I'm trying to set a session variable when I log in, which seems to work, but I can't get this variable in another function of another controller.
(SecurityController.php)
public function login(RequestStack $requestStack): Response
{
//$session = $requestStack->getSession();
$session = $requestStack->getCurrentRequest()->getSession();
$session->set('uuid_user', $user->getUuid());
$this->logger->info($session->get('uuid_user')); //I can access this and it works here
}
(CityController.php)
public function getCity(RequestStack $requestStack): Response
{
//$session = $requestStack->getSession();
$session = $requestStack->getCurrentRequest()->getSession();
$uuidUser = $session->get('uuid_user');
$this->logger->info($uuidUser); //I can't access that here, it just returns null
}
Do you have any idea what I'm doing wrong?
When the user logs in, the session changes (look at your PHPSESSID cookie). You probably set the uuid_user on the old session and not the new one.
Set the uuid_user on onAuthenticationSuccess in your Authenticator (in folder src/Security) should work
Related
The following example code successfully performs a callback to the Google App Script:
var SCRIPT_ID = "1eC5VsM2vkJXa9slM40MTKTlfARGAGyK1myMCU3AB_-Ox_jGxQaoPM8P2";
function getURL() { return getCallbackURL('testCallback'); }
function getCallbackURL(callback) {
var state = ScriptApp.newStateToken().withTimeout(3600).withMethod(callback).createToken();
return 'https://script.google.com/macros/d/'+SCRIPT_ID+'/usercallback?state='+state;
}
function doGet(e){ return HtmlService.createTemplate(" <div><p><a href='<?=getURL()?>' id='start-auth'><?=getURL()?></a></p></div>").evaluate()); }
function testCallback(e){
Logger.log('myVariable1= ' + e.parameter.myVariable1); // this doesn't work
Logger.log('myVariable2= ' + e.parameter.myVariable2); // this doesn't work
return HtmlService.createHtmlOutput('<b>Success. You can close this window. !</b>')
}
However I need to return a variable to the "testCallback" method as part of a HttpRepsonse redirect. I've tried settings a cookie and also setting a header variable in my asp.net C# application as follow:
HttpCookie cookie = new HttpCookie("myVariable1");
cookie.Value = "someValue1";
cookie.Expires = DateTime.Now.AddMinutes(1);
Response.Cookies.Add(cookie);
Response.AddHeader("myVariable2", "someValue2");
Response.Redirect(applicationCallbackUri, true);
but it's not clear whether the header or cookie variables are available to Google's callback method:
function testCallback(e){
Logger.log('myVariable1= ' + e.parameter.myVariable1);
Logger.log('myVariable2= ' + e.parameter.myVariable2);
return HtmlService.createHtmlOutput('<b>Success. You can close this window.
!</b>')
}
I've also tried using the .WithArguments method when creating the a new state token, but I'm not sure if its possible for my asp.net application to update the state object's arguments as part of the redirect/return.
I've also tried appending the variable to the Google Callback URL, e.g.
https://script.google.com/macros/d/1eC5VsM2vkJXa9slM40MTKTlfARGAGyK1myMCU3AB_-Ox_jGxQaoPM8P2?state=ADEpC8w0dL6mBVmDQHX3XcYcBP0JqQ5_etc&myVariable1=someValue1
However Google throws an "invalid state" error
The event object passed to your testCallback(e) function cannot reference HTTP headers or cookies and appending arbitrary url variables to the redirect url won't work either (the authorization server that does the redirect will omit them to ensure security).
The only valid way to send state vars is using the withArguments() method. However, your Logger.log() calls won't work b/c the calls (to the testCallback(e) function) are asynchronous and they are not tracked in the editor. Instead, try enabling StackDriver Logging from the Apps Script Editor's View menu and replace those Logger.log() calls with console.log(). Your logs should then show up under StackDriver Logging in your Google API Console for the project.
The system I am working on does not use standard ASP.NET Auth/ Membership facilities for logging users in/ out. Therefore after logging the user in I want to issue a new Session ID to the user in order to prevent Session trapping/ Hijacking. The problem i have is that although I have been able to successfully create a new session with a new ID and copy the various components to the newly created session eg. session["value"]. By the end of the code excerpt below the newly created session is the current HTTPContext's session, and has the session values that were copied accross. However after performing a Response.Redirect the new session is in action, but none of the session["values"] have persisted across the two requests. As you can see from the code below i've tried adding the values to a number of collections to avail.
