. Because this relies on a Database-Feature it is only possible to safely store session information in MySQL and PostgreSQL. Redis for example can not be used (see http://www.codeigniter.com/userguide3/installation/upgrade_300.html#step-6-update-your-session-library-usage).
Finally my question is: How does Laravel handle this Problem? Laravel can use Redis for session storage. So when does laravel regenerate the session id? And if Laravel doesnt regenerate it automatically on every http request, how can this be judged in context of security aspects?
Like pstephan1187 noted, "Laravel only regenerates the session ID when you sign in and sign out". CSRF Protection is used against cross-site request forgeries, and it consists of a field that is required by default (Laravel 5) in POST, PUT and DELETE requests.
Handling this in ajax-calls is outside the functionality offered by Laravel, but can be worked around pretty easily.
For more information about Laravel sessions, see the official documentation (Which, by the way, is a very nice and easy-to-understand read).

symfony 1.4 session without using cookies

I have a Symfony application which use a mysql database to store session data, and uses the SfGuard plugin to manage the authentication.
Despite that symfony allways save the authentication info in a cookie. Is there anyway i can disable cookies and store the authentication info in the database or in memory?
I might need in the future, to have a kind of single sign on feature, where the authentication state will persist between multiple applications, in different domains. Thats why I mostly want to eliminate the need to use cookies.
Thank you for your help.
You do not seem to understand how sessions work.
That cookie that gets sent to the cient is called the session id, and it's unique to the visitor. When he reqests a page from the server that cookie identifies the row in your session table where his data are - no data besides the ID is ever sent to the client.
Without that ID there's no way to pair a request to session data, that's why you could not log in anymore after disabling the cookies. The alternative to the cookie is to pass the session id some other way, like in the url - php can do that automatically, you just need to enable use_trans_sid in the php.ini.
Yes, you can store the authentication info in the database : See here how.

Resources