Auth losting authentication with no reason


Auth losting authentication with no reason

Rodrigo Mourão - WebJump
I use the Auth component in my Cake app with success.

But sometimes the authentication is lost while using the app and the login page is displayed.
This happens more often if I press F5 (refresh) in the browser many times before the page load has completed.

Thanks for the help.

Best regards,
Rodrigo

Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
 
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [hidden email]
To unsubscribe from this group, send email to
[hidden email] For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

Re: Auth losting authentication with no reason

Onkel Judith
Same effect here
if you double-click a link you are also logged out. Maybe it's a
security feature?


Re: Auth losting authentication with no reason

Rodrigo Mourão - WebJump
Yes, I think that could be it.

But the bad news is that I have some ajax requests that are sometimes
loading in the background when the user changes the page. At that moment
the ajax load is sometimes canceled and the authentication is lost.

On Mar 18, 10:14 am, Onkel Judith <[hidden email]> wrote:
> Same effect here
> if you double-click a link you are also logged out. Maybe it's a
> security feature?


RE: Auth losting authentication with no reason

Alan Asher
In reply to this post by Onkel Judith
I had the same issue, it's a security feature for sure...
It will also happen if you follow a link from a cached page.

In your app/config/core.php, change your config:write to Configure::write('Security.level', 'medium');

And that should do the trick.  I don't remember where I found the answer to
this... but it has something to do with the 'high' level of security
checking against a unique session key that gets regenerated on each page
request.

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf
Of Onkel Judith
Sent: Thursday, March 18, 2010 6:14 AM
To: CakePHP
Subject: Re: Auth losting authentication with no reason

Same effect here
if you double-click a link you are also logged out. Maybe it's a
security feature?
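
A model of the behaviour described in the post above, added here as an example and not part of the original message or of CakePHP's code: a server that replaces the session ID on every request, and what happens when two requests leave the browser carrying the same cookie. The class, function names and the user "alice" are hypothetical.

```python
import secrets

class SessionStore:
    """Toy server-side session table. Not CakePHP code: it only models the
    behaviour the post describes, a session ID replaced on every request."""

    def __init__(self, rotate_every_request):
        self.rotate = rotate_every_request
        self.sessions = {}  # session ID -> logged-in user (None = anonymous)

    def login(self, user):
        sid = secrets.token_hex(8)
        self.sessions[sid] = user
        return sid

    def handle(self, cookie_sid):
        """Serve one request; return (user seen by the app, ID for Set-Cookie)."""
        if cookie_sid not in self.sessions:
            # Unknown or already-replaced ID: the server starts a fresh,
            # anonymous session, so the app shows the login page.
            cookie_sid = secrets.token_hex(8)
            self.sessions[cookie_sid] = None
        user = self.sessions[cookie_sid]
        if self.rotate:
            new_sid = secrets.token_hex(8)
            self.sessions[new_sid] = self.sessions.pop(cookie_sid)
            cookie_sid = new_sid
        return user, cookie_sid

def browse_sequentially(store, clicks=3):
    """Each request waits for the previous response, so the cookie is current."""
    cookie = store.login("alice")  # constructed sample user
    seen = []
    for _ in range(clicks):
        user, cookie = store.handle(cookie)
        seen.append(user)
    return seen

def double_click(store):
    """Two requests leave the browser carrying the same cookie (double-click,
    repeated F5, or an ajax call still in flight during navigation)."""
    cookie = store.login("alice")
    first, _ = store.handle(cookie)        # response not yet read by the browser
    second, cookie = store.handle(cookie)  # same, now stale, ID is sent again
    third, _ = store.handle(cookie)        # browser keeps the last cookie it got
    return [first, second, third]
```

With rotation on, sequential browsing stays logged in while the overlapping pair ends up anonymous; with rotation off, both cases stay logged in.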


Re: Auth losting authentication with no reason

Rodrigo Mourão - WebJump
Thanks for the help,

But I tried medium and low, and it does not work.

Any suggestion?



On Mar 18, 1:48 pm, "Alan Asher" <[hidden email]> wrote:

> I had the same issue, it's a security feature for sure...
> It will also happen if you follow a link from a cached page.
>
> In your app/config/core.php, change your config:write to Configure::write('Security.level', 'medium');
>
> And that should do the trick.  I don't remember where I found the answer to
> this... but it has something to do with the 'high' level of security
> checking against a unique session key that gets regenerated on each page
> request.
>
> -----Original Message-----
> From: [hidden email] [mailto:[hidden email]] On Behalf
>
> Of Onkel Judith
> Sent: Thursday, March 18, 2010 6:14 AM
> To: CakePHP
> Subject: Re: Auth losting authentication with no reason
>
> Same effect here
> if you double-click a link you are also logged out. Maybe it's a
> security feature?

Re: Auth losting authentication with no reason

ecommy
I had this problem too, but then the website was installed in a
subdirectory for testing. As soon as I went live everything was just
fine!
So I am not sure what the problem was.

On Mar 18, 7:21 pm, Rodrigo Mourão <[hidden email]> wrote:

> Thanks for the help,
>
> But I tried medium and low, and it does not work.
>
> Any suggestion?
>
> On Mar 18, 1:48 pm, "Alan Asher" <[hidden email]> wrote:
>
>
>
> > I had the same issue, it's a security feature for sure...
> > It will also happen if you follow a link from a cached page.
>
> > In your app/config/core.php, change your config:write to Configure::write('Security.level', 'medium');
>
> > And that should do the trick.  I don't remember where I found the answer to
> > this... but it has something to do with the 'high' level of security
> > checking against a unique session key that gets regenerated on each page
> > request.
>
> > -----Original Message-----
> > From: [hidden email] [mailto:[hidden email]] On Behalf
>
> > Of Onkel Judith
> > Sent: Thursday, March 18, 2010 6:14 AM
> > To: CakePHP
> > Subject: Re: Auth losting authentication with no reason
>
> > Same effect here
> > if you double-click a link you are also logged out. Maybe it's a
> > security feature?

Re: Auth losting authentication with no reason

logout
In reply to this post by Alan Asher
Well, I am not an expert, but I also had problems like you guys
describe.

I also used a lot of ajax calls (actually, after the login there was
only ajax). So I lowered the security level to medium and disabled the
cache of the browser with $this->disableCache(); in the beforeFilter()
of the AppController.

A few thoughts though:

If the web server thinks you are just another user, it generates a new
session, right? So your session actually gets lost - broken. But there
is still a session cookie, so the web server should know it is you
until you close the browser or the session expires (timeout). What I
noticed however is that if a normal cookie is used and you read it
every time, there is no problem with the authentication - you continue
to be logged in since your app uses the session saved in the cookie,
right? So if the session gets lost, you read the cookie and you are
logged in again, but this will not bring the old session back. I always
wanted to read an opinion of a specialist on that matter, but every
time someone asks about a session problem, it appears no one can give
a definitive and full answer. Only speculations like mine. And the
common answer here is usually: set your security to medium, because
when it is high, the session key gets regenerated on each page load.
OK, it regenerates, but this doesn't have to be a problem. And why the
session gets lost sometimes no one answers. Does it have something to
do with the web server itself? And if the answer is YES, how
can we deal with that? I know it is out of the scope of Cake, but
I still can't find a full and thorough answer anywhere.


Re: Auth losting authentication with no reason

LunarDraco
This oftentimes has to do with how PHP's session is set up. The Cake
Session object is a wrapper class around the PHP session, so you're still
using the server's session. If you want to understand Cake's Session, it
would be worth your time to learn the basics of PHP's $_SESSION and what
can be done with it.

One common problem is if the link you are following is from a
different HOST. The PHP session has a session.referer_check, which is
set to the HTTPS_HOST for security high and to HTTP_HOST for security
medium; it is not set for security low. This causes the session to be
reset if the referer is not the host that is being called, in other
words if you followed a link from an email or some other server that
points to your app. This also presents when going back and forth
between the root app/domain and a root/sub app/domain, because the
HTTP_HOST can change (if one site is using blah.blah.com and the
other is using localhost or an IP address).

Often we all have code to read in a cookie to remember a user that has
previously logged in. This often just masks and hides the problem, so
we don't notice most of the time when the session was dropped until we
start to rely on a saved value that we thought we saved to the session
or when the user cookie expires and we are redirected to the login
page. So these oftentimes appear very random when in reality they are
not. If you're having what appears to be intermittent session loss, it's
very likely it's occurring more than you think. Some debugging is
needed.

The only difference I can determine between security medium and
security low is timeout duration and setting the php
session.referer_check. I was always concerned about using low, but
I've learned that medium and high only get in the way. So I use low
and deal with security measures in my app_controller to control which
referer I allow to access specific controller actions. This is better
anyway (for my app) as before it was all or nothing.

To monitor your session info and see when it's changing I place some
log statements in my app_controller beforeFilter and/or beforeRender.

// which controller action is being requested
$this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', request:'.$this->name.'.'.$this->action, LOG_DEBUG);
// the session ID seen on this request
$this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', Session.id:'.$this->Session->id(), LOG_DEBUG);
// full dump of the Session object, including its error state
$this->log(__CLASS__.'.'.__FUNCTION__.', line:'.__LINE__.', Session.error:'.print_r($this->Session, true), LOG_DEBUG);

I use the third line to get some detailed debugging. One thing you'll
notice is the session's error will be set to "Config doesn't exist" and
the Session will still be valid. With referer_check set or security
set to medium or high, any link pointing to your site from another
host will have this error and the session will restart on the
following redirect (which is valid behavior most of the time). This
was a problem for me as I was passing control from an asp server to a
cakephp server using a user token and telling Auth to log the user in.
The user would get logged in and then I would redirect to the intended
controller action, at which point the session would reset and the user
would be asked to log in anyway. Setting security to low cleared this
up.

I hope this helps some of you. I know I spent two days debugging and
trying to understand exactly what was going on with my session. The
logging mentioned above proved to be the most help. Be concerned if you
see a lot of sessions with the error "Config doesn't exist" and try
setting security to low.

LunarDraco
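
One way to review the debug log that the three log statements above produce, added here as an example and not part of the original post: it reports each request where the logged session ID differs from the previous request's, and each request whose session dump contains "Config doesn't exist". The log line layout, the sample lines and all function names are assumptions constructed for the example, and it assumes a single browser is exercising the app at a security level that does not replace the ID on every request.

```python
import re

REQUEST_RE = re.compile(r"request:(?P<req>[\w.]+)")
SID_RE = re.compile(r"Session\.id:(?P<sid>\w*)")
CONFIG_ERROR = "Config doesn't exist"

# Constructed sample in an assumed "<date> <time> Debug: <message>" layout.
SAMPLE_LOG = """\
2010-03-18 10:14:01 Debug: AppController.beforeFilter, line:12, request:Users.login
2010-03-18 10:14:01 Debug: AppController.beforeFilter, line:13, Session.id:aaa111
2010-03-18 10:14:02 Debug: AppController.beforeFilter, line:12, request:Orders.index
2010-03-18 10:14:02 Debug: AppController.beforeFilter, line:13, Session.id:aaa111
2010-03-18 10:14:09 Debug: AppController.beforeFilter, line:12, request:Orders.view
2010-03-18 10:14:09 Debug: AppController.beforeFilter, line:13, Session.id:bbb222
2010-03-18 10:14:09 Debug: AppController.beforeFilter, line:14, Session.error:CakeSession Object
    [error] => Config doesn't exist
""".splitlines()

def find_session_resets(lines):
    """Return (resets, config_errors).

    resets: (request, old_id, new_id) for every request whose logged
            session ID differs from the one logged for the previous request.
    config_errors: requests whose Session dump contains the error text.
    """
    resets, config_errors = [], []
    request, last_sid = None, None
    for line in lines:
        m = REQUEST_RE.search(line)
        if m:                      # first statement: start of a new request
            request = m.group("req")
            continue
        m = SID_RE.search(line)
        if m:                      # second statement: compare with previous ID
            sid = m.group("sid")
            if last_sid is not None and sid != last_sid:
                resets.append((request, last_sid, sid))
            last_sid = sid
            continue
        # third statement: print_r output spans several lines
        if CONFIG_ERROR in line and request not in config_errors:
            config_errors.append(request)
    return resets, config_errors
```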
