I implemented the HttpUserAgent and RemoteAddr validators in Zend Framework 2 to help prevent session hijacking.
use Zend\Session\Validator\HttpUserAgent;
use Zend\Session\SessionManager;
$manager = new SessionManager();
$manager->getValidatorChain()->attach('session.validate', array(new HttpUserAgent(), 'isValid'));
It does seem to stop hijacked sessions however, it doesn't let me display a nice error message or reroute the user to the login page, Instead I get this PHP Error message:
Fatal error: Uncaught exception 'Zend\Session\Exception\RuntimeException'
with message 'Session validation failed' in \zendframework\library\Zend\Session\SessionManager.php on line 111.
Is there a callback or something else that I'm not doing to prevent the code from just dying?
This is php we don't use callbacks, but throw exceptions. You need to catch the exception and handle it from there on out.
I would recommend using the event manager and listening on the dispatch event to validate the user.
Related
I use the default Laravel Exception handler, but I have a question regarding good practices.
When I have a condition in which the controller must throw an exception, I do the following:
if($blah) {
abort(500, "The user should not be here");
}
and then on the frontend, I have a view that handles the error as this:
#section('message', __($exception->getMessage() ?: 'Whoops, something went wrong on our servers.'))
So that works great as long as I have the following on the .env file:
APP_DEBUG=true
Whenever I change this value to false, (as it should in production), all I get on the error page is: Server Error instead of my custom message.
How can I keep my custom error message, and have APP_DEBUG=false in production?
If you want to customize you HTTP errors for specific views or conditions, then you will have to look into Rendering exceptions section that will show you how to show a custom view for a specific exception. With this you can throw an exception like
throw new UserNotFoundException();
and listen to that exception and render a specific view as required.
I have the default config for this since I'm new to Laravel. When I type the mail in /password/reset view it keeps loading till a timeout error is thrown in /password/email view.
I'm using the following code to redirect to another page,
<p:commandButton value="myRedirectButton" value="#{myBean.val}" rendered="#{myBean.renderThis}"
onclick="remoteRedirect();"/>
<p:remoteCommand name="remoteRedirect" actionListener="#{myBean.redirectToPage}"/>
And the actionListener in java is as follows:
public static void redirectToPage(String url){
FacesContext ctx= FacesContext.getCurrentInstance();
ExternalContext ext=ctx.getExternalContext();
String encodedUrl=ext.encodeRedirectUrl(ctx.getApplication().
getViewHandler.getActionUrl(ctx,url),
new HashMap<String,List<String>>());
ext.redirect(encodedUrl);
}
On clicking the 'myRedirectButton', a js error pops up just before the page redirects saying
"This message is only sent, because project stage is development and no other error listeners are registered".
Does anyone have any ideas on why this is happening?
This message is only sent, because project stage is development and no other error listeners are registered
This will show up when you're using MyFaces, and you have javax.faces.PROJECT_STAGE set to Development in web.xml, and you don't have any jsf.ajax.addOnError listener, and the current request is an Ajax request, and the JS code has thrown an error during that request.
Basically, it's just trying to tell you that you should look in the JS console for the actual error, and/or that you should configure a jsf.ajax.addOnError for more fine grained JS error handling. Once having the detail about the actual JS error, you can easily naildown the cause and solve the problem.
As to the concrete problem, you're basically sending multiple ajax requests at the same time on click of the <p:commandButton>, first one via <p:remoteCommand> and immediately thereafter second one via <p:commandButton>. The first one will perform a redirect and hereby unexpectedly abort the second one before its response can be processed, hereby causing a JS error.
There are basically 2 ways to solve your timing problem:
Move the action from the <p:remoteCommand> to the <p:commandButton> and then remove the onclick and <p:remoteCommand> altogether.
Add a return false; in the end of the onclick to block the <p:commandButton> from sending its own ajax request.
I have a simple authentication code like on a zf2 application
$this->auth = new AuthenticationService(new Session($this->namespace));
and the external modules used are
ZendDeveloperTools
BjyProfiler
Everytime, I try to authenticate, like
$this->auth->authenticate($adapter)
I get a "Session validation failed" error message.
When I disable ZendDeveloperTools module, I do not get this error but couldnot fix. I also checked Zend\Session\Container Session validation failed exception — Object(Closure) ZF2, but I do not have anywhere on my code
$sharedEvents->attach('', '', .. )
as suggested by Crisp
i had a same problem.
Look at:
ZendDeveloperTools/Listener/EventLoggingListenerAggregate.php Line: 64
$events->attach($this->identifiers, '*', array($this,'onCollectEvent'),
Profiler::PRIORITY_EVENT_COLLECTOR);
i uncomment it, then i don't get the error.
Hope it was helpful.
I work in a project which uses the session a lot. We have a db handler (the standard one from Zend) and currently i have this initialization (db handler + session start) in a plugin for the preDispatchLoop. Previously it was in preDispatch but because of it being called for each action (included those in the 'forwarded' action, it caused me problems.
My problem is that i began working in internationalization and i began using the router to detect the language in the URI: we use the form /language/controller/action). The router would like to use the session to read/store the language. But as you may know the router comes first and then the (pre/post) dispatcher stuff.
So the question would be: why not move the session initialization to the bootstrapping ? it's because it was there before but i had to move it because i need to test that the db (remember that the session uses the db) is accessible to prevent errors. And if there's an error i simply redirect (request->setController/setAction error). If i move back the session initialization code to the bootstrapping i can't make the redirect if the db is not accessible.
I've read other question and i've found many people asking to access the request object from the bootstrapping. But they all say: you can but shouldn't. but then, how would i do in this case ? my last option would be to move back the sessions initialization to the bootstrapping and if it fails, manually send headers and read the view but the error code but that's a horrible hack.
My thoughts are that the session shouldn't be used that early. They shouldn't be called in the bootstrapping as they're not yet fully aware of the controller/action requested. I think that to get the language i could simply rely in cookies (manual) and get it from there (as well as from the URI). And if eventually some day the session info must be used in the bootstrapping i would use a global variable.
What do you think ? is there an error in the way i'm controlling the application ?
Some questions seen:
Zend Framework: Getting request object in bootstrap
Best way to deal with session handling in Zend Framework
(Zend version 1.9.6, not using Application nor Bootstrap)
I would move the session initialization and db connection to the bootstrapping.
If you can't connect to your db during bootstrapp this should count as low-level error. It is not excepted to happen in production.
Simply wrap your bootstrapping process into a try catch block so you can output an error page.
// in your index.php
try {
$application = new Zend_Application(
APPLICATION_ENV,
APPLICATION_PATH . '/configs/application.ini'
);
$application->bootstrap()
->run();
} catch (Exception $e) {
header('Content-type: text/html; charset=utf-8');
header('HTTP/1.1 503 Service Unavailable');
header("Retry-After: 3600");
// Output some error page.
echo "<html><head><title>System Error</title></head><body>...</bod></html>";
?>