UnionOfRAD / lithium

li₃ is the fast, flexible and most RAD development framework for PHP
http://li3.me
BSD 3-Clause "New" or "Revised" License

Auth class always using cookie session storage over php #1006

Closed leemason closed 9 years ago

leemason commented 11 years ago

I'm trying (without luck) to set the sessions used by my app to use the PHP adapter and not the default cookie method.

I'm not a super wiz, but I know a bit, and I'm pretty sure cookie session storage is a bad idea, so first: why is cookie storage the default????

My real problem is I can't seem to tell the Auth class to use my predefined session adapters.

Here is my connections file:

<?php
/**
 * Lithium: the most rad php framework
 *
 * @copyright     Copyright 2013, Union of RAD (http://union-of-rad.org)
 * @license       http://opensource.org/licenses/bsd-license.php The BSD License
 */

/**
 * This configures your session storage. The Cookie storage adapter must be connected first, since
 * it intercepts any writes where the `'expires'` key is set in the options array.
 * The default name is based on the lithium app path. Remember, if your app is numeric or has
 * special characters you might want to use Inflector::slug() or set this manually.
 */
use lithium\storage\Session;

Session::config(
    array(
        'cookie' => array(
            'adapter' => 'Cookie',
            'name' => SESSION_NAME . '_cookie',
            'expire' => '+1 day',
            'httponly' => true
        ),
        'default' => array(
            'adapter' => 'Php',
            'session.name' => SESSION_NAME,
            'strategies' => array(
                 'Encrypt' => array('secret' => SESSION_SECRET)
            )
        ),
        'client' => array(
            'adapter' => 'Php',
            'session.name' => md5( SESSION_NAME ),
            'strategies' => array(
                 'Encrypt' => array('secret' => md5( SESSION_SECRET ) )
            )
        ),
        'contact' => array(
            'adapter' => 'Php',
            'session.name' => md5( SESSION_NAME . '_contact' ),
            'strategies' => array(
                 'Encrypt' => array('secret' => md5( SESSION_SECRET . '_contact' ) )
            )
        ),
        'admin' => array(
            'adapter' => 'Php',
            'session.name' => md5( SESSION_NAME . '_admin' ),
            'strategies' => array(
                 'Encrypt' => array('secret' => md5( SESSION_SECRET . '_admin' ) )
            )
        )
    )
);

/**
 * Uncomment the lines below to enable forms-based authentication. This configuration will attempt
 * to authenticate users against a `Users` model. In a controller, run
 * `Auth::check('default', $this->request)` to authenticate a user. This will check the POST data of
 * the request (`lithium\action\Request::$data`) to see if the fields match the `'fields'` key of
 * the configuration below. If successful, it will write the data returned from `Users::first()` to
 * the session using the default session configuration.
 *
 * Once the session data is written, you can call `Auth::check('default')` to check authentication
 * status or retrieve the user's data from the session. Call `Auth::clear('default')` to remove the
 * user's authentication details from the session. This effectively logs a user out of the system.
 * To modify the form input that the adapter accepts, or how the configured model is queried, or how
 * the data is stored in the session, see the `Form` adapter API or the `Auth` API, respectively.
 *
 * @see lithium\security\auth\adapter\Form
 * @see lithium\action\Request::$data
 * @see lithium\security\Auth
 */
use lithium\security\Auth;

Auth::config(
    array(
        'client' => array(
            'adapter' => 'Form',
            'model' => 'Clients',
            'fields' => array('email', 'password'),
            'session' => array(
                'persist' => array('id')
            )
        ),
        'contact' => array(
            'adapter' => 'Form',
            'model' => 'Contact',
            'fields' => array('email', 'password'),
            'session' => array(
                'persist' => array('id')
            )
        ),
        'admin' => array(
            'adapter' => 'Form',
            'model' => 'Admin',
            'fields' => array('email', 'password'),
            'session' => array(
                'persist' => array('id')
            )
        )
    )
);

?>

As you can see, I'm trying to segment all my auths into separate sessions (the end game is to use MySQL session storage, but for now I just need the PHP adapter).

What am I doing wrong?

If I remove the cookie or default session configs my logins break. For reference, SESSION_NAME is a constant defined elsewhere; it's nothing special.

Regardless of what I do, I see cookies being set with everything I try, and the PHP $_SESSION var is always empty.
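The thread identifies the symptom (Auth data keeps landing in cookies, `$_SESSION` stays empty) but never shows a configuration that avoids it, so here is an added example. It is my code, not from the issue or from the Lithium project, and it rests on two assumptions drawn from my reading of `lithium\security\Auth` rather than from anything on this page: the `'session'` key of an Auth config accepts `'key'` (the slot Auth reads and writes, defaulting to the config name) and `'options'` (passed straight through to `Session::read()`/`Session::write()`); and `Session::write()` with no `'name'` option fans the write out to every configured adapter, so the Cookie adapter receives the Auth payload unless the write is pinned to one configuration. `SESSION_NAME` and `SESSION_SECRET` are the poster's own constants. The helper function name and the `'session.cookie_secure'` setting are mine; the latter is the standard PHP ini directive and assumes an HTTPS-only deployment.

```php
<?php
// Added example reworking the poster's session/auth bootstrap (not the
// project's code). Goal: authentication state lives only in the encrypted,
// server-side PHP session; the browser carries a session id, not user data.
use lithium\storage\Session;
use lithium\security\Auth;

Session::config(array(
	// Kept for non-sensitive, client-side state (flash messages etc.).
	// Because every Auth config below names 'default' explicitly (assumption:
	// the 'name' option pins a write to one adapter), nothing Auth stores
	// ends up in this cookie.
	'cookie' => array(
		'adapter'  => 'Cookie',
		'name'     => SESSION_NAME . '_cookie',
		'expire'   => '+1 day',
		'httponly' => true
	),
	// One server-side session. PHP starts at most one native session per
	// request, so several 'Php' configs with different 'session.name' values
	// would still share the same $_SESSION; per-audience segmentation comes
	// from the Auth 'key' instead (see li3AuthConfig below).
	'default' => array(
		'adapter'                 => 'Php',
		'session.name'            => SESSION_NAME,
		'session.cookie_httponly' => true,
		'session.cookie_secure'   => true, // HTTPS-only deployment assumed
		'strategies'              => array(
			'Encrypt' => array('secret' => SESSION_SECRET)
		)
	)
));

/**
 * Builds one Form-adapter Auth configuration (hypothetical helper, added
 * here to avoid repeating the block three times).
 *
 * @param string $model Model class the credentials are checked against.
 * @param string $key   Session slot for this audience ('client', 'admin', ...).
 *                      Distinct keys keep the three logins apart even though
 *                      they share one $_SESSION.
 * @return array
 */
function li3AuthConfig($model, $key) {
	return array(
		'adapter' => 'Form',
		'model'   => $model,
		'fields'  => array('email', 'password'),
		'session' => array(
			'key'     => $key,
			'options' => array('name' => 'default'), // assumption: pins the store
			'persist' => array('id')                  // only the id, never the hash
		)
	);
}

Auth::config(array(
	'client'  => li3AuthConfig('Clients', 'client'),
	'contact' => li3AuthConfig('Contact', 'contact'),
	'admin'   => li3AuthConfig('Admin',   'admin')
));

/**
 * Quick check to run from a controller after a successful
 * Auth::check($name, $this->request): returns true when the login is held
 * only by the server-side session and the cookie adapter knows nothing of it.
 */
function li3AuthIsServerSideOnly($name) {
	$server = Session::read($name, array('name' => 'default'));
	$cookie = Session::read($name, array('name' => 'cookie'));
	return $server !== null && $cookie === null;
}
```

With this in place the only cookie the browser receives for authentication is the native `SESSION_NAME` session id; the user record sits in `$_SESSION`, encrypted by the `Encrypt` strategy. Switching the `'default'` entry to a database-backed adapter later (the poster's stated end goal) changes nothing in the `Auth::config` half, because Auth only ever addresses the session configuration by name.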

chuckwh commented 11 years ago

I'm also having this problem. Any Lithium guys care to comment? I'd even be happy using encrypted cookies, since I'm not storing critical stuff in them, but plain-text cookies are bad. The problem for me happens on any page where I'm using the Auth class, but my entire site is HTTPS, so not using that is not an option. I've tried similar stuff as the original poster.

I would rather, however, use MongoDB to handle my sessions. I've tried downloading a plugin for that, but it's not working either. If someone has a working example of getting sessions to work with either encrypted cookies or, better, MongoDB, with a full example of how to make it work, I'd really appreciate that. I need something that works with an Auth::check(). Thanks

fitzagard commented 11 years ago

@chuckwh Here is an implementation using MongoDB to handle your sessions - https://gist.github.com/fitzagard/7072287

chuckwh commented 11 years ago

@fitzagard - Hey, thanks, I really appreciate the link. I tried this but I'm still having trouble. I am getting a null value passed on `_data` in the Model.php class:

public function write($key, $value = null, array $options = array()) {
    $_data =& $this->_data; // $_data is null
    $test = $_data;
    $test2 = $_data;
    return function($self, $params, $chain) use (&$_data) {
        $_data->set(array($params['key'] => $params['value']));
        return true;
    };
}

And my session.php looks like:

'default' => array(
    'adapter' => 'app\extensions\adapter\session\Model',
    'model' => 'Sessions'
),

where Sessions is Sessions.php with a class by that name. I created an empty MongoDB collection called "sessions", but it really looks like Model.php is not aware of the collection for some reason. Model.php IS setting key/value pairs on the session items, though - I can see that in the debugger, and then after the above failure cookies get set.

I'll keep debugging, but I am posting this in case I am missing something obvious. Again, thanks for the link and code. It does feel like it is heading me in the right direction.

chuckwh commented 11 years ago

@fitzagard It works! Thanks again. My problem associated with above code was that I had used a "default" session name in the configuration. When I renamed it, everything whizzed along like magic. Thanks so much for demonstrating the power of collaborative development! :-)

mariuswilms commented 10 years ago

Related #457

mariuswilms commented 9 years ago

Closing in favor of #457.