ZF3 - ZfcUser cant take identity from session - zend-framework3

I have very strange problem. I use ZfcUser as authentication module. I made a lot of projects on lot of different environments using ZF3 and ZfcUser module. I have nevere experienced such kind of problem which I will explain bellow. In my current project I cant login into system on production server. I succesfuly log from local env, or other test environments.
I try to investigate whats going on. I went to login page on production, entered my credentials and system redirects me to home page. No errors, no warnings... notihnig. But I was not logged in. I check the identity from the framework (identity()) - it was null. I thought that may be it is server issue with the php sessions. I checked the sessions on server. It appears that the problem was not there.
The framework succesfully stored the data it needs in sessions. I found the Zend_Auth key, the identity key and the value for logged user. It seems that with php sessions everything is OK.
I am powerless and cant even think about what is going on here and where is the problem. No errors are thrown. I trace the execution of code on local and production environment. Everything is same. The frameworks seems to work properly. But the IDENTITY is allways null

Found the problem.
So, the site was runing under a subdomain. Let say sub.domain.tld. This site is different from main domain which is domain.tld. In the programm code, the favicon of application was requested form the domain.tld not from the sub.domain.tld.
As a result when you hit the http://sub.domain.tld the browser stores two PHPSESSID cookies. One under sub.domain and another under domain.tld which couses Chrome to messed up
Interesting is that, Firefox and IE didnt messed with the sessions and the site was working porperly. I dont say that Crhome is guilty. Obviously the programm code was cousing the problem. But Chrome recognize that one domain is sub domain of the other
Thats why, when I was trying to run project on different environments as local setup or different domain e.g. test.different-domain.tld, ther were again two PHPSESSID cookies set, but in this time Chrome didnt messed up with the sessions becouse test.different-domain.tld is not recognized as subdomain of domain.tld
Very small and silly mistake, but cousing big problems

Related

users unable to login to Plone site

Here is the problem that I'm having. Often times, I cannot login to my Plone site. Other users have the same issue as well. Basically what happens is that when I click "Log In", the web page just refreshes but it doesn't log me in. In order to correct this problem, I had to clear the browser history and cookies in order to log in successfully. Sometimes I had to do this a few times in order to work. I would like at least 50% of the time I had to clear the history before I can login. Other times, it just works and it logs me in without any issue.
This problem started quite some time ago, perhaps almost a year now. I just never had time to look into it. However it seems like this problem is related to newer version of web browsers because I never had this problem before around one year ago.
I'm running Plone version 4.0.4. Can anyone suggest how I should troubleshoot this problem? Should I upgrade a particular component within my Plone setup?
FYI, I'm using the building authentication component and not anything external like LDAP. I manage my users in Site Setup -> Users and Groups.
Thanks in advance.
Things to look into:
go to /acl_users/session/manage_propertiesForm and check the settings here to make sure they make sense
check cookie settings for if they are valid on non-ssl and that you are logging in via ssl urls.
use a web browser web inspector(like chrome) and inspect that login cookies are set properly after you're logged in(look for the __ac cookie)
Finally, look into your caching. If you're using plone.app.caching, make sure to NOT cache for logged in users. If you're overriding caching at the web server, make sure you're not caching when the __ac cookie is present.
If you're not caching at the web server, make sure cache headers for the browser are also getting set appropriately
inspecting caching will also require using a browser to inspect the headers getting returned

ASP.NET Initial Load in Production - IPrinciple Isnt Set

I've got a situation that I'm a little confused by as I cannot replicate it on any of my other environments.
The site is still in development and therefore has practically no traffic other than the two of us working on it. So if the site is in a dormant state (all IIS instances closed etc) when I first log in the IPrinciple doesn't get set correctly (in time?) and so subsequent security checks obviously fail. I can then immediately go back to the login page, perform an identical log in and all is fine.
This also occurs irrespective of which user I test with so it's not specific to an account.
I can then log in and log out with any user accounts and this never occurs again. This never occurs in Development on my local machine and I also have an instance of the system in my local IIS instance I use as a faux staging environment. I only ever see this on an idle Production environment.
What can I do to prevent this situation from ever occurring? Is this also suggesting there maybe an issue elsewhere?
After having done a bit of experimentation it turned out that the problem was only manifesting in Google Chrome. All other browsers were performing as expected.
The solution was actually an oversight on my part. It seems Google Chrome has stricter rules around how cookies are dealt with in relation to domains.
Setting the domain attribute on the authentication cookie fixed the issue and now Google Chrome also logs in as expected.

