I am using "file storage" for my session. When I run this:
Session::set('awesomekey', 'myVal123');
And refresh the page, I can see new files being created in /storage/session each time. I assumed it would update the same file each time. This basically means sessions don't work at all. In other words, if it keeps recreating a session file, this never works:
Session::get('awesomekey');
Or at least, it returns a blank. What am I missing that could possibly be causing a new session key to be created each time a page is loaded?
UPDATE
On further investigation, it seems the cookie is regenerated on each page load. What could be causing that?
I am not even looking at logging in yet, so this information is useless to me --> http://willworkforbanjos.com/2014/02/laravel-sessions-not-working-in-4-1/
My problem is happening when I simply put the above set and get code in the master.blade.php file. It should set it, store the info, and on the next reload get the right information from session. But it can't because on reload it changed the cookie to some other code.
Anyone know why this is happening?
UPDATE 2
Adding: 'lifetime' => 120 to session.php did not work. (#Sheikh Heera)
Placing the code in the controller only, does not work. (#Phill Sparks)
I tried chrome and firefox, same result (#The Shift Exchange)
Just to be clear on what I'm trying to do. I add the following code in HomeController.php:
public function index()
{
Session::put('awesomekey', 'myVal123');
return View::make('home.index');
}
Then I put this in my master.blade.php:
print Session::get('awesomekey');
I do not include any "dies" or random echos in my controller side of the code, except for this. When I open the file the first time, I can see myVal123 being printed out.
I then take out this part in the controller:
Session::put('awesomekey', 'myVal123');
And reload the page. It now prints nothing. I can see in my browser that the cookie has changed. Generating a new cookie will lose the reference to the session, so I'm stuck trying to understand why it's doing that each time, even though it saves the session on the first load.
Any more ideas?
UPDATE 3
I also tried:
Running "php artisan dump-autoload" ... still doesn't work
I went here: http://www.whatismybrowser.com/are-cookies-enabled ... and yes, cookies are enabled.
I'm really running out of ideas here...
UPDATE 4
I went to SessionManager.php and just underneath this:
$lifetime = $this->app['config']['session.lifetime'];
I printed out the value of life time:
print $lifetime; die();
And this code was never hit on page reload?! However, adding this in my controller:
$d = Config::get('session.lifetime');
print $d;
Does in fact print out my value for lifetime.... :(
The problem was this line:
'cookie' => 'xxxx.com',
in session.php. Apparently it loses the cookie if you have a "." in the cookie name. I can't believe Laravel doesn't like that. Or maybe it's browser's in general.
I believe you are using:
'lifetime' => 0 // number of minutes
in your app/config/session.php file. Make it something like this:
'lifetime' => 120 // number of minutes or whatever you want
It'll work. I tried same settings as you described and just used 0 and I get same result, each time a new file is being created but once I change it to 120 or so, it works. So, it make sense that, if it's set to 'lifetime' => 0 in the session config then every time it just creates a new file for a new session because the session doesn't live. So, go to your app/config/session.php file and you'll find something like this, change the value:
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
Update:
You may use following code to get the lifetime value set in the app/config/session.php file:
Config::get('session.lifetime');
Have a look at the cookie's expire time in Chrome developer tools, or Firebug. If it is set to 0 then the cookie will expire immediately.
Also, double-check if your clock is setup correctly - strange things could happen if there's a disparity between your host's and the browser's clock. Make both systems consult NTP to ensure this is not an issue.
I had a similar problem with the sessions, if you're using the model User and your users table doesn't have the primaryKey as Id, you must overwrite that variable at the model.
class User extends Eloquent {
protected $primaryKey = 'admin_id';
}
In /app/config/session.php check the "HTTPS Only Cookie" setting.
Make sure it's "secure => false" if you are not using SSL!
I've experienced issues related to this. The session file wasn't created every time but sometimes I just can't get the session variable displayed. After hours of experiments I found that the problem was related to Debugbar.
If you're using Debugbar and having session issues, disable it and try again to confirm.
