[ENHANCEMENT] make script keeping the session even on multiple vhost/alias setups
Closed this issue · 14 comments
Got the script working better now. But I've noticed the script does not work on alias domain names.
Example: If I was using the script on testdomain.com and I have test-domain.com as an alias domain through Apache, the script does not keep the user logged in, but has to log in for every alias domain. (Using the same script/db/etc)
Is this a cookie setting or a session setting? So far I can't see anything in Login.php that would restrict the script to only work on the current domain and not others.
Which would bring up another issue that the script would not work as a universal user manager for several different sites.
I'm using it for a single sign on right now. But, generally you don't need your other sites to read the cookies for your login portal... I've added some post login methods to login to mediawiki and then I set the cookie domain to .domain.com and path to /, which allows the other site, which is on a different subdomain of the login site, to read them.
I looked at my cookies and for PHPSESSID the domain = sub.domain.com and the path is /, which should work with an Alias. Perhaps yours is getting set to a path like /login, in which case that would prevent it from working with an Alias.
Open up chrome, do inspect element, resources -> cookies and see what the path is being set to for the PHPSESSID. If it has a path, you'll need to figure out how to fix that in your php.ini I suspect. The login script as far as I can tell isn't setting this cookie explicitly; it's being handled by PHP Sessions.
On a related note... here are my set cookie helper methods that I'm using for setting the cookies for another site...
```php
define("MEDIAWIKI_COOKIE_DOMAIN", ".domain.com");

/**
 * @param string $name
 * @param string $value
 * @param int $expiresIn optional by default is set to 3600. This value is added to time to set a future expiration.
 * to expire in one month you'd set it to "31*24*60*60" (the value is in seconds)
 * @param string $domain optional sets the domain of the cookie, set it to MEDIAWIKI_COOKIE_DOMAIN
 */
function setCookieForDomain($name, $value, $expiresIn=3600, $domain=MEDIAWIKI_COOKIE_DOMAIN) {
    setcookie($name, $value, time()+$expiresIn, '/', $domain);
}

/**
 * Creates a "session" cookie.
 * @param $name
 * @param $value
 * @param $domain - optional will be set to MEDIAWIKI_COOKIE_DOMAIN by default
 */
function setSessionCookieForDomain($name, $value, $domain=MEDIAWIKI_COOKIE_DOMAIN) {
    setcookie($name, $value, 0, '/', $domain, FALSE, TRUE);
}

/**
 * Sets the expiration time to 1 week ago so browser will immediately remove the cookie.
 * @param $name
 * @param string $value
 * @param string $domain
 */
function deleteCookieForDomain($name, $value="Deleted", $domain=MEDIAWIKI_COOKIE_DOMAIN) {
    setcookie($name, $value, time()-(60*60*24*7), '/', $domain, FALSE, TRUE);
}
```
I got curious so I looked into PHPSESSIONS...
You could add the session_set_cookie_params line like the one shown below in classes\Login.php and that'll override your settings in php.ini. In the example below, I set the first param to 30 days... kinda neat that makes it so the person doesn't have to login again for 30 days... set it to 0 to be until the browser is closed.
Be sure to clear all your cookies before trying it... (can't just logout) as you'll still have a session cookie laying around.
```php
/**
 * the function "__construct()" automatically starts whenever an object of this class is created,
 * you know, when you do "$login = new Login();"
 */
public function __construct() {
    // lifetime (30 days in seconds), path, domain, secure, httponly
    session_set_cookie_params((30*24*60*60), '/', '.domain.com', false, true); // <---- The line I added...
    // create/read session
    session_start();
    // ... rest of the constructor unchanged
}
```
That's the thing. The other login scripts I was testing (a lot of them were forks from jpmaster77's old script, but not all of them) worked fine on alias sites. So I assumed it wasn't anything with my php configuration. Registered and logged in with testdomain.com and when I enter test-domain.com in the browser, I was still logged in. The login script is installed in the root directory on all of the testing, though the final project it will be working directly from members.domain.com. But I also realized that most of the other scripts had some sort of Remember Me function which this one doesn't. Maybe it has something to do with that. After inspecting the element, the path is /.
Also when I visit test-domain.com (no longer logged in) and go back to testdomain.com, I'm still logged in. Also the php.ini time out is 12 hours, which I did set the cookie time to bypass that already. Just trying to figure out how to get the script to hold the session on aliased sites. Kind of like when you sign onto Google.com, you're logged into YouTube, GMail, etc, though that's not exactly what I'm trying to achieve right now (but will be in the future), it won't keep me logged in for a site that is the exact same site, just using a domain alias.
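How a browser decides which hosts receive a cookie, applied to the hostnames used in this thread. This is an added example, not code from the thread or from the login script: it implements the domain-match rule of RFC 6265 section 5.1.3, and the function name `browserSendsCookie` and the test cases are constructed for illustration.

```php
<?php
// Added example: browser-side cookie scoping (RFC 6265, section 5.1.3 domain matching).
// Hostnames are the ones used in this thread; the cases themselves are constructed.

/**
 * Would a browser send a cookie to $requestHost?
 * $cookieDomain: the Domain attribute set by the server (a leading dot is ignored),
 *                or the host that set the cookie when $hostOnly is true.
 * $hostOnly:     true when the cookie was set without a Domain attribute.
 */
function browserSendsCookie($requestHost, $cookieDomain, $hostOnly = false)
{
    $host   = strtolower(rtrim($requestHost, '.'));
    $domain = strtolower(trim($cookieDomain, '.'));
    if ($domain === '' || $host === '') {
        return false;
    }
    if ($host === $domain) {
        return true;                       // identical host always matches
    }
    if ($hostOnly || filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return false;                      // host-only cookies and IPs need an exact match
    }
    // Otherwise the host must end in "." + domain, so "mydomain.com"
    // does not match a cookie scoped to "domain.com".
    $suffix = '.' . $domain;
    return strlen($host) > strlen($suffix)
        && substr($host, -strlen($suffix)) === $suffix;
}

$cases = array(
    // request host,            cookie domain,       host-only
    array('sub.domain.com',     '.domain.com',       false),
    array('members.domain.com', '.domain.com',       false),
    array('mydomain.com',       '.domain.com',       false),
    array('members.domain.com', 'sub.domain.com',    true),
    array('test-domain.com',    '.testdomain.com',   false),
    array('testdomain.com',     '.test-domain.com',  false),
);
foreach ($cases as $c) {
    list($host, $domain, $hostOnly) = $c;
    printf("%-20s cookie %-28s %s\n", $host, $domain . ($hostOnly ? ' (host-only)' : ''),
        browserSendsCookie($host, $domain, $hostOnly) ? 'sent' : 'NOT sent');
}
```

The last two rows are the alias pair from this thread: a PHPSESSID cookie scoped to one alias name is never presented to the other, so each alias name carries its own cookie.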
@desynergy Which version of Apache are you using (I want to reproduce)? And please have a look here: Transfer Session Data Between Apache Virtual Hosts. Seems like Apache does not share session data between aliases by default.
My test server is running:
Apache 2.2.24
MySQL 5.0.51
PHP 5.3.25
But I'm pretty sure it's relying on the script. There's a generated hash token written in for the user in the database that is also set in the cookie and it is using it somehow. Testing some things out now, was just seeing if anyone knew what I should be looking for directly.
btw MySQL 5.1+ is the minimum to run the script (see this in the readme.md! I don't know exactly anymore why it is like that, but there was something...). I'm always wondering how people get this thing to run with PHP 5.2 or MySQL 5.0 ;)
Anyway, THIS issue has nothing to do with mysql...
I didn't think it would have had anything to do with mysql, I just posted those 3 things since they all do tie into each other.
Actually now that you mentioned it, I did think that version was old and checked through an SSH shell. The version is really 5.1.70:
```
[root@s104n19 ~]# mysqladmin -u root -p version
Enter password:
mysqladmin Ver 8.42 Distrib 5.1.70, for unknown-linux-gnu on x86_64
Copyright (c) 2000, 2013, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Server version 5.1.70
Protocol version 10
Connection Localhost via UNIX socket
UNIX socket /var/lib/mysql/mysql.sock
Uptime: 17 hours 27 min 42 sec
Threads: 5 Questions: 12587 Slow queries: 0 Opens: 362 Flush tables: 1 Open tables: 155 Queries per second avg: 109.690
```
I guess the script that pulls version information from the servers hasn't been working for this server for quite a while. Oops.
OK, I'm pretty sure it has something to do with the cookie handling, hashed tokens, etc. I'll play with it some more and figure something out.
I just linked this ticket from the USEFUL STUFF section in the README.md, to give people who need this special case solution a guide how to do so. It's a special case I think and implementing this into the script by default should be discussed... Gimme a notice if you guys think this is really useful for a lot of people.
I'll close this ticket until this is requested by more people.
Hi,
I have a similar problem - just can't logout. When I press the "logout" link it just takes me to the index page and I'm still logged in.
@s1awek please give some information. Which script/version? What have you changed? How does your session look before/after logout?
I am sorry, you're right, I should give you more details.
The version is 4-full-mvc-framework. I haven't changed anything, just got the script working by editing the config.php and .htaccess files.
You can try it for yourself just go on http://www.wykoprawi.pl/php-login-master/4-full-mvc-framework/ and register.
If you need any other details I'll provide them as you request.
Cheers.