Any help would be amazing!! Thanks in advance
bool IsAdded = false;
bool IsRedirect = false;
HttpSessionState state = HttpContext.Current.Session;
SessionIDManager manager = new SessionIDManager();
HttpStaticObjectsCollection staticObjects = SessionStateUtility.GetSessionStaticObjects(HttpContext.Current);
SessionStateItemCollection items = new SessionStateItemCollection();
foreach (string item in HttpContext.Current.Session.Contents)
{
var a = HttpContext.Current.Session.Contents[item];
items[item] = a;
}
HttpSessionStateContainer newSession = new HttpSessionStateContainer(
manager.CreateSessionID(HttpContext.Current),
items,
staticObjects,
state.Timeout,
true,
state.CookieMode,
state.Mode,
state.IsReadOnly);
foreach (string item in HttpContext.Current.Session.Contents)
{
var a = HttpContext.Current.Session.Contents[item];
newSession.Add(item,a);
}
SessionStateUtility.RemoveHttpSessionStateFromContext(HttpContext.Current);
SessionStateUtility.AddHttpSessionStateToContext(HttpContext.Current, newSession);
manager.RemoveSessionID(HttpContext.Current);
manager.SaveSessionID(HttpContext.Current, newSession.SessionID, out IsRedirect, out IsAdded);
return newSession.SessionID;
Maybe I'm missing something here but won't this work:
Session["mysession"] = mySessionObject;
Basically it appears it's not possible since you can only add session variables once there has been one round trip to the client to create the corresponding session cookie. Therefore I had to create the new new session (with new ID) so that by the time I came to adding session variables, the client cookie had the appropriate session id: annoying since this in reality is issuing the new session ID before the user is authenticated.
Interestingly, it seems a little strange that issuing a new Session ID is exactly what the standard asp.net authentication/ membership functionality does but is able to maintain session variables, and yet doing it manually it doesn't....are there some methods for this that are not being exposed to us mere developers maybe....
I'm reading an ASPX file as a string and using the returned HTML as the source for an email message. This is the code:
public string GetEmailHTML(int itemId)
{
string pageUrl = "HTMLEmail.aspx";
StringWriter stringWriter = new StringWriter();
HttpRuntime.ProcessRequest(new SimpleWorkerRequest(pageUrl, "ItemId=" + itemId.ToString(), stringWriter));
stringWriter.Flush();
stringWriter.Close();
return stringWriter.ToString();
}
HTMLEmail.aspx uses the ItemId query string variable to load data from a DB and populate the page with results. I need to secure the HTMLEmail.aspx page so a manipulated query string isn't going to allow just anybody to see the results.
I store the current user like this:
public User AuthenticatedUser
{
get { return Session["User"] as User; }
set { Session["User"] = value; }
}
Because the page request isn't made directly by the browser, but rather the SimpleWorkerRequest, there is no posted SessionId and therefore HTMLEmail.aspx cannot access any session variables. At least, I think that's the problem.
I've read the overview on session variables here: http://msdn.microsoft.com/en-us/library/ms178581.aspx
I'm wondering if I need to implement a custom session identifier. I can get the current SessionId inside the GetEmailHTML method and pass it as a query string param into HTMLEmail.aspx. If I have the SessionId inside HTMLEmail.aspx I could maybe use the custom session identifier to get access to the session variables.
That fix sounds messy. It also removes the encryption layer ASP automatically applies to the SessionId.
Anyone have a better idea?
As far as I can see, your best bet is to pass on all the values you need inside HTMLEmail.aspx to it via the query parameters, just like you do with ItemId.
Apart from that, you can probably get away with just sending in the UserId of the user to that page and make it hit the DB (or wherever you are storing your users) to the User object, instead of trying to read it off the Session variables.
Edit:
Why don't you use:
public string GetEmailHTML(int itemId)
{
string pageUrl = "HTMLEmail.aspx";
StringWriter stringWriter = new StringWriter();
Server.Execute(pageUrl, stringWriter);
stringWriter.Flush();
stringWriter.Close();
return stringWriter.ToString();
}
instead? As far as I can see Server.Execute inherits the same http request.
I'm trying to develop an application where simultaneous users can interact and i need to have a persistent remote shared object with the list of users currently in session.
