i have some strange behaviour in IE on my magento shop with loosing the frontend (session) cookie. does anybody has a clue, where in the magento code the frontend cookie gets set?
Thanks!
Afaik, the 'frontend' cookie gets set right before the current action is being dispatched.
Have a look at Mage_Core_Controller_Varien_Action::preDispatch().
Session start
Looking into preDispatch(), find the line which starts the session:
Mage::getSingleton('core/session', array('name' => $namespace))->start();
Which usually (if not overridden) finally maps to
Mage_Core_Model_Session_Abstract_Varien::start()
This is the place where all the standard session stuff gets initialized, including cookie settings by using session_set_cookie_params.
Revalidation
Be aware though, that once the cookie already exists, first cookie mangling may already happen while the core session gets instantiated, i.e. before start() is called. That's because the constructor calls revalidateCookie() while instantiating the core session. See:
Mage_Core_Model_Session_Abstract_Varien::init()
Related
I am trying to configure sessions for an asp.net core 2.0 website, but the session cookie is never set.
I call ..
app.UseSession();
...in Startup.Configure and ...
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
options.IdleTimeout = TimeSpan.FromMinutes(10);
options.Cookie.HttpOnly = false;
options.Cookie.Name = "WS_AUTH_ID";
});
... in the ConfigureServices method.
In the Controller I can acess ...
HttpContext.Session.Id;
... but the id is always different for every request.
Am I missing something?
Update: I should metion that I can set cookies "manually" and the browser will "receive" them.
HttpContext.Response.Cookies.Append("Test_cookie", "yo");
This was the cause for me:
The extension Microsoft.AspNetCore.CookiePolicy (UseCookiePolicy) was blocking the session cookie. Removing this extension and running the app in a new browser window fixed the issue.
Rationale: this extension blocks the cookies sent to the browser until the user accepts them. Since the session key is stored in a cookie and cookies are blocked by this extension... No cookies, no session.
Another workaround could be to enable the application to work without session until the user accepts cookies (I didn't test this workaround).
Hope that helps.
If you have the cookie policy turned ON the session cookiewon't be created until the user accepts the use of Cookies, this is to comply with the EU's GDPR.
You can remove the line
app.UseCookiePolicy();
from you Startup and then it will work, otherwise your users will need to agree to the use of cookies before you can use the cookie for session control.
For me the problem was solved by one of the comments on the question:
The cookie isn't written unless you add something to the session.
So just requesting the Session.Id won't help, you actually have to set something.
In my case it was a variable that was only set after some condition, and before that condition was met, it would create a new session ID over and over again.
You have to type the following in your ConfigureServices method:
services.AddMvc()
.AddSessionStateTempDataProvider();
services.AddDistributedMemoryCache();
services.AddSession(options =>
{
options.IdleTimeout = TimeSpan.FromMinutes(30);
options.Cookie.Name = ".MyApplication";
});
In your Configure type the following
//enable session before MVC
app.UseSession();
app.UseMvc();
Alright so this is an odd one. I initially ran into some problems setting session values, but it turned out that it was because I wasn't returning anything from the controller method that was setting the session value.
I resolved that and got my user controller to work, and it's been working just fine.
I'm setting like this in my UserController. It seems like the docs reference a few different ways to interact with the session, but the session() method seems to be the more standard way - at least based on the lumen docs (http://lumen.laravel.com/docs/session).
session([
'is_logged_in' => true,
'username' => $user->getUsername(),
'user' => $user,
]);
And I'm doing my gets like so:
$user = session('user')
Now I'm trying to introduce some new functionality in a separate controller AdminController. I want to set an additional variable in there:
session(['new_variable' => 1])
But that session variable isn't actually saving to the session.
Now here's where it gets weird. I'm doing this with the cookie driver currently. If I change to the file driver then everything works completely as expected.
Also, with the cookie driver, if I set that variable from within the original UserController that's logging them in, as opposed to in the AdminController, then it also properly persists the session data.
But setting that session data from the AdminController using the cookie driver just doesn't work.
I thought perhaps this might have to do with the path setting on the cookie, but it seems that all of the cookie paths are set to '/' (as you would expect). Also there isn't any different domain being used for this other controller - it's on the same domain.
