Can anybody explain session drivers to me? A search on "laravel session drivers" revealed nothing about the different types. I ask because the following tutorial suggested using an array driver for a REST API, but I don't know why. Tutorial: https://speakerdeck.com/akuzemchak/simple-api-development-with-laravel?slide=62
Here's the relevant section from app/config/session.php
/*
|--------------------------------------------------------------------------
| Default Session Driver
|--------------------------------------------------------------------------
|
| This option controls the default session "driver" that will be used on
| requests. By default, we will use the lightweight native driver but
| you may specify any of the other wonderful drivers provided here.
|
| Supported: "native", "cookie", "database", "apc",
| "memcached", "redis", "array"
|
*/
'driver' => 'native',
It's quite easy. The driver defines where session data will be stored.
native - the session will be handled by PHP's internal session routines
cookie - the session will be stored in cookies
database - the session will be stored in the database (by default in the table sessions)
memcached/redis - use one of these daemons as session storage
array - the session will be stored in a plain array (it's handled by MockArraySessionStorage)
The array driver means that the session only lives for one request (stored during the PHP runtime), and after that it disappears :)
This is a common problem seemingly with a variety of suggestions/solutions. I've read many previous topics and other sources but without success at my own problem.
Hosting a Laravel 6 app on Heroku. My session.php looks like:
<?php
return [
/*
|--------------------------------------------------------------------------
| Default Session Driver
|--------------------------------------------------------------------------
|
| This option controls the default session "driver" that will be used on
| requests. By default, we will use the lightweight native driver but
| you may specify any of the other wonderful drivers provided here.
|
| Supported: "file", "cookie", "database", "apc",
| "memcached", "redis", "array"
|
*/
'driver' => env('SESSION_DRIVER', 'file'),
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => 120,
'expire_on_close' => false,
/*
|--------------------------------------------------------------------------
| Session Encryption
|--------------------------------------------------------------------------
|
| This option allows you to easily specify that all of your session data
| should be encrypted before it is stored. All encryption will be run
| automatically by Laravel and you can use the Session like normal.
|
*/
'encrypt' => false,
/*
|--------------------------------------------------------------------------
| Session File Location
|--------------------------------------------------------------------------
|
| When using the native session driver, we need a location where session
| files may be stored. A default has been set for you but a different
| location may be specified. This is only needed for file sessions.
|
*/
'files' => storage_path('framework/sessions'),
/*
|--------------------------------------------------------------------------
| Session Database Connection
|--------------------------------------------------------------------------
|
| When using the "database" or "redis" session drivers, you may specify a
| connection that should be used to manage these sessions. This should
| correspond to a connection in your database configuration options.
|
*/
'connection' => env('SESSION_CONNECTION', null),
/*
|--------------------------------------------------------------------------
| Session Database Table
|--------------------------------------------------------------------------
|
| When using the "database" session driver, you may specify the table we
| should use to manage the sessions. Of course, a sensible default is
| provided for you; however, you are free to change this as needed.
|
*/
'table' => 'sessions',
/*
|--------------------------------------------------------------------------
| Session Sweeping Lottery
|--------------------------------------------------------------------------
|
| Some session drivers must manually sweep their storage location to get
| rid of old sessions from storage. Here are the chances that it will
| happen on a given request. By default, the odds are 2 out of 100.
|
*/
'lottery' => [2, 100],
/*
|--------------------------------------------------------------------------
| Session Cookie Name
|--------------------------------------------------------------------------
|
| Here you may change the name of the cookie used to identify a session
| instance by ID. The name specified here will get used every time a
| new session cookie is created by the framework for every driver.
|
*/
'cookie' => env('SESSION_COOKIE', 'my_app_session'),
/*
|--------------------------------------------------------------------------
| Session Cookie Path
|--------------------------------------------------------------------------
|
| The session cookie path determines the path for which the cookie will
| be regarded as available. Typically, this will be the root path of
| your application but you are free to change this when necessary.
|
*/
'path' => '/',
/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/
'domain' => env('SESSION_DOMAIN', null),
/*
|--------------------------------------------------------------------------
| HTTPS Only Cookies
|--------------------------------------------------------------------------
|
| By setting this option to true, session cookies will only be sent back
| to the server if the browser has a HTTPS connection. This will keep
| the cookie from being sent to you if it can not be done securely.
|
*/
'secure' => env('SESSION_SECURE', false),
/*
|--------------------------------------------------------------------------
| HTTP Access Only
|--------------------------------------------------------------------------
|
| Setting this value to true will prevent JavaScript from accessing the
| value of the cookie and the cookie will only be accessible through
| the HTTP protocol. You are free to modify this option if needed.
|
*/
'http_only' => true,
];
I have SESSION_DRIVER=memcached, SESSION_SECURE=true, SESSION_DOMIN=my.heroku.host. Once logged in, I have code that catches a 401 and asks the user to log in again (clicking a button logs them out in the backend and redirects to /login).
Multiple users are reporting that when they get this (presumably after 120 minutes, per session.php) and log back in, they immediately get asked to log in again, as though their session had expired immediately. I've been able to replicate it on Heroku: sometimes I get redirected, sometimes I get the dreaded 'Page expired 419' Laravel page.
I have #csrf on my login form, and a <meta name="csrf-token" content="{{ csrf_token() }}"> at the top of each page once logged in. I am also sending X-CSRF-TOKEN as a header in each ajax request. Further, I'm not only detecting 401 but also 419, and attempting to refresh the csrf-token when that happens.
Once encountered, nothing seems to fix it: clearing cookies, cache, etc. When I restart the Heroku dynos, however, everything works again. I've also been able to replicate locally (by reducing the session lifetime), and there the intercept, logout, login sequence works fine. So it's some kind of issue with Heroku or the config. Any ideas welcome at this point!
Every once in a while I get a token mismatch exception. I send the token, so that can't be it. When I clear the cache and delete my cookies it's fixed again. What could this be?
Additional info
It started happening when I cached all rendered html to make the website offline capable.
The token mismatch exception indicates that your session has expired.
You can handle this exception properly. Take a look at this forum.
You can increase the session time limit in config/session.php:
/*
|--------------------------------------------------------------------------
| Session Lifetime
|--------------------------------------------------------------------------
|
| Here you may specify the number of minutes that you wish the session
| to be allowed to remain idle before it expires. If you want them
| to immediately expire on the browser closing, set that option.
|
*/
'lifetime' => 30,
'expire_on_close' => true,
It's 30 minutes by default.
I will be using a stateless web app architecture. For authentication I will be encrypting the authentication id, putting it in a client cookie and sending it to the client as described here.
But I see that when a GET request is sent to the server, the response contains a cookie named laravel_session. I've read that in a stateless architecture there should be no session, as otherwise it would mean that session state is stored on the server.
How to remove any kind of session from laravel to make my app stateless?
Set session driver:
Laravel v5.7.0: config/session.php
Laravel v4.2.0: app/config/session.php
cookie - a cookie-based session driver where session data is encrypted in the user's cookies.
array - session data is saved in a PHP array. Take note that the array session driver does not support persistence and is usually only used in console commands and tests.
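An added example, not Laravel's code and not from either answer, for the driver lists in the first answer and in this one. It shows what "where session data is stored" means in practice: a handler that keeps data in a PHP array (Laravel's "array" driver) forgets it as soon as the request ends, while a file-backed handler (the "file"/"native" driver) keeps it across requests, expires idle sessions after the lifetime, and sweeps old files on a 2-in-100 lottery the way session.lifetime and session.lottery describe. The class and function names (ArrayHandler, FileHandler, simulateRequest) are chosen here, a temp directory stands in for storage/framework/sessions, and no real PHP session (session_start) is involved.

```php
<?php
// Added example, not Laravel's code, for the driver lists in the first answer and
// in this one. A handler that keeps data in a PHP array (the "array" driver)
// forgets it when the request ends; a file-backed one (the "file"/"native"
// driver) does not, and it also expires idle sessions and sweeps old files the
// way session.lifetime and session.lottery describe. Assumed names: ArrayHandler,
// FileHandler, simulateRequest; a temp dir stands in for storage/framework/sessions.
declare(strict_types=1);

final class ArrayHandler implements SessionHandlerInterface
{
    private array $store = [];
    public function open($path, $name): bool { return true; }
    public function close(): bool { return true; }
    public function read($id): string { return $this->store[$id] ?? ''; }
    public function write($id, $data): bool { $this->store[$id] = $data; return true; }
    public function destroy($id): bool { unset($this->store[$id]); return true; }
    public function gc($maxLifetime): int { return 0; }
}

final class FileHandler implements SessionHandlerInterface
{
    private string $dir;
    private int $lifetime; // seconds a session may stay idle
    public function __construct(string $dir, int $lifetime) { $this->dir = $dir; $this->lifetime = $lifetime; }

    // The ID arrives in the client's cookie, so validate it before using it as a
    // file name (Laravel's Store::isValidId applies the same 40-alphanumeric rule).
    private function path(string $id): string
    {
        if (!ctype_alnum($id) || strlen($id) !== 40) { throw new InvalidArgumentException('invalid session id'); }
        return $this->dir . '/' . $id;
    }
    public function open($path, $name): bool { return is_dir($this->dir) || mkdir($this->dir, 0700, true); }
    public function close(): bool { return true; }
    public function read($id): string
    {
        $file = $this->path($id); // a file idle longer than the lifetime is an expired session
        if (!is_file($file) || filemtime($file) < time() - $this->lifetime) { return ''; }
        return (string) file_get_contents($file);
    }
    public function write($id, $data): bool { return file_put_contents($this->path($id), $data, LOCK_EX) !== false; }
    public function destroy($id): bool { $f = $this->path($id); return !is_file($f) || unlink($f); }
    public function gc($maxLifetime): int // sweep: delete files idle longer than $maxLifetime seconds
    {
        $removed = 0;
        foreach (glob($this->dir . '/*') ?: [] as $file) {
            if (filemtime($file) < time() - $maxLifetime && unlink($file)) { $removed++; }
        }
        return $removed;
    }
}

// One simulated HTTP request: load the session, let $work change it, store it,
// then run the sweeping lottery (2 in 100, the config/session.php default).
function simulateRequest(SessionHandlerInterface $handler, string $id, callable $work, int $lifetime): array
{
    $handler->open('', '');
    $raw = $handler->read($id);
    $data = $raw === '' ? [] : (json_decode($raw, true) ?: []);
    $work($data);
    $handler->write($id, json_encode($data));
    if (random_int(1, 100) <= 2) {
        $handler->gc($lifetime);
    }
    $handler->close();
    return $data;
}

$lifetime = 120 * 60;
$dir = sys_get_temp_dir() . '/session-driver-demo';
$id = bin2hex(random_bytes(20)); // 40 alphanumeric chars, like Str::random(40)

// Every HTTP request is a fresh PHP runtime, so each request gets a new handler
// instance. That is exactly why the array driver cannot carry data between them.
$drivers = [
    'array' => fn () => new ArrayHandler(),
    'file'  => fn () => new FileHandler($dir, $lifetime),
];
foreach ($drivers as $name => $make) {
    simulateRequest($make(), $id, function (array &$s) { $s['user_id'] = 42; }, $lifetime); // login
    $seen = simulateRequest($make(), $id, function (array &$s) {}, $lifetime);             // next request
    printf("%-5s driver: next request sees user_id=%s\n", $name, $seen['user_id'] ?? '(none)');
}

// Idle expiry with the file driver: back-date the file past the lifetime.
touch($dir . '/' . $id, time() - $lifetime - 1);
clearstatcache(true, $dir . '/' . $id);
$seen = simulateRequest(new FileHandler($dir, $lifetime), $id, function (array &$s) {}, $lifetime);
printf("file  driver after %d idle minutes: user_id=%s\n", $lifetime / 60, $seen['user_id'] ?? '(none)');

array_map('unlink', glob($dir . '/*') ?: []);
rmdir($dir);
```

Run it with php on the command line: the array driver reports user_id=(none) on the second request, the file driver reports 42, and after the file is back-dated past the lifetime it reports (none) again. The path() check is the part worth copying: the session ID is attacker-controlled input from a cookie, and any file-based handler has to refuse it before it is joined onto a directory path.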
I'm working on an app that uses Laravel as the backend. The login form works through ajax and the frontend is loaded locally, so it's cross-domain. The problem is that Laravel doesn't set the cookie on the client side, so the user doesn't stay logged in.
I'm thinking of getting the cookie manually and injecting it into the global ajax headers for the app, but I can't find how Laravel converts the session id to the giant string that it sets as a cookie. How can I obtain it, or how can I convert the session id to that value?
You should look at the domain variable in your session.php file:
/*
|--------------------------------------------------------------------------
| Session Cookie Domain
|--------------------------------------------------------------------------
|
| Here you may change the domain of the cookie used to identify a session
| in your application. This will determine which domains the cookie is
| available to in your application. A sensible default has been set.
|
*/
'domain' => null,
Here you can set the domain to your local domain.
I ended up making a workaround: I generated a random hashed token and stored it as a key in Redis with the id of the user as the value, sent it back and stored it in local storage on the front end, then set it in the global ajax header, and the server side just calls
Auth::loginUsingId($id)
with the id looked up from the token value sent by the client on every request. It's messy, but it works around the cross-domain problem.
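An added example, not Laravel's code and not part of either post above, answering the "giant string" question directly. The value Laravel sets in the session cookie is the session ID after the EncryptCookies middleware has passed it through Illuminate\Encryption\Encrypter, and the same layout is what the "cookie" session driver uses when it keeps session data in the cookie itself. The code below reproduces that layout for Laravel 5/6 with plain openssl and hash calls: AES-256-CBC with a random IV, HMAC-SHA256 over base64(iv).ciphertext, and base64 of a JSON object with iv, value and mac fields. Assumptions: the key is a constructed throw-away value (Laravel reads the real one from APP_KEY), the per-cookie-name prefix and the tag field that newer Laravel versions add are left out, and the function names are chosen here.

```php
<?php
// Added example, not Laravel's code. Reproduces the Illuminate\Encryption\Encrypter
// payload layout used for cookie values in Laravel 5/6: AES-256-CBC, random IV,
// HMAC-SHA256 over base64(iv).ciphertext, base64(JSON{iv, value, mac}).
// Assumptions: constructed throw-away key (Laravel uses APP_KEY); newer versions'
// per-cookie-name prefix and "tag" field are omitted; function names are mine.
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';

function encryptCookieValue(string $plain, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    // Laravel serialize()s the value before encrypting it.
    $value = openssl_encrypt(serialize($plain), CIPHER, $key, 0, $iv);
    if ($value === false) {
        throw new RuntimeException('encryption failed');
    }
    $iv = base64_encode($iv);
    $mac = hash_hmac('sha256', $iv . $value, $key);
    return base64_encode(json_encode(['iv' => $iv, 'value' => $value, 'mac' => $mac], JSON_UNESCAPED_SLASHES));
}

// Returns the original value, or null when the cookie is malformed, was not
// produced under $key, or was modified in transit.
function decryptCookieValue(string $cookie, string $key): ?string
{
    $payload = json_decode(base64_decode($cookie, true) ?: '', true);
    if (!is_array($payload) || !isset($payload['iv'], $payload['value'], $payload['mac'])
        || !is_string($payload['iv']) || !is_string($payload['value']) || !is_string($payload['mac'])) {
        return null; // Laravel: "The payload is invalid."
    }
    $iv = base64_decode($payload['iv'], true);
    if ($iv === false || strlen($iv) !== openssl_cipher_iv_length(CIPHER)) {
        return null;
    }
    // Check the MAC first, in constant time, before the ciphertext is touched.
    $expected = hash_hmac('sha256', $payload['iv'] . $payload['value'], $key);
    if (!hash_equals($expected, $payload['mac'])) {
        return null; // Laravel: "The MAC is invalid."
    }
    $plain = openssl_decrypt($payload['value'], CIPHER, $key, 0, $iv);
    if ($plain === false) {
        return null;
    }
    // unserialize() only ever runs on data whose MAC verified; objects are refused anyway.
    $out = unserialize($plain, ['allowed_classes' => false]);
    return is_string($out) ? $out : null;
}

function newSessionId(): string
{
    // Same shape as Laravel's Str::random(40): 40 alphanumeric characters.
    $out = '';
    while (strlen($out) < 40) {
        $out .= str_replace(['/', '+', '='], '', base64_encode(random_bytes(40)));
    }
    return substr($out, 0, 40);
}

$key = hash('sha256', 'constructed demo key, do not reuse', true); // 32 bytes for AES-256
$sessionId = newSessionId();
$cookie = encryptCookieValue($sessionId, $key);
echo "session id  : $sessionId\n";
echo "cookie value: $cookie\n";
echo 'round trip  : ', var_export(decryptCookieValue($cookie, $key) === $sessionId, true), "\n";

// Flip one character of the ciphertext inside the payload: the MAC check rejects it,
// so a client cannot forge or splice a session ID without the APP_KEY.
$payload = json_decode(base64_decode($cookie), true);
$payload['value'][0] = $payload['value'][0] === 'A' ? 'B' : 'A';
$tampered = base64_encode(json_encode($payload, JSON_UNESCAPED_SLASHES));
echo 'tampered    : ', var_export(decryptCookieValue($tampered, $key), true), "\n";

// A value encrypted under a different APP_KEY is rejected the same way.
$otherKey = hash('sha256', 'another constructed key', true);
echo 'wrong key   : ', var_export(decryptCookieValue($cookie, $otherKey), true), "\n";
```

The practical consequence for the cross-domain question: the cookie value is only useful to a client that sends it back unchanged, and it is only mintable by something holding APP_KEY, so "converting the session id to the value" on the client side is not possible by design. The workaround above sidesteps this by issuing a separate bearer token; the same rule then applies to that token, which should be generated with random_bytes and compared with hash_equals on the server.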
As the manual says:
Note: The Session class does not utilize native PHP sessions. It
generates its own session data, offering more flexibility for
developers.
But when I store some data using $this->session->set_userdata(array('sample_key' => 'sample_value'));, in phpinfo() I can find sample_key and sample_value in that.
I hoped that the part
does not utilize native PHP sessions
to be meaning that it hides the session variables from phpinfo().
I'd always thought that it might be a security weakness. Could it be?
As it seems, the values are urlencoded.
CodeIgniter's "session" just stores the data in a cookie, and calls it a session. Native PHP sessions store the data on the server, and a "sessionID" in a cookie.
In phpinfo, you can see the variables, but it's your session, you can't see another user's session.