I'm working on a shopping cart and facing an issue with FOSuserBundle registration flow :
My users can add whatever they want to their cart, being or not logged/registered, but before checking out, i want them to login/register.
The main important thing is that I want after login/registration they can get back the same shopping cart they had before. To achieve it, i'm saving into the user session a random key and i'm saving this random key in the database with all articles data.
I hava no problem with the login flow, the session is kept without any change (symfony preserves all session data), so the user retrieves his session, but my problem is with registration.
When the user wants to checkout and have not an account yet, he needs to register, and when the registration is complete (with FosuserBundle, sending an activation link by mail) the user session is completely resetted so the shopping cart is lost but has not really disappeared : Actually, a weird thing i observed is that the browser seems to deal with 2 different sessions at the same time but in 2 separate tabs, in the old browser tab (before registration), data is still here, but in the new tab the session is cleared
So my question is, is there a way to give back a user his session after a successful registration in Symfony2.1 and while using FosUserBundle?
Thank you in advance
My security config file was the cause
I had to set the option session_fixation_strategy to "migrate", that now works perfectly, thanks
Login/Logout is handled by symfony's 2 security component while registration is handled by FosUserBundle.
You can try to override the registration handler https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Resources/doc/overriding_controllers.md and migrate your old session: http://symfony.com/doc/current/components/http_foundation/sessions.html#session-api
Related
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
Ok, so on a completely vanilla MVC5 template, I am finding that if I Login, tick Remember Me, close the browser and open it again, and then go back to the website I am showing as logged in.
Request.IsAuthenticated returns true, and I can access pages protected by the Authorize attribute, but my Session is empty.
My question is, is there any way to retain the users Session at this point also, as long as the application pool hasn't been recycled etc.
Thanks
Session state (which is what i assume you're referring to) is unrelated to authentication.
I am stuck with a session handling problem for past few days.
I am working on an application where an user logs into his account and can register there details or change them. How to manage sessions in this case. I mean how can i access the attribute of a session in different action classes?
Also when i click on log out and after that i press the back button given in the browser it goes back to the previous page and user can change their details which should not happen. Please help !!
The back button "issue" is because you have not disabled page caching.
Sessions data is available in actions via the SessionAware interface.
Sessions are per-user (more or less, actually per-conversation, and how that's implemented varies somewhat across browser versions), not sure what you mean regarding concurrent users.
I have a CakePHP app where users have pages tied to their accounts. For example, the page ID 123 is tied to user 321.
Whenever the user logs in, all the pages tied to his account are saved in the session.
Admins are the only one who can tie a page to an user. And here is the problem. If an admin adds a new page to an user and if this user is logged, he won't see this new page tied to his account unless he logs out/in. In other words, while his current session is valid.
What would be the best way to deal with this? If there is any way...
Find the user session and... update? delete? Is this even possible and/or "elegant"?
Send a message to this user warning about the new page and tell him to logout/login?
Stop saving this info in the session and rely on database only?
You really should stop saving this info in session.
My web application requires a user to be logged in to view any webpage on it.
When a user logs in I store, in sessions, their username and password for retrieval later on. This all works fine but, if I rerun my project it seems to skip past authentication and go straight to the controller for that action.
What I presume is happening is that FormsAuthentication.SetAuthCookie(userName, createPersistentCookie); is remembering that the user is logged in but my sessions aren't updated.
How can I trap this scenario and update my sessions accordingly?
There are many ways of going about it.
First, you can choose, not to persist the cookie. But this will still cause the exception if the session has not expired and you recompile your project. Recompiling the project destroys the session state.
Though putting the password in session state is not the preferred way of going about it, I am sure you would have a valid reason of doing it that way.
However, if you want to do it that way, you can override the Application_AuthenticateRequest event in Global.asax. This event fires every time a request comes in and you can check if the request is authenticated (using HttpContext.Current.User.Identity.IsAuthenticated) and repopulate the session state.
By the way, can you elaborate why you need to store the user password in session state?
If I am correctly understood the issue,you can have base action class so and move the authentication mechanism there.So for every request this base will be invoked so you can make sure that the authentication mechanism is not skipped.