PHP / CI: Facebook Connect seems to use my site session instead of Facebook session - codeigniter

I've got a CodeIgniter project using the Facebook Connect "official" PHP implementation. For the most part it works fine, except for when a user first allows permissions. I've traced the problem deep into the provided facebook.php, the getSession() function:
    public function getSession() {
        if (!$this->sessionLoaded) {
            $session = null;
            $write_cookie = true;

            // try loading session from signed_request in $_REQUEST
            $signedRequest = $this->getSignedRequest();
            if ($signedRequest) {
                // sig is good, use the signedRequest
                $session = $this->createSessionFromSignedRequest($signedRequest);
            }

            // try loading session from $_REQUEST
            if (!$session && isset($_REQUEST['session'])) {
                $session = json_decode(
                    get_magic_quotes_gpc()
                        ? stripslashes($_REQUEST['session'])
                        : $_REQUEST['session'],
                    true
                );
                /* HERE IS WHERE IT GOES WRONG */
                $session = $this->validateSessionObject($session);
            }
My comment in the code is where things go wrong. The if block above gets evaluated successfully, but the code inside the json_decode() function parameter returns the string:
a:4:{s:10:"session_id";s:32:"********";s:10:"ip_address";s:13:"********";s:10:"user_agent";s:50:"Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2";s:13:"last_activity";i:1304286136;}edc0c222265e0a16c0f3fe8a96decf77
This looks like my site session, rather than the facebook session that it's trying to access (which I can see in the URL). Why is this happening? What can I do about it?

In case anyone else hits this particular snag, I'll post how I solved it:
Just change $_REQUEST to $_GET
My guess is that CodeIgniter somehow puts your session information into the $_REQUEST array... why this happens is beyond me, but it solved the problem for me. Hope it helps!
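As an added example (not part of the question, the answer, or the Facebook SDK), the script below shows why a cookie named `session` can surface in `$_REQUEST` and how to read the Facebook session parameter from the query string or POST body only, verifying its signature before trusting it. The signature scheme is written from memory of the old SDK's validateSessionObject and should be treated as an assumption; the app secret, the sample session object and the sample cookie are constructed.

```php
<?php
// Added example, not code from the question or from facebook.php.
// Demonstrates (1) how $_REQUEST can be overwritten by a same-named cookie and
// (2) reading and validating the Facebook session object from GET/POST only.

const APP_SECRET = 'example-app-secret'; // constructed placeholder

// Signature in the style of the old PHP SDK: md5 of the sorted "k=v" pairs
// (excluding "sig") followed by the app secret. Treat as an assumption.
function fbSignature(array $params, string $secret): string
{
    unset($params['sig']);
    ksort($params);
    $base = '';
    foreach ($params as $k => $v) {
        $base .= $k . '=' . $v;
    }
    return md5($base . $secret);
}

// True when PHP merges $_COOKIE into $_REQUEST. request_order wins when set;
// otherwise variables_order applies, whose built-in default "EGPCS" includes
// cookies, so a cookie named "session" overwrites $_GET['session'].
function requestIncludesCookies(): bool
{
    $order = ini_get('request_order');
    if ($order === false || $order === '') {
        $order = ini_get('variables_order') ?: 'EGPCS';
    }
    return stripos($order, 'C') !== false;
}

// Read the "session" parameter from explicit sources only (GET, then POST),
// never from $_REQUEST, decode it and verify the signature.
function loadFbSession(array $get, array $post, string $secret): ?array
{
    $raw = $get['session'] ?? $post['session'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    $session = json_decode($raw, true);
    if (!is_array($session) || !isset($session['sig'], $session['uid'])) {
        return null; // a CodeIgniter cookie blob is not JSON: json_decode yields null
    }
    if (!hash_equals(fbSignature($session, $secret), (string) $session['sig'])) {
        return null; // tampered or foreign object
    }
    return $session;
}

// ---- constructed sample request -------------------------------------------
$valid = ['uid' => '12345', 'access_token' => 'TOKEN', 'expires' => '0'];
$valid['sig'] = fbSignature($valid, APP_SECRET);

$get = ['session' => json_encode($valid)];
// A CodeIgniter-style session cookie (serialized array + 32-char md5 trailer),
// shaped like the string in the question, under the same name "session".
$cookie = ['session' => 'a:1:{s:10:"session_id";s:8:"abcd1234";}' . str_repeat('0', 32)];

// What $_REQUEST holds when cookies are merged after GET (order "EGPCS"):
$merged = requestIncludesCookies() ? array_merge($get, $cookie) : $get;
echo "via \$_REQUEST: ", var_export(json_decode($merged['session'], true), true), "\n";

// Reading from $_GET/$_POST is unaffected by the cookie:
$fromGet = loadFbSession($get, [], APP_SECRET);
echo "via \$_GET: ", $fromGet ? 'uid ' . $fromGet['uid'] : 'no valid session', "\n";
```

On a server whose effective order includes cookies, the first line prints NULL because the cookie blob replaced the JSON; the second line always resolves the uid. The same reasoning explains the accepted answer: switching to `$_GET` simply removes the cookie from the lookup.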

Related

Cookie-less Laravel sessions

We have a small quiz type functionality built in Laravel to be embedded in a site via an iframe served from a separate domain (to work around CMS limitations).
It uses sessions to keep track of the user's progress in the quiz. This doesn't work in Safari (Mac/iOS), I believe because Apple disables cookies issued from within an iframe.
Assuming that limitation is one we're stuck with, has anyone had any success making Laravel sessions cookie-less? I found this code on Github, which looks promising but is old enough (and incompatible with current Laravel) that I can't tell if it's going to be a solution.
In case it helps someone else, or anyone can see any silly errors in my code, this is what I did (an adaptation of the Github code, to work in Laravel 9).
I extended StartSession and SessionServiceProvider (to use my new StartSession). I created an override for handleStatefulRequest in StartSession, and where it adds a cookie to the response (it calls addCookieToResponse) did this:
    if ($request->cookies->get($session->getName())) {
        $this->addCookieToResponse($response, $session);
    }
    else {
        // Add session ID to header
        $this->addIdentifierToResponse($response, $session);
    }
That new function looks like this:
    protected function addIdentifierToResponse(Response $response, Session $session)
    {
        if ($this->sessionIsPersistent($config = $this->manager->getSessionConfig())) {
            $response->headers->set("X-Session-Token", $session->getId());
        }
    }
I also changed the getSession method to get the session ID from that newly set header (when no cookie found):
    public function getSession(Request $request)
    {
        return tap($this->manager->driver(), function ($session) use ($request) {
            if ($request->cookies->get($session->getName())) {
                Log::debug('1. Set session ID from cookie');
                $session->setId($request->cookies->get($session->getName()));
            }
            else if ($request->headers->get("X-Session-Token", $request->input("sess_id"))) {
                $sessionToken = $request->headers->get("X-Session-Token", $request->input("sess_id"));
                $session->setId($sessionToken);
            }
        });
    }
I created a Github repo containing the whole thing.
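A framework-free version of the lookup order in the post above, added here as an example (it is not the poster's code, nor Laravel's): the session ID is taken from the cookie when present and from the `X-Session-Token` header otherwise, and every candidate is checked against the 40-character alphanumeric shape Laravel uses before it is accepted. Unlike the post, it does not fall back to a `sess_id` query parameter, since an ID in a URL ends up in browser history, referer headers and access logs. The cookie name and header name are assumptions for the demo.

```php
<?php
// Added example, not from the question or from Laravel. Resolves a session ID
// from a cookie or the X-Session-Token header and validates its format.

// Laravel-style session IDs are 40 alphanumeric characters.
function isValidSessionId($id): bool
{
    return is_string($id) && strlen($id) === 40 && ctype_alnum($id);
}

// Cookie first, then the header. Query-string parameters are deliberately
// ignored. Returns null when nothing usable was sent, so the caller starts
// a fresh session and issues a new ID rather than adopting a client value.
function resolveSessionId(array $cookies, array $headers, string $cookieName): ?string
{
    // Header names are case-insensitive; normalise before looking up.
    $normalised = array_change_key_case($headers, CASE_LOWER);

    $candidates = [
        $cookies[$cookieName] ?? null,
        $normalised['x-session-token'] ?? null,
    ];
    foreach ($candidates as $id) {
        if (isValidSessionId($id)) {
            return $id;
        }
    }
    return null;
}

// Hand the ID back the same way it arrived: a cookie when the client sent
// one, otherwise the header, mirroring the overridden handleStatefulRequest.
// SameSite=None; Secure is what a cross-site iframe needs where cookies work.
function sessionResponseHeaders(array $cookies, string $cookieName, string $id): array
{
    if (isset($cookies[$cookieName])) {
        return ['Set-Cookie' => $cookieName . '=' . $id . '; Path=/; HttpOnly; Secure; SameSite=None'];
    }
    return ['X-Session-Token' => $id];
}

// ---- constructed sample requests ----------------------------------------
$cookieName = 'laravel_session';                 // assumption
$good = str_repeat('a', 40);                      // constructed, well-formed ID

var_dump(resolveSessionId([], ['X-Session-Token' => $good], $cookieName));       // header accepted
var_dump(resolveSessionId([], ['X-Session-Token' => 'x/../etc'], $cookieName));  // malformed, rejected
var_dump(resolveSessionId([$cookieName => $good], ['X-Session-Token' => 'b'], $cookieName)); // cookie wins
print_r(sessionResponseHeaders([], $cookieName, $good));
```

The client side of this design has to store the token (in memory for the iframe's lifetime is enough for a quiz) and send it back on every request; the server should rotate it on any privilege change just as it would a cookie-based session.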

What to do when lucadegasperi oauth2 server for laravel gets caught by auth middleware?

So currently building an oauth2 server with:
https://github.com/lucadegasperi/oauth2-server-laravel/blob/master/docs/authorization-server/auth-code.md
Auth Grant
laravel 5.2
Now nowhere in the instructions does it address what to do when the user is not logged in (which most times will be the case).
So in that scenario the user hits the auth middleware, kicking them to the login screen... but what to do after that? There is nothing passed to the login page, so how do I know where to redirect the user back to?
Now yes, of course I can just do this on my own, but before I do that I just want to make sure I am not missing anything? Again, it was not addressed in the documentation, so I can only assume this was thought through?
Let me know your thoughts.
Steve
So just ended up doing a workaround in my Authenticate.php file. In case anyone else is curious, I did this:
    $params = [];
    if($request->has('client_id'))
        $params['client_id'] = $request->client_id;
    if($request->has('redirect_uri'))
        $params['redirect_uri'] = $request->redirect_uri;
    if($request->has('response_type'))
        $params['response_type'] = $request->response_type;
    if($request->has('scope'))
        $params['scope'] = $request->scope;
    if($request->has('state'))
        $params['state'] = $request->state;
    return redirect()->route('login', $params);
    //return redirect()->guest('login');
Passed this to my loginController. Then in loginController:
    $params = [];
    if($this->request->has('redirect_uri'))
        $params['redirect_uri'] = $this->request->redirect_uri;
    if($this->request->has('response_type'))
        $params['response_type'] = $this->request->response_type;
    if($this->request->has('scope'))
        $params['scope'] = $this->request->scope;
    if($this->request->has('state'))
        $params['state'] = $this->request->state;
    if($this->request->has('client_id'))
    {
        $params['client_id'] = $this->request->client_id;
        //dd($params);
        return redirect()->route('oauth.authorize.get', $params);
    }
Let me know if you see any issues.
Cheers
Citti
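The round trip in the workaround above, as an added framework-free example (not the poster's code and not part of the oauth2-server-laravel package): the authorize request hits the auth check while logged out, the whitelisted authorize parameters are turned into an intended URL kept in the session, and after login the user is sent back to it. Keeping the target in the session rather than in the login URL means only the known OAuth parameters travel, and the post-login redirect only honours a site-relative path. The route paths and the `$session` array are assumptions standing in for the framework.

```php
<?php
// Added example, not from the post or from the oauth2-server-laravel package.
// Preserves an OAuth authorize request across a login using the session.

const AUTHORIZE_PATH = '/oauth/authorize'; // assumption
const LOGIN_PATH     = '/login';           // assumption

// Only these authorize parameters are carried across the login.
const AUTHORIZE_PARAMS = ['client_id', 'redirect_uri', 'response_type', 'scope', 'state'];

// Build the authorize URL from the whitelisted parameters only, so that
// arbitrary query parameters cannot ride along through the login page.
function intendedAuthorizeUrl(array $input): string
{
    $params = array_intersect_key($input, array_flip(AUTHORIZE_PARAMS));
    return AUTHORIZE_PATH . '?' . http_build_query($params);
}

// Guest redirect: remember where the user was going and send them to login.
function redirectGuest(array &$session, array $input): string
{
    $session['url.intended'] = intendedAuthorizeUrl($input);
    return LOGIN_PATH;
}

// After a successful login: honour the intended URL only if it is a
// relative path on this site (no scheme, no host, no protocol-relative "//").
function redirectIntended(array &$session, string $fallback = '/'): string
{
    $url = $session['url.intended'] ?? null;
    unset($session['url.intended']);
    if (!is_string($url) || $url === '' || $url[0] !== '/' || substr($url, 0, 2) === '//') {
        return $fallback;
    }
    return $url;
}

// ---- constructed walk-through -------------------------------------------
$session = [];
$input = [
    'client_id'     => 'demo-client',
    'redirect_uri'  => 'https://client.example/cb',
    'response_type' => 'code',
    'scope'         => 'basic',
    'state'         => 'xyz',
    'extra'         => 'dropped by the whitelist',
];
echo redirectGuest($session, $input), "\n";   // login page
echo redirectIntended($session), "\n";         // back to /oauth/authorize?...

// A tampered intended URL falls back instead of redirecting off-site.
$session['url.intended'] = 'https://attacker.example/';
echo redirectIntended($session), "\n";
```

The authorization endpoint still validates `redirect_uri` against the registered client after the user returns; this helper only decides where the login page sends the user next.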

CodeIgniter Getting Not Found Image Path In Session

I'm implementing redirect to previous page after login and logout.
So in each method of the controller I've saved the session as follows.
$this->session->set_userdata('previous_page', current_url());
And after successful login and logout, I'm calling a library method as follows.
    function redirect_to_previous_url() {
        $url = base_url();
        if($this->_CI->session->userdata('previous_page')) {
            // Get previous_url
            $url = $this->_CI->session->userdata('previous_page');
            $this->_CI->session->unset_userdata('previous_page');
        }
        return $url;
    }
But it's redirecting to the base_url of the site. After checking the session value, it's showing a not-found image path, not what I saved before.
I'm not able to find out what the problem is behind this.
Please help me to rectify it; the help would be appreciated.
Try this:
    function redirect_to_previous_url() {
        $url = base_url();
        if($this->_CI->session->userdata('previous_page')) {
            // Get previous_url
            $url = $this->_CI->session->userdata('previous_page');
            $this->_CI->session->unset_userdata('previous_page');
            return $url;
        }
        return $url;
    }
I would ensure the session was set. Like this;
    if($this->_CI->session->userdata('previous_page')) {
        show_error('The session is set');
    }
If you don't see the error, the session isn't set. Then you know this isn't where the problem lies.
No need to store Previous URL in session.
In core PHP you can get the previously visited URL from the following server variable:
    $_SERVER['HTTP_REFERER'];
The same can be achieved in CodeIgniter as:
    $this->load->library('user_agent');
    echo $this->agent->referrer();

Set AuthComponent when doing a manual login with AJAX

Using CakePHP 2.0, when logging in the normal way, a helpful set of cookies is set and accessible via AuthComponent::user(). However, this does not get set when doing it the AJAX way. The verification works fine, but I would like to figure out how to set AuthComponent without a hard refresh.
Maybe I could do without AuthComponent and just store cookies, but I wanted to check to see if there's an easy way to do this before doing all of that work.
I've checked the JsHelper and Authentication pages in the CakePHP 2.0 documentation.
Any ideas?
Why don't you create a function in the user controller along the lines of:
    public function autologin() {
        $this->autoRender = false;
        if ($this->request->is('post')) {
            if ($this->Auth->login()) {
                // Auth::user() returns the logged-in user's data for the session and the JSON reply
                $udata = $this->Auth->user();
                $this->Session->write('Udata', $udata);
                $fD = array('loggedIn'=>true,'vdata'=>$udata);
            } else {
                $fD = array('loggedIn'=>false,'vdata'=>'Your username/password combination was incorrect');
            }
            echo json_encode($fD);
        }
    }
and call this page with your AJAX. With the JSON, run some checks.
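A framework-free version of that JSON login endpoint, added as an example (not the answerer's code and not CakePHP's): it regenerates the session ID on a successful login so a session fixed before authentication cannot be reused, returns only the user fields the browser needs, and sets the JSON content type. The credential store and the `authenticate()` stand-in for `$this->Auth->login()` are constructed for the demo.

```php
<?php
// Added example, not from the answer or from CakePHP. A minimal AJAX login
// responder: regenerate the session on success, strip secrets, emit JSON.

// Fields that must never reach the client.
const SENSITIVE_FIELDS = ['password', 'password_hash', 'token', 'remember_token'];

// Stand-in for the framework's Auth->login(): returns the user row or null.
function authenticate(string $username, string $password): ?array
{
    // Constructed credential store (the stored hash is of "secret").
    $users = [
        'alice' => [
            'id'       => 1,
            'username' => 'alice',
            'password' => password_hash('secret', PASSWORD_DEFAULT),
            'role'     => 'member',
        ],
    ];
    $user = $users[$username] ?? null;
    return ($user !== null && password_verify($password, $user['password'])) ? $user : null;
}

// Drop sensitive columns before the record is stored or sent anywhere.
function publicUserData(array $user): array
{
    return array_diff_key($user, array_flip(SENSITIVE_FIELDS));
}

// Builds the array the AJAX caller inspects (loggedIn / vdata, as above).
function loginResponse(?array $user): array
{
    if ($user === null) {
        return ['loggedIn' => false, 'vdata' => 'Your username/password combination was incorrect'];
    }
    // A fresh session ID once the privilege level changes; skipped when no
    // session is active (for example when run from the CLI).
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
        $_SESSION['Udata'] = publicUserData($user);
    }
    return ['loggedIn' => true, 'vdata' => publicUserData($user)];
}

// Serialise with the right content type so the browser does not sniff HTML.
function sendJson(array $payload): string
{
    if (!headers_sent()) {
        header('Content-Type: application/json; charset=utf-8');
    }
    return json_encode($payload);
}

echo sendJson(loginResponse(authenticate('alice', 'secret'))), "\n";
echo sendJson(loginResponse(authenticate('alice', 'wrong'))), "\n";
```

The successful reply carries id, username and role but no password hash; the failed reply carries the same generic message for a wrong password and an unknown user, so the endpoint does not reveal which accounts exist.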

Anyway to redirect to previous URL after registration in Joomla?

I am developing a component that requires login at some level, so if the user is not logged in, I placed a login link that takes the user to the login page with the following in the query string.
    return=<?php echo base64_encode($_SERVER['REQUEST_URI']);?>
After login, it comes back to that page, but is there some way to tackle this if the user is not registered and starts registering? Is there some way to do this without changing something in Joomla itself, like by just setting something in a cookie, etc.? Or will I need to change something in the Joomla Registration component or module? Or is there some plugin for that?
Any response will be appreciated; please tell me whatever way you know so that it may give me a better clue.
In your component you could try to store the referrer in the Joomla! session - I don't believe the session changes or is replaced during login. I haven't had time to try this but it should work.
To save:
    $session = JFactory::getSession();
    $session->set('theReferrer', $_SERVER['HTTP_REFERER'], 'mycomponentname');
To retrieve:
    $session = JFactory::getSession();
    $redirectTo = $session->get('theReferrer', '', 'mycomponentname');
Then you can just use a setRedirect before you return.
    $this->setRedirect($redirectTo);
You can achieve this with a plugin (at least in Joomla 3.x - not sure how far back this will work off-hand). Key here is the onUserAfterSave event, which tells you whether the user is new or existing.
I wrote the code below some time ago, so can't recall the exact reason the redirect could not be done from within the onUserAfterSave event handler, but I think the redirect is subsequently overridden elsewhere in the core Joomla user management code if you try to do it from there, hence saving a flag in the session and checking it in a later event handler.
    class PlgUserSignupRedirect extends JPlugin
    {
        public function onUserAfterSave($user, $isnew, $success, $msg)
        {
            // If the user isn't new we don't act
            if (!$isnew) {
                return false;
            }
            $session = JFactory::getSession();
            $session->set('signupRedirect', 1);
            return true;
        }

        function onAfterRender() {
            $session = JFactory::getSession();
            if ($session->get('signupRedirect')) {
                // Clear the flag first: redirect() ends the request, so nothing
                // after it runs and the flag would otherwise fire on every page
                $session->clear('signupRedirect');
                JFactory::getApplication()->redirect($_SERVER['HTTP_REFERER']);
            }
        }
    }
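Both the CodeIgniter previous-page question and the Joomla plugin above redirect the user to a URL that was stored earlier or taken from `HTTP_REFERER`, and the CodeIgniter question ran into the stored value being a missing image path. The helpers below are an added, framework-free example (not code from either thread, CodeIgniter or Joomla) that handle both problems: one decides which requests are worth remembering as the "previous page", the other accepts a candidate redirect target only when it points back at this site, since a referer is client-controlled and a bare redirect to it is an open redirect. The site host and sample URLs are constructed.

```php
<?php
// Added example, not from either answer, CodeIgniter or Joomla. Helpers for
// the "redirect back after login/registration" pattern.

const SITE_HOST = 'www.example.com'; // constructed

// Requests that should never be remembered as the previous page: AJAX calls
// and asset-like paths such as a missing image that fell through to the
// front controller (the "not found image path" symptom in the question).
function shouldRememberAsPreviousPage(string $url, bool $isAjax = false): bool
{
    if ($isAjax) {
        return false;
    }
    $path = (string) parse_url($url, PHP_URL_PATH);
    return !preg_match('~\.(png|jpe?g|gif|svg|ico|css|js|woff2?|map)$~i', $path);
}

// A URL taken from the session or from HTTP_REFERER is a safe redirect
// target only if it points back at this site: absolute URLs must be http(s)
// on our host, relative ones must be plain paths (no protocol-relative "//").
function safeRedirectTarget($candidate, string $fallback): string
{
    if (!is_string($candidate) || $candidate === '') {
        return $fallback;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $fallback;
    }
    if (isset($parts['host'])) {
        $schemeOk = in_array(strtolower($parts['scheme'] ?? ''), ['http', 'https'], true);
        return ($schemeOk && strcasecmp($parts['host'], SITE_HOST) === 0) ? $candidate : $fallback;
    }
    // No host: must be an absolute path on this site. This also rejects
    // scheme-only values such as "javascript:..." because they do not start with "/".
    if (substr($candidate, 0, 1) !== '/' || substr($candidate, 0, 2) === '//') {
        return $fallback;
    }
    return $candidate;
}

// ---- constructed samples -------------------------------------------------
$fallback = 'https://' . SITE_HOST . '/';
foreach ([
    'https://www.example.com/account/orders',
    'https://evil.example/phish',
    '//evil.example/phish',
    '/account/orders',
    'javascript:alert(1)',
] as $candidate) {
    printf("%-40s -> %s\n", $candidate, safeRedirectTarget($candidate, $fallback));
}
var_dump(shouldRememberAsPreviousPage('https://www.example.com/images/missing.png'));
var_dump(shouldRememberAsPreviousPage('https://www.example.com/products/42'));
```

In the CodeIgniter case, guarding `set_userdata('previous_page', current_url())` with `shouldRememberAsPreviousPage()` keeps a stray image request from overwriting the real page; in both cases, passing the stored value through `safeRedirectTarget()` before `redirect()` or `setRedirect()` means a forged referer can only ever send the user to the site's own front page.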
