I'm using Connect.js and the connect-session module for managing session cookies. I noticed that Connect sets a session cookie on all routes except static files. The problem is that I process some static files like JS and CSS files before I send them so I can't use Connect's built-in static server, which means that connect-session sets a session cookie for these files. Since these files will be included on external sites, I don't want them to send cookies with them.
Is it possible to set session cookies only for specific routes?
if you are using express,you can put app.use(express.static(path.join(__dirname, 'public'))); before app.use(express.session());.
Alright I found my answer here: http://senchalabs.github.com/connect/middleware-session.html
You can ignore routes by using connect.session.ignore like so: connect.session.ignore.push('/robots.txt');
Related
Hello … l am finish Building website using Laravel and jQuery and bootstrap it's working good in local but when I upload to Heroku the file jQuery and bootstrap not working … it's work in local using http but in Heroku its need https its not working but when write http substitute of https it's working good like local and display Not Secure .. now any body know how can i allow website using https in Heroku or How can selection this problem
You should closely read all of Heroku's guide to getting started with Laravel.
The section titled "Trusting the Load Balancer" will resolve your issues.
Because of this:
This means that requests received by a dyno will have the last router’s IP address in the REMOTE_ADDR environment variable, and the internal request will always be made using the HTTP protocol, even if the original request was made over HTTPS.
Laravel sees HTTP requests coming in to the application, so it serves HTTP URLs for your various routes and asset URLs. As far as it knows, you're browsing via HTTP. The fix is to trust Heroku's "forwarded for" headers in your app's App\Http\Middleware\TrustProxies middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Http\Request;
use Fideloper\Proxy\TrustProxies as Middleware;
class TrustProxies extends Middleware
{
protected $proxies = '*';
protected $headers = Request:: HEADER_X_FORWARDED_AWS_ELB;
}
Had this issue myself awhile back, there are a few options and some are more heavy handed than others. If you want to gauruntee that everything is always https no exceptions first update your APP_URL to 'https://example.com' then in the boot method of your AppServiceProvider add Url::forceScheme('https');
The less heavy handed option is to find all of the places you use the asset() helper and change it to secure_asset instead. The asset helper should use your APP_URL to know the request is https but in my experience I couldn't rely on that so use secure_asset to make sure
Hello … l am finish Building website using Laravel and jQuery and bootstrap it's working good in local but when I upload to Heroku the file jQuery and bootstrap not working … it's work in local using http but in Heroku its need https its not working but when write http substitute of https it's working good like local and display Not Secure .. now any body know how can i allow website using https in Heroku or How can selection this problem
You should closely read all of Heroku's guide to getting started with Laravel.
The section titled "Trusting the Load Balancer" will resolve your issues.
Because of this:
This means that requests received by a dyno will have the last router’s IP address in the REMOTE_ADDR environment variable, and the internal request will always be made using the HTTP protocol, even if the original request was made over HTTPS.
Laravel sees HTTP requests coming in to the application, so it serves HTTP URLs for your various routes and asset URLs. As far as it knows, you're browsing via HTTP. The fix is to trust Heroku's "forwarded for" headers in your app's App\Http\Middleware\TrustProxies middleware:
<?php
namespace App\Http\Middleware;
use Illuminate\Http\Request;
use Fideloper\Proxy\TrustProxies as Middleware;
class TrustProxies extends Middleware
{
protected $proxies = '*';
protected $headers = Request:: HEADER_X_FORWARDED_AWS_ELB;
}
Had this issue myself awhile back, there are a few options and some are more heavy handed than others. If you want to gauruntee that everything is always https no exceptions first update your APP_URL to 'https://example.com' then in the boot method of your AppServiceProvider add Url::forceScheme('https');
The less heavy handed option is to find all of the places you use the asset() helper and change it to secure_asset instead. The asset helper should use your APP_URL to know the request is https but in my experience I couldn't rely on that so use secure_asset to make sure
I am building stateless restfull API in Yii2. So I created new APP in my advanced app layout (as preferred by Yii2 creators) and configure all necessary things and API worked.
Now I want to make it stateless - I want to disable session and I want it to be accomplished in config/main.php inside my API app to ensure it as global setting.
Also I want to disable cookies and auto login.
What I have been playing now so far is inside Module class
<?php
namespace api\modules\v1;
use \app\models\User;
use yii\filters\auth\HttpBasicAuth;
class Module extends \yii\base\Module
{
...
public function init()
{
parent::init();
\Yii::$app->user->enableSession = false;
\Yii::$app->user->enableAutoLogin = false;
}
...
}
But when trying to access data using POSTMAN on Chrome I can see that:
Cookies are set (PHPSESSID, _csrf, _identity)
I always get popup asking for username and password
Thanks for your help in advance!
Finally I found out what the problem is. Yii2 worked OK, but Postman had some data stored from the past when cookies and session were enabled. What helped me was deleting browser's history (including cookies), close all instances of browser and rerun.
Using latest version of cakephp v2.3.3
I have a problem with my session variables when a browser doesn't allow cookies.
I pass variables from one controller to the other and this works perfect as long as the browser has cookies enabled. I have tried it with the Session helper in the controllers, but no effort, same problem.
How to fix this, is there a work around???
Cookies are required to keep track of the session ID, but you can manually get or set the session ID using $this->Session->id(). By adding the code below to the App Controllers' before filter you can set the session ID as a URL paramter like http://example.com/posts/view/1?session=qkv108c2pqeubcpeos1q7ekds3, for example.
if (!empty($this->request->query['session'])) {
$this->Session->id($this->request->query['session']);
}
The session ID is required for every request which means you have to include it in every link. I would suggest extending the HTML helpers' url and link methods to automatically add it.
Edit:
You should verify that $this->Session->read('Config.userAgent'); or $this->request->clientIp(); has not changed since the user was authenticated to prevent session hijacking. Thanks to thaJeztah for pointing this out.
Because of european privacy law being harsly applied in the Netherlands and to keep my company's site user friendly without nagging the users with questions if it's okay to store a cookie on their computer that allows me to access their client data.
What I need is a way to "overwrite" the native php sessions class so that at the point where the native class requests the cookie that stores the phpsessid, that I can place my own code there that checks the browsers fingerprint and matches that to a session id which I can use to return the normal working of the native class.
My idea is:
table sess_fingerprints
Fields: fingerprint - phpsessid
function getsessionid()
{
$result = $this->db->query("SELECT phpsessid
FROM `sessiondatabase`.`sess_fingerprints`
WHERE `sess_fingerprints`.`fingerprint` = '$userfingerprint'");
if($result->num_rows() != 0)
{
return $result->row->phpsessid;
}
}
and at that point the native php session code just works as it would normally do.
So, my question is: is it possible to overwrite only the "cookie" part of the phpsession class? if so, how? because I haven't found that yet.
I'm aware of being able to pass along the session variable via urls etc, but that's not secure enough for my web applications.
PHP provides support for custom session handlers:
http://php.net/manual/en/session.customhandler.php
I think I have found the solution to my problem.
I'm going to override the functions related to cookies by using http://php.net/manual/en/function.override-function.php
Thank you all for thinking along.