The reason I did not post any code is that it is pretty much straight
out of the popular tutorials linked to in Frequent Discussions.
It is pretty stripped down now that I have started poking around. No
ACL or anything like that.
The "wrong page" is defined as: not the page that AuthComponent is
designed to send me to (as I understand the code in Auth at least).
AuthComponent writes a URL to the Session but is subsequently unable
to find that URL in the Session on next request (when the login page
is requested).
I am not externally feeding Auth with a redirection URL. The problem I
have found is the internal redirection-setup inside the Component.
Around line 311 (may be off since I have added and removed a few
log-lines in my file by now) we have this code-block:

    if (!$this->user()) {
        if (!$this->RequestHandler->isAjax()) {
            $this->Session->setFlash($this->authError, 'default', array(), 'auth');
            $this->Session->write('Auth.redirect', $url);
            $controller->redirect($this->loginAction, null, true);
            return false;
    ...

As I read this, here is where Auth writes the current URL (which is
determined about 30 lines above) to the Session and then redirects to
the login page. Next, when we are on the login page, we end up at line
288 (or close to it) where we find this:

    if (empty($controller->data) || !isset($controller->data[$this->userModel])) {
        if (!$this->Session->check('Auth.redirect') && env('HTTP_REFERER')) {
            $this->Session->write('Auth.redirect', $controller->referer());
        }
        return false;
    }

My read: If we have no posted data we check for a stored redirect in
the session. If none is found but we do have a referer then write that
to the session.
The funny thing here is that every time we let a session expire these
two bits of code are both run (I have log-lines to read the
redirection values) and both write to the Session. This is what leads
me to believe that the session is deleted between these statements and
that this is a bug or problem of some kind.
The easiest way to test this for yourself is to set the session TTL to
10s or something really quick.
Request a page and wait for session to time out.
Click a link.
Enter your login data on the login-page you are redirected to.
Watch where you are redirected to after login.
I believe you should end up on the page you clicked for but I always
end up on the page I "was on" when I clicked.
Redirects work just as I expect when there is no existing session
(fresh browser or no timeout). This only happens when a session times
out and you then directly access a protected page.
Here is my auth-code for you to take a look at. It is pretty simple:

app_controller->beforeFilter:

    if ( isset($this->Auth) )
    {
        $this->Auth->fields = array('username' => 'email', 'password' => 'password');
        $this->Auth->loginAction = '/users/login';
        $this->Auth->autoRedirect = true;
        $this->Auth->loginRedirect = '/';
        $this->Auth->logoutRedirect = '/';
        if (in_array(low($this->params['controller']), $this->publicControllers))
        {
            $this->Auth->allow();
        }
        $this->set('auth', $this->Auth->user() );
    }

users_controller:

    function login()
    {
        $this->pageTitle = 'login_heading';
    }

    function logout()
    {
        $this->Session->setFlash( $this->Lang->show('login_logout'), 'default', array(), 'ok');
        $this->redirect($this->Auth->logout());
    }

On Feb 23, 12:01 am, Baz <[EMAIL PROTECTED]> wrote:
> You can't make statements like "wrong page" etc, if no one has a clue as to
> what your setup is. At least show your Auth setup.
>
> I haven't experienced your issues (I'm not even sure what your issues are),
> but there is some funny behavior when the session expires.
>
> Basically, I lose my Flash Message when trying to access a restricted area.
> This is because there are multiple redirects and the flash is written to an
> "invalid" session. Read all the yummy goodness:
>
> http://groups.google.com/group/cake-php/browse_thread/thread/91c716ad...
>
> On Fri, Feb 22, 2008 at 3:21 PM, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> > Hi,
> > I got interested in poking around in AuthComponent since I found some
> > odd redirecting when sessions expire. Have I managed to cause this
> > somehow or is this a problem known to you all? I have read a lot about
> > strange redirections but my problem has been boiled down to a very
> > specific behavior.
>
> > When I login I get redirected to the wrong page.
> > If I am on a page, let the session expire, and then click a link: I
> > expect to be redirected to the page I clicked for after login. What
> > happens is that I am redirected to the page I was on when I clicked.
>
> > If I type an url or refresh (no referer) a page that has expired: I am
> > redirected to the default page set in Auth.
>
> > What happens is that Auth writes the current url to the session (as
> > Auth.redirect) before redirecting to the login action. This session is
> > then "renewed". At least I guess so since the session data is empty
> > when the login action checks for the value. The session-data is then
> > written again using the "wrong" referer.
>
> > I have checked all this by logging each time Auth refers to
> > 'Auth.redirect'. Auth does not actively kill the session so it is hard
> > to decide if Auth or the Session-class is to blame.
>
> > I haven't found out exactly where the session-data is being deleted.
> > SessionComponent calls destroy before the first Session-write in Auth
> > but not between the first write and the login-action. I thought you
> > could kill a session and start a new one in mid-request so to speak?
>
> > It is getting late in my part of the world now. I'll add to this
> > thread if/when I find anything else related to this.
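
A stand-alone model of the redirect behaviour discussed in this thread, added here as an example; it is not code from the posts or from CakePHP. FakeSession, simulate() and the sample URLs are constructed, and the emptying of the session between the two requests is the poster's hypothesis, modelled as an assumption.

```php
<?php
// Added model, not CakePHP code. FakeSession stands in for the session store.
class FakeSession {
    private $data = array();
    public function check($key) { return isset($this->data[$key]); }
    public function write($key, $value) { $this->data[$key] = $value; }
    public function read($key) { return isset($this->data[$key]) ? $this->data[$key] : null; }
    public function renew() { $this->data = array(); } // hypothetical: store replaced
}

// Mirrors the first quoted block: unauthenticated hit on a protected URL.
function protectedRequest(FakeSession $session, $url) {
    $session->write('Auth.redirect', $url);
}

// Mirrors the second quoted block: login page requested with no posted data.
function loginPageRequest(FakeSession $session, $referer) {
    if (!$session->check('Auth.redirect') && $referer) {
        $session->write('Auth.redirect', $referer);
    }
}

// Returns the URL the user would land on after a successful login.
// $renewed = true models the assumed session renewal between the two requests.
function simulate($clicked, $referer, $renewed, $loginRedirect = '/') {
    $session = new FakeSession();
    protectedRequest($session, $clicked);
    if ($renewed) {
        $session->renew(); // assumption: Auth.redirect from the first request is lost
    }
    // The browser keeps the original Referer when it follows the redirect.
    loginPageRequest($session, $referer);
    $target = $session->read('Auth.redirect');
    return $target !== null ? $target : $loginRedirect;
}

// Constructed sample URLs: user is on /posts/index and clicks /posts/view/5.
echo simulate('/posts/view/5', '/posts/index', false), "\n"; // session kept
echo simulate('/posts/view/5', '/posts/index', true), "\n";  // session renewed
echo simulate('/posts/view/5', null, true), "\n";            // renewed, no referer
```

Under that assumption the three calls give the clicked page, the page the user was on, and the default loginRedirect, which are the three outcomes reported in the thread.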