CakePHP 2.0 Auth + FB login integration session lost issue - session

I am facing a session loss issue while integrating FB login into the application.
FB login succeeds; when the user gets redirected to my app, it creates the Auth session.
$this->Auth->login($user['User']);
$this->redirect('/dashboard');
After redirecting, it loses the session and redirects the user to the login page.
I have been reading some articles and trying out the solutions, but nothing has helped so far.
Thanks,
Vijay

For Facebook login, after successful authentication you need to append/write the user details to the Auth session like this:
$this->Auth->user($this->request->data);

Related

Laravel Passport and PKCE authentication - Do you need a session for the user to login?

I setup a PKCE authentication system for an API using Laravel Passport.
At the moment this API is used by a SPA.
The authentication flow is the following:
1. User clicks on "login" on the SPA.
2. User is redirected to the API /oauth/authorize endpoint (with all the PKCE required parameters).
3. Now, that API endpoint requires the user to be authenticated. So the login page is shown (it's a PHP Laravel served view).
4. The user logs in, clicks on authorize, and is redirected to the callback URL of the SPA, which will then send a request to obtain the JWT token.
From this point all communication from the SPA and the API will use the JWT token only.
Everything works. Except I now have a few doubts.
Is it correct for the login on step 3 to be session based? To set that up I simply used Laravel UI, which provides an already set up login functionality, which is session based.
If I visit the API login page again, by its own URL, I am actually session logged in (which is normal). Of course if I log out from that page (it also has a logout button), I can still use the SPA normally, as I still have my JWT token which is used by Passport.
To solve the logout problem I had to implement a 'double' logout, one that clears the JWT from local storage for the SPA, and one to log out the user from the session login of the Laravel API (in case that was still active at the time).
All this seems a little off. Should I refactor the login function of Laravel UI to not start a session (if that is even possible)? Or maybe log the user out in some way (how?) after the redirect to the SPA callback URL?
Thanks
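The PKCE values exchanged in steps 2 and 4 of the flow above, shown for both sides as an added example that is not part of the original post. It is not Laravel Passport's code; the function names, host names and client id are assumptions, and the server-side check is simulated in the same file.

```javascript
// Added example: PKCE with the S256 method (RFC 7636), client and server side.
const nodeCrypto = require('crypto');

// base64url without padding, the encoding RFC 7636 requires.
function base64url(buf) {
  return buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// SPA side: high-entropy secret that never leaves the client until step 4.
function createCodeVerifier(bytes = 32) {
  return base64url(nodeCrypto.randomBytes(bytes)); // 32 bytes -> 43 characters
}

// SPA side: the value sent on the authorize redirect in step 2.
function codeChallengeS256(verifier) {
  return base64url(nodeCrypto.createHash('sha256').update(verifier, 'ascii').digest());
}

// SPA side: build the redirect to /oauth/authorize (hypothetical host and client id).
function buildAuthorizeUrl(base, { clientId, redirectUri, state, verifier }) {
  const url = new URL('/oauth/authorize', base);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    state,
    code_challenge: codeChallengeS256(verifier),
    code_challenge_method: 'S256',
  }).toString();
  return url.toString();
}

// Server side (simulated): at the token request, recompute the challenge from
// the presented verifier and compare it to the stored one in constant time.
function verifyPkce(storedChallenge, presentedVerifier) {
  // RFC 7636 limits the verifier to 43-128 unreserved characters.
  if (!/^[A-Za-z0-9\-._~]{43,128}$/.test(presentedVerifier)) return false;
  const a = Buffer.from(storedChallenge);
  const b = Buffer.from(codeChallengeS256(presentedVerifier));
  return a.length === b.length && nodeCrypto.timingSafeEqual(a, b);
}
```

The login session at the authorization endpoint and the PKCE verifier are independent: the first identifies the user to the API's login page, the second binds the authorization code to the SPA instance that started the flow.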

Shibboleth TestShib IdP is not logging out when I browse "https://www.testshib.org/Shibboleth.sso/Logout"

I have installed Shibboleth SP locally. I am trying to test it with the TestShib IdP. I succeeded in registering with TestShib and am able to log in.
When I try to log out from the TestShib IdP (https://www.testshib.org/Shibboleth.sso/Logout), it gives "Status of Local Logout: Logout completed successfully."
But when I try to log in again, it does not show the login page; it automatically logs the user in.
Can you please tell me the solution?

Well, unfortunately there is no solution to this flow.
It is not in the SP's hands to get the user logged out. Shibboleth may keep the session on, or it is possible for the IdP to keep the session on.
So it is safe to keep in mind that it will never be logged out manually.

How to fix laravel 5 session expiring after refresh or going on another page?

I'm using Laravel Auth. When I log in to my website all works great. When I try to refresh or go to another page (still using Auth middleware) my session is expired, I'm directly logged out and I must log in again. How can I fix this so I remain logged in when refreshing the page or browsing to another?

Symfony2 session lost after posting login form to login_check

Hi, I have a static website running at localhost:8080/site. Here I display a login form. The form's action is project:8888/app_dev.php/login_check
My Symfony application, running at project:8888/app_dev.php/, also has its own login form with the same action, at project:8888/app_dev.php/login
When I log in using the login form in my Symfony application all works fine.
When I submit the login form on the static website, I get the following security error:
Your session has timed out, or you have disabled cookies
I assume this is a security matter, which makes it impossible to post login credentials from another domain? Is there a way to work around this? Thanks in advance.

spring security session timeout

I use Spring Security 3 in my JSF2 webapp.
I have a security rule to provide session timeouts:
<session-management invalid-session-url="/faces/paginas/autenticacion/login.xhtml?error=1" />
So that when the session has expired and the user clicks on any link, he is redirected to the login page. In this page I check for the error param, and show a message to the user saying the session has expired.
But I have 2 problems:
(1) When I start up the app the first time (it tries to show the home page), I'm redirected to the login page saying the session has expired. I think that this may be happening because the 1st time you run the app, the session is a new one, and Spring Security perhaps "thinks" it has expired (doesn't distinguish between a new session and a timeout).
(2) If the session has expired for anonymous users (not yet authenticated), I'm redirected to the login page timeout too. I don't want this behaviour for non-authenticated users, I just want to check the timeouts for authenticated users.
How can I solve both of these problems?
Thank you in advance.

You want to use the expired-session-url property for expired sessions, not the invalid-session-url. They are for two different things.
