Session is lost after an OAuth redirect


Question

I use CakePHP 2.4. I have an OAuth sign-in on my website. 99.5% of sign-ins are successful but 0.5% fail. I have had this error for months. I tried many things to debug and log, but still I haven't solved the problem. Although most of the requests are fine, I need to fix the small remainder.

The scenario is like this:


  • User clicks the Sign in button
  • I get a request token from the server (for example Yahoo, Twitter)
  • I save oauth_token in the user's session
    for example the session ID is aaa1234
  • CakePHP creates a PHPSESSID cookie and saves the session ID in this cookie.

I redirect the user to the Twitter server and the user confirms my application.

For the scenario b:
It seems like the user has a new session ID now. oauth_token can't be found in the new session. But note that the old session data exists in the /tmp/sessions/ folder.

The session ID cookie doesn't exist for session aaa1234. But another tracking cookie that I set 2 days ago exists in the cookies.

I check user agents.
It is the same when the user first comes and when the user comes back from the Yahoo server.

This failure scenario happens in Chrome, Firefox, mobile browsers and other browsers, so I can't blame the browser type.
What should I check more to diagnose?

My CakePHP core.php settings:

Configure::write('Session', array('defaults' => 'cake'));
Configure::write('Session.cookie', 'MYPHPSESSID');
Configure::write('Session.timeout', 120);
Configure::write('Security.level', 'medium');

Other settings are the defaults as mentioned in the file: https://github.com/cakephp/cakephp/blob/2.5/app/Config/core.php#L182

Edit: By using this answer I checked for cookies. 20% of the erroneous users had disabled cookies. I asked personally and the user confirmed the cookie option. But it seems like the other users didn't disable cookies. Also some users reach my website by using Android WebViews. In WebView clients I'm sure that I don't disable cookies. Also 99% of the WebView users can successfully use the website.
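One way to gather the missing diagnostics the question asks for, as an added example that is not part of the original post: log, on the sign-in request and again on the OAuth callback, the scheme, whether the session cookie arrived, the session id and the user agent, so the failing 0.5% can be correlated. It assumes CakePHP 2.4 and a hypothetical OauthController; the token value is constructed.

```php
<?php
// Added diagnostic example (not from the question). Assumes CakePHP 2.4;
// OauthController is hypothetical and the token value below is constructed.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class OauthController extends AppController {
    public $components = array('Session');

    // Runs before every action: one log line per request is enough to
    // correlate the "signin" and "callback" requests of the same browser.
    public function beforeFilter() {
        parent::beforeFilter();
        $cookieName = Configure::read('Session.cookie'); // MYPHPSESSID in the question's config
        CakeLog::write('debug', sprintf(
            'oauth-trace action=%s scheme=%s session_cookie_present=%s session_id=%s ua=%s',
            $this->request->action,
            $this->request->is('ssl') ? 'https' : 'http',
            isset($_COOKIE[$cookieName]) ? 'yes' : 'no',
            $this->Session->id(),
            env('HTTP_USER_AGENT')
        ));
    }

    public function signin() {
        // The request token obtained from the provider would be stored here;
        // the value is constructed for the example.
        $this->Session->write('oauth_token', 'CONSTRUCTED_REQUEST_TOKEN');
        // ... redirect the user to the provider's authorization endpoint
    }

    public function callback() {
        if (!$this->Session->check('oauth_token')) {
            // The session that held the token did not come back with the browser:
            // record it explicitly instead of failing silently.
            CakeLog::write('warning', 'oauth_token missing on callback; session_id=' . $this->Session->id());
        }
        // ... continue the OAuth exchange
    }
}
```

Comparing the scheme and session_cookie_present fields of the two log lines for one failing browser shows directly whether the cookie was issued on one scheme and not presented on the other.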

Recommended answer

Your session id might be lost because of a redirect between schemes. In case your user received a session id on HTTP and then came back on HTTPS (or vice versa), his session would be lost/replaced by an old session he had previously on that scheme.

This is not 100% certain, but if I were you, I'd give it a look (it happened to me also in a past project).

EDIT

Explanation:

The clients obtain their session on HTTP, they are redirected for OAuth purposes, and when they come back, they come via HTTPS.

PHP normal sessions ($_SESSION) are lost when moving between HTTP and HTTPS. The session itself is kept on the server side, but the client loses the session_id, thus the server doesn't recognize him and the session is lost, so if you were using pure PHP, 100% of your clients would lose their session on their way back.

CakePHP handles this common problem via cookies that save the session id, and then when the client comes back without a session_id in the request headers, its session is restored because of the cookie. The 0.05% of your clients that fail are clients with one (or more) of the following:


  1. Cookies disabled
  2. Browsers that don't preserve cookies from the same website when switching between HTTP/HTTPS

Possible solutions:


  1. Initialize the cookie on HTTPS to begin with (i.e. first check if the user is on HTTP, then redirect him to HTTPS, then init the session, then redirect him to the OAuth endpoint) - I personally recommend it.

  2. Some OAuth providers take parameters for the URL to redirect the user to when he finishes his authentication. You can use this and send the session id as a parameter. - I don't recommend this, because then you might expose your client's session id to attackers.
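Solution 1 carried through in code, as an added example that is not the answerer's own: the controller forces HTTPS before the session is ever touched, stores the request token, redirects to the provider, and on the callback refuses to proceed on anything but the token held in the session. It assumes CakePHP 2.4; OauthController and the $this->OauthClient helper (getRequestToken, getAuthorizeUrl) are hypothetical.

```php
<?php
// Added example of solution 1 (not from the answer). Assumes CakePHP 2.4;
// OauthController and the OauthClient component are hypothetical.
App::uses('AppController', 'Controller');

class OauthController extends AppController {
    public $components = array('Session', 'OauthClient');

    public function beforeFilter() {
        parent::beforeFilter();
        // Step 1: a user arriving on plain HTTP is sent to the same URL on HTTPS
        // before the session is started, so no session cookie is ever issued on HTTP.
        if (!$this->request->is('ssl')) {
            $httpsUrl = 'https://' . env('HTTP_HOST') . $this->request->here;
            return $this->redirect($httpsUrl, 301, true);
        }
    }

    public function signin() {
        // Step 2: now on HTTPS, obtain the request token and keep it in the session;
        // the session cookie is created over HTTPS and is the one the browser
        // will present when it comes back over HTTPS.
        $requestToken = $this->OauthClient->getRequestToken(); // hypothetical
        $this->Session->write('oauth_token', $requestToken['oauth_token']);
        $this->Session->write('oauth_token_secret', $requestToken['oauth_token_secret']);
        // Step 3: hand the user to the provider. The callback URL registered with the
        // provider must itself be https:// so the return lands on the same scheme.
        return $this->redirect($this->OauthClient->getAuthorizeUrl($requestToken['oauth_token']));
    }

    public function callback() {
        $saved = $this->Session->read('oauth_token');
        if ($saved === null || $saved !== $this->request->query('oauth_token')) {
            // No session came back, or the provider returned a different token:
            // fail the sign-in rather than trusting a token carried only in the URL
            // (the exposure the answer warns about in solution 2).
            throw new ForbiddenException('OAuth token does not match the session');
        }
        // ... exchange the request token for an access token and sign the user in
    }
}
```

Once sessions are only ever created on HTTPS, the session cookie can additionally be marked secure from core.php with Configure::write('Session', array('defaults' => 'cake', 'ini' => array('session.cookie_secure' => true))), which makes a cookie issued over HTTPS unavailable to any later plain-HTTP request.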
