Auth class always using cookie session storage over php #1006

Open
leemason opened this Issue · 5 comments

4 participants

Lee Mason chuckwh Fitz Agard David Persson
Lee Mason

I'm trying (without luck) to set the sessions used by my app to use the PHP adapter and not the default cookie method.

I'm not a super wiz, but I know a bit, and I'm pretty sure cookie session storage is a bad idea, so first: why is cookie storage the default?

My real problem is I can't seem to tell the Auth class to use my predefined session adapters.

Here is my connections file:

<?php
/**
 * Lithium: the most rad php framework
 *
 * @copyright     Copyright 2013, Union of RAD (http://union-of-rad.org)
 * @license       http://opensource.org/licenses/bsd-license.php The BSD License
 */

/**
 * This configures your session storage. The Cookie storage adapter must be connected first, since
 * it intercepts any writes where the `'expires'` key is set in the options array.
 * The default name is based on the lithium app path. Remember, if your app is numeric or has
 * special characters you might want to use Inflector::slug() or set this manually.
 */
use lithium\storage\Session;

Session::config(
    array(
        'cookie' => array(
            'adapter' => 'Cookie',
            'name' => SESSION_NAME . '_cookie',
            'expire' => '+1 day',
            'httponly' => true
        ),
        'default' => array(
            'adapter' => 'Php',
            'session.name' => SESSION_NAME,
            'strategies' => array(
                 'Encrypt' => array('secret' => SESSION_SECRET)
            )
        ),
        'client' => array(
            'adapter' => 'Php',
            'session.name' => md5( SESSION_NAME ),
            'strategies' => array(
                 'Encrypt' => array('secret' => md5( SESSION_SECRET ) )
            )
        ),
        'contact' => array(
            'adapter' => 'Php',
            'session.name' => md5( SESSION_NAME . '_contact' ),
            'strategies' => array(
                 'Encrypt' => array('secret' => md5( SESSION_SECRET . '_contact' ) )
            )
        ),
        'admin' => array(
            'adapter' => 'Php',
            'session.name' => md5( SESSION_NAME . '_admin' ),
            'strategies' => array(
                 'Encrypt' => array('secret' => md5( SESSION_SECRET . '_admin' ) )
            )
        )
    )
);

/**
 * Uncomment the lines below to enable forms-based authentication. This configuration will attempt
 * to authenticate users against a `Users` model. In a controller, run
 * `Auth::check('default', $this->request)` to authenticate a user. This will check the POST data of
 * the request (`lithium\action\Request::$data`) to see if the fields match the `'fields'` key of
 * the configuration below. If successful, it will write the data returned from `Users::first()` to
 * the session using the default session configuration.
 *
 * Once the session data is written, you can call `Auth::check('default')` to check authentication
 * status or retrieve the user's data from the session. Call `Auth::clear('default')` to remove the
 * user's authentication details from the session. This effectively logs a user out of the system.
 * To modify the form input that the adapter accepts, or how the configured model is queried, or how
 * the data is stored in the session, see the `Form` adapter API or the `Auth` API, respectively.
 *
 * @see lithium\security\auth\adapter\Form
 * @see lithium\action\Request::$data
 * @see lithium\security\Auth
 */
use lithium\security\Auth;

Auth::config(
    array(
        'client' => array(
            'adapter' => 'Form',
            'model' => 'Clients',
            'fields' => array('email', 'password'),
            'session' => array(
                'persist' => array('id')
            )
        ),
        'contact' => array(
            'adapter' => 'Form',
            'model' => 'Contact',
            'fields' => array('email', 'password'),
            'session' => array(
                'persist' => array('id')
            )
        ),
        'admin' => array(
            'adapter' => 'Form',
            'model' => 'Admin',
            'fields' => array('email', 'password'),
            'session' => array(
                'persist' => array('id')
            )
        )
    )
);


?>

As you can see, I'm trying to segment all my auths into separate sessions (the end game is to use MySQL session storage, but for now I just need the PHP adapter).

What am I doing wrong?

If I remove the cookie or default session configs my logins break. For reference, SESSION_NAME is a constant defined elsewhere; it's nothing special.

Regardless of what I do, I see cookies being set with everything I try, and the PHP $_SESSION var is always empty.

chuckwh

I'm also having this problem. Any Lithium guys care to comment? I'd even be happy using encrypted cookies, since I'm not storing critical stuff in them, but plain-text cookies are bad. The problem for me happens on any page where I'm using the Auth class, but my entire site is HTTPS, so not using that is not an option. I've tried similar stuff to the original poster.

I would rather, however, use MongoDB to handle my sessions. I've tried downloading a plugin for that, but it's not working either. If someone has a working example of getting sessions to work with either encrypted cookies or, better, MongoDB, with a full example of how to make it work, I'd really appreciate that. I need something that works with Auth::check(). Thanks.
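The following is an added configuration example written for this thread; it is not code from the Lithium project, from the original poster, or from chuckwh. It addresses both posts above: it keeps the authenticated user data server-side in a single Php-adapter session (the PHP runtime can only have one native session per request, so several `Php` configurations with different `session.name` values cannot all be active at once), and it shows a Cookie-adapter configuration that at least encrypts what it hands to the browser instead of storing it in clear text. It assumes the Lithium `Session`/`Auth` configuration API of the 0.11/1.0 line, in particular that an `Auth` configuration's `'session'` key accepts `'options' => array('name' => ...)` naming the `Session` configuration it should write to; `SESSION_NAME` and `SESSION_SECRET` are placeholders defined elsewhere, as in the original post.

```php
<?php
// Added example, not project code. Assumes Lithium's Session/Auth config API
// (0.11/1.0 line) and that Auth's 'session' => 'options' => 'name' selects the
// Session configuration it writes to. SESSION_NAME / SESSION_SECRET are
// placeholders defined elsewhere.
use lithium\storage\Session;
use lithium\security\Auth;

Session::config(array(
	// Server-side storage. Only the session id reaches the browser, and every
	// 'session.*' key is passed to ini_set() by the Php adapter.
	'default' => array(
		'adapter' => 'Php',
		'session.name' => SESSION_NAME,
		'session.cookie_httponly' => true,   // not readable from script
		'session.cookie_secure' => true,     // HTTPS-only site: never send the id in clear
		'session.use_only_cookies' => true,  // no session ids in URLs
		'strategies' => array(
			'Encrypt' => array('secret' => SESSION_SECRET)
		)
	),
	// Client-side storage, for data you are prepared to hand to the browser.
	// Without a strategy the Cookie adapter stores the value in plain text.
	'client' => array(
		'adapter' => 'Cookie',
		'name' => SESSION_NAME . '_client',
		'expire' => '+1 day',
		'secure' => true,
		'httponly' => true,
		'strategies' => array(
			'Encrypt' => array('secret' => SESSION_SECRET)
		)
	)
));

// Each Auth configuration names the Session configuration it uses. When the
// 'name' option is omitted, Auth writes to the Session configuration called
// 'default'. Each Auth configuration stores its own entry, so one server-side
// session can hold a client login and an admin login side by side.
$serverSide = array(
	'options' => array('name' => 'default'),
	'persist' => array('id')   // keep only the user id in the session
);

Auth::config(array(
	'client' => array(
		'adapter' => 'Form',
		'model' => 'Clients',
		'fields' => array('email', 'password'),
		'session' => $serverSide
	),
	'admin' => array(
		'adapter' => 'Form',
		'model' => 'Admin',
		'fields' => array('email', 'password'),
		'session' => $serverSide
	)
));

?>
```

Two caveats. First, encryption alone hides the contents of a cookie but does not, by itself, reject a cookie that has been modified or replayed, which is why the `Auth` configurations here point at the server-side `default` session rather than at the `client` cookie. Second, to check which storage a login actually lands in, log in and then inspect the response headers: with the configuration above you should see exactly one `Set-Cookie` for `SESSION_NAME` carrying an opaque id, and `$_SESSION` should be populated server-side, whereas a cookie whose value is a long base64 blob means the data itself is being shipped to the browser.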

Fitz Agard

@chuckwh Here is an implementation using MongoDB to handle your sessions - https://gist.github.com/fitzagard/7072287

chuckwh

@fitzagard - Hey, thanks, I really appreciate the link. I tried this but I'm still having trouble. I am getting a null value passed on _data in the Model.php class:

public function write($key, $value = null, array $options = array()) {
    $_data =& $this->_data; // $_data is null
    $test = $_data;
    $test2 = $_data;
    return function($self, $params, $chain) use (&$_data) {
        $_data->set(array($params['key'] => $params['value']));
        return true;
    };
}

And my session.php looks like:

'default' => array(
    'adapter' => 'app\extensions\adapter\session\Model',
    'model' => 'Sessions'
),

where Sessions is Sessions.php with a class by that name. I created an empty MongoDB collection called "sessions", but it really looks like Model.php is not aware of the collection for some reason. Model.php IS setting key/value pairs on the session items, though - I can see that in the debugger, and then after the above failure cookies get set.

I'll keep debugging, but I am posting this in case I am missing something obvious. Again, thanks for the link and code. It does feel like it is heading me in the right direction.

chuckwh

@fitzagard It works! Thanks again. My problem associated with above code was that I had used a "default" session name in the configuration. When I renamed it, everything whizzed along like magic. Thanks so much for demonstrating the power of collaborative development! :-)

David Persson

Related #457

davidpersson added this to the 1.0 milestone
davidpersson removed the verified label