HttpBasicAuth broke Session #15658
Comments
'auth' => function($username, $password) {
...
}What's inside? |
|
Not matter.... strcmp username and password. $session = Yii::$app->getSession();
if (!YII_ENV_TEST) {
$session->regenerateID(true);
}destruct session anytime. |
No, it matters. Please, post the code here |
|
Thanks for posting in our issue tracker.
Thanks! This is an automated comment, triggered by adding the label |
|
Ok :)))))) $user = UserModel::find()->where(['email' => $username])->one();
return !empty($user) && $user->validatePassword($password) ? $user : null;So usermodel returned ok, authentication done, so how it prevent yii\web\User from if (!YII_ENV_TEST) {
$session->regenerateID(true);
}My workaround is to set User::$enableSession to false. |
|
Would you please check if it works with 2.0.13.1? |
|
Already have 2.0.13.1 |
|
define('YII_ENV_TEST', true) is also workaround :))) |
|
Would you then please try code from master branch? |
|
ok, 15 minutes, please ... |
|
same result, PHPSESSIONID changes every request. \Yii::$app->user->enableSession = false; |
|
Thank you for the report, fixed. Please, try code in master branch to confirm |
|
@dicrtarasov did the fix solve your problem? |
|
Thank you very mutch. Your modification of User component completely fix this problem. |
#18649) * Issue #18646 Cleanup auth data from session if findIdentity() returns null * Issue #18646 Refactor fix to remove stale identity data from session * Issue #18646 Fix test for HttpBasicAuth (#15658) Co-authored-by: Alexander Makarov <sam@rmcreative.ru> Co-authored-by: Bizley <pawel@positive.codes>
Using HttpBasicAuth makes Session unusable, because PHPSESSIONID regenerates to new every request. Authentication is working fine, but session become empty.
Example, adding auth behavior.
The reason is in yii\web\User::switchIdentity()
The text was updated successfully, but these errors were encountered: