I developed web application based on CakePHP 1.3 platform. Application uses Auth component, so only authenticated users can use it.
But some of the users have problem that application log them out for some of the time. Problem is that I can not find out why they are getting logged out, since I don't face that problem. Also tried to be loged in application for few hours, and I do not have those problems at all.
Just to mention that sessions are defined to be saved as 'cake' and security level as low, in core.php file:
Configure::write('Session.save', 'cake');
Configure::write('Security.level', 'low');
Also, they do not change ther IP address.
Can you give me some thoughts where can be a problem?
UPDATE: I need some of your thoughts... Can be a problem be caused by some of jQuery functions, that they kill some of the sessions or cookie values? Biggest issue here is that I can not simulate problems users have, because it works fine on my side... and only thing is to guess where problem is.........
They get logged out if their session expires. Take a look here to increase the time on the session http://php-freelancer.in/2009/11/30/cakephp-session-timeout-or-change-session-length-in-cakephp/
Edit: If security isn't that much of an issue, consider using cookies to remember the login.
Related
I've developed an app in laravel and sentry2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML is redirected to my app where I check server variables, and if credentials are correct I let him pass to the site with sentry.
My issue occurs when I try to log in with the same account in two different browsers. Looks like when I log in in the second browser the existing session in the other browser gets overrided.
I've found out this looking into sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app work like gmail/fb that allows the user to be logged in both browsers at the same time.
It's correct the way it is.
Different browsers different sessions. This is a security feature/matter every single app should enforce.
If you log in a different browser how could Laravel tell if it's not a different person login in from a different computer in the same network? Log someone off in this case it's also the correct thing to do, because if some kind of exploit is happening, user will see something is wrong and, maybe, change his/her password.
Some (ie: banking) also do: different browser tabs, different sessions, but this is not the Laravel case.
This is a really strange issue and not directly "programming" but I'm hoping this is an okay place to ask.
Basically I have a user on the forums I run where they basically log in and are immediately being shown the public forums only. The forums are updating the "last login" field for this user so authentication is working fine. The really strange part that might also indicate the problem is that this issue occurs in IE, Firefox, and Chrome.
The user has tried other accounts and the same problem happens -- but when using another computer in the same house (same network), everything worked fine.
I'm sorta' stumped on what could cause this when it applies across all browsers.
Their computer isn't accepting cookies. SMF holds it's session data in the cookie. It will use the db to keep track of who's online, so they might appear on the list but without the cookie the session is over
I have MVC application which uses Forms authentication. For some reason any session variable that I declare are not saving whenever the user is not logged in. My application needs to support both authenticated and unauthenticated users. The applications works fine when ran locally. The issue only occurs on our remote server. We're using appfabric for session state. I'm trying trouble shoot the issue but I don't know where to start. Any advice would be welcomed!
Edit-when I change the value for httpCookies domain = "future.domain.com" to httpCookies domain="" it works fine. I was told by our admins that we need this setting to not change.
We have a CodeIgniter based SAAS application. Sessions are stored in the database.
We use this class as a replacement for CI sessions
With one specific customer ( same office, multiple users, same IP ), the session is getting reset or destroyed on a page refresh.
This has never happened before with any other users or from other location. I am not able to reproduce this issue.
Steps:
User Logs in & sees home Page.
User begins navigation by clicking some link
Session times out and they are prompted to login again
And this continues after each login.
Session expiration is set to 3000 s and time_reference is GMT and sess_time_to_update = 300 s.
Any help on how to go about investigating this issue will help.
This happens in IE , Chrome and therefore does not seem to be a browser issue.
This same set of users have never had this issue before.
check the size of the session cookie. maybe it is larger than the allowed size > 4096. I know it's a long shot, but try it out nevertheless.
This isn't easy to explain, but I'll try my best.
The issue has started happening in a site that was built some years ago using classic asp, the symptom is that the administrators log-in using a form and then an session variable is set, but suddendly when they request a new page they are prompted again to log-in.
This problem isn't specific to any browser, I've reproduced the problem with Firefox and IE8.
Using Fiddler I can see that suddenly the server sends a new Set-Cookie header, despite a previous session cookie being sent in the request.
From that moment, the server will switch between the two sessions randomly, none of the sessions seem expired, they preserve their own variables, but for the user it's useless because he might be asked to login and then the form data is processed in the already logged-in session.
What can I try to find out the problem?
The server is a shared hosting with IIS6, the hosting company isn't too friendly but the cost of moving everything to other place makes things stay as is.
Thanks.
Some further info:
Showing the machine name as suggested by Aaron D. always shows the same name, but I had stored the start time of the application in global.asa:
Sub Application_OnStart()
Application("Start") = now()
End Sub
And it turns out that when showing that info in a test page it does change as the detected session changes. So there are two servers (with the same name) or somehow it's running twice the application.
Is it possible?
I have a couple ideas but nothing definitive.
Are some requests over HTTPS and others over HTTP? Are the cookies set to only transfer over secure connections?
Are your requests alternating between a subdomain and the primary domain? Example, some requests go to www.foo.com and others to foo.com? The cookies may not be shared between the two unless you set the domain inside the cookie. This could also happen with multiple subdomains.
This one is a less common, but is the company hosting your site on multiple servers that are distributing the load? You could tell this by creating a page as specified here:
http://mentaljetsam.wordpress.com/2008/01/29/classic-asp-code-to-print-current-server-name/
If this turns out to be the case, the solution with be to change your session state model from "InProc" to use a shared resource such as a database.
Are you sure that it switches you between sessions and doesn't just expire your session away? It could be that your app is restarting (based on your edit) and this is killing your sessions, but the cached result makes it look like it's still valid. Can you try doing hard refreshes and/or check the results with an HTTP traffic watcher like Fiddler? That might give you a better clue about what requests are actually going across the wire.