Zend_Auth and database session SaveHandler - zend-framework

I have created Zend_Auth adapter implementing Zend_Auth_Adapter_Interface (similar to Pádraic's adapter) and created simple ACL plugin. Everything works fine with default session handler. So far, so good.
As a next step I have created custom Session SaveHandler to persist session data in the database. My implementation is very similar to this one from parables-demo. Seems that everything is working fine. Session data are properly saved to the database, session objects are serialized, but authentication does not work when I enable this custom SaveHandler.
I have debugged the authentication and all works fine up till the next request, when the authentication data are lost.
I suspected, that is has something to do with the fact, that I use $adapter->write($object) instead $adapter->write($string), but the same happens with strings.
I'm bootstrapping Zend_Application_Resource_Session in the first Bootstrap method, as early as possible.
Does Zend_Auth need any extra configuration to persist data in the database?
Why the authentity is being lost?

I have found the cause of the problems.
I used 'data' as a column name. Session SaveHandler from parables-demo was calling code similar to this:
$string = 'test'
$doctrineModel->data = $string;
echo gettype($doctrineModel->data); // displays 'Array', not string as some would expect
So the data I wanted to save were accidentally converted to arrays.

Related

Set default Global XSS filter- Session - CodeIgniter 3x

Hope someone can help me explain some of my questions in order:
1. When i set application/config/config.php:
Determines whether the XSS filter is always active when GET, POST or
COOKIE data is encountered.
$config['global_xss_filtering'] = TRUE;
So if I set the default value is FALSE. What benefits will I get? For example, the performance or processing speed of the server?
2. Session
function save(){
$data = $this->input->post('number',TRUE);
$this->session->set_userdata('TEST',$data);
}
//Suppose Client request GET to action
function insert(){
$num = $this->session->userdata('TEST');
//Do I need to filter data in session?
$num_clean = $this->security->xss_clean($num );
$this->model->run_insert($num_clean);
}
I do not trust the user. And I still do not understand much about: session activity
The server just sends the ID Session to the client. Does the server send the data, which I set up to the session, to the client?
Best way xss_clean for session Which i am using is: Filter the client data by xss_clean input class. Is that enough? And need to re-filter session again?
Hope someone helped me because I just using only Codeigniter's XSS filter. Thanks
part 1:
From CodeIgniter User Guide Version 2.2.6
XSS Filtering
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
So answerto your 1st part of question : yes ,
setting $config['global_xss_filtering'] = false; has performance benefits. also in codeigniter 3 its This feature is DEPRECATED. So i prefer to set it false.
part 2 :
Session is different from cookie
Unlike a cookie, the information is not stored on the users computer. So when you store a session ,its safe to trust the session data.
session data are stored in server. Most sessions set a user-key on the user's computer that looks something like this: 765487cf34ert8dede5a562e4f3a7e12. Then, when a session is opened on another page, it scans the computer for a user-key. If there is a match, it accesses that session, if not, it starts a new session.
here is a simple guide to session to read https://www.w3schools.com/php/php_sessions.asp
deftailed one : http://php.net/manual/en/intro.session.php
in short $num_clean = $this->security->xss_clean($num ); this is unnecessary.

Where/How does Symfony2 serializes and writes its session data?

