niran

Can't keep session going when using SESSION_DRIVER=database

Here is my issue:

.env:

    SESSION_DRIVER=database
    SESSION_DOMAIN=.example.test

When using the above after every login the next route always redirects to login or expired page.

The session table is always inserting and not using the previous session that was inserted.

Also, when viewing the cookie laravel_session, value is always changed every url load.

If we do .env:

    SESSION_DRIVER=file
    SESSION_DOMAIN=.example.test

It does not happen, but we want to be able to share session between hosts using same database.

Snapey

if you remove the restriction on session domain?

niran

Hi Snapey,

if I do that I get 419 | Page Expired every time.

    SESSION_DRIVER=database
    #SESSION_DOMAIN=.example.test

    php artisan config:clear

Login again...

419 | Page Expired

niran

Then I clear the cookie and instead I get same issue

Always redirect to login screen

niran

If I use

SESSION_DRIVER=file

It works.

It has something to do with setting it to

SESSION_DRIVER=database

That is causing this issue.

niran

Yes, every time. But the cookie value is always changing. So it is not cookie related directly because the cookie is changing no matter what setting I use for SESSION_DRIVER?

niran

Here is the config/session.php

    <?php

    use Illuminate\Support\Str;

    return [

        'driver' => env('SESSION_DRIVER', 'database'),

        'lifetime' => env('SESSION_LIFETIME', 120),

        'expire_on_close' => false,

        'encrypt' => false,

        'files' => storage_path('framework/sessions'),

        'connection' => env('SESSION_CONNECTION', null),

        'table' => 'sessions',

        'store' => env('SESSION_STORE', null),

        'lottery' => [2, 100],

        'cookie' => env(
            'SESSION_COOKIE',
            Str::slug(env('APP_NAME', 'laravel'), '_').'_session'
        ),

        'path' => '/',

        'domain' => '.example.test',

        'secure' => env('SESSION_SECURE_COOKIE', false),

        'http_only' => false,

        'same_site' => 'lax',

    ];

If that helps

Snapey

I can think of a reason it would not work, but this would apply equally to database or file. The fact that it works with one and not the other is puzzling

niran

When using the database:

the sessions table's: user_id field is NULL. Could that help with resolving the problem?

Snapey

user_id will only be populated if logged in. You have sessions for guests also.

niran

Does anybody have any suggestions that I can try?

Here is an example of the sessions table

    id:            2eYD4PETxCuk4c75vdSCUUPOgxcwNcJRCuUTV4w0
    user_id:       NULL
    ip_address:    172.21.0.1
    user_agent:    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) Ap...
    payload:       YToyOntzOjY6Il90b2tlbiI7czo0MDoiNGp2ZmEwRzcyM01iNE...
    last_activity: 1604584556

Nothing looks out of the ordinary, but for some reason it does not keep the session open... it closes right after login. Is there any reason that could happen?

Any files I can check to see where the behavior is coming from?

I am using Laravel 5.8.

Thanks

Desperately trying to get database sessions working @snapey @jeffery.
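
As an added example (not from the thread and not Laravel's own code), a stand-alone PHP check of one `sessions` row: it decodes the payload and tests conditions under which a stored session would not be reused. It assumes the payload is a base64-encoded serialized array (as the `YToy...` prefix in the row above suggests), a 40-character alphanumeric session ID, and expiry by `last_activity` against `lifetime`; the function name `inspectSessionRow` and all row values are constructed.

```php
<?php
// Added example: inspect one row of the `sessions` table offline.
// Assumptions: payload = base64(serialize(array)); session IDs are 40
// alphanumeric characters; a row counts as expired when last_activity is
// older than the configured lifetime (in minutes).

function inspectSessionRow(array $row, int $lifetimeMinutes, int $now): array
{
    $id = $row['id'];
    $report = [
        'id_valid'  => is_string($id) && ctype_alnum($id) && strlen($id) === 40,
        'expired'   => (int) $row['last_activity'] < $now - $lifetimeMinutes * 60,
        'has_token' => false,
        'keys'      => [],
    ];

    $raw = base64_decode($row['payload'], true); // strict mode: false on bad input
    if ($raw === false) {
        return $report + ['error' => 'payload is not valid base64'];
    }

    // Never let stored session data instantiate objects while inspecting it.
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return $report + ['error' => 'payload does not unserialize to an array'];
    }

    $report['keys'] = array_keys($data);
    $report['has_token'] = isset($data['_token']) && is_string($data['_token']);
    return $report;
}

// Constructed sample row (values are made up, not taken from the thread).
$now = 1700000000;
$row = [
    'id'            => str_repeat('a1B2c', 8), // 40 alphanumeric characters
    'user_id'       => null,
    'payload'       => base64_encode(serialize([
        '_token' => str_repeat('x', 40),
        '_flash' => ['old' => [], 'new' => []],
    ])),
    'last_activity' => $now - 30,
];
print_r(inspectSessionRow($row, 120, $now));

// Same row with the stored payload cut short: decoding succeeds, unserialize fails.
$row['payload'] = substr($row['payload'], 0, 40);
print_r(inspectSessionRow($row, 120, $now));
```

Running it against a real row copied from the table shows whether the stored `_token` survives a round trip, independently of the cookie the browser sends.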

niran

Hi @snapey @jeffery,

I decided to turn on APP_DEBUG=true and the debugger bar shows:

CSRF token mismatch. /var/www/html/vendor/laravel/framework/src/Illuminate/Foundation/Http/Middleware/VerifyCsrfToken.php

niran

I have updated my last post to make it user friendly, more viewable. If you click the View Image Full Size it will load the image in another tab for convenience so you can see it at full size :)

niran

How about this?


    /**
     * Determine if the session and input CSRF tokens match.
     *
     * @param  \Illuminate\Http\Request  $request
     * @return bool
     */
    protected function tokensMatch($request)
    {
        $token = $this->getTokenFromRequest($request);

        dnd([
            __METHOD__,
            '$request->session()->all()' => $request->session()->all(),
            '$request->session()->token()' => $request->session()->token(),
            '$request->session()->getAttributes()' => $request->session()->getAttributes(),
            '$request->session()->getVar()' => $request->session()->getVar('_token'),
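            // Token sent with the request, under its own key so it does not
            // overwrite the session token entry above.
            '$token (getTokenFromRequest)' => $token,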
            'is_string($request->session()->token())' => is_string($request->session()->token()),
            'is_string($token)' => is_string($token),
        ]);

        return is_string($request->session()->token()) &&
               is_string($token) &&
               hash_equals($request->session()->token(), $token);
    }

output of dnd (same as dd but does not die)

Something is not correct

To Store.php I added:

    /**
     * @return array
     */
    public function getAttributes() {
        return $this->attributes;
    }

    /**
     * @param $key
     * @return mixed
     */
    public function getVar($key) {
        if (isset($this->attributes[$key])) {
            return $this->attributes[$key];
        }
    }
  • When I run getVar('_token') I get _token
  • When I run getAttributes() I get the _token
  • When $request->session()->token() runs it returns null.

here is public function token


    /**
     * Get the CSRF token value.
     *
     * @return string
     */
    public function token()
    {
        return $this->get('_token');
    }

    /**
     * Get an item from the session.
     *
     * @param  string  $key
     * @param  mixed  $default
     * @return mixed
     */
    public function get($key, $default = null)
    {
        return Arr::get($this->attributes, $key, $default);
    }

Snapey

But you are sure it all works fine if you use file based session management?

niran

And @snapey the tokens don't match. I think because it uses file it does not care about if the tokens match or not?

Snapey

The process is the same, I think, for both file and database. CSRF is a secondary consideration to session maintenance since it uses the session to remember the CSRF token. No session reliability, then CSRF will never work.

niran

Hi @snapey

Here is something interesting

in my blade template I have

    <meta name="csrf-token" content="7Oo2Ks3DuoBSdEruffYJeL3Z8mPk6yKtEMDj03DH">

in the login form:

    <input type="hidden" name="_token" value="7Oo2Ks3DuoBSdEruffYJeL3Z8mPk6yKtEMDj03DH">

Both are on the same page. After login it can load but one page of any kind (that requires login) and then the tokens do not match again. The database session driver is using the cookie value for checking if the session is valid. You can see that in the previous posts.

To test the theory above, with the blade template, I made the redirect on login go to a page that does not exist. Then I manually go to that URL and it loads the page. If I then reload the page or go to another URL, it will log me out due to a change in session.

niran

You are right, it is not related to CSRF token as I disabled the Middleware and it still works the same. So then it really does have something to do with the database session.

niran

Okay, so I could not ever get Database sessions and I don't know why... moving on....
