Zend Framework 1: Setting Session Cookie to Http-Only is not working - zend-framework

So, at this very old project where ZF1 is still running, we tried to set the http-only flag of the session cookie to TRUE.
We already have this line in the application.ini: phpSettings.session.cookie_httponly = true
Then we went to the Session.php of the framework itself. In line 106, there's the setting for cookie_httponly, as seen here: https://github.com/zendframework/zf1/blob/master/library/Zend/Session.php
Instead of null, we tried 'On', 'on' and even true. We even set a breakpoint at line 205, and it went into the if-block during runtime.
And yet, no matter how many times we delete the session cookie in the browser, there is NO flag shown under HttpOnly when the cookie is created again.
We also have Zend_Session::setOptions(array('cookie_httponly' => true)); in the code, as seen here in the index.php:
[...]
/** Zend_Application */
require_once 'Zend/Application.php';
// Create application, bootstrap, and run
$application = new Zend_Application(
    APPLICATION_ENV,
    APPLICATION_PATH . '/configs/application.ini'
);
Zend_Session::setOptions(array('cookie_httponly' => true));
$application->bootstrap('frontend')
            ->run();
We have no clue what else we should try.

I found a method written by some ex-developer, where setcookie is used to create that session cookie. The parameter named httponly was not set (the standard value is false); after I set it to true, it finally worked.
So no matter what I tried (I even tried Rob's suggestions, as seen above), it was this one line that had to be edited.
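The failure mode above, a hand-written setcookie() that bypasses the configured session.cookie_httponly, as an added example that is not part of the original post: the legacy call beside a corrected one, plus an audit of the queued Set-Cookie headers, which is how to confirm the flag actually reached the response regardless of what application.ini says. It assumes PHP 7.3+ (options-array form of setcookie); the PHPSESSID header lines are constructed samples.

```php
<?php
declare(strict_types=1);
// Added example (not from the original post). A hand-rolled setcookie() for the
// session id bypasses session.cookie_httponly, so the flag set in application.ini
// never reaches the browser; this audit reports queued cookies lacking the flags.
// Legacy pattern from the thread: httponly omitted, so it defaults to false.
function legacySessionCookie(string $name, string $value): void
{
    setcookie($name, $value, 0, '/');
}

// Corrected call: HttpOnly explicit, Secure and SameSite added (PHP 7.3+ form).
function hardenedSessionCookie(string $name, string $value): void
{
    setcookie($name, $value, ['expires' => 0, 'path' => '/',
        'secure' => true, 'httponly' => true, 'samesite' => 'Lax']);
}
// Split one Set-Cookie header into the cookie name and lower-cased attribute names.
function parseSetCookie(string $header): array
{
    $parts = array_map('trim', explode(';', preg_replace('/^Set-Cookie:\s*/i', '', $header)));
    $name  = explode('=', array_shift($parts), 2)[0];
    $attrs = [];
    foreach ($parts as $p) {
        $attrs[] = strtolower(explode('=', $p, 2)[0]);
    }
    return ['name' => $name, 'attrs' => $attrs];
}

// Names of queued cookies missing a required attribute. Feed it headers_list()
// before output starts, e.g. from a front-controller plugin's dispatchLoopShutdown().
function cookiesMissingFlags(array $headers, array $required = ['httponly', 'secure']): array
{
    $bad = [];
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') !== 0) {
            continue;
        }
        $c = parseSetCookie($h);
        if (array_diff($required, $c['attrs']) !== []) {
            $bad[] = $c['name'];
        }
    }
    return $bad;
}

// Constructed header lines standing in for headers_list() output:
$sample = ['Set-Cookie: PHPSESSID=abc123; path=/',                                 // legacy
           'Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax']; // hardened
var_dump(cookiesMissingFlags($sample)); // array(1) { [0]=> "PHPSESSID" } from the legacy line
```

Under a web SAPI, wire cookiesMissingFlags(headers_list()) into a plugin hook and log any non-empty result; that catches a stray setcookie() anywhere in the code base, not only the one found here.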

Related

The "state" param from the URL and session do not match

In the Facebook documentation:
require('include/facebook/autoload.php'); // SDK directory
$fb = new Facebook\Facebook([
    'app_id'     => '***********',
    'app_secret' => '***********************'
]);
$helper = $fb->getRedirectLoginHelper();
$permissions = ['email', 'public_profile']; // optional
$loginUrl = $helper->getLoginUrl('http://www.meusite.com.br/login-callback.php', $permissions);
When I direct it to the URL $loginUrl, the return is:
Facebook SDK returned an error: Cross-site request forgery validation failed. The "state" param from the URL and session do not match
I had the same error.
The problem occurred because I did getLoginUrl(...) before getAccessToken().
So get rid of getLoginUrl(...) in the redirected URL and the code should work.
I had the same issue, and for me that error was occurring because I did not put session_start(); in my login.php page code before calling getLoginUrl(..), and also at the top of the login-callback.php page.
Just put session_start(); in your "login" page and "login-callback" page and it will work, just like it is working for me now.
There could be 2 reasons for this error:
you didn't call session_start(); before the getLoginUrl call
you executed getLoginUrl again in login-callback.php, so the state value was regenerated and mismatched the redirected value
Possible fixes: I used the following configuration settings.
Enable WebAuthLogin under the advanced tab. Provide the URL in the WebAuthLogin settings, the same as the one you provide in $loginUrl;
for example, if you use https://example.com/ as $loginUrl, use that same URL in the WebAuthLogin URL:
$loginUrl = $helper->getLoginUrl('https://example.com/', $permissions);
This problem occurs also in case you generate 2 or more login links on the same page (e.g. one for login and another for registration; even if both point to the same URL, they just have different labels).
The Facebook SDK creates/updates $_SESSION[FBRLH_state] for each newly generated login URL. So if there are 2 generated URLs (using $helper->getLoginUrl()) then $_SESSION[FBRLH_state] is rewritten twice and valid only for the last generated URL. The previous login URL becomes invalid. It means that it is not possible to generate 2 valid login URLs. In case 2 identical URLs are needed, return the first one and avoid calling the Facebook SDK to generate the second one.
I had the same problem.
The reason for this error is this --->
When "$helper->getLoginUrl" is called, it creates a session variable "FB_State", and this is something FB uses to match the token. Every time getLoginUrl is called, it creates a new state. Then, after the user has authorized and is redirected back, if your code cannot detect this event and re-runs "$helper->getLoginUrl", this error will occur.
The solution ->
Refine your code: stop running "$helper->getLoginUrl" again if authorized.
If you already re-ran it, then set the session variable for the token to NULL if you have one, so the user can re-authorize again.
When the user tries to re-authorize, they can remove the authorized app once, or you need to generate a new link with "$helper->getReRequestUrl".
Yet, the token has to be fetched by "getAccessToken()" before "$helper->getLoginUrl" or "$helper->getReRequestUrl" runs.
Good Luck!!!!!
Finally, looking into the FB code, I discovered that the problem "Cross-site request forgery validation failed. Required param "state" missing" and similar ones are caused by the PHP variable $_SESSION['FBRLH_state'], which for some "strange" reason is missing when FB calls the login-callback file.
To solve it I store this variable "FBRLH_state" AFTER the call to the function $helper->getLoginUrl(...). It is very important to do it only after the call to this function, because it is inside this function that the variable $_SESSION['FBRLH_state'] is populated.
Below is an example of my code in login.php:
$uri = $helper->getLoginUrl($uri, $permissions);
foreach ($_SESSION as $k => $v) {
    if (strpos($k, "FBRLH_") !== FALSE) {
        if (!setcookie($k, $v)) {
            //what??
        } else {
            $_COOKIE[$k] = $v;
        }
    }
}
var_dump($_COOKIE);
And in login-callback.php, before calling any FB code:
foreach ($_COOKIE as $k => $v) {
    if (strpos($k, "FBRLH_") !== FALSE) {
        $_SESSION[$k] = $v;
    }
}
Last, but not least, remember also to include the code for the PHP session, so:
if (!session_id()) {
    session_start();
}
...
<?php session_write_close() ?>
I hope this response can help you to save 8-10 hours of work :)
Bye, Alex.
This issue was a bit confusing for me, because I had to change a line in the Facebook src file:
src/Facebook/Helpers/FacebookRedirectLoginHelper.php
in the function "validateCsrf", like this:
if ($result !== 0) {
    throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
}
And change it into:
if ($result === 0) {
    throw new FacebookSDKException('Cross-site request forgery validation failed. The "state" param from the URL and session do not match.');
}
I don't know if this violates the Facebook SDK security, so I am truly open to any explanation or recommendation for this answer.
You may also make the following changes in the Facebook app manager:
add your site and callback URL to your Facebook app account at:
Settings -> Advanced: Valid OAuth redirect URIs
Don't forget to add another URL with a slash (/) at the end of each URL, and check all 4 checkboxes under Client OAuth Settings.
I had the same error. Are you using 1 file or 2? I was trying to get by using 1 file but my error was resolved when I split into login.php & fb-callback.php as the documentation recommended. My sessions were being re-written so the state was never saved properly.
Good luck!
Happens when the session is missing a needed variable.
Might be caused by several things.
In my case I left the "www" out of the callback URL.
You could actually be passing the data from another domain... for example:
website.com is different from www.website.com
If you're passing data from http://website.com/login.php to http://www.website.com/fb-callback.php, this would be a cross-domain problem, and the error you are receiving would be because of that....
http://website.com and http://www.website.com are the same, but the script identifies them as different..... hope that gives insight into the problem.
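The state mechanism the answers above describe (a fresh value stored in $_SESSION['FBRLH_state'] for every login URL, compared against the ?state= parameter in the callback), as an added example that is not part of this thread or of the Facebook SDK. The authorize endpoint and redirect URI are constructed placeholders; it assumes PHP 7.1+.

```php
<?php
declare(strict_types=1);
// Added example (not from the original thread or the Facebook SDK). It mirrors the
// behaviour the answers describe: each login URL stores a fresh random state in
// $_SESSION['FBRLH_state'], the callback compares it to the ?state= parameter, and
// a second getLoginUrl()-style call (or a missing session_start()) breaks the first.

const STATE_KEY = 'FBRLH_state';   // session key named in the thread

// Call at the top of login.php AND login-callback.php; without it the callback
// sees an empty $_SESSION and every state check fails.
function ensureSession(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Build a login URL, generating a state and overwriting any previous one:
// this overwrite is why two login links on one page invalidate each other.
function buildLoginUrl(string $authorizeEndpoint, string $redirectUri): string
{
    $state = bin2hex(random_bytes(16));
    $_SESSION[STATE_KEY] = $state;
    return $authorizeEndpoint . '?' . http_build_query([
        'redirect_uri' => $redirectUri, 'state' => $state]);
}

// Callback-side check: constant-time compare, accepted exactly once. Never
// rebuild the login URL before this runs, or the stored state is replaced.
function validateState(?string $urlState): bool
{
    $saved = $_SESSION[STATE_KEY] ?? null;
    if ($saved !== null && $urlState !== null && hash_equals($saved, $urlState)) {
        unset($_SESSION[STATE_KEY]);  // single use
        return true;
    }
    return false;                     // missing session state, missing param, or mismatch
}

// Constructed walk-through with an in-memory $_SESSION (works in the CLI, no cookies).
$_SESSION = [];
$first  = buildLoginUrl('https://idp.example/authorize', 'https://app.example/cb');
$second = buildLoginUrl('https://idp.example/authorize', 'https://app.example/cb');
parse_str(parse_url($first, PHP_URL_QUERY), $q1);
parse_str(parse_url($second, PHP_URL_QUERY), $q2);
var_dump(validateState($q1['state']));  // bool(false): overwritten by the second URL
var_dump(validateState($q2['state']));  // bool(true): only the last generated state is stored
var_dump(validateState($q2['state']));  // bool(false): already consumed
```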

rails devise gem redirect loop

I'm using the devise gem with a rails 4.1.4 app, and needed to add some custom key-value pairs in a session variable right after a user has signed in. I overrode the following methods, as prescribed here: https://github.com/plataformatec/devise/wiki/How-To:-redirect-to-a-specific-page-on-successful-sign-in
after_sign_in_path_for(resource)
after_sign_up_path_for(resource)
after_update_path_for(resource)
after_resetting_password_path_for(resource)
Yet, on signing in, I enter the after_sign_in_path_for multiple times, with the following output:
Started GET "/users/sign_in" for 127.0.0.1 at 2014-10-08 22:56:45 +0530
Processing by Devise::SessionsController#new as HTML
User Load (0.3ms) SELECT "users".* FROM "users" WHERE "users"."id" = 1 ORDER BY "users"."id" ASC LIMIT 1
Redirected to http://localhost:3000/users/sign_in
Filter chain halted as :require_no_authentication rendered or redirected
Completed 302 Found in 3ms (ActiveRecord: 0.6ms)
each time, before finally redirecting me to the root path. (The browser temporarily shows the redirect loop error message before redirecting me to the root).
EDIT:
So turns out that since I have 2 different devise models (users and admins), this line of code in after_sign_in_path_for:
sign_in_url = url_for(:action => 'new', :controller => 'sessions', :only_path => false, :protocol => 'http')
is creating the url "http://localhost:3000/admins/sign_in" instead of "http://localhost:3000/users/sign_in"
How do I make url_for default to the users model and not the admin model?
Thanks!
Ran into this issue myself. For whatever reason, url_for seems to default to the admin (no idea why). The good news is that you don't have to use url_for to accomplish this.
Instead, get rid of
sign_in_url = url_for(:action => 'new', :controller => 'sessions', :only_path => false, :protocol => 'http')
and replace
if request.referer == sign_in_url
with
if request.referer == new_user_session_url
The helper makes your code cleaner and allows you to specify which devise model you want.

Link to an external file in Joomla - work only in test

I have a very strange issue with Joomla 2.5 and I can't find any answer.
I have a page with some links. Each link is like www.myhost.com/joomla/custom_dev/myscript.php?foo=bar. myscript.php is an external script which is not part of Joomla, but I need Joomla's framework for some functions.
So I use the classic code:
// Get Joomla! framework
define('_JEXEC', 1);
define('_VALID_MOS', 1);
define('JPATH_BASE', realpath(dirname(__FILE__) . '/../../'));
define('DS', DIRECTORY_SEPARATOR);
require_once(JPATH_BASE . DS . 'includes' . DS . 'defines.php');
require_once(JPATH_BASE . DS . 'includes' . DS . 'framework.php');
// plain assignment: "=&" on a static call is deprecated and only emits a notice
$mainframe = JFactory::getApplication('site');
$mainframe->initialise();
It works great on my test environment.
But on the live server, I get a 404 error. With FireBug, I saw that the link to the external file doesn't work at all: it goes to a 303 redirect, then to a 404 error.
I tried many things... and now I've found what causes this issue:
$mainframe->initialise();
Without this line, there is no redirect and the link works. But then I don't have the framework functions (and I need them!).
I also tried to access my script directly:
www.myhost.com/joomla/custom_dev/myscript.php?foo=bar with $mainframe->initialise() -> got a 404 error (caused by many 303 redirects)
www.myhost.com/joomla/custom_dev/myscript.php?foo=bar without $mainframe->initialise() -> no error, displays what can be displayed without Joomla's framework...
I hope I was clear enough!
EDIT: I have deleted my custom 404 page, and the true 404 reason is that the category is not found. When I try www.myhost.com/joomla/custom_dev/another_script.php I have no error.
EDIT 2: Another piece of info: it seems that when I use $mainframe->initialise(), it automatically adds the language somewhere in my URL, so it becomes www.myhost.com/joomla/custom_dev/en/myscript.php?foo=bar
Try using this, with a few tweaks and removals:
define('_JEXEC', 1);
define('JPATH_BASE', realpath(dirname(__FILE__)));
require_once(JPATH_BASE . '/includes/defines.php');
require_once(JPATH_BASE . '/includes/framework.php');
require_once(JPATH_BASE . '/libraries/joomla/factory.php');

How to find bugs that cause unclean seed of headers

I don't know if I missed something while developing my application using Zend_Framework, but here's my problem: I can't see any cookies when I run my application on the host server, but on my WAMP server everything worked well..
I store user information in sessions to use it later, so on the host server I can't log in..
I use Zend_Auth and Zend_Acl; here's my bootstrap:
$modelLoader = new Zend_Application_Module_Autoloader(array(
    'basePath'      => APPLICATION_PATH,
    'namespace'     => '',
    'resourceTypes' => array(
        'form' => array('path' => 'forms/', 'namespace' => 'Form_')
    )
));
$this->_acl = new Application_Plugin_Acl();
$this->_auth = Zend_Auth::getInstance();
I also use Zend_Auth getStorage()->write('...') to write info into sessions.
And I have nothing related to sessions in my application.ini.
So, it is WORKING on WAMP but not on host servers. I presume you mean your VPS or dedicated server, or any cloud.
Zend_Auth uses $_SESSION and has many functions operating on it. For instance, $_SESSION['Zend_Auth']['storage'] will give you information about what your hasIdentity() check is looking at.
So, what you should do is paste this somewhere near the code and run it, just for your reference:
echo '<pre>';
print_r($_SESSION);
Also, you can't see the cookies because they are session cookies, which have one reference on the client machine and everything else on the server's file system (if not configured otherwise).
Hope that helps.
Questions?

Zend Routes translate URLs

1) I have a controller "calendar" and an action "showDate" which gets the date via the URL. So, the URL is something like "calendar/show-date/date/2012-07-22".
2) I have a link to display all entries, "calendar/".
So, I want to create routes so my links look like "kalendar/2012-07-22" and "kalendar/".
Can anyone help me?
According to this post:
http://www.z-f.fr/forum/viewtopic.php?id=5138
The solution is to add '#locale' => $lang to the params.
$this->url(array('lang'=>'it','#locale'=>'it'))
It works very well for me.
I've been looking into translating the URL with Zend_Translate and I came across this site's plugin that attempts to auto-translate URL segments (module/controller/action).
http://blog.helmich.cz/305-howto-simple-multilingual-routes-in-zend-framework/
The nice thing is that it's a modified custom router class that can function similarly to Zend_Router, so it's relatively familiar off the bat.
$pages = new MyApp_Controller_Router_Route(
    ':locale/:#controller/:#action/*',
    array(
        'controller' => 'index',
        'action'     => 'index',
        'locale'     => 'cs'
    )
);
$router->addRoute('pages', $pages);
The thing you'll need is to have a language ID in your URL (called :locale in the above example) so your Zend_Translate can set the proper language.
www.example.com/en/calendar/2012-06-22/
www.example.com/fr/calendrier/2012-06-22/
www.example.com/de/kalender/2012-06-22/
www.example.com/it/calendario/2012-06-22/
I've only slightly played around with this concept but I recall that it had promise. You'll have to get more familiar with Zend_Translate: http://framework.zend.com/manual/en/zend.translate.html
I hope that helps!
Cheers!
You could re-route all calls of calendar to kalendar. There are two possibilities: either you do it with Zend (preferable) or you change your webserver configuration to rewrite calls to calendar with an HTTP 302 (ugly).
You should however consult the official Zend documentation, which is pretty good.
You have to set up custom routes; this is my way:
In the folder application/configs/ create a file named "routes.ini".
Put your route in the file:
;index-homepage, parameter date isn't required
;"index" is key of your route
routes.index.route = "kalendar/:date"
routes.index.defaults.controller = calendar
routes.index.defaults.action = show
routes.index.defaults.date =
Then in your bootstrap.php load that config file:
protected function _initRoute() {
    $router = Zend_Controller_Front::getInstance()->getRouter();
    $router->addDefaultRoutes();
    $config = new Zend_Config_Ini(APPLICATION_PATH . '/configs/routes.ini');
    $router->addConfig($config, 'routes');
}
And that's it; you can call the URL
www.website.com/kalendar
and
www.website.com/kalendar/2012-1-1
See answers in this question for details:
Simple rewrites in Zend Framework