I use CakePHP 2.4. I have an OAuth signin on my website. 99.5% of signins are successful but 0.5% fail. I have had this error for months. I tried many things to debug and log, but still I didn't solve the problem. Although most of the requests are good, I need to solve the small part.
Scenario is like this:
1. oauth_token is in user's session aaa1234. CakePHP creates PHPSESSID cookie and saves session id in this cookie.
2. I redirect user to Twitter server and user confirms my application.
3. With oauth_token and oauth_verifier I get access_tokens.
   a) Session ID is aaa1234. Everything good.
   b) oauth_token in current session: when I check session ID, I see that ID changed, ID is now bbb2345.
For the scenario b:
It seems like user has new session ID now. oauth_token can't be found in new session. But note that old session data exists in /tmp/sessions/ folder.
Session ID cookie doesn't exist for session aaa1234. But another tracking cookie that I set 2 days ago exists in cookies.
I check user agents.
It is the same when user first comes and when user comes back from Yahoo server.
This failure scenario happens in Chrome, Firefox, mobile browsers or other browsers, so I can't blame the browser type.
What should I check more to diagnose?
My CakePHP core.php settings:
Configure::write('Session', array( 'defaults' => 'cake' ));
Configure::write('Session.cookie', 'MYPHPSESSID');
Configure::write('Session.timeout', 120);
Configure::write('Security.level', 'medium');
Other settings are default as mentioned in file: https://github.com/cakephp/cakephp/blob/2.5/app/Config/core.php#L182
Edit: By using this answer I checked for cookies. 20% of the erroneous users had cookies disabled. I asked personally and the user confirmed the cookie option. But it seems like the other users didn't disable cookies. Also some users reach my website by using Android WebViews. In WebView clients I'm sure that I don't disable cookies. Also 99% of the WebView users can successfully use the website.
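One concrete way to answer "what should I check more" is to log, on both legs of the flow, every input that decides which session a request lands in, and then classify the failure per request. The following is an added example for CakePHP 2.x and is not code from the question; the controller, action and helper names (OauthController, callback(), _sessionSnapshot(), _diagnoseLostSession()) are hypothetical. It reads the session cookie name from the same Session.cookie setting the question's core.php sets.

```php
<?php
// Added example (not from the question). Assumes a CakePHP 2.x app whose
// OAuth provider redirects back to OauthController::callback(); all names here
// are hypothetical.
App::uses('AppController', 'Controller');
App::uses('CakeLog', 'Log');

class OauthController extends AppController {

    public $components = array('Session');

    /**
     * Snapshot of everything that decides which session a request lands in.
     * Call it in the action that starts the OAuth flow and again in callback(),
     * then compare the two log lines for the same user.
     */
    protected function _sessionSnapshot($stage) {
        // check() is done first so the session is started before id() is read.
        $hasToken = $this->Session->check('oauth_token');
        $sid = $this->Session->id();

        $cookieName = Configure::read('Session.cookie'); // 'MYPHPSESSID' in the question's core.php
        $sentCookie = isset($_COOKIE[$cookieName]) ? $_COOKIE[$cookieName] : null;

        $snap = array(
            'stage'        => $stage,
            'has_token'    => $hasToken,
            // Never write raw session ids to a log file; a truncated hash is
            // enough to tell "same session" from "different session".
            'sid'          => substr(sha1($sid), 0, 10),
            'cookie_sent'  => $sentCookie !== null,
            // If PHP accepted the cookie, the live session id equals its value.
            'cookie_match' => $sentCookie !== null && $sentCookie === $sid,
            'cookie_names' => implode(',', array_keys($_COOKIE)),
            'scheme'       => $this->request->is('ssl') ? 'https' : 'http',
            'host'         => env('HTTP_HOST'),
            'referer'      => env('HTTP_REFERER'),
            'ua_hash'      => substr(sha1((string)env('HTTP_USER_AGENT')), 0, 10),
        );
        CakeLog::write('debug', 'oauth-session ' . json_encode($snap));
        return $snap;
    }

    /**
     * Classifies why oauth_token is missing on the return leg. The returned
     * string is one of the cases the question describes, so logs can be grepped.
     */
    protected function _diagnoseLostSession(array $snap) {
        if ($snap['has_token']) {
            return 'ok';
        }
        if (!$snap['cookie_sent']) {
            // Browser did not send the session cookie at all: cookies disabled,
            // cookie scoped to another host/path/scheme, or dropped by a WebView.
            return 'no_session_cookie';
        }
        if (!$snap['cookie_match']) {
            // Cookie arrived but PHP started a fresh session: the id was
            // regenerated or the old session was invalidated (timeout, GC).
            return 'cookie_for_other_session';
        }
        // Same session, token gone: it was never written or was cleared.
        return 'token_missing_in_same_session';
    }

    public function callback() {
        $snap = $this->_sessionSnapshot('callback');
        $reason = $this->_diagnoseLostSession($snap);
        if ($reason !== 'ok') {
            CakeLog::write('error', 'oauth-session lost: ' . $reason);
            throw new BadRequestException('OAuth state lost, please sign in again');
        }
        // The normal token exchange continues here (not shown).
    }
}
```

Once the 'start' and 'callback' lines are paired per user, the 0.5% failures should sort into a small number of buckets: no cookie sent at all (compare cookie_names with the tracking cookie the question mentions), a different host or scheme between the two legs, or a cookie that was sent but no longer names a live session.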
Your session id might be lost because of a redirect between schemes. In case your user received a session id on HTTP and then came back on HTTPS (or vice-versa) his session would be lost/replaced by an old session he had previously on that scheme.
This is not 100% certain, but if I were you, I'd try to give it a look (it happened to me also in a past project).
EDIT
Explanation:
The clients obtain their session on HTTP, they are redirected for oauth purposes, and when they come back, they come via HTTPS.
PHP normal sessions ($_SESSION) are lost when moving between HTTP and HTTPS. The session itself is kept on the server side, but the client loses the session_id, thus the server doesn't recognize him and the session is lost, so if you were using pure PHP, 100% of your clients would lose their session on their way back.
CakePHP handles this common problem via cookies that save the session id, and then when the client comes back without a session_id in the request headers, its session is restored because of the cookie. The 0.05% of your clients that fail are clients with one (or more) of the following:
Possible solutions:
initialize the cookie on HTTPS to begin with (i.e. first check if the user is on HTTP, then redirect him to HTTPS, then init the session, then redirect him to the oauth endpoint) - I personally recommend it.
some oauth providers take parameters for the url to redirect the user when he finishes his authentication. You can use this and send its session id as a parameter. - I don't recommend this, because then you might expose your client's session id to attackers.
Good luck!
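The recommended fix above, "redirect to HTTPS first, then start the session", as an added CakePHP 2.x example; this is not the answerer's code. Two files are shown in one listing: the Session block of app/Config/core.php, then an AppController whose beforeFilter() forces HTTPS before anything touches the session. 'my.example.com' is a placeholder host. One caveat worth keeping in mind while testing: a cookie set without the Secure attribute is sent on both schemes, so if the scheme change alone appears to lose the cookie, also compare the host, path and Domain attribute between the two legs; the configuration below pins all of them.

```php
<?php
// Added example (not from the answer). Two CakePHP 2.x files in one listing;
// 'my.example.com' is a placeholder for the site's canonical HTTPS host.

// ---- app/Config/core.php -------------------------------------------------
Configure::write('Session', array(
    'defaults' => 'cake',
    'cookie'   => 'MYPHPSESSID',
    'timeout'  => 120,
    // Extra php.ini values CakePHP 2 applies when it starts the session.
    'ini'      => array(
        // Secure: the browser only ever sends this cookie over HTTPS. This is
        // why the session must be started on HTTPS: a Secure cookie issued on
        // the first HTTPS request is invisible to any later HTTP leg.
        'session.cookie_secure'   => 1,
        'session.cookie_httponly' => 1,
        // Host-only cookie (no Domain attribute). Returning to www.example.com
        // after starting on example.com would otherwise also "lose" the session.
        'session.cookie_domain'   => '',
        // PHP >= 7.3 only. Must be Lax, not Strict: the return from the OAuth
        // provider is a cross-site top-level navigation, and Strict would
        // withhold the session cookie on exactly that request.
        'session.cookie_samesite' => 'Lax',
    ),
));

// ---- app/Controller/AppController.php -----------------------------------
App::uses('Controller', 'Controller');

class AppController extends Controller {

    public $components = array('Session');

    // Fixed canonical host. Do not build the redirect from env('HTTP_HOST'):
    // that header is attacker-controlled and would allow open redirects.
    protected $_canonicalHost = 'my.example.com'; // placeholder

    public function beforeFilter() {
        parent::beforeFilter();
        // Redirect before the session is read or written, so the first session
        // cookie the browser ever stores is already a Secure one.
        if (!$this->request->is('ssl')) {
            $this->redirect('https://' . $this->_canonicalHost . $this->request->here, 301, true);
        }
    }
}
```

After this change the OAuth start action, the redirect to the provider and the callback all run on HTTPS with one host-only Secure cookie, so the cookie the provider sends the browser back with is the one the session was created under.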
I'd imagine that CBroe is on the money here. I've run into this before as well (not specifically with OAuth, but with other redirects that set a session cookie).
More info here: Losing session variables after redirect