I am new to lift. I have been working with MVC model so far and using basic session management model i.e. storing a token in the session and check on each request.
I am trying to do the same with lift, but my session getting expired abruptly. even some time I just logged in and it logged out. I have analysis that whenever I gets log message like this:
INFO - Session ucjrn5flnq9q1ke52z5zixgtt expired
I have searched but I couldn't find any step by step tutor
Sessions are managed by your servlet container. Which one are you using? You should look at the container's documentation.
Do not attempt to use S.get et al to access session bound information. This is just plain dangerous. Do it like this:
class Thing {
object SessionThing extends SessionVar[Box[String]](Empty)
...
def someMethod = {
...
SessionThing.is // returns you a Box[String].
// operates on the session variable if it exists,
// otherwise provides a sensible default
SessionThing.is.map(_.toLowerCase).openOr("default")
...
}
}
You need to understand the snippet and state lifecycles really, as it seems you're not fully understanding how lift's session mechanics work.
I found the solution of the problem. I was using embedded jetty server, where I was using ServletContextHandler to register lift filter. I changed it to WebAppContext and it started working fine.
Puneet
Related
I am currently migrating an old Zend 1.1 website and need a replacement for the uses of Zend_Session_Namespace.
Does one exist for Yii2? Or alternatively is there a plugin or something to add this functionality?
-Edit:
Specifically the ability to set expiry timeouts and hop limits like Zend has.
Thank you.
UPDATE
The info you have added in the edit was never mentioned earlier and makes your question too broad you might create a separate question for that.
By default session data are stored in files. The implementation is locking a file from opening a session to the point it's closed either by session_write_close() (in Yii it could be done as Yii::$app->session->close()) or at the end of request. While session file is locked all other requests which are trying to use the same session are blocked i.e. waiting for the initial request to release the session file. this can work for dev or small projects. But when it comes to handling massive concurrent requests, it is better to use more sophisticated storage, such as a database.
Zend_Session_Namespace instances provide the primary API for manipulating session data in the Zend Framework. Namespaces are used to segregate all session data, if you are converting the script to Yii2 framework you might need to look into https://www.yiiframework.com/doc/api/2.0/yii-web-session
A simple example to compare both of the functionalities by example are
Zend Framework 1.1 Counting Page Views
$defaultNamespace = new Zend_Session_Namespace('Default');
if (isset($defaultNamespace->numberOfPageRequests)) {
// this will increment for each page load.
$defaultNamespace->numberOfPageRequests++;
} else {
$defaultNamespace->numberOfPageRequests = 1; // first time
}
echo "Page requests this session: ",
$defaultNamespace->numberOfPageRequests;
Yii2 Framework Counting Page Views
public function actionIndex()
{
$session = new \yii\web\Session();
$session->open();
$visits = $session->get('visits', 0);
$visits = $visits+1;
$session->set('visits', $visits);
return "Total visits $visits";
}
Hope someone can help me explain some of my questions in order:
1. When i set application/config/config.php:
Determines whether the XSS filter is always active when GET, POST or
COOKIE data is encountered.
$config['global_xss_filtering'] = TRUE;
So if I set the default value is FALSE. What benefits will I get? For example, the performance or processing speed of the server?
2. Session
function save(){
$data = $this->input->post('number',TRUE);
$this->session->set_userdata('TEST',$data);
}
//Suppose Client request GET to action
function insert(){
$num = $this->session->userdata('TEST');
//Do I need to filter data in session?
$num_clean = $this->security->xss_clean($num );
$this->model->run_insert($num_clean);
}
I do not trust the user. And I still do not understand much about: session activity
The server just sends the ID Session to the client. Does the server send the data, which I set up to the session, to the client?
Best way xss_clean for session Which i am using is: Filter the client data by xss_clean input class. Is that enough? And need to re-filter session again?
