I'm doing an API for a mobile application. The application is made with Unity3D (I'm not developping it) but the guy who makes it told me that the session is not stored in Unity because it doesn't suport cookies.
I tried with Laravel to stores "cookie" in a file, but that didn't solve the problem.
Actually, in Unity, here is what is happening :
- log the user // returns : "Ok, logged."
- check if connected // returns : "user not connected"
I tried to do Session::setId() but it didn't work. Why ? Because I think the user is not in the Session but in the "Auth::" class. I didn't find any way to load the user who was connected.
I'm searching for an ID to get the first time and pass it as parameter in the URL to set it in the PHP to retrieve the connected user.
Your help is welcomed.
Thank you.
IF Unity doesn't support cookies, then you shouldn't be using PHP or Laravel sessions.
The alternative is to pass SystemInfo.deviceUniqueIdentifier in every request (in a header or POST, or GET field) from app to API. And on your API server you should make a DB table to write down all info you need about particular device: unique_identifier => all_the_info_i_have_on_this_device.
This works even better than cookies, because because user is not able to delete cookies or clear session.
Related
So, I'm doing this app in Laravel and my client wants it to have a "lockscreen" after 3 minutes of inactivity, something like what new PayPal site is doing. So if you're not active for 3 minutes you are presented with lockscreen view and you have to type in your password to retrieve the session.
It would be awesome if I could achieve this without messing with core files, like via controller and new middleware.
You could use sessions for this and check for the time use waited with each new request. You could use middleware for that.
$request->session()->put('expire_time', \Carbon::now()->addMinutes(3));
Hey I have also applied this functionality on my app use this package.
https://github.com/orangehill/bootstrap-session-timeout
Its Awesome.
After the session times out you just on that request you break the user session and ask him to login again.
I'm writing an app that's supposed to run with MVC5 and using parse as a backend.
I'm using the new Identity feature of the MVC5 to login an user. I also tried to use this solution but I couldn't make it work.
What is happening is that when I login with the user A and then login with the user B in a different session (a incognito windows or a new browser) whenever I try to insert something related with a ParseUser object using the first user that was logged in I get an exception: UserCannotBeAlteredWithoutSessionError.
I'm not sure if I'm doing the implementation in a wrong way, or if it is a limitation of the Parse (I think it was designed to run using one user per device).
If you have a workaround for this situation please help me.
There is a good answer which may help: Parse Database Authorization - Security For User Objects.
So, it's a kind of Parse SDK limitation, when you can work with only one user per device (as ParseUser is cached locally). The only workaround that I can see is to perform SignOut/Login explicitly, when you need to do something from other user's context. There is no way to have two users work simultaneously from the same device.
Recently I have being playing with a project I found on github called Laravel Websocket Poker (https://github.com/troymccormick/laravel-pkr/). I have it all running and working well. When you open the game page, you a presented with a dialog for your chosen username. I want to modify this, so that the session data of the current user is able to be used within the websockets.
So my question is, how can I associate the users laravel session info with their websocket connection?
Thank you!
I've developed an app in laravel and sentry2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML is redirected to my app where I check server variables, and if credentials are correct I let him pass to the site with sentry.
My issue occurs when I try to log in with the same account in two different browsers. Looks like when I log in in the second browser the existing session in the other browser gets overrided.
I've found out this looking into sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app work like gmail/fb that allows the user to be logged in both browsers at the same time.
It's correct the way it is.
Different browsers different sessions. This is a security feature/matter every single app should enforce.
If you log in a different browser how could Laravel tell if it's not a different person login in from a different computer in the same network? Log someone off in this case it's also the correct thing to do, because if some kind of exploit is happening, user will see something is wrong and, maybe, change his/her password.
Some (ie: banking) also do: different browser tabs, different sessions, but this is not the Laravel case.
Recently I was asked to add an XML API to one of the Symfony modules in my project. I did it, and it works well. For authentication, we use sfGuardPlugin. Symfony version is 1.3.11. Using Propel, not Doctrine.
The most recent request to me is this:
We will embed a Flash game into the website.
The Flash will do requests to the XML API.
The guy who is coding the Flash application says that it doesn't share cookies with the browser.
We want the Flash to be able to reuse the session of the currently logged in user (we won't allow to be even shown if no user is logged in).
I did try this would-be solution: (taken from other SO articles and various Google search results)
I was told that the Symfony session resides in the symfony cookie.
I was told that if I copy this value in another client (in my case, wget) and do session_id("stolen_session_id") I will be able to duplicate the session, have the same user logged in, etc.
This turned out to be wrong. Say my cookie symfony had the "blabla" value. I did this: wget --post-data='session_id=blabla' X.X.X.X:NN/api/bla.xml -O-. My server PHP code parses this POST parameter and feeds it to session_id function. It then reported in the logs that the session_id('blabla') was returning 1. However, calling $this->getUser()->getGuardUser() returns null.
I need a way to map a passed session_id to a valid sfGuardUser. Or find an alternative way of reusing a session which already exists.
Suppose I have full access to the cookies. I want to know which one of them (or all of them?) to duplicate in order to achieve this.
BTW, I am seeing in my Chrome dev tools that the symfony cookie is of a session type. So it's no wonder at all as to why my method doesn't work, but I am little lost as to how do I do this in Symfony, while using the sfGuardPlugin.
I do realize this is not one of the most informed questions, but ditto, I just need help.
Thanks for your time.
(Dimitar P.)
Oops, forgot to mention which cookies I see on my domain:
symfony
sfRemember
__utma
__utmb
__utmc
__utmz
I am guessing the last four are for Google Analytics, though.
I didn't want to do this, but I was unable to find other alternatives:
$ wget --header='Cookie: symfony=blabla' X.X.X.X:NN/api/bla.xml -O-
I wanted my XML API to be REST, but evidently, Symfony doesn't allow authenticated requests other way than using cookies (and to enable the session ID to be always included in the URL is not an option at all).
Still, if somebody shows up with a fully REST alternative, I will upvote his/her answer.
You will need some way of specifying which user is executing the (wget) request. And PHP sessions use a session ID by default.
A common way to do this is token-based authentication. The most common way to achieve this is OAuth, which has a lot of default libraries (both for Symfony and for your API consumers).
If you're the only one using this API, you can also create a custom token (random sha1 string) per user per session (you can store this somewhere in your database). Now you would create something like ` wget X.X.X.X:NN/api/bla.xml?token=asdfhdsfhf