Zend session does not get destroyed on window close - zend-framework

My Zend session (I am using Zend_Session_Namespace) does not get destroyed on window close. I thought that was the default behavior and I would really like it to be. Any idea?

Check for and delete any line like this in your application.ini file:
    remember_me_seconds = 864000
In the login controller use the following piece of code, then it should work fine:
    $remember = $form->getValue("remember");
    if ($remember == "yes") {
        $seconds = 60 * 60 * 24 * 30; // remember for 30 days
        Zend_Session::rememberMe($seconds);
    } else {
        Zend_Session::forgetMe();
    }

I don't know if this helps but here goes.
There are two ways to 'destroy' a session.
On the client side - the cookie
On the server side - the session namespace
The session on the browser is not really destroyed when the browser window is closed. What happens is that the browser will delete the cookie. When the browser goes to your site again it doesn't have a cookie anymore and has to get a new session.
If you set the 'life' of a session to be really short, then the session will be deleted on the server really quickly. Even if a browser with a cookie comes along, if there is no matching session on the server then it will end up getting a new session.
You have to find a way to set the cookie parameter that tells the browser to delete it on window close. I'm not sure what portion the rememberMe() function acts on, whether it's the cookie or the session on the server.
If you set this parameter, the browser will delete the cookie on window close and you'll have 'deleted' the session on the browser side.

Related

Cookies set in Windows.Web.Http.HttpRequestMessage are ignored on redirects

I'm using HttpRequestMessage, and adding a cookie in an IHttpFilter as follows:
    public IAsyncOperationWithProgress<HttpResponseMessage, HttpProgress> SendRequestAsync(HttpRequestMessage request)
    {
        var c = new HttpCookiePairHeaderValue("SSOAutologonCertificate", "true");
        request.Headers.Cookie.Add(c);
        return InnerFilter.SendRequestAsync(request);
    }
Using Fiddler I can see that the cookie is correctly added to the outgoing request. However, the reply is an auto-redirect. When fiddler captures that outgoing request, that cookie is no longer set in the http header - it seems to have been forgotten.
Is this expected behavior? Or a bug? If it is expected behavior, is there anything I can do to alter it?
If, on the other hand, I add the cookie to the Cookie collection on a HttpBaseProtocolFilter object, then everything works as expected, and the cookie is there for every auto-redirect query. Of course, while that will work for now, that totally defeats the purpose of an IHttpFilter. :-) This behavior was observed on a Windows Store app (running on Windows 10 tech preview).
BTW, I spent some time trying to figure out how to step into the .NET source for the Windows.Web.Http namespace, but nothing seemed to work (I can step into other .NET source). Is there a special trick for these Windows component files (the module is Windows.Web.winmd)?
Thanks in advance!

How to destroy cookies when idle in Dancer (Perl) using Dancer::Session::Cookie?

Is there a built-in way to destroy a session cookie generated by Dancer::Session::Cookie after a certain amount of minutes of it being idle? I noticed that it doesn't even destroy the session when I restart either the Nginx or Starman server, which is not what I want (for security reasons).
If there is no built in way is there anything inherently wrong with storing the last time the session was active in an SQL database and updating it after every action? Then if more than 15 minutes or so have gone by without that entry being updated the session cookie will be destroyed (with session->destroy). That doesn't seem like the best solution but maybe that's the only way. From my understanding you can also manually set a cookie expiration time in the HTTP header but that would only destroy the cookie on the client-side, correct?
I think you want to do the reverse.
When you generate the cookie, use the expires attribute to set it to, say, "15 minutes":
https://metacpan.org/pod/Dancer::Cookie#expires
Then every time you do something for that session, call the Dancer::Cookie init method:
https://metacpan.org/pod/Dancer::Cookie#init
... to refresh the cookie (if you're not using the default path, pass in the path).
The user's browser should expire the cookie for you after the given time.
(I have not actually tried this, but the code implies it should work - the documentation for the init method could certainly be clearer)

Different GWT applications running on same server interfere with each other from same browser

I have a GWT application on Jetty. After configuring different access ports etc., a user can start this application many times (for example 2 times) on the same server machine. We noticed that when accessing those two different instances from the same browser, they interfere with each other, e.g., one kicks the other's session out.
If accessing from different browsers, e.g., IE and Firefox or Chrome, there is no problem.
Of course, there is no problem if two applications are running from different servers.
Does anyone see same behavior before? How to fix this problem?
If your server uses cookies to maintain sessions, and both browser instances share the same set of cookies, then when the second one logs in, it must kick the first one out - how can the same cookie have more than one value?
Options to try:
don't use cookies to track sessions
don't require the second tab/window to log in, but recognize that it is already logged in
don't support the same user pretending to be two users at one time
JSESSIONID is used for protection from cross-site request forgery attacks. Check how you set this cookie. Typically, you would set it like this:
<script type="text/javascript">
var info = "<%=XsrfTokenUtil.getToken(request.getSession().getId()) %>";
</script>
If you do it this way, you should get the same token (value) for each browser window, as long as you have a single session. Try to find out why you set a new value every time.
Also, if you need an ability to have multiple windows, you can allow duplicate cookies in XsrfTokenUtil:
final Cookie sessionCookie = getCookie(cookies, "JSESSIONID", false);
Replace false with true to allow duplicate cookies.

Facebook logout not working (session always recreated). CakePHP + Facebook plugin

So, I've been at this for a while now, went through a bunch of different questions, and still no solution.
If I log in regularly, all is fine, I can logout as expected. But, if I login with facebook (authorize the app), then there is no way to logout unless I manually delete the cookies from within my browsers menu.
Following that logic, I wanted to destroy the cookies in the logout action using this code (after I modified my session settings to work across subdomains, for my particular case):
    function logout() {
        if ($this->Cookie->read('Auth.User')) {
            $this->Cookie->delete('Auth.User');
        }
        $this->Auth->logout();
        unset($_SESSION['fb_MYAPP_ID_user_id']);
        unset($_COOKIE['fbm_MYAPP_ID']);
        unset($_COOKIE['fbsr_MYAPP_ID']);
        unset($_COOKIE['CAKEPHP']);
        //pr($_SESSION);pr($_COOKIE);exit(); //here I see that the cookies are in fact deleted
        $this->redirect($this->Auth->logout());
        $this->redirect('/login');
    }
But every time after the logout redirect it brings the user back, logged in, and the session/cookies recreated.
I went through a lot of SO questions and answers and none worked for me. Any ideas?
You cannot simply unset cookies from the cookie container, this is just the server side representation of the cookies contained in the request.
To delete cookies you need to set the exact same cookie (domain, path, name) but with an expiration that has passed - when read by the client this will cause the cookie to not be sent with the next request.
You can see how this is done in https://github.com/facebook/facebook-php-sdk/blob/master/src/base_facebook.php#L132.
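The four cookie questions on this page (the Zend session that survives window close, the Dancer idle timeout, the two GWT tabs that kick each other out, and the CakePHP cookies that cannot be unset server-side) all come down to the same client-side rules from RFC 6265. The toy cookie jar below is an added example written for this page, not code from any of the posts or from Zend, Dancer, GWT or CakePHP. It models only what a browser does with Set-Cookie: a cookie with no Expires/Max-Age lives until the browsing session ends, a cookie re-sent with an expiry in the past is deleted, a re-sent cookie with a fresh Max-Age gets a sliding deadline, and two tabs share one slot per cookie name. The jar keys cookies by name only (a real jar also uses domain and path), and the cookie names and values are constructed stand-ins for the framework defaults, not values taken from the questions.

```python
"""Toy browser cookie jar (added example; not from any post above).
Keys cookies by name only; a real jar also keys on domain and path."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional, Tuple

# Fixed clock so the example is deterministic (constructed value).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)


def parse_set_cookie(header: str, now: datetime = NOW) -> Tuple[str, str, Optional[datetime]]:
    """Return (name, value, expiry); expiry None means a session cookie.
    RFC 6265 section 5.3: Max-Age takes precedence over Expires."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    max_age = expires = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val)
    if max_age is not None:
        return name, value, now + timedelta(seconds=max_age)  # Max-Age<=0: already expired
    return name, value, expires


class CookieJar:
    def __init__(self) -> None:
        self.cookies: Dict[str, Tuple[str, Optional[datetime]]] = {}

    def receive(self, set_cookie: str, now: datetime = NOW) -> None:
        """Handle one Set-Cookie header the way a browser does."""
        name, value, expiry = parse_set_cookie(set_cookie, now)
        if expiry is not None and expiry <= now:
            # The only way a server can delete a cookie: resend it already expired.
            self.cookies.pop(name, None)
        else:
            # One slot per name: a second tab's login overwrites the first.
            self.cookies[name] = (value, expiry)

    def cookie_header(self, now: datetime = NOW) -> str:
        """Cookie: header for the next request; expired entries are purged."""
        self.cookies = {n: c for n, c in self.cookies.items() if c[1] is None or c[1] > now}
        return "; ".join(f"{n}={v}" for n, (v, _) in self.cookies.items())

    def close_browser(self) -> None:
        """End of browsing session: cookies with no Expires/Max-Age are dropped."""
        self.cookies = {n: c for n, c in self.cookies.items() if c[1] is not None}


def demo_window_close(remember: bool) -> str:
    """Zend question: rememberMe() re-issues the cookie with a lifetime, so it
    survives window close; forgetMe() leaves a plain session cookie that does not."""
    jar = CookieJar()
    if remember:
        jar.receive("PHPSESSID=s1; Path=/; Max-Age=864000; HttpOnly")  # remember_me_seconds
    else:
        jar.receive("PHPSESSID=s1; Path=/; HttpOnly")
    jar.close_browser()
    return jar.cookie_header()


def demo_idle_timeout(idle_minutes: int) -> bool:
    """Dancer answer: re-issue the cookie with Max-Age on every request; once the
    user is idle longer than that, the browser stops sending it."""
    jar = CookieJar()
    t = NOW
    for _ in range(3):  # three requests five minutes apart, each refreshing the deadline
        jar.receive("dancer.session=xyz; Path=/; Max-Age=900", now=t)
        t += timedelta(minutes=5)
    t += timedelta(minutes=idle_minutes)  # then the user goes idle
    return jar.cookie_header(now=t) != ""


def demo_two_tabs() -> str:
    """GWT question: both tabs share the jar, so the second login's JSESSIONID
    replaces the first and the first tab's session is gone."""
    jar = CookieJar()
    jar.receive("JSESSIONID=tab1-session; Path=/")
    jar.receive("JSESSIONID=tab2-session; Path=/")
    return jar.cookie_header()


def demo_server_delete() -> str:
    """CakePHP question: unset($_COOKIE['CAKEPHP']) changes nothing in the jar;
    re-sending the cookie with a past Expires is what removes it."""
    jar = CookieJar()
    jar.receive("CAKEPHP=sess1; Path=/")
    jar.receive("CAKEPHP=deleted; Path=/; Expires=Thu, 01 Jan 1970 00:00:01 GMT")
    return jar.cookie_header()


if __name__ == "__main__":
    print(repr(demo_window_close(False)), repr(demo_window_close(True)))
    print(demo_idle_timeout(5), demo_idle_timeout(20), demo_two_tabs(), repr(demo_server_delete()))
```

Two caveats a practitioner should keep in mind: a browser with session restore enabled may keep "session" cookies across a restart, so the client-side rule is not a security boundary and the server-side session lifetime (Zend's gc_maxlifetime, Dancer's session store) still has to be enforced; and a cookie is only deleted when the expired Set-Cookie matches the original's name, domain and path exactly, which is why the CakePHP logout has to be done through a response header rather than by editing $_COOKIE.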
I ended up using a combination of the following answers:
CakePHP + Facebook
$facebook->getSession() call breaks page below the call
The code on the first one is more complete, but is outdated. I also kept the unset() calls that I have in my question, and it seems to work well for now.

How to redirect to an external url with Selenium, and come back?

I am working in perl with Selenium RC, server version 2.19.0-b09 and I cannot figure out whether it is even possible to redirect to an external URL and come back to my application. I am trying to test Facebook OAuth in my application, which means I have to go to Facebook and come back to my app.
use Test::WWW::Selenium::Catalyst 'MyApp', -selenium_args => 'injectProxyMode -trustAllSSLCertificates -debug -log /home/me/browserlog.txt -firefoxProfileTemplate /home/me/.mozilla/firefox/SeleniumUser.default/';
my $selenium = Test::WWW::Selenium::Catalyst->start({
    browser => '*chrome',
});
The reason I think this is possible at all is because a custom Firefox profile and the -injectProxyMode, *chrome browser and -trustAllSSLCertificates options enable me to post to and see all the redirects in my debug log, but my Remote Control window always disappears after the redirects. I can see the PROXY URL to which Facebook is trying to send me back, e.g., a URL on my own base domain. But it looks like there is no window for it to return to. In multiWindow mode I am left with my application in a Firefox window. In singleWindow mode my tests just end and all the windows close.
I have tried both -singleWindow and -multiWindow mode. I have gotten the list of windows after I make my post to https://www.facebook.com:443/login.php... and before all the redirects. I see a single window that is never available to select_window, and it always disappears on the second iteration if I run get_all_window_names in a while loop: a window with a name like "_e_0RWG".
So, how could I conceivably do what I am trying to accomplish with Selenium? It seems so near and yet so far.