When a new user enter in the session he get the server's object with the list. That list was supose to have all the others users in session but is undefined.
I'm doing this first:
users_so = SharedObject.getRemote("users_so", nc.uri, true);
users_so.connect( nc );
users_so.addEventListener( SyncEvent.SYNC, usersSyncHandler );
then i set property to shared object
remoteUsers = new ArrayCollection();
remoteUsers.addItem(displayName);
users_so.setProperty("usersID", remoteUsers);
and finaly i put users in the list.
Thanks!
I would say, that you need to use sharedObject.setDirty("usersID");
SharedObject can't know, that you changed content of ArrayCollection, because the reference to it didn't change. You can use setDirty() to force synch.
Note: The SharedObject.setProperty()
method implements the setDirty()
method. In most cases, such as when
the value of a property is a primitive
type like String or Number, you would
use setProperty() instead of setDirty.
However, when the value of a property
is an object that contains its own
properties, use setDirty() to indicate
when a value within the object has
changed. In general, it is a good idea
to call setProperty() rather than
setDirty(), because setProperty()
updates a property value only when
that value has changed, whereas
setDirty() forces synchronization on
all subscribed clients.
I am using simple dynamic object for this. Client has read-only SharedObject and server decides when to add/remove client from this SharedObject.
m_so is SharedObject (remote), m_userList is Object (local)
if(m_so.data.userList != null) {
for (var key:String in m_so.data.userList) {
if(m_userList[key] == null) {
_addUser(m_so.data.userList[key]);
}
}
for(var clientId:String in m_userList) {
if(m_so.data.userList[clientId] == null) {
_removeUser(clientId);
}
}
}
application.onAppStart = function () {
userList = {};
so = SharedObject.get("roster", false);
so.setProperty("userList", userList);
}
application.onConnect = function (client /*Client*/, userId /*string*/) {
application.acceptConnection(client);
client.userId = userId;
userList[userId] = userId;
so.setProperty("userList", userList);
}
application.onDisconnect = function (client /*Client*/) {
var userId = client.userId;
delete userList[userId];
so.setProperty("userList", userList);
}
I found one solution that works better for me:
It consists in calling remote funcions on server and then broadcast to all clients. The clientes then apply the necessery changes making the solution a lot more stable.
I have some asp.net pages that read and write cookie values. During the life cycle of a page it may update the cookie value and then need to read it again further in the code. What I've found is that it's not getting the latest value of the cookie until a page refresh. Is there a way around this? Here's the code I'm using to set and get the values.
public static string GetValue(SessionKey sessionKey)
{
HttpCookie cookie = HttpContext.Current.Request.Cookies[cookiePrefix];
if (cookie == null)
return string.Empty;
return cookie[sessionKey.SessionKeyName] ?? string.Empty;
}
public static void SetValue(SessionKey sessionKey, string sessionValue)
{
HttpCookie cookie = HttpContext.Current.Request.Cookies[cookiePrefix];
if (cookie == null)
cookie = new HttpCookie(cookiePrefix);
cookie.Values[sessionKey.SessionKeyName] = sessionValue;
cookie.Expires = DateTime.Now.AddHours(1);
HttpContext.Current.Response.Cookies.Set(cookie);
}
What you're missing is that when you update the cookie with SetValue you're writing to the Response.Cookies collection.
When you call GetValue you're reading from the Request.Cookies collection.
You need to store the transient information in a way that you access the current information, not just directly the request cookie.
One potential way to do this would be to writer a wrapper class that with rough psuedo code would be similar to
public CookieContainer(HttpContext context)
{
_bobValue = context.Request.Cookies["bob"];
}
public Value
{
get { return _bobValue; }
set {
_bobValue = value;
_context.Response.Cookies.Add(new Cookie("bob", value) { Expires = ? });
}
}
I ran into needing to do similar code just this week. The cookie handling model is very strange.
Start using Sessions to store your information, even if it's only temporary.
Cookies rely on a header being sent to the browser before the page has rendered. If you've already sent information to the client then proceed to set a cookie, you're going to see this "page refresh delay" you've described.
If it's necessary to have this value, use a session variable between the time you set the cookie and when you refresh the page. But, even then I would just recommend avoiding settings cookies so late in the processing step and try to set it as early as possible.