
Comments (7)

crecent77 commented on May 18, 2024

It looks like this is the same issue as detailed in closed Issue #29.

from php-auth.

ocram commented on May 18, 2024

Thank you!

Can you share the browser (name and version) that you're testing this in? Cookie handling is often specific to individual browsers.

The fact that $auth->check() passes at login is because that doesn't involve cookies at all. So we can safely ignore that case. So let's see if we can find out what's wrong with the cookie handling.

The first case might be due to different cookie settings, e.g. the Secure flag, the HttpOnly flag, etc. Can you check this? It's strange, by the way, that the old cookie is not picked up at first (which requires a new cookie to be set) but then the old cookie blocks the new cookie from working. Perhaps this is a browser-specific bug. Or a PHP bug. Or really something that we must fix in this library. We'll see. A simple solution may just be using a different session cookie for this library, either by calling \session_name('MYSESSID') before creating the instance of this library, or by setting session.name to a different value in php.ini. Would those solutions be acceptable to you?

The second case is definitely related to the other issue that you referenced. Can you try the steps that I suggested there for us to be able to reproduce this behavior? Thanks!

from php-auth.

acodispo commented on May 18, 2024

Hi @ocram, I'm involved in dealing with this issue, too.

We've noticed this issue definitely on Chromium (Version 59.0.3071.109 (Developer Build) Built on Ubuntu, running on Ubuntu 16.10 (64-bit)), and I'm pretty sure that @crecent77 has seen it on Firefox as well.

I've actually refrained from clearing my cookies in one particular browser session so I can test this problem. The "old" cookie (pre-php-auth) is much like this:

Name: PHPSESSID
Domain: example.com
Path: /
Send for: Any kind of connection
Expires: When the browsing session ends

The new cookie (I believe created by php-auth) is:

Name: PHPSESSID
Domain: .example.com
Path: /
Send for: Same-site connections only
Expires: When the browsing session ends

It is domain and send for that differ.

I don't think that using a different session.name would be a problem, but I will have to check.

We will attempt to reproduce the other error for you as well.

Thanks for your help!

from php-auth.

acodispo commented on May 18, 2024

I left a comment on #29. I was able to duplicate, but had to modify your described process slightly. See the comment for details.

from php-auth.

ocram commented on May 18, 2024

Thank you!

The explanation and the possible solution that I suggested in #29 do probably affect your second problem described at the top, right? Though I'm not sure about the first problem.

from php-auth.

ocram commented on May 18, 2024

The first problem is definitely caused by individual cookie attributes that don’t match between the old and the new cookies, and you have found those bad attributes already.

The second problem is because this library does not work on subdomains other than www without setting the desired cookie domain. This is explained and tracked in #29.

from php-auth.
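
Added example (not part of the thread and not php-auth's code): a simplified JavaScript model of why the two PHPSESSID cookies listed above coexist and why the old one wins, and why a distinct session name such as MYSESSID avoids the collision. It relies on two facts: browsers store a host-only cookie and a Domain cookie of the same name as separate entries, sending the older one first when paths are equal, and PHP keeps the first occurrence of a repeated name in $_COOKIE. Assumptions: the request host is example.com, the cookie values are placeholders, SameSite is not modelled, and CookieJar, phpCookies, duplicateNames and demo are hypothetical names.

```javascript
// Simplified model of a browser cookie store (constructed example, not browser code).
class CookieJar {
  constructor() { this.store = []; this.tick = 0; }
  // Record a cookie set by `host`. No Domain attribute means host-only.
  set(host, { name, value, domain, path = '/' }) {
    const hostOnly = domain === undefined;
    const dom = hostOnly ? host : domain.replace(/^\./, '');
    const same = c => c.name === name && c.domain === dom &&
                      c.path === path && c.hostOnly === hostOnly;
    const old = this.store.find(same);
    this.store = this.store.filter(c => !same(c));
    // A replaced cookie keeps its creation time; a new entry gets the next tick.
    this.store.push({ name, value, domain: dom, path, hostOnly,
                      created: old ? old.created : this.tick++ });
  }
  // Cookie header for a request to `host`, path "/": longer paths first, then older first.
  header(host) {
    return this.store
      .filter(c => host === c.domain || (!c.hostOnly && host.endsWith('.' + c.domain)))
      .sort((a, b) => b.path.length - a.path.length || a.created - b.created)
      .map(c => `${c.name}=${c.value}`).join('; ');
  }
}

// PHP fills $_COOKIE with the first occurrence of a repeated name.
function phpCookies(header) {
  const out = Object.create(null);
  for (const pair of header.split('; ').filter(Boolean)) {
    const i = pair.indexOf('=');
    const name = pair.slice(0, i);
    if (out[name] === undefined) out[name] = pair.slice(i + 1);
  }
  return out;
}

// Names that arrive more than once: the server-side symptom of the collision.
function duplicateNames(header) {
  const names = header.split('; ').filter(Boolean).map(p => p.split('=')[0]);
  return [...new Set(names.filter((n, i) => names.indexOf(n) !== i))];
}

// Hypothetical helper: old host-only cookie first, then the library's domain cookie.
function demo(sessionName) {
  const jar = new CookieJar();
  jar.set('example.com', { name: 'PHPSESSID', value: 'old-value' });
  jar.set('example.com', { name: sessionName, value: 'new-value', domain: '.example.com' });
  const header = jar.header('example.com');
  return { header, seen: phpCookies(header), duplicates: duplicateNames(header) };
}
```

Running duplicateNames over the raw Cookie header in request logs is a quick way to confirm that a stale cookie is shadowing the session cookie.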

ocram commented on May 18, 2024

This has finally been fixed: #29

Thank you for your help!

from php-auth.