Using latest version of cakephp v2.3.3
I have a problem with my session variables when a browser doesn't allow cookies.
I pass variables from one controller to the other and this works perfect as long as the browser has cookies enabled. I have tried it with the Session helper in the controllers, but no effort, same problem.
How to fix this, is there a work around???
Cookies are required to keep track of the session ID, but you can manually get or set the session ID using $this->Session->id(). By adding the code below to the App Controllers' before filter you can set the session ID as a URL paramter like http://example.com/posts/view/1?session=qkv108c2pqeubcpeos1q7ekds3, for example.
if (!empty($this->request->query['session'])) {
$this->Session->id($this->request->query['session']);
}
The session ID is required for every request which means you have to include it in every link. I would suggest extending the HTML helpers' url and link methods to automatically add it.
Edit:
You should verify that $this->Session->read('Config.userAgent'); or $this->request->clientIp(); has not changed since the user was authenticated to prevent session hijacking. Thanks to thaJeztah for pointing this out.
I need to keep Security.level set on medium for Ajax reason.
But I want that If the user close browser his session will destroy.
How can I do that?
Thanks in advance!
Config/core.php
Configure::write('Session', array(
'defaults' => 'php',
'cookieTimeout' => 0, //Lives until the browser is closed.
'checkAgent' => false //To fix a little the Chrome Frame problem
));
Unless you're persisting session data (ie: storing session data in a cookie with an expiration date in the future), then the session should be destroyed when the user closes the browser.
Unfortunately I'm not familiar with the CakePHP framework so I cannot comment on its API. However, if you want to explicitly end a session you can do so in PHP with session_destroy().
Hope that helps.
You could remove the session cookie with JS when the page is closed (remember: page close is also triggered when the user just navigates away - maybe just to the next page of yours).
i guess you could fire on ajax command on page unload to call session_destroy()
http://book.cakephp.org/view/1317/destroy for CakePHP - but yes, CakePHP does set a proper session cookie which is deleted by the browser when it closes.
What you really are probably concerned about is session hijacking - and so you really want some kind of a logout on site closure. You can't do this - the best alternative method that I know of is:
A short session timeout with an "Are you there?" AJAX refresh - the timeout can be controlled independently of the security level now using Configure::write('Session.timeout', $seconds);, where for medium security level the timeout seconds are multiplied by 100. Banks use this method.
My host requires me to use a different domain for SSL secured access (shared SSL), so I need to transition the user session between two domains. One part of the page lives at http://example.com, while the SSL'd part is at https://example.hosting.com. As such I can't set a domain-spanning cookie.
What I'm trying to do is to transition the session id over and re-set the cookie like this:
http://example.com/normal/page, user clicks link to secure area and goes to:
http://example.com/secure/page, which causes a redirect to:
https://example.hosting.com/secure/page?sess=ikub..., which resurrects the session and sets a new cookie valid for the domain, then redirects to:
https://example.hosting.com/secure/page
This works up to the point where the session should be resurrected. I'm doing:
function beforeFilter() {
...
$this->Session->id($_GET['sess']);
$this->Session->activate();
...
}
As far as I can tell this should start the session with the given ID. It actually generates a new session ID though and this session is empty, the data is not restored.
This is on CakePHP 1.2.4. Do I need to do something else, or is there a better way to do what I'm trying to do?
When Configure::write('Security.level') is set to medium or higher, session.referer_check is implicitly activated, which makes the whole thing fail. Setting the security level to low (or using a custom session configuration) makes everything work as it should.
There went about 5 hours of debugging... ( -_-;;)
My first thought is to use the Cake file sessions and copy the file over, and then perhaps try and start a new session with that phpsessid, although I'm not even sure if that would actually work or not :)
With Cake 2.6.1 -- This is what worked for me.
$this->Session->id("tfvjv43hjmsnjkh0v3ss539uq7"); // add session id you want to set
$this->Session->id();
$this->Session->read("key"); // hhoorray worked :)
with SessionComponent id() function needs to be called twice once with session id to set session_id(); and second time to start cake session.
First call does not really start the session ... I dont know how Cake Guys missed it .....
Upvote if this works for you.