Destroy CakePHP session when close browser - session

I need to keep Security.level set to medium for Ajax reasons.
But I want the session to be destroyed if the user closes the browser.
How can I do that?
Thanks in advance!

Config/core.php
Configure::write('Session', array(
    'defaults' => 'php',
    'cookieTimeout' => 0, //Lives until the browser is closed.
    'checkAgent' => false //To fix a little the Chrome Frame problem
));

Unless you're persisting session data (ie: storing session data in a cookie with an expiration date in the future), then the session should be destroyed when the user closes the browser.
Unfortunately I'm not familiar with the CakePHP framework so I cannot comment on its API. However, if you want to explicitly end a session you can do so in PHP with session_destroy().
Hope that helps.

You could remove the session cookie with JS when the page is closed (remember: page close is also triggered when the user just navigates away - maybe just to the next page of yours).

I guess you could fire an ajax command on page unload to call session_destroy()

http://book.cakephp.org/view/1317/destroy for CakePHP - but yes, CakePHP does set a proper session cookie which is deleted by the browser when it closes.
What you really are probably concerned about is session hijacking - and so you really want some kind of a logout on site closure. You can't do this - the best alternative method that I know of is:
A short session timeout with an "Are you there?" AJAX refresh - the timeout can be controlled independently of the security level now using Configure::write('Session.timeout', $seconds);, where for medium security level the timeout seconds are multiplied by 100. Banks use this method.
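
Added example, not part of the original answers: the short timeout with a keep-alive refresh described above, sketched in plain PHP (7.1+) rather than through CakePHP's session API. IDLE_LIMIT, the last_seen key and the endpoint layout are assumptions made for the illustration.

```php
<?php
// Added example: idle timeout enforced on the server, refreshed by a keep-alive call.
// IDLE_LIMIT and the 'last_seen' key are assumptions made for this sketch.
const IDLE_LIMIT = 600; // seconds of inactivity allowed

/** True if the session is still within the idle limit; refreshes its timestamp. */
function touchSession(array &$session, int $now, int $limit = IDLE_LIMIT): bool
{
    if (isset($session['last_seen']) && ($now - $session['last_seen']) > $limit) {
        return false; // caller must end the session
    }
    $session['last_seen'] = $now;
    return true;
}

/** Drops server-side state and expires the browser's session cookie. */
function endSession(): void
{
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

if (PHP_SAPI !== 'cli') {
    // Keep-alive endpoint called by the "Are you there?" AJAX request.
    session_set_cookie_params(0); // lifetime 0: cookie is discarded on browser close
    session_start();
    if (!touchSession($_SESSION, time())) {
        endSession();
        http_response_code(401); // client should show the login page
        exit;
    }
    header('Content-Type: application/json');
    echo json_encode(array('alive' => true, 'expires_in' => IDLE_LIMIT));
} else {
    // Constructed timestamps so the logic can be checked offline.
    $s = array();
    var_dump(touchSession($s, 1000)); // first request
    var_dump(touchSession($s, 1500)); // 500 s idle
    var_dump(touchSession($s, 2200)); // 700 s idle
}
```

Call touchSession() at the start of every authenticated request, not only in the keep-alive endpoint, so the limit is enforced even when the browser never sends the AJAX call.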

Related

session timeout forever cakephp

I am working on CakePHP 2.x. I am using the Auth component. The problem right now is that the session automatically expires after some minutes. I mean, if the user does nothing, then CakePHP logs them out after some period. I want to make the session last forever unless he clicks the logout button. I don't know how to do this. Any help would be greatly appreciated.
Here's my config code:
Configure::write('Session', array(
    'defaults' => 'php'
));
I think the problem is that you're using the default php sessions and they are configured (in php.ini) to expire sooner than you want to. See.
If you want your logins to live forever it's probably better to use cookie based login. See this plugin for instance.

cakephp, session not working unless allow a cookie in browser

Using latest version of cakephp v2.3.3
I have a problem with my session variables when a browser doesn't allow cookies.
I pass variables from one controller to the other and this works perfect as long as the browser has cookies enabled. I have tried it with the Session helper in the controllers, but no effort, same problem.
How to fix this, is there a work around???
Cookies are required to keep track of the session ID, but you can manually get or set the session ID using $this->Session->id(). By adding the code below to the App Controllers' before filter you can set the session ID as a URL parameter like http://example.com/posts/view/1?session=qkv108c2pqeubcpeos1q7ekds3, for example.
if (!empty($this->request->query['session'])) {
    $this->Session->id($this->request->query['session']);
}
The session ID is required for every request which means you have to include it in every link. I would suggest extending the HTML helpers' url and link methods to automatically add it.
Edit:
You should verify that $this->Session->read('Config.userAgent'); or $this->request->clientIp(); has not changed since the user was authenticated to prevent session hijacking. Thanks to thaJeztah for pointing this out.
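
Added example, not part of the original answer: one way to apply the check from the edit above when a session ID arrives in the URL, written as plain PHP (7.1+) functions instead of CakePHP's SessionComponent. The fingerprint key, the function names and the demo values are assumptions constructed for the illustration.

```php
<?php
// Added example: validate a URL-supplied session ID and bind the session to its client.
// The 'fingerprint' key and all function names are assumptions for this sketch.

/** Fingerprint of the client, keyed with a server-side secret. */
function clientFingerprint(string $userAgent, string $secret): string
{
    return hash_hmac('sha256', $userAgent, $secret);
}

/** Accept only values that have the shape of a PHP session ID. */
function isWellFormedSessionId(string $id): bool
{
    return preg_match('/^[A-Za-z0-9,-]{22,256}$/', $id) === 1;
}

/**
 * Decide what to do with loaded session data:
 *  'bind'   - no fingerprint stored yet: record the current client
 *  'ok'     - stored fingerprint matches the current client
 *  'reject' - fingerprint differs: discard the session and force a new login
 */
function checkBinding(array &$session, string $userAgent, string $secret): string
{
    $current = clientFingerprint($userAgent, $secret);
    if (!isset($session['fingerprint'])) {
        $session['fingerprint'] = $current;
        return 'bind';
    }
    return hash_equals($session['fingerprint'], $current) ? 'ok' : 'reject';
}

// Constructed demo: one session, then a request from a different client.
$secret  = 'constructed-demo-secret';
$session = array();
var_dump(isWellFormedSessionId('qkv108c2pqeubcpeos1q7ekds3'));
var_dump(isWellFormedSessionId('not a session id!'));
var_dump(checkBinding($session, 'Mozilla/5.0 (X11; Linux) Firefox', $secret));
var_dump(checkBinding($session, 'Mozilla/5.0 (X11; Linux) Firefox', $secret));
var_dump(checkBinding($session, 'curl/8.0', $secret));
```

The User-Agent header is supplied by the client, so the binding only raises the bar; calling session_regenerate_id(true) at login keeps an ID that was handed over in a link from staying valid for the authenticated session.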

Drupal 7 on browser close automatic logout

I'm using Drupal 7.
drupal?q=user
When we have logged in, then close the browser and reopen it, it should ask for login again.
But it remains logged in.
I have used the Session Expire module and also set
ini_set('session.cookie_lifetime', 0); in sites/default/settings.php
but it didn't work. Has anyone solved this?
You should set this in your settings.php
ini_set('session.gc_maxlifetime', 0);
ini_set('session.cookie_lifetime', 0);
But in Firefox, session cookies stay alive until the browser is completely closed (they are not terminated by closing only the Drupal tabs) :(
The Session Expire module creates an instance in a table called session; that's why nothing happens if you change the session cookie in settings.php... the only way to resolve it is to create an AJAX call to the user/logout page on browser closure.
I am trying to get this working without success, if you got finally the solution can you share with me, please!
see this link to get more information: http://eureka.ykyuen.info/2011/02/22/jquery-javascript-capture-the-browser-or-tab-closed-event/

Magento frontend (session) cookie

I have some strange behaviour in IE on my Magento shop with losing the frontend (session) cookie. Does anybody have a clue where in the Magento code the frontend cookie gets set?
Thanks!
Afaik, the 'frontend' cookie gets set right before the current action is being dispatched.
Have a look at Mage_Core_Controller_Varien_Action::preDispatch().
Session start
Looking into preDispatch(), find the line which starts the session:
Mage::getSingleton('core/session', array('name' => $namespace))->start();
Which usually (if not overridden) finally maps to
Mage_Core_Model_Session_Abstract_Varien::start()
This is the place where all the standard session stuff gets initialized, including cookie settings by using session_set_cookie_params.
Revalidation
Be aware though, that once the cookie already exists, first cookie mangling may already happen while the core session gets instantiated, i.e. before start() is called. That's because the constructor calls revalidateCookie() while instantiating the core session. See:
Mage_Core_Model_Session_Abstract_Varien::init()

Manually start session with specific id / transitioning session cookie between domains

My host requires me to use a different domain for SSL secured access (shared SSL), so I need to transition the user session between two domains. One part of the page lives at http://example.com, while the SSL'd part is at https://example.hosting.com. As such I can't set a domain-spanning cookie.
What I'm trying to do is to transition the session id over and re-set the cookie like this:
http://example.com/normal/page, user clicks link to secure area and goes to:
http://example.com/secure/page, which causes a redirect to:
https://example.hosting.com/secure/page?sess=ikub..., which resurrects the session and sets a new cookie valid for the domain, then redirects to:
https://example.hosting.com/secure/page
This works up to the point where the session should be resurrected. I'm doing:
function beforeFilter() {
    ...
    $this->Session->id($_GET['sess']);
    $this->Session->activate();
    ...
}
As far as I can tell this should start the session with the given ID. It actually generates a new session ID though and this session is empty, the data is not restored.
This is on CakePHP 1.2.4. Do I need to do something else, or is there a better way to do what I'm trying to do?
When Configure::write('Security.level') is set to medium or higher, session.referer_check is implicitly activated, which makes the whole thing fail. Setting the security level to low (or using a custom session configuration) makes everything work as it should.
There went about 5 hours of debugging... ( -_-;;)
My first thought is to use the Cake file sessions and copy the file over, and then perhaps try and start a new session with that phpsessid, although I'm not even sure if that would actually work or not :)
With Cake 2.6.1 -- This is what worked for me.
$this->Session->id("tfvjv43hjmsnjkh0v3ss539uq7"); // add session id you want to set
$this->Session->id();
$this->Session->read("key"); // hhoorray worked :)
With SessionComponent, the id() function needs to be called twice: once with the session id to set session_id(), and a second time to start the Cake session.
The first call does not really start the session... I don't know how the Cake guys missed it.....
Upvote if this works for you.