Use Session::put('value') instead of set.
http://laravel.com/docs/session#session-usage
Related
Context and Need
In my api routes file, I've written the following code following the documentation (https://laravel.com/docs/8.x/sanctum#introduction) :
Route::post('/tokens/create', function (Request $request) {
$token = $request->user()->createToken($request->token_name);
return ['token' => $token->plainTextToken];
});
I would want to set an expiration delay that would be used to compare the date of the creation of the token with the date of the current check of the token expiration: the token'd have a creation date of x, the current date'd be y, and the delay'd be d so the token would expire if y > x + d.
What I've done
So I've read some code in the directory vendor/laravel/sanctum, and I've found the class Guard.php.
The class Guard.php contains an object attribute named $expiration, a constructor that sets it (among other things), and the __invoke method that contains the following expiration check:
if (! $accessToken ||
($this->expiration &&
$accessToken->created_at->lte(now()->subMinutes($this->expiration))) ||
! $this->hasValidProvider($accessToken->tokenable)) {
return;
}
As you can see, it does exactly what I want. However, I can't figure out how to set my own value for the attribute $expiration.
In this same file, there are some allusion to an existing configuration file, like this one: config('sanctum.guard', 'web'). Also, the class SanctumServiceProvider instanciates Guard and passes to its constructor the following value: config('sanctum.expiration'). But I don't know how/where to define this config value. Perhaps https://laravel.com/docs/8.x/configuration config(['sanctum.expiration' => '1277126']);? Could you confirm it please? (but where to put this line?)
Question
My question is: in Laravel 8 Sanctum, how could I set my own value for the variable $expiration used for Sanctum tokens check? Should I edit a configuration file and if yes, how? Should I type a configuration command in a terminal?
You can publish the Laravel configuration:
php artisan vendor:publish --provider="Laravel\Sanctum\SanctumServiceProvider"
See https://laravel.com/docs/8.x/sanctum#installation
After this you are able to change all configuration options in config/sanctum.php. The configuration files in config will overwrite the vendor default configuration.
The documentation https://laravel.com/docs/8.x/sanctum#spa-configuration says that, for SPA, we can set a value for the configuration option SANCTUM_STATEFUL_DOMAINS in the file vendor/laravel/sanctum/config/sanctum.php. So it should be the same for expiration. This file, indeed, contains the following text:
/*
|--------------------------------------------------------------------------
| Expiration Minutes
|--------------------------------------------------------------------------
|
| This value controls the number of minutes until an issued token will be
| considered expired. If this value is null, personal access tokens do
| not expire. This won't tweak the lifetime of first-party sessions.
|
*/
'expiration' => null,
So I think I should modify it to set the number of minutes of tokens expiration.
The sole problem is: as this file is contained in the vendor directory, if I download an update of Sanctum, would it erase this modification (i.e.: the number of minutes of expiration I've written)? If yes, then I should look for a similar solution that would be permanent (overriding this configuration file? modifying the .env file?). If no, then there isn't any problem, it would be perfect.
Maybe https://laravel.com/docs/8.x/configuration#accessing-configuration-values would be interesting to know which decision to take. However, if anyone could advise me in a comment it woud be kind.
Final Solution
Important Edit: instead of vendor/laravel/sanctum/config/sanctum.php, there is also the following config file: <my_site>/laravel/sanctum/config/sanctum.php so the latter should be editable without any problem. I think this is the best solution.
I usually end up adding session_start() to the top of every page on my PHP sites (or in a header file which is in turn included on every page). I recently discovered that you can have sessions start automatically by using the following setting in php.ini:
session.auto_start = 1
What are the potential downsides (if any) of using this setting?
If you turn on session.auto_start then the only way to put objects
into your sessions is to load its class definition using
auto_prepend_file in which you load the class definition else you will
have to serialize() your object and unserialize() it afterwards. See.
Maybe this helps. It will create a session if there is no session created on page load.
if(!isset($_SESSION)): session_start();endif;
If you want to start a specific session, then use something like this:
if(!isset($_SESSION['your_session'])){
$data = array('default data');
$_SESSION['your_session']=$data;
}
I I've done a lot of looking around for code that'll delete a session variable, and the close I've got to success is with this:
<cfset StructDelete(Session,"username")>
It works the first time, then it never works again. I've spent the past hour on this and am going insane, any help would be much appreciated.
I'm not sure if this is related but when I modify a .cfm for some reason it doesn't always seem to "update" instantly. What I mean is, I'd change a page, access it and it won't use the new code. This is a horror when trying to debug...
