HttpBasicAuth broke Session #15658
Comments
```php
'auth' => function($username, $password) {
    ...
}
```

What's inside? |
Doesn't matter.... strcmp of username and password.

```php
$session = Yii::$app->getSession();
if (!YII_ENV_TEST) {
    $session->regenerateID(true);
}
```

destroys the session anytime. |
No, it matters. Please, post the code here |
Thanks for posting in our issue tracker.
Thanks! This is an automated comment, triggered by adding the label |
Ok :))))))

```php
$user = UserModel::find()->where(['email' => $username])->one();
return !empty($user) && $user->validatePassword($password) ? $user : null;
```

So the user model is returned ok, authentication is done, so how does it prevent yii\web\User from

```php
if (!YII_ENV_TEST) {
    $session->regenerateID(true);
}
```

My workaround is to set `User::$enableSession` to false. |
Would you please check if it works with 2.0.13.1? |
Already have 2.0.13.1 |
define('YII_ENV_TEST', true) is also workaround :))) |
Would you then please try code from master branch? |
ok, 15 minutes, please ... |
Same result, PHPSESSIONID changes every request. `\Yii::$app->user->enableSession = false;` |
Thank you for the report, fixed. Please, try code in master branch to confirm |
@dicrtarasov did the fix solve your problem? |
Thank you very much. Your modification of the User component completely fixes this problem. |
#18649) * Issue #18646 Cleanup auth data from session if findIdentity() returns null * Issue #18646 Refactor fix to remove stale identity data from session * Issue #18646 Fix test for HttpBasicAuth (#15658) Co-authored-by: Alexander Makarov <sam@rmcreative.ru> Co-authored-by: Bizley <pawel@positive.codes>
Using HttpBasicAuth makes Session unusable, because PHPSESSIONID regenerates to a new one every request. Authentication is working fine, but the session becomes empty.
Example, adding auth behavior.
The reason is in yii\web\User::switchIdentity()
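
The workaround reported in this thread (setting `enableSession` to false on the user component), written out as a controller. This is an added example, not the reporter's code or the framework's fix; `ReportController`, `actionIndex` and the `app\models\UserModel` namespace are assumptions, while the `auth` callback follows the snippet posted above.

```php
<?php

namespace app\controllers;

use Yii;
use yii\filters\auth\HttpBasicAuth;
use yii\web\Controller;
use app\models\UserModel; // assumed namespace; class name as used in the thread

// Hypothetical controller protected by HTTP Basic authentication.
class ReportController extends Controller
{
    public function init()
    {
        parent::init();
        // HTTP Basic sends credentials on every request, so the identity
        // does not need to be stored in the session. With enableSession
        // off, the user component leaves the session ID alone when the
        // identity is switched, which is the behaviour reported above.
        Yii::$app->user->enableSession = false;
    }

    public function behaviors()
    {
        $behaviors = parent::behaviors();
        $behaviors['authenticator'] = [
            'class' => HttpBasicAuth::class,
            // Must return an identity object on success, null on failure.
            'auth' => function ($username, $password) {
                $user = UserModel::find()->where(['email' => $username])->one();
                if ($user === null || !$user->validatePassword($password)) {
                    return null;
                }
                return $user;
            },
        ];
        return $behaviors;
    }

    public function actionIndex()
    {
        // Other session data is still available through Yii::$app->session.
        $session = Yii::$app->session;
        $session->set('hits', $session->get('hits', 0) + 1);
        return 'Requests in this session: ' . $session->get('hits');
    }
}
```

With the setting removed on an affected version, the counter in `actionIndex` stays at 1 because each request arrives with a fresh session ID, which matches the symptom described in the report.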