When making an auth request to the Google API (gapi), it's returning false on the checkOrigin.
I have removed any client id's or anything that would link directly to my account and replaced it with a regex indicating what the data is for reference.
Url: https://accounts.google.com/o/oauth2/iframerpc?action=checkOrigin&origin=https%3A%2F%2Flocal.tools&client_id=(\d{21})
My origin url is a local url, which is https://local.tools
Result: {valid: false}
I'm using the example found here without deviation (except for replacing clientid with my 21 digit clientid): https://ga-dev-tools.appspot.com/embed-api/third-party-visualizations/
The items I'm trying to display show up nicely on the demo site, but aren't getting past the Not valid origin for the client error on my local.tools site.
Clear your browser cache. Started getting this error in Chrome and then I created a new client id and was still getting the issue. Opened firefox and it worked, so I cleared the cache on Chrome and it started working.
I received the same console error message when working with this example: https://developers.google.com/analytics/devguides/reporting/embed/v1/getting-started
The documentation says not to overlook two critical steps ("As you go through the instructions, it's important that you not overlook these two critical steps:
Enable the Analytics API [&] Set the correct origins"), but does not clearly state WHERE to set the correct origins.
Since the client ID I had was not working, I created a new project and a new client ID. The new project may not have been necessary, but I'm retaining (and using) it.
Here's what worked:
Create a new project
Add and Enable the Analytics API
Create a new credential - ensure that it is an OAUTH credential (scroll to the bottom of this page for instructions https://developers.google.com/api-client-library/javascript/start/start-js#Setup).
During creation of the credentials, you will see a section called "Restrictions
Enter JavaScript origins, redirect URIs, or both". This is where you can enter your origins.
Save and copy your client ID (and secret).
My script worked after I created the new OAUTH credential, assigned the origin, and used the newly generated client ID following this process.
try clear caches and then hard reload, i had same error but when i tried to run on incognito browser in chrome it worked.
Key Point: Add both http://localhost and http://localhost:port_number to the Authorized JavaScript origins box for local tests or development.
Credentials do not work if API is not enabled. In my case the next steps were needed:
Go to https://console.developers.google.com/apis/library
Enter 'People'
From the result choose 'Google People API'
Click 'Enable'
Creating new oauth credentials worked for me
You probably use Client ID like this: <CLIENT_ID>.apps.google.com
Make sure your client ID is without ".apps.google.com"
For me - I just went here:
https://console.developers.google.com/apis/credentials
Then chose the right project; then choose the credential with the same ID shown in your console error message. When editing the credentials you can add multiple origins to the white list.
After updated Authorized JavaScript origins browser still caching old data, so I need to Empty cache and hard reload then it works
1. Change Authorized origins
2. Open Dev Tool (F12) then right-click into reload button
Clearing the cache on chrome works!
Please find the steps below to clear the cache.
Open dev tools (Right-click on the page and select inspect/ press F12)
Right-click on the chrome reload button while the dev tool is opened. (You will find the option to clear the cache and reload the site)
clearing the cache works for me.
for React developers try to restart the project otherwise it will show the same error again and again.
It was a referrer-policy problem.
This has been such a pain for a long time to me too...
Found the issue, my website instance had a referrer policy set to
no-referrer. After setting it to no-referrer-when-downgrade, the One
Tap prompt showed up as expected.
https://stackoverflow.com/a/63039142/15565029
If you are using Django, SECURE_REFERRER_POLICY is 'same-origin' by default. Change it by adding the below code in your settings file.
# settings.py
SECURE_REFERRER_POLICY = 'no-referrer-when-downgrade'
https://docs.djangoproject.com/en/3.2/ref/settings/#std:setting-SECURE_REFERRER_POLICY
Similar to few answers at above but with screenshots. If you created project for Firebase, may also use the same steps to configure at Google Cloud Platform console.
Select the project at https://console.cloud.google.com/
Navigate to Credentials
Click Edit button for the related OAuth 2.0 Client ID
Add URI into Authorized JavaScript origins
Don't forget to Save
That worked for me after trying for an hour:
On https://console.cloud.google.com/apis/credentials :
Edit Client Outh (mine was: Web Client (Auto Created by Google Service), which was created by my Firebase Web Project)
Enter JavaScript Origin for the Client ID (mine was: localhost:NNNN)
and don't forget to Save.
Try google login for half an hour: didn't work
Enabled Google Analytics as suggested above
Empty Chrome cache and hard reload as suggested above
Try google login for half an hour: didn't work
Sign Out from https://console.cloud.google.com, and sign in again
Empty Chrome cache and hard reload
Now it worked
I don't know which one of the above fixed the problem.
May be it was just a matter of time for cloud.google to
recognize my new JavaScript Origin.
I got the error because of Allow-Control-Allow-Origin: * browser extension.
Trying on a different browser(chrome) worked for me and clearing cache on firefox cleared the issue.
(PS: Not add the hosting URIs to Authorized JavaScript origins in API credentials would give you Error:redirect_uri_mismatch)
I was getting the same error but tried publishing my app and now it shows as below:
Long story short: I have hacked jasny/sso to work with Laravel. It works extremely well except when the primary/root session has expired.
I have the primary/root authentication set to "remember", so it can reauthenticate from the cookie when the session has expired.
When the 'attach' action happens on the SSO server and the primary/root session has already expired, I am running Auth::check() to bring the session back to life so that it can be attached properly.
All of my debugging indicates that everything is working exactly as I need it to except for this one little detail:
The new session generated by the 'attach' action is never written to the database because the DatabaseSessionHandler thinks it already exists. It is running an UPDATE instead of an INSERT.
As a result, my SSO client session attaches to a non-existent SSO server session.
For the life of me, I can not figure out why it thinks this new session already exists nor how to get it to correctly insert into the database.
Can anyone tell me why a new Laravel 4.2 session would be detected as "exists" and run UPDATE instead of INSERT on save()?
EXTRA DEBUGGING ATTEMPTS --
Attempt #1: I have tracked this to a false attachment to an expired session that hasn't been garbage collected yet. What I don't understand is how this session is being loaded while a different session ID is being presented. If this were the result of the migrate() or regenerate() methods, "exists" would be set to false, and it would save correctly. Somehow, it seems that the session ID is being updated without resetting "exists".
Attempt #2: The answer was staring me in the face the whole time. I kind of understand the downvote now. (see my answer below)
I was dramatically over-thinking this as I tried to uncover the mechanism behind the behavior instead of testing what looked like an easy solution:
If I call Session::setExists(false) prior to Session::save(), it will insert the new session correctly.
EDIT: If wrapped in an if-statement for Auth::viaRemember(), I can check if the auth happened via session or cookie/remember. If true, then I want to set "exists" to false.
I have table of 'users' having 'is_login' column. When a user logged in. 'is_login changes to 1' AND when log out 'is_login changes to 0'.
But if user closes browser, that 'is_login' column stays 1.
I need a method to update database, when session expires by closing browser.
I have tried this but not done:
How to exec a function when codeigniter session expires
I am open to other suggestions as well.
You would need to use some javascript/jQuery to catch when the browser is closed down and make an AJAX call to a script at your application that can set the logged in flag to 0. Using jQuery
$( window ).unload(function() {
$.post('location/of/your/script.php',{'identifier':'identifier_val'});
});
Then in script.php pick up whatever you post and act on it.
This is pretty unreliable in my experience and not a great experience for the user as this will fire if they reload the page. The other (equally nasty) way would be to use the heartbeat method. Essentially your jQuery needs to ping your server every minute. Then you would run a CRON job to check any user records that did not get a ping from the jQuery for more than 2 mins (or whatever you think is correct) and set those users to logged out.
Otherwise you need to open a socket connection with your server which is the proper way to do it.
My command line testing tool, which uses NSURLConnection, is interfering with Safari's cookies. How do I stop this from happening?
Here's what I'm seeing:
I log into the web site in Safari.
I run my command line based sync tool.
The sync tool logs in, and gets several pages of data. For each request, the cookie rolls over. (The sync tool does not log out.)
I return to Safari and click a link. The link returns me to the login screen.
If I skip step 2-3, the link in Safari works correctly. My tool is clearly the cause of this.
I'm creating my connections like this:
_connection = [[NSURLConnection alloc] initWithRequest: request
delegate: self
startImmediately: NO];
I'm not doing anything explicitly to the cookies, but just letting the default code handle them.
I'm not sure what's really happening here. If Safari and my app really shared the cookies, wouldn't Safari's copy of the cookie also be rolled over? While weird behaviour, everything would work and I wouldn't even know what was happening. This is something else.
Anyway, how can I stop my command line tool from logging people out of their session in Safari?
Seems like the right approach here is turning off default cookie handling entirely, so it doesn't touch the shared store. You can use -[NSMutableURLRequest setHTTPShouldHandleCookies:NO] to disable the default behavior, then read the cookie headers out of the responses, store them yourself, and insert them back into subsequent URL requests as appropriate.
We have an internal control panel that all employees in the office are logged into all day, including customer service. I'd like for it to be setup so that it keeps you logged in for 1 hour before your session expires. How can I change this in the PHP.ini? I made a change before I understood would keep the session open until the browser window was closed but it didn't stick.
There are two different values you can set:
session.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and potentially cleaned up.
and session.cookie_lifetime which is how long the cookie will last.
http://www.php.net/manual/en/session.configuration.php
both values can be set in the php.ini file, but might get overriden in .htaccess files or in your scripts using ini_set.
You can also do this client-side using JavaScript. Use an AJAX call to periodically 'check-in' with the server, keeping the PHP session alive. You can also monitor if the user is doing anything on the current page, show them a '2 minute warning' message, or even redirect them to a 'session terminated' page when the 1 hour inactivity period is reached. You could even use this to 'force' a user to be signed out.
This isn't as secure as doing it purely in PHP, but does give you more flexibility to build cool features.
The most secure place to implement this would be in your application. You can store the session update time in $_SESSION on each page load. Before you update it, you check if it has exceeded the 60 minute limit, in which case you can use session_destroy() to terminate the session, followed by a redirect to the login page (or similar).
I don't think this can be done from the php.ini file. I think you either want to store the login time on the server and compare that with the current time and delete if 60mins have passed, or alternatively, use cookies -- these can have an explicit lifespan. See this for more information on cookies.