ServiceStack google OpenID suddenly not logging in

Got a site still in dev that uses ServiceStack's Open ID implementation to sign in users. It's been working fine all this time, suddenly today morning Google's OpenID login started failing, Facebook still authenticates fine. No error is thrown, just redirects back to the default url with this appended to it:
#f=Unknown
On my localhost it works flawlessly, both Google and FB login ok, only in production does it fail. I have tried quite a lot:
Re-verified each and every file in my asp.net bin folder compared with local and production, no difference.
Re-routed the production domain name to my localhost (in the hosts file), in hopes to step through the creation of the session. No luck, still signs in flawlessly.
Connected via remote desktop to the server and tried logging in on it as localhost, fails. (yea, WTH?).
Is there a way I can get a log of what is going on as the authentication is happening? or does anyone have an idea of what could be the issue?
On a side note: I recently changed dns settings for the domain name and moved it to this new server, but that was around 3-4 days ago, and it's been working fine all this time, until today morning. Also noticed that a reverse DNS lookup on my IP resolves to a different domain, investigating that right now.
UPDATE
This issue reared it's ugly head again this morning. I'm not sure what could be causing it but I suspect windows automatic time synchronization to be somehow throwing things off. I'm turning it off and going to keep an eye on things to see if it returns. Also, this issue seems to throw my SSL settings into chaos, i have to manually reset IIS's SSL bindings in order for things to work, even WebDeply is affected. Very strange.
UPDATE 2
Issue happened again today. I'm now suspecting it's somehow related to IIS's web deploy feature cause it happened immediately after I published my site. Also now realised that I don't need to reboot, a simple iisreset seems to fix it. Will keep monitoring.
FINAL UPDATE
I finally found the culprit. Time. My virtual server was gaining time very fast and every few days it would be ahead of most other servers and so the authentication would fail. The limit seemed to be around 3-5minutes, within that range, the authentication works okay. More than that, it fails. To get around it, simply enable time syncing and it should not re-appear.
You can check your production server clock. The OpenID request synch with the internet time in order to validate the request. If the clock is off or it was off for a while just reboot and the problem will be solved.

ASP.NET sites unintentionally sharing login cookie

I have a few ASP.NET sites running on one IIS server, of course using different ports. The sites allow for logging in via forms authentication. Session state is stored on a local state server. My problem is that when a user logs into one sites and then navigates to another, they get an exception from the second site and have to close/reopen their web browser to be able to access it. My guess is that the cookie from the first site is making it appear that they're logged in on the second one as well (though I could be completely wrong about this).
I've tried a few things to fix it (which are probably dumb and have nothing to do with the problem, but I'm far from an ASP.NET expert) including:
1) giving the sites different cookie names in Web.config's sessionState tag, and
2) Moving the sites to different app pools, but the problem persists. Any help would be appreciated.
I'd recommend setting up different domains for each site. If this is local, use the host file to route local.site1.com and local.site2.com to the correct place. Obviously you'll have to keep the port. Then you should be setting cookie with a different domain for each site and not causing the confusion.

Suspected loss of session state in IIS 6

I have an ASP.NET web site that responds with multiple skins depending on the domain that it is accessed via.
The problem is that authentication and some other features seem to suffer random glitches where the user is sent back to the log in screen, or other session controlled values appear to have been lost - but only when accessed via one of the domains. The other domain does not suffer the same issue.
On our test system, the issues DOES NOT exist when accessing via any domain. On live, the issue will happen at varying times during the session, even with identical steps followed. It is for these reasons that I don't think it is a bug in the application software.
On the live system, where the issue is, two websites are set up in IIS, each with bindings to the required domain. One accesses the site through a virtual directory at http://mysite.com/myvirtualdir, the other accesses the site at the root path at http://myalternatesite.com/. I don't think that the virtual directory is the issue however.
I've now solved my problem, though still not sure what the exact cause was.
I opened up website properties for the two websites in IIS, the one that worked and the one that didn't and compared properties.
For anyone else trouble shooting this issue, these are the steps that I took, in order of how likely I think they were to be the cause of the issue.
Second website was using Default app pool. There is nothing particular about the Default app pool settings on this server that would cause session to be lost from what I can see, but I have now changed to use the same app pool as the site that was working all along.
Disabled windows authentication to match the working website.
Changed default documents so that only the required document was listed.
Limited connections to 500 to match the working website.
Hope this is of use to somebody else.

Resources