I suspect you mean it's coming back into existence and you think it should be gone. Look for any "cfparams" that set the variable. It might be deleted then reinitiated on the next request.
You can also add a boolean to check if it exists when you delete it.
<cfset exists= structdelete(session, 'username', true)/>
This will give you a "yes" if it exists and a "no" if it doesn't - allowing you to execute further logic if you wish.
You might also take a look at your application names, session timeout values onsessionStart() etc. I've seen problems where a new session was being instantiated with each request.
I just cfset the session variable to kill it...
<cfset session.allowin = "False">
And the application.cfm file is always looking for true...
I'm using the latest version of Codeigniter and tank_auth 1.0.9 on a site I'm building.
When using set_flashdata() and flashdata() respectivly, nothing is being returned on redirect but if I set sess_use_database to FALSE in the config it works.
I've searched around and couldn't find an answer -- Has anyone else run into this issue and fixed it?
I was having the same issue and figured out the problem. If you're storing sessions in the database, it will not work.
Tank Auth runs this code from the main library ( $this->tank_auth->logout() ):
$this->delete_autologin();
// See http://codeigniter.com/forums/viewreply/662369/ as the reason for the next line
$this->ci->session->set_userdata(array('user_id' => '', 'username' => '', 'status' => ''));
$this->ci->session->sess_destroy();
Then it runs this code from the auth controller ( $this->_show_message() ):
$this->session->set_flashdata('message', $message);
redirect('/auth/');
The problem is that since sess_destroy() was run prior to setting the flashdata, there is no database row to add the flashdata to, so the flashdata never gets set.
At this point there are a few solutions:
Option 1:
Add $this->ci->session->sess_create(); immediately after $this->ci->session->sess_destroy(); in function logout() in application/libraries/Tank_auth.php
This works because you are creating a new blank session where flashdata can be stored. A potential con for this is that you are performing more operations on the database (delete+insert).
Option 2:
Comment out/delete $this->ci->session->sess_destroy(); in function logout() in application/libraries/Tank_auth.php
This works because the session is not destroyed, allowing CI to perform only an update query to add flashdata. This is probably better than option 1 unless you absolutely need to destroy the session.
Option 3:
Set $config['sess_use_database'] to FALSE.
This works because a session is automatically created when it is requested again, as opposed to how it works when you store sessions in the database. Potentially less secure.
In the end, it is up to you to decide which option is best for your application.
if tank_auth does any internal redirects then you may lose the flash data on that redirect request.
Exactly.
CodeIgniter documentation specifies here:
http://codeigniter.com/user_guide/libraries/sessions.html
=============================
Destroying a Session
To clear the current session:
$this->session->sess_destroy();
Note: This function should be the last one called,
and **even flash variables will no longer be available**.
If you only want some items destroyed and not all, use unset_userdata().
=============================
I've digged into the system/libraries/Session.php file and saving flashdata triggers the sess_write() method which only UPDATES the database as you said.
To me a better fix is checking to make sure the session exist before setting the flashdata in show_message().
function _show_message($message)
{
// Patch for show_message() after logout(). Make sure the session exist before set_flashdata().
if(!$this->session->sess_read())
{
$this->session->sess_create();
}
$this->session->set_flashdata('message', $message);
redirect('/auth/');
}
As above: Is it possible to regenerate Code Igniter sessions manually? I'm looking for something similar to session_regenerate_id in PHP sessions, so that I could call it manually when a user went through privilege escalation.
Thanks,
Lemiant
CI automatically regenerates the session id every x seconds, which you can set in your config.
You could create a new function in Session.php the same as sess_update() but with the following removed from the top & the function renamed to regenerate_id().
// We only update the session every five minutes by default
if (($this->userdata['last_activity']+$this->sess_time_to_update) >= $this->now)
{
return;
}
This will regenerate the session id, update users_activity and keep the users data. Just call it by $this->session->regenerate_id();
I know this is an old post, but I came across it, so others might too.
You could also do the following so you don't have to hack the core files at all (making codeigniter more easily upgradable with future releases):
//Setting this to 0 forces the sess_update method to regenerate on the next call
$this->session->sess_time_to_update=0;
//Call the sess_update method to actually regenerate the session ID
$this->session->sess_update();
Credit to the original answer for leading me down this path though, thank you.