ZF-Commons / zfc-rbac

Role-based access control module to provide additional features on top of Zend\Permissions\Rbac
BSD 3-Clause "New" or "Revised" License

Very strange session regeneration issue when using ZfcUser with ZfcRbac #369

Closed rarog closed 7 years ago

rarog commented 7 years ago

I get a very strange session regeneration issue. It's enough to have ZfcUser and ZfcRbac active.

My session is mostly set up like in the Zend SessionManager tutorial. If I activate ZfcRbac with the default auth module from its config, then I get a new cookie every time I actively use session_regenerate_id or if in ZfcUser\Authentication\Storage\Db the line "new Storage\Session" is called. On each reload I get a new cookie with a new session. If ZfcRbac isn't included in my application, then session_regenerate_id or the mentioned call in ZfcUser\Authentication\Storage\Db do not provoke a new session.

What could cause such an issue?

basz commented 7 years ago

Perhaps an Error while it saves or retrieves the user entity? I have found that serialized entities must be reattached to the entity manager.


rarog commented 7 years ago

I found the reason and now have a workaround. But I'm not sure if this can be fixed properly otherwise or should just be a NOTA BENE to prevent such behaviour.

ZfcRbac was included before Application in my application's modules.config.php. This triggered in ZfcUser\Authentication\Storage\Db the line "new Storage\Session", and this created a session object before my application created its own. This also created 2 cookies: PHPSESSID first, and later, through my application bootstrap, the one with my cookie name. When I experimented with removing my own session name, it worked. After putting ZfcRbac after Application, and thus ensuring that a session is already created and named properly, the problem was gone.
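
A guard against the ordering problem described in the comment above, as an added example (not code from ZfcRbac, ZfcUser or the thread participants): it checks the module list for modules loaded ahead of Application and fails fast if a session is already active under a different cookie name. The function names, the module lists and the cookie name MYAPPSESSID are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/** Return the modules from $mustLoadAfter that are listed before $first. */
function modulesLoadedTooEarly(array $modules, string $first, array $mustLoadAfter): array
{
    $firstPos = array_search($first, $modules, true);
    if ($firstPos === false) {
        throw new InvalidArgumentException("Module '$first' is not in the module list");
    }
    $early = [];
    foreach ($mustLoadAfter as $name) {
        $pos = array_search($name, $modules, true);
        if ($pos !== false && $pos < $firstPos) {
            $early[] = $name;
        }
    }
    return $early;
}

/** Fail fast if a session is already active under a different cookie name. */
function assertSessionNotStartedUnderOtherName(string $expectedName): void
{
    if (session_status() === PHP_SESSION_ACTIVE && session_name() !== $expectedName) {
        throw new RuntimeException(sprintf(
            "Session already started as '%s' before the application set '%s'",
            session_name(),
            $expectedName
        ));
    }
}

// Constructed module lists (not taken from the thread): the first has ZfcRbac
// ahead of Application, as in the report; the second is the corrected order.
$reported  = ['ZfcUser', 'ZfcRbac', 'Application'];
$corrected = ['ZfcUser', 'Application', 'ZfcRbac'];

var_dump(modulesLoadedTooEarly($reported, 'Application', ['ZfcRbac']));
var_dump(modulesLoadedTooEarly($corrected, 'Application', ['ZfcRbac']));

// MYAPPSESSID is a hypothetical cookie name. Call this in the application's
// bootstrap, before the session name is configured and the session is started.
assertSessionNotStartedUnderOtherName('MYAPPSESSID');
```

The order check can run in a deployment test against the array returned by modules.config.php, while the session check belongs at the top of the application's own bootstrap.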

basz commented 7 years ago

Great