Closed noxify closed 10 years ago
I think that has to do with your session store settings. Is your session using files, cookies, memcached, redis or?
----- Reply message ----- From: "Marcus Reinhardt" notifications@github.com To: "dre1080/warden" warden@noreply.github.com Subject: [warden] Login without Cookie (#51) Date: Wed, Feb 5, 2014 23:45
Hi,
after several times I found the time to update my fuel-administrator package.
Warden is working fine even when I use the "Remember Me" functionality.
But if I want to use Warden without cookies I can't login.
I got the flash message that the login was successful, but I'm not logged in.
You can test it here:
http://webstone.info/fuel-adminify/public/
E-Mail: admin@local.tld
Password: password
I checked the code but for me it looks okay.
Is it possible to use Warden without cookies?
Where in the warden package will the session be set if I don't use the remember me function (cookies)?
Thanks.
Hi,
At first I used the database as storage, but I changed it to "file". I've also tested it with cookie as the driver, but it does not work :(
My app/config/session.php is the following:
```php
<?php
return array(
    'auto_initialize'        => true,
    'driver'                 => 'file',
    'match_ip'               => false,
    'match_ua'               => true,
    'cookie_domain'          => '',
    'cookie_path'            => '/',
    'cookie_http_only'       => NULL,
    'encrypt_cookie'         => true,
    'expire_on_close'        => false,
    'expiration_time'        => 7200,
    'rotation_time'          => 300,
    'flash_id'               => 'flash',
    'flash_auto_expire'      => true,
    'flash_expire_after_get' => true,
    'post_cookie_name'       => '',
    'header_header_name'     => 'Session-Id',
    'enable_cookie'          => true,
    'cookie' => array(
        'cookie_name' => 'fuelcid',
    ),
    'file' => array(
        'cookie_name'    => 'fuelfid',
        'path'           => APPPATH.'/tmp',
        'gc_probability' => 5,
    ),
    'memcached' => array(
        'cookie_name' => 'fuelmid',
        'servers'     => array(
            'default' => array(
                'host'   => '127.0.0.1',
                'port'   => 11211,
                'weight' => 100,
            ),
        ),
    ),
    'db' => array(
        'cookie_name'    => 'fueldid',
        'database'       => null,
        'table'          => 'sessions',
        'gc_probability' => 5,
    ),
    'redis' => array(
        'cookie_name' => 'fuelrid',
        'database'    => 'default',
    ),
);
/* End of file session.php */
```
The folder "app/tmp/" has CHMOD 777 and FuelPHP also wrote some files, so I don't think that it is a write permission problem...
Now I changed the driver again to cookie and checked the session information (disabled cookie encryption) and I got the following result after login without Remember me:
a:3:{i:0;a:7:{s:10:"session_id";s:32:"425ab0fe3fe1a28d6c9d97b1fbf09737";s:7:"ip_hash";s:32:"337b0db6ccb90b6fe3ca8c0abae9181c";s:10:"user_agent";s:120:"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.107 Safari/537.36";s:7:"created";i:1391645015;s:7:"updated";i:1391645015;s:7:"payload";s:0:"";s:11:"previous_id";s:32:"226db7d8fb09af28919157c25fe30f21";}i:1;a:1:{s:6:"warden";a:1:{s:4:"user";a:1:{s:2:"id";s:1:"1";}}}i:2;a:1:{s:15:"flash::messages";a:2:{s:5:"state";s:3:"new";s:5:"value";a:0:{}}}}
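A small inspector for a dump like the one above, as an added example that is not part of the original thread or of Warden: it decodes an unencrypted cookie-driver payload and reports whether a Warden user id was written, which separates "the login was never persisted" from "the login was persisted but the logged-in check fails". The function name and both sample payloads are constructed for illustration, and the code needs PHP 7.1 or later.

```php
<?php
/**
 * Hypothetical helper (not Warden or FuelPHP code).
 * Expects the layout seen in the dump: [0] session keys, [1] user data, [2] flash data.
 * Returns the stored Warden user id, or null if none is present.
 */
function warden_user_id_from_payload(string $payload): ?string
{
    // Cookie contents are client-controlled: forbid object instantiation.
    // '@' silences the notice PHP raises when the input is not serialized data.
    $data = @unserialize($payload, ['allowed_classes' => false]);

    if (!is_array($data) || !isset($data[0], $data[1]) || !is_array($data[1])) {
        return null; // not a session payload of the expected shape
    }

    $id = $data[1]['warden']['user']['id'] ?? null;

    // Accept only a plain numeric id; anything else counts as "not logged in".
    if ((is_string($id) || is_int($id)) && ctype_digit((string) $id)) {
        return (string) $id;
    }
    return null;
}

// Constructed sample mirroring the structure of the dump in this thread.
$logged_in = serialize(array(
    array(
        'session_id' => str_repeat('0', 32),
        'created'    => 1391645015,
        'updated'    => 1391645015,
    ),
    array('warden' => array('user' => array('id' => '1'))),
    array('flash::messages' => array('state' => 'new', 'value' => array())),
));

// Constructed sample of a session that carries no Warden entry.
$anonymous = serialize(array(
    array('session_id' => str_repeat('0', 32)),
    array(),
    array(),
));

var_dump(warden_user_id_from_payload($logged_in));
var_dump(warden_user_id_from_payload($anonymous));
var_dump(warden_user_id_from_payload('not-serialized'));
```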
It should work without cookies.
Session is set here: https://github.com/dre1080/warden/blob/master/classes/warden/driver.php#L325
and is used here: https://github.com/dre1080/warden/blob/master/classes/warden/driver.php#L65
What method are you using to check a user is logged in? Are you using roles? If so, does the user have the default role if set?
Hi,
my login action is the following:
```php
public function action_login()
{
    //check that the current user is not already logged in
    if ( \Warden::check())
    {
        \Messages::warning( \Lang::get('login_already') );
        \Response::redirect('/');
    }

    if (\Input::method() === 'POST')
    {
        try
        {
            $remember = (\Input::post('remember_me')==1) ? true : false;
            $user = \Warden::authenticate(\Input::post('username_or_email'), \Input::post('password'), $remember);

            if($user)
            {
                //login was successful
                \Messages::success( \Lang::get('login_success') );
                \Response::redirect('/');
            }
            else
            {
                //invalid username and/or password
                \Messages::error( \Lang::get('login_error') );
                \Response::redirect('login');
            }
        }
        catch (\Warden\Warden_Failure $ex)
        {
            //something goes wrong in the warden package
            \Messages::error($ex->getMessage());
            \Response::redirect('login');
        }
    }

    return \Theme::instance()
        ->get_template()
        ->set( 'content',
            \Theme::instance()->view('login')
        );
}
```
I have added the "session" class to the auto_load array in the config.php (to be sure that the class is loaded).
I have two roles
1 - User (Default) 2 - Admin
The Test User has only the Admin Role.
ANNNDDDOOOO ... You made my day (or night here in Germany ;) ) DAMN... I used warden several times and now this stupid mistake...
After setting the users role also to my test user it works as designed.
Thanks...
Now it is working fine!
Hi,
after several times I found the time to update my fuel-administrator package.
Warden is working fine even when I use the "Remember Me" functionality. But if I want to use Warden without cookies I can't login.
I got the flash message that the login was successful, but I'm not logged in.
You can test it here:
http://webstone.info/fuel-adminify/public/ E-Mail: admin@local.tld Password: password
I checked the code but for me it looks okay.
Is it possible to use Warden without cookies? Where in the warden package will the session be set if I don't use the remember me function (cookies)?
In my config.php I have set an offset of 7200 and "Europe/Berlin" as the timezone.
Tested it locally (OSX, MAMP, PHP 5.4) and on my webserver (Linux, PHP 5.4) with the same result.
Thanks.