Sync session token in Joomla - session

CMS- Joomla! 2.5
Task- When I log in to www.domain.com (A), I should automatically be logged into test.domain.com (B), and vice versa.
Implementation
When I visit site A, a session cookie is set to hold the session id. Once I log in to site A, the user credentials are checked and then the session record in the j25_session table is updated with the user id. Once this is done, I can freely navigate through site A, as the session id is in the session cookie.
The cookie id and the session id stored in the cookie are the same on site B. This is because I have set the cookie domain on both websites to .domain.com and I am using the same secret value in the configuration file. Site B also has access to the session data of site A, as the tables are shared (created as views).
So ideally, even if I move from site A to B, the session should be valid and I should be logged in.
Issue
The session becomes invalid when I move from site A to B. As far as I've investigated, this is due to the token that is in the login form: the token in the form and the token saved in the session differ, and this makes the session die.
Any thoughts?

There are a few problems you would need to face if you want to do this manually.
First of all, there's a great component, JFusion, with good support, but I'm not sure if it allows bi-directional sessions between two Joomla sites. Check it out; you could save many hours if not days!
Users
In order to authenticate someone on a different Joomla site there must be the same database record in the #__users table on both site A and site B, with the same IDs and usernames, in addition to the same session cookie.
A few ways to solve this:
- create a user plugin which synchronizes entries in #_users and #_user_usergroup_map from site A to B and vice versa. This must handle creating data after registration, removing records after deletion, and updating them.
- use MySQL replication (Master <-> Master) to synchronize the #_users and #_user_usergroup_map tables between site A and B and vice versa
Sharing sessions
In order to share a valid session between 2 Joomla websites both need to have access to the same session cookie and #__sessions table, which you already implemented from what I understand, right?
If not, this is the biggest issue you have to face. A few ways to solve it:
- use curl to get the login form of site B
- use regular expressions to pull out the token from
- send a POST request to the users component with the login task on site B
the other is:
- assuming the #__users table is the same on both sides
- after successful authentication on site A, create the same session record in the #__sessions table on site B
another, and the best solution:
- use MySQL replication (Master <-> Master) to replicate the #__sessions table between both sites
Sessions expiration
Even when you implement shared sessions you may need to face this issue. Sessions on site A and B will have different expiration times. That means when you log in on site A, the session on site B may expire earlier, so that you won't be logged in on site B when you visit it.
You could solve it by:
- setting up the same "Session expires after" setting in the Joomla backend on both sites.
- replicating the #__users table either with MySQL replication or user plugins on both sites.
There's a lot of work to achieve this, but even if you decide to do it manually, check out a few extensions just to see how they do it.
Good luck
EDIT: I also recommend checking out these extensions:
http://extensions.joomla.org/extensions/core-enhancements/multiple-sites/19249
http://extensions.joomla.org/extensions/core-enhancements/multiple-sites/7557
http://extensions.joomla.org/extensions/core-enhancements/multiple-sites/5550
http://extensions.joomla.org/extensions/core-enhancements/multiple-sites/14863
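To make the token mismatch from the question and the expiry mismatch from the answer concrete, here is an added, self-contained model of two sites reading one shared session table. It is example code written for this page, not Joomla's own session handler: the `SharedSessionStore` class stands in for the shared #__session table/view, `Site` stands in for one Joomla front end, and the `lifetime` values are stand-ins for each site's "Session expires after" setting. With `shared_token=True` the form token lives inside the shared session row, so a form rendered on A validates on B; with `shared_token=False` each site keeps its own token and the cross-site submit fails, which is the behaviour the question reports. The third walkthrough shows a shorter lifetime on B garbage-collecting a row that A still considers live.

```python
import hmac
import secrets


class SharedSessionStore:
    """In-memory stand-in for the #__session table that both sites read through
    the shared views described in the question (constructed model, not Joomla code).
    A row holds the user id (0 while anonymous), the last-activity time and the
    session data, kept here as a dict instead of a serialized string."""

    def __init__(self):
        self.rows = {}

    def create(self, now):
        sid = secrets.token_hex(16)
        self.rows[sid] = {"user_id": 0, "time": now, "data": {}}
        return sid

    def get(self, sid):
        return self.rows.get(sid)


class Site:
    """One Joomla front end. `lifetime` plays the role of the site's
    "Session expires after" value, in seconds. `shared_token=True` keeps the
    form token inside the shared session row; False models each site generating
    and caching its own token, which is the mismatch the question runs into."""

    def __init__(self, name, store, lifetime, shared_token=True):
        self.name = name
        self.store = store
        self.lifetime = lifetime
        self.shared_token = shared_token
        self.local_tokens = {}  # per-site token cache, used only when shared_token is False

    def login(self, sid, user_id, now):
        row = self.store.get(sid)
        row["user_id"] = user_id
        row["time"] = now

    def is_logged_in(self, sid, now):
        row = self.store.get(sid)
        if row is None or row["user_id"] == 0:
            return False
        if now - row["time"] > self.lifetime:
            # Garbage-collect like the database session handler would:
            # the row disappears for BOTH sites, not just for this one.
            del self.store.rows[sid]
            return False
        row["time"] = now
        return True

    def form_token(self, sid):
        if self.shared_token:
            row = self.store.get(sid)
            if row is None:
                return None
            return row["data"].setdefault("form_token", secrets.token_hex(16))
        return self.local_tokens.setdefault(sid, secrets.token_hex(16))

    def check_token(self, sid, submitted):
        expected = self.form_token(sid)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)


def cross_site_walkthrough(shared_token=True, lifetime_a=900, lifetime_b=900, idle=0):
    """Log in on A, render a form token on A, then submit it to B after `idle` seconds."""
    store = SharedSessionStore()
    site_a = Site("A", store, lifetime_a, shared_token)
    site_b = Site("B", store, lifetime_b, shared_token)
    now = 1_700_000_000
    sid = store.create(now)            # one cookie for .domain.com, so both hosts send it
    site_a.login(sid, user_id=42, now=now)
    token = site_a.form_token(sid)     # the token site A prints into its form
    now += idle
    return {
        "b_accepts_a_token": site_b.check_token(sid, token),
        "logged_in_on_b": site_b.is_logged_in(sid, now),
    }


if __name__ == "__main__":
    print(cross_site_walkthrough())                          # token shared: both True
    print(cross_site_walkthrough(shared_token=False))        # per-site token: mismatch
    print(cross_site_walkthrough(lifetime_b=600, idle=700))  # B expires the row first
```

The point of the third run is the one the answer makes under "Sessions expiration": because garbage collection acts on the shared row, the site with the shorter lifetime decides for both, so the two settings have to agree.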

Related

Multi Tenant session management using multiple domains

I am trying to implement a feature similar to Slack where my application is a multi-tenant app, and a user can be logged into multiple accounts. Each account will be tied to a different domain. If logged into 2 different accounts, the user should be able to switch back and forth between the accounts. Also, the sessions should be managed independently. If one session expires, and the user needs to login, that expired session should not affect the other active sessions.
The issue I am seeing is that the different domain sessions override each other. This is a React frontend with Okta.
Thanks for your time.
There are some gaps which require details, but here are a few pointers that might help you.
Post-authentication, you should be storing the authentication information like the session expiry and username in some form (local / session storage).
If I log in to your application and choose a domain like (acme.com), the session information should be stored under a key like acme.com or hash(acme.com), so that however many domains I log into, there will be unique keys to identify sessions and there will be no conflict of keys.
Once the domains are changed (like when you switch workspaces in Slack) there will be a new login session established (the first time), which sets up the session information as described above.
For every workspace / domain change, the authentication libraries would be called and they would validate the stored session information, which gives the right data and expiry, and the user gets to use the application without issues.
Do share your implementation details or any issues if you implement this solution.

How to limit users to one session with CakePHP 3?

I have auth working fine. Users can log in and out, no problem. The thing is, if users share a login, they can all be logged in at the same time as the one user. Not good.
I need to have CakePHP know when a user is logged in, which I assume is a process started using:
'Session' => [
'defaults' => 'database'
]
As per the Sessions book page.
It's then I get lost. Unless I have missed it there is no reference to limiting users to one active session each. Has anyone come across this before and, if so, how did you work around it?
To clarify:
All sessions deleted from DB & all cookies deleted in browser = nothing set in either when visiting the /users/login page (incidentally, this has been set up as per the tutorials - nothing fancy).
Login = session set in db with id corresponding to cookie in browser. Exactly what you'd expect.
Logout (which then redirects back to login) = old session removed then replaced by another in DB and cookie. Different id. So something is picking up the expired cookie and refreshing it. Hmm.
The information held in the cookie is just the session id. In the DB it's simply:
Session id | a blob | expiry time
I assume you save users and sessions in a database (by default in CakePHP it is named sessions).
Add an active_session field, update it upon login, and check it on requests to ensure that the current user session id matches the last one stored in the database.
On the Login action do:
UPDATE `users` SET `active_session`='$session_id' WHERE `id`='$user_id'; -- scoped to the logged-in user; without the WHERE clause every row would be updated
When the user goes to a page that requires login, you search for that value:
SELECT * FROM `users` WHERE `active_session` = '$session_id';
If the user signs in somewhere else, the previous session key gets overwritten, and the SELECT above returns an empty result set.
It's possible to clean up the old session token before the update, so this way the old session will be destroyed on a per-user basis.
Be careful: if you are using AuthComponent, it might rotate sessions itself; more information can be found in the corresponding section of the CakePHP manual.
I'd definitely go the AuthComponent way, and wouldn't re-invent the wheel in CakePHP.
I tie users to their cell phone. Every day they get a new 6 digit code via Twilio SMS. Makes it hard to share logins, but not impossible. Ultimately, I would like to track how many different machines a user uses per day and establish some fair use limitations. If a user uses three or four machines in a day, that's fine, but when they start using the same user id on twenty or fifty machines a day, that might be a problem.
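The active_session approach from the first answer, carried through end to end as an added example. This is illustration code written for this page, not CakePHP's AuthComponent or database session handler: `SessionTable` and `UserTable` are constructed in-memory stand-ins for the `sessions` and `users` tables, the salt and the "alice" account are constructed fixtures, and the PBKDF2 hasher is a placeholder for the bcrypt-based hasher CakePHP ships. The walkthrough shows what the answer describes: a second login with the same credentials overwrites the stored session id and destroys the old record, so the first browser's cookie stops resolving to a user.

```python
import hashlib
import hmac
import secrets


def hash_password(password, salt):
    # Constructed demo hasher. Real CakePHP code uses DefaultPasswordHasher (bcrypt).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class SessionTable:
    """Stand-in for the `sessions` table (id, data, expires) used by the database
    session handler. Constructed model, not CakePHP's own class."""

    def __init__(self):
        self.rows = {}

    def create(self, data, now, ttl):
        sid = secrets.token_urlsafe(24)          # fresh id on every login
        self.rows[sid] = {"data": dict(data), "expires": now + ttl}
        return sid

    def read(self, sid, now):
        row = self.rows.get(sid)
        if row is None or row["expires"] <= now:
            self.rows.pop(sid, None)
            return None
        return row["data"]

    def destroy(self, sid):
        self.rows.pop(sid, None)


class UserTable:
    """`users` table with the extra `active_session` column the answer proposes."""

    def __init__(self):
        self.salt = b"constructed-demo-salt"
        self.rows = {
            1: {"username": "alice",
                "password": hash_password("correct horse", self.salt),
                "active_session": None},
        }

    def authenticate(self, username, password):
        for user_id, row in self.rows.items():
            candidate = hash_password(password, self.salt)
            if row["username"] == username and hmac.compare_digest(row["password"], candidate):
                return user_id
        return None


def login(users, sessions, username, password, now, ttl=3600):
    user_id = users.authenticate(username, password)
    if user_id is None:
        return None
    user = users.rows[user_id]
    if user["active_session"] is not None:
        sessions.destroy(user["active_session"])   # explicitly end the previous device's session
    sid = sessions.create({"user_id": user_id}, now, ttl)
    user["active_session"] = sid   # UPDATE users SET active_session = ? WHERE id = ?
    return sid


def current_user(users, sessions, sid, now):
    data = sessions.read(sid, now)
    if data is None:
        return None
    user = users.rows.get(data["user_id"])
    if user is None or user["active_session"] is None:
        return None
    # SELECT ... WHERE id = ? AND active_session = ?: a superseded id no longer matches
    if not hmac.compare_digest(user["active_session"], sid):
        return None
    return user["username"]


def shared_login_walkthrough():
    users, sessions = UserTable(), SessionTable()
    now = 1_700_000_000
    first = login(users, sessions, "alice", "correct horse", now)
    second = login(users, sessions, "alice", "correct horse", now + 60)  # same credentials, second browser
    return {
        "first_still_valid": current_user(users, sessions, first, now + 120),
        "second_valid": current_user(users, sessions, second, now + 120),
        "wrong_password": login(users, sessions, "alice", "nope", now),
    }


if __name__ == "__main__":
    print(shared_login_walkthrough())
```

Destroying the old session record at login time, as `login` does, is what the answer calls cleaning the old token before the update; the `current_user` comparison alone would also lock the first browser out, but the stale row would otherwise linger until it expired.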

Zend Framework 2 session container lifetime

I'm a novice in ZF2 and need advice from more experienced users.
I'm developing a small shop and I want to have different lifetimes for the session storage and the cookies.
For example, when a user logs in, the server sends a cookie with a 3 month lifetime and creates a session storage record (for user data) with a 30 minute lifetime. Having the cookie and a unique session record, the user can buy goods, comment, and view their profile with secure data (e.g. credit card number, phone, etc).
After 30 minutes of no activity the session record must be deleted but the cookie must be left (the cookie's lifetime must be 3 months). Having only the cookie, the user can make comments but cannot buy anything or view his/her profile.
So I'm interested in how I can realize this with ZF2. As I understood it, "remember_me_time" must be equal to "cookie_lifetime", or can they be set to different values?
Does ZF2 have any standard mechanism to delete a session storage record after some time for a single user, or do I have to create such a mechanism myself?
If you're using ZfcUser (and if you're doing user authentication on ZF2 you should be) check out the GoalioRememberMe (https://github.com/goalio/GoalioRememberMe) module, it does exactly what you're looking for (Caveat: I've never actually used it myself so I can't vouch for its efficacy or security)
I also suggest reading this response by Anthony Ferrara (#ircmaxell) to a somewhat similar question. It contains some background information on what you should and shouldn't do, and the gist of it is: don't try to keep the PHP session open that long, use a "remember me" cookie instead and build a new session from the remember-me cookie for visitors that don't have an active session.
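The two-tier behaviour the question asks for, built the way the answer recommends: a short server-side session plus a separate long-lived "remember me" cookie that creates a new, reduced-privilege session when the original has been deleted. This is an added example written for this page, not ZF2 or GoalioRememberMe code; the `Shop` class, the `PERMISSIONS` table and the user "bob" are constructed stand-ins, and the remember-me cookie uses a selector/validator pair with only the validator's hash stored server-side, a design choice of this example rather than something the answer spells out.

```python
import hashlib
import hmac
import secrets

SESSION_IDLE_TTL = 30 * 60          # server-side session record: 30 minutes of inactivity
REMEMBER_TTL = 90 * 24 * 60 * 60    # remember-me cookie: roughly 3 months

# What each authentication level may do (constructed policy matching the question's shop).
PERMISSIONS = {
    "anonymous": frozenset(),
    "remembered": frozenset({"comment"}),
    "full": frozenset({"comment", "buy", "view_profile"}),
}


def _sha256(text):
    return hashlib.sha256(text.encode()).hexdigest()


class Shop:
    def __init__(self):
        self.sessions = {}   # session id -> {"user", "level", "last_seen"}
        self.remember = {}   # selector -> {"user", "validator_hash", "expires"}

    def _new_session(self, user, level, now):
        sid = secrets.token_urlsafe(24)
        self.sessions[sid] = {"user": user, "level": level, "last_seen": now}
        return sid

    def login(self, user, now):
        """Password login: full session plus a long-lived remember-me cookie.
        Only a hash of the validator is stored, so a leaked table cannot forge cookies."""
        selector, validator = secrets.token_hex(8), secrets.token_hex(32)
        self.remember[selector] = {
            "user": user,
            "validator_hash": _sha256(validator),
            "expires": now + REMEMBER_TTL,
        }
        return {"session": self._new_session(user, "full", now),
                "remember_me": f"{selector}:{validator}"}

    def _redeem_remember_me(self, cookie, now):
        selector, _, validator = cookie.partition(":")
        row = self.remember.get(selector)
        if row is None or row["expires"] <= now:
            self.remember.pop(selector, None)
            return None
        if not hmac.compare_digest(row["validator_hash"], _sha256(validator)):
            return None
        return row["user"]

    def resolve(self, cookies, now):
        """Returns (user, level) and refreshes or replaces the session cookie in `cookies`."""
        sid = cookies.get("session")
        sess = self.sessions.get(sid)
        if sess is not None and now - sess["last_seen"] <= SESSION_IDLE_TTL:
            sess["last_seen"] = now
            return sess["user"], sess["level"]
        self.sessions.pop(sid, None)   # idle too long: the record goes, the cookies stay
        remember = cookies.get("remember_me")
        user = self._redeem_remember_me(remember, now) if remember else None
        if user is None:
            return None, "anonymous"
        cookies["session"] = self._new_session(user, "remembered", now)  # reduced-privilege session
        return user, "remembered"

    def allowed(self, cookies, action, now):
        _, level = self.resolve(cookies, now)
        return action in PERMISSIONS[level]


def shop_walkthrough():
    shop = Shop()
    t0 = 1_700_000_000
    cookies = shop.login("bob", t0)          # the browser's cookie jar, as a dict
    later = t0 + 60 + 31 * 60                # 31 idle minutes after the last request
    return {
        "buy_right_away": shop.allowed(cookies, "buy", t0 + 60),
        "buy_after_31_min": shop.allowed(cookies, "buy", later),
        "comment_after_31_min": shop.allowed(cookies, "comment", later),
        "comment_after_4_months": shop.allowed(cookies, "comment", t0 + 120 * 24 * 3600),
    }


if __name__ == "__main__":
    print(shop_walkthrough())
```

Buying or viewing the profile after the 30 minute window requires a fresh password login, which would call `login` again and replace the "remembered" session with a "full" one; that is the step-up the answer's linked discussion argues for instead of stretching the PHP session to three months.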

GWT: Storing Session ID in cookie, and then what?

I'm currently making a site using GWT, being hosted on AppEngine. I'm making it with my own logins that I'm making (I know Google provides something with GWT, but I need my own login system), and I've been trying to figure out sessions for quite a while now. I've found a few tutorials, and one of the sites that I was reading is http://code.google.com/p/google-web-toolkit-incubator/wiki/LoginSecurityFAQ
There is a section there on "How to Remember Logins". I know how to get the session ID and store it on the client in a cookie through an RPC call. What I don't understand is, eventually after a day or so, the user comes back and I'm supposed to get the session ID from the cookie and send it back to the server. What am I supposed to do on the server in order to securely evaluate if session ID is still legal, and pull up all the necessary information about the user?
Additional questions:
1. What would make the session ID change?
2. What if the user was on a laptop, and the user went somewhere else. Would he still be able to be securely logged back in without having to type in his login and password again?
Thanks!
~Scott
Similar question: question on GWT, Cookies and webpage directing.
One important thing you should remember: don't rely on cookies alone - transfer the session ID/token in the payload of the request too and compare it with the cookie value on the server side. This will prevent XSRF attacks. That's the sort of thing you should be worried about.
The policy on how to deal with session IDs depends on how seriously you take security in your application and what type of application it is. For example, you can log in with the same token on GMail from different IPs - I presume they allowed this because it's common that the user's IP changes over sessions. They did however add a feature that allows you to see from which IPs the user logged in recently. And don't forget about users with dynamic IPs (quite a large number) - if you keep track of tokens and IPs you will basically disallow those users from being kept logged in between sessions.
What am I supposed to do on the server in order to securely evaluate if session ID is still legal, and pull up all the necessary information about the user?
You should keep track of the session IDs/login pairs in your DB.
What would make the session ID change?
Either it expires or the user tries to log in with a token that is not bound to their IP. You could add your own rules too - like the number of logins, etc. For additional security, you can generate a new session ID/token on every new login/session (the user authenticates with the old token, the server checks that it's valid and sends the user back the new token he/she should use from now on).
To remember logins you need to securely generate a unique session id. Normally, this is placed in a cookie. I would recommend using a framework that does session cookies for you. Getting it wrong can leave your site wide open to abuse. Things to consider include:
- Do you need to worry about cookie stealing? The user's IP address should be encoded in the session id, or linked to the session id. Check the IP address on every page access.
- Ensure your logins are on encrypted sessions. Otherwise, you expose credentials in plaintext on the network.
- How long should sessions last? They should time out after a fixed time limit. This can be hours or days long.
- Remember me should be different functionality on a different cookie. It needs to contain something that can be used to identify the user. Depending on your security requirements it may need to be an encrypted value. This cookie can have a longer timeout.
Answers to your additional questions are:
1. Nothing on the client side is likely to change the session id. The session id should be regenerated every login.
2. Depending on how secure the session id is, they may have to login. Secure session cookies often encode the IP address to prevent cookie stealing. If so, the laptop user would need to login again.
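The server-side check both answers describe, as an added example that is not part of either answer and not GWT or App Engine code: the session id arrives in the cookie and again in the RPC payload, the two are compared in constant time (the XSRF defence from the first answer), the id is looked up in a table of session-id/login pairs with an expiry, and a "remember me" revisit authenticates with the old id and is handed a new one (the rotation both answers recommend). `SessionTable`, the one-day `SESSION_TTL` and the login "scott" are constructed stand-ins.

```python
import hmac
import secrets

SESSION_TTL = 24 * 60 * 60   # constructed: sessions stay valid for a day, as in the question


class SessionTable:
    """Server-side table of session id -> login, the "session IDs/login pairs"
    the first answer refers to. Constructed in-memory stand-in for a datastore."""

    def __init__(self):
        self.rows = {}

    def issue(self, login, now):
        sid = secrets.token_urlsafe(32)          # unpredictable id, never derived from the login
        self.rows[sid] = {"login": login, "expires": now + SESSION_TTL}
        return sid


def validate_request(table, cookies, payload, now):
    """Returns (login, reason). The id must arrive in the cookie AND in the request
    payload and the two must match: a forged cross-site request carries the cookie
    automatically, but the attacker's page cannot read it to copy it into the payload."""
    cookie_sid = cookies.get("sid")
    if not cookie_sid:
        return None, "no session cookie"
    payload_sid = payload.get("sid")
    if not payload_sid or not hmac.compare_digest(cookie_sid, payload_sid):
        return None, "cookie and payload token differ (possible XSRF)"
    row = table.rows.get(cookie_sid)
    if row is None:
        return None, "unknown session"
    if row["expires"] <= now:
        del table.rows[cookie_sid]
        return None, "session expired"
    return row["login"], "ok"


def renew_session(table, cookies, payload, now):
    """'Remember me' revisit: the old id authenticates once, then is replaced."""
    login, reason = validate_request(table, cookies, payload, now)
    if login is None:
        return None, reason
    del table.rows[cookies["sid"]]               # the old id is no longer accepted anywhere
    return table.issue(login, now), "rotated"


def gwt_walkthrough():
    table = SessionTable()
    t0 = 1_700_000_000
    sid = table.issue("scott", t0)
    good = validate_request(table, {"sid": sid}, {"sid": sid}, t0 + 10)
    forged = validate_request(table, {"sid": sid}, {}, t0 + 10)   # browser sent the cookie, payload lacks the copy
    new_sid, rotated = renew_session(table, {"sid": sid}, {"sid": sid}, t0 + 3600)
    old_after_rotation = validate_request(table, {"sid": sid}, {"sid": sid}, t0 + 3600)
    stale = validate_request(table, {"sid": new_sid}, {"sid": new_sid}, t0 + 3600 + SESSION_TTL)
    return {
        "good": good,
        "forged": forged[1],
        "rotated": rotated,
        "old_after_rotation": old_after_rotation[1],
        "stale": stale[1],
    }


if __name__ == "__main__":
    print(gwt_walkthrough())
```

The `reason` strings are for the server log, not for the client; the client only needs to know that it must log in again.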

Cookie across different domains

I am working on building a learners website (http:localhost:8080.xyz.com). This is being built on a Glassfish server using GWT. I need to integrate forums (http:localhost:8888.abc.com) into this site. The forum is built using PHP and is on an Apache server.
Both the websites share the same MySQL database and this database has a table named session table which has information about the user id and corresponding session id.
Now I am trying to integrate the forum into my website using an iframe.
My first question here is, once the user logs in to my website, will my website and the iframe have the same session id?
If they don't have the same session id, what would be the best way to implement the functionality that when a user logs in to my system he is also automatically logged in to the forum?
Thanks
Easy Solution:
Send the user (via iframe or ajax or whatever) to a page on domain B, providing the session ID as a get parameter (http:localhost:8888.abc.com/sso.php?sessid=the_sess_id), then create the cookie on domain B.
More complicated solution:
Setup one of the two servers as a reverse proxy so both apps share the same domain and cookies.
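The "easy solution" above, as an added example that is not part of the answer, with one change a practitioner would want: domain A puts a short-lived, single-use ticket in the sso.php URL instead of the session id itself, so the long-lived session id never lands in browser history, proxy logs or Referer headers, and domain B resolves the ticket through the shared session table before setting its own cookie. `SharedDatabase`, its `tickets` table, the one-minute `TICKET_TTL`, the `forum.example.test` host and user id 7 are all constructed stand-ins, not the asker's schema or hostnames.

```python
import secrets

TICKET_TTL = 60   # constructed: a handoff ticket lives one minute and is redeemed once


class SharedDatabase:
    """The MySQL database both apps share: the session table from the question plus
    an extra tickets table this example introduces (constructed in-memory model)."""

    def __init__(self):
        self.sessions = {}   # session id -> user id
        self.tickets = {}    # ticket -> {"session_id", "expires", "used"}


def site_a_login(db, user_id):
    sid = secrets.token_urlsafe(24)
    db.sessions[sid] = user_id
    return sid


def site_a_sso_link(db, sid, now, forum_base="http://forum.example.test"):
    """Domain A builds the URL the iframe loads on domain B. The session id stays
    out of the URL; a throw-away ticket bound to it goes in instead."""
    if sid not in db.sessions:
        return None
    ticket = secrets.token_urlsafe(32)
    db.tickets[ticket] = {"session_id": sid, "expires": now + TICKET_TTL, "used": False}
    return f"{forum_base}/sso.php?ticket={ticket}"


def site_b_sso(db, ticket, now):
    """Domain B's sso.php: redeem the ticket and return the cookie to set on domain B.
    Returns None for an unknown, replayed or expired ticket."""
    row = db.tickets.get(ticket)
    if row is None or row["used"] or row["expires"] <= now:
        return None
    row["used"] = True                        # single use, even if the response is lost
    sid = row["session_id"]
    if sid not in db.sessions:                # user logged out of A in the meantime
        return None
    # SameSite=None plus Secure is what a cookie needs to be sent inside a cross-site iframe.
    return {"name": "PHPSESSID", "value": sid, "httponly": True, "secure": True, "samesite": "None"}


def sso_walkthrough():
    db = SharedDatabase()
    t0 = 1_700_000_000
    sid = site_a_login(db, user_id=7)
    url = site_a_sso_link(db, sid, t0)
    ticket = url.rsplit("ticket=", 1)[1]
    first = site_b_sso(db, ticket, t0 + 5)
    replay = site_b_sso(db, ticket, t0 + 6)
    late_ticket = site_a_sso_link(db, sid, t0).rsplit("ticket=", 1)[1]
    late = site_b_sso(db, late_ticket, t0 + TICKET_TTL + 1)
    return {
        "cookie_value_matches_session": first is not None and first["value"] == sid,
        "replay_rejected": replay is None,
        "expired_rejected": late is None,
        "session_id_in_url": sid in url,
    }


if __name__ == "__main__":
    print(sso_walkthrough())
```

Because both apps already read the same session table, domain B can hand out the very same session id in its own cookie; if the forum keeps its own PHP session format instead, `site_b_sso` is the place to create a forum session for `db.sessions[sid]` and set that id instead.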