Hope someone helped me because I just using only Codeigniter's XSS filter. Thanks
part 1:
From CodeIgniter User Guide Version 2.2.6
XSS Filtering
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
So answerto your 1st part of question : yes ,
setting $config['global_xss_filtering'] = false; has performance benefits. also in codeigniter 3 its This feature is DEPRECATED. So i prefer to set it false.
part 2 :
Session is different from cookie
Unlike a cookie, the information is not stored on the users computer. So when you store a session ,its safe to trust the session data.
session data are stored in server. Most sessions set a user-key on the user's computer that looks something like this: 765487cf34ert8dede5a562e4f3a7e12. Then, when a session is opened on another page, it scans the computer for a user-key. If there is a match, it accesses that session, if not, it starts a new session.
here is a simple guide to session to read https://www.w3schools.com/php/php_sessions.asp
deftailed one : http://php.net/manual/en/intro.session.php
in short $num_clean = $this->security->xss_clean($num ); this is unnecessary.
I have a jobque mechanism in ZF.
The jobque simlpy stores the the function call (Class, Method and params) and later executes it as CLI daemon. The daemon works, however at places the application looks for information from the request object, and when called from the CLI these places fail, or get no info.
I would like to store the original request object together with the job and when the job is processed set the request object back as if the job was done by the originall request, somethin along the line of the following pseudo code:
$ser_request = serialize(Zend_Controller_Front::getInstance ()->getRequest ());
-->save to db
-->retrive from db
$ZCF= new Zend_Controller_Front;
$ZCF::getInstance ()->setRequest (unserialize($ser_request))
The aim is to store and replay the jobs later withouth having to change the rest of the application.
Any suggestions how to do that?
I am not sure if this works, but here's an idea. Try to implement _sleep and _wakeup magic methods for the request object. Haven't tried it out, but maybe it's at least a starting solution.
I have created Zend_Auth adapter implementing Zend_Auth_Adapter_Interface (similar to Pádraic's adapter) and created simple ACL plugin. Everything works fine with default session handler. So far, so good.
As a next step I have created custom Session SaveHandler to persist session data in the database. My implementation is very similar to this one from parables-demo. Seems that everything is working fine. Session data are properly saved to the database, session objects are serialized, but authentication does not work when I enable this custom SaveHandler.
I have debugged the authentication and all works fine up till the next request, when the authentication data are lost.
I suspected, that is has something to do with the fact, that I use $adapter->write($object) instead $adapter->write($string), but the same happens with strings.
I'm bootstrapping Zend_Application_Resource_Session in the first Bootstrap method, as early as possible.
Does Zend_Auth need any extra configuration to persist data in the database?
Why the authentity is being lost?
I have found the cause of the problems.
I used 'data' as a column name. Session SaveHandler from parables-demo was calling code similar to this:
$string = 'test'
$doctrineModel->data = $string;
echo gettype($doctrineModel->data); // displays 'Array', not string as some would expect
So the data I wanted to save were accidentally converted to arrays.
I'm trying to get the rememberMe() function to remember users and retain sessions for months at a time.
I've read that if you pass a value through rememberMe() it will not work if the session has already been started. From the session_set_cookie_params() documentation in the PHP manual, "you need to call session_set_cookie_params() for every request and before session_start() is called."
By I am calling Zend_session::start() in my bootstrap as i thought I was supposed to. My problem is that rememberMe() doesn't seem to be working.
When I call session_get_cookie_params(); I get:
Array([lifetime] => 0 [path] => / [domain] => [secure] => httponly] =>)
Any thoughts?
I've solved the problem. sessions were being erased by another website on the same server which expires sessions every 24 minutes. To fix this I set the session.save_path to a new folder. I also set session.gc_maxlifetime and session.cookie_lifetime to be very large numbers.
problem solved!
Don't use the start() method. It should work fine if you are using MVC. The session_start must be called before any output is send and that's right before sending response (because of outputbuffering). The session is started automatically upon first Zend_Session_namespace usage.