To give an overview:
I have an app built on Symfony1 but I'm building the new parts with Symfony2. I've moved the login/logout actions on Symfony2 and made Symfony1 read the session data from Symfony2. By telling Symfony2 to write its session data in the default PHP $_SESSION, it works great, everything is there in arrays and Symfony1 can read the data and login my users automatically.
Now I'm moving the Symfony1 and the Symfony2 apps on their own respective VMs. So instead of writing in PHP $_SESSION, I save the session in a MongoDB (via the MongoDbSessionHandler). But now when I read the session data from the Symfony1 app, I end up with something like this:
_sf2_attributes|a:0:{}_sf2_flashes|a:0:{}_sf2_meta|a:3:{s:1:"u";i:1362655964;s:1:"c";i:1362655964;s:1:"l";s:1:"0";}
and it is definitely not unserializable. Symfony2 seems to serialize the data in its own way and I guess these _sf2_* stuff are the metadatabags. The thing is that I cannot find where this serialization is happening. To be able to unserialize it I need to find how it is serialized. The closest place I've found is in the SessionHandlerProxy:
public function write($id, $data)
{
return (bool) $this->handler->write($id, $data);
}
the $data passed here contains the serialized data, but I cannot find in the code where it is called.
Any luck?
The MongoDbSessionHandler gets set as the PHP session save handler here: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php#L349-L370
session_start() (https://github.com/symfony/symfony/blob/master/src/Symfony/Component/HttpFoundation/Session/Storage/NativeSessionStorage.php#L146) actually reads the contents of the session file/Mongo and create the global $_SESSION variable: http://www.php.net/manual/en/function.session-start.php
Have a look at PHP's session_decode function: http://www.php.net/manual/en/function.session-decode.php - this might be what you're looking for.

CreateDataSource not working with WCF and a stored procedure

I am trying to override the connection string in a WCF DataService with CreateDataSource. This seems to work fine for simple requests for tables, but when I try to use a stored procedure it fails...it's always trying to use the original datasource set up for the SP when i worked with the .edmx file.
My code is:
string mConnectionString;
mConnectionString = ConfgurationManager.ConnectionStrings["D7SG_DEVEntities"].ConnectionString;
return new SGEntities(mConnectionString);`
The error which occurs is
The specified named connection is either not found in the
configuration, not intended to be used with the EntityClient provider,
or not valid.
Anyone know how to make this work with a stored procedure ? (This procedure works fine when used with the hard-coded string in web.config)
In your service operation, you're creating the SGEntities without passing in the modified connection string. So it will pick the default connection string from your configuration. In order for this to work you can use this.CurrentDataSource instead of creating a new instance of the SGEntities in your service operation implementation. That will go through the CreateDataSource and should pick up the new connection string.

store and setRequest

I have a jobque mechanism in ZF.
The jobque simlpy stores the the function call (Class, Method and params) and later executes it as CLI daemon. The daemon works, however at places the application looks for information from the request object, and when called from the CLI these places fail, or get no info.
I would like to store the original request object together with the job and when the job is processed set the request object back as if the job was done by the originall request, somethin along the line of the following pseudo code:
$ser_request = serialize(Zend_Controller_Front::getInstance ()->getRequest ());
-->save to db
-->retrive from db
$ZCF= new Zend_Controller_Front;
$ZCF::getInstance ()->setRequest (unserialize($ser_request))
The aim is to store and replay the jobs later withouth having to change the rest of the application.
Any suggestions how to do that?
I am not sure if this works, but here's an idea. Try to implement _sleep and _wakeup magic methods for the request object. Haven't tried it out, but maybe it's at least a starting solution.

lift Session management

I am new to lift. I have been working with MVC model so far and using basic session management model i.e. storing a token in the session and check on each request.
I am trying to do the same with lift, but my session getting expired abruptly. even some time I just logged in and it logged out. I have analysis that whenever I gets log message like this:
INFO - Session ucjrn5flnq9q1ke52z5zixgtt expired
I have searched but I couldn't find any step by step tutor
Sessions are managed by your servlet container. Which one are you using? You should look at the container's documentation.
Do not attempt to use S.get et al to access session bound information. This is just plain dangerous. Do it like this:
class Thing {
object SessionThing extends SessionVar[Box[String]](Empty)
...
def someMethod = {
...
SessionThing.is // returns you a Box[String].
// operates on the session variable if it exists,
// otherwise provides a sensible default
SessionThing.is.map(_.toLowerCase).openOr("default")
...
}
}
You need to understand the snippet and state lifecycles really, as it seems you're not fully understanding how lift's session mechanics work.
I found the solution of the problem. I was using embedded jetty server, where I was using ServletContextHandler to register lift filter. I changed it to WebAppContext and it started working fine.
Puneet