Love Fuel?    Donate

FuelPHP Forums

Ask your question about FuelPHP in the appropriate forum, or help others by answering their questions.
Session clears it self when set in different "windows"
  • tahataha
    Hi,

    I have an issue where the sessions/cookies are cleared if they were re-set (not sure if it's because they're re-set really) in a different window/browser. For example, If I login in Chrome, then if I login in FF, it logs me out of Chrome.

    For the login, I'm using the a custom driver in the Auth package. I'm using an independent instance of the Session class which is defined like below in the _init method.

    if((static::$session = \Session::instance($cookie_name)) === false)
    {
    	// Cookie instance
    	static::$session = \Session::forge(array(
    		'driver' => 'cookie',
    		'expiration_time' => 1209600, // Two weeks
    		'cookie' => array(
    			'cookie_name' => $cookie_name

    		)
    	));
    }

    Then I use static::$session to access the instance.

    I have no idea what's causing the sessions to be cleared that way. I should also note that this happens locally. On production/stage, the issue become even worse as when I view-source the page, it immediately clears the session. Also, if I view REST controller method in the browser (GET), refresh the page, it clears the session too.

    I've been debugging this for several days with no hope so I decided I'd post it here for help. I'm using Fuel 1.5.

    Thanks,
    Taha
  • kenjiskenjis
    Fuel 1.5 Session has bugs. You should use at least 1.5.1.

  • HarroHarro
    Accepted Answer
    Should have asked sooner. ;-)

    This has nothting to do with sessions, but with the fact that the Auth library doesn't support multiple login, courtesy of the login_hash column in the users table. For a different browser it will generate a new hash, invalidating the old one, so your next page request in the old browser logs you out.

    Concurrent logins where introduced on 27-04-2013, and released in v1.6.
  • tahataha
    Thanks for the quick reply!

    The windows issue was indeed due to the lack of simultaneous login ability in the Auth package.

    However, the other issue that I referred to that happened on production/stage only is not related to the Auth package. It seems like the app tries to call a non existent URI "favicon", which I have no idea why that happens. There are no broken URLs named favicon, at all! Either way, I did a *dirty* fix for the issue as a temporary fix (very unhappy about that :'() but will look into it in details when I get a chance :)

    Thanks for the help!
  • HarroHarro
    Some browsers fetch the favicon automatically, outside your control.

    As to the other issues, those could well be due to the session bugs in 1.5 that Kenjis mentioned.
  • tahataha
    I have *finally* got to the bottom of this issue. The cause was that in some cases, the Auth class is not initialised so the custom session instance is not initialised either. This would happen if the page you are viewing does not initialise the Auth object, say if your 404 happens before you check if the user is logged in etc...

    So just incase someone else gets this issue, the fix is to make sure that the Auth (and the custom Session) class is instantiated before any response is sent out.
Add a Comment

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Apply for Membership

Categories

In this Discussion