I'm trying to "add" (link) another account to an already created user. The user clicks a link button, is redirected to a 3rd party website, logs in, and is redirected back to the app, to the login callback.
And there's the problem. Now when I try to access auth()->user() or Auth::something at all, the user session is gone. I was looking for an answer and I found something about the same_site setting and cross-site sessions, which makes sense. When I set it to "null" it works, but I'm concerned about the security of the app. Is it okay being null?
Can I somehow "whitelist" only my 3rd party login page?
What I don't understand is why the session has gone.
Can you share some code to help us understand ?
@vincent15000 Sure.
I generate a login link and redirection URL, then redirect the user to the different page.
```php
public function connectSkautis()
{
    if (!is_null($this->skautis)) {
        return;
    }

    $app_id = env('SKAUTIS_APP_ID');
    $test_mode = env('SKAUTIS_TEST_MODE');
    $skautis = Skautis::getInstance($app_id, $test_mode);
    $url = $skautis->getLoginUrl('settings/' . auth()->id());

    return redirect($url);
}
```
After successful login, the user is redirected back to my site to the callback route and 'loginSkautisCallback()' function in UserController. In this function, I can't call auth()->user(), because my login session is wiped.
I have read your post once again: you mean that you have a button and when you click on the button it connects another user?
@vincent15000 In fact yes, it works like that. You're logged in as a regular user (locally), then you go to the settings and click "link" to connect your account with a 3rd party website (like Google). Then you can log in to the app with a Google account.
The issue is, when you're redirected to the login page of the 3rd party website and then come back, your local login session is lost.
Google is the only example, Google login operates via Laravel Socialite and that is working just fine.
@DaemonKeen I really don't understand because what you say is contradictory: you say yes to my question (do you connect as another user), and now you say that it's for example to connect to the app with the Google account. I can't help you if you don't explain clearly what you need.
@vincent15000 Ok, I'll sum up what I'm trying to accomplish. I'm trying to connect external accounts (like Google, GitHub, Twitter etc...) to the regular one.
Now you can log in to the app via 3rd party website (service you've linked with your account). Same as "Login with Google/Facebook" buttons.
The problem occurs, when I'm trying to process the callback, my login session is refreshed. That means I cannot access auth()->user().
@DaemonKeen Ok that's clearer. But I'm not sure that you can do that.
You want to be able to log in to Facebook with a Facebook button on your app? That means that Facebook should have integrated this feature and use an API that you would create and share with Facebook.
But the reverse situation is possible. If some user has, for example, a Google account and wants to log in to your application, you can use the Google API to log in to your application using the Socialite package. This is possible to create and/or log in to your application.
@vincent15000 I'm glad you understand now. I have login via 3rd party website already implemented. Now I'm talking about linking an additional account to your existing one.
A good example is Ubisoft. You can link another account to your Ubisoft account. I can't send a link here, because of my new account, but you can google it by "Linking your Epic Games and Ubisoft accounts". Then the accounts are connected/linked.
Citation of instructions from their website: "Launch any Ubisoft game from the Epic Games Launcher. • From the pop-up, select Link your account. This will open a new window in your default web browser. • Log in to your Ubisoft account. If you do not already have an account, select Create a Ubisoft account."
I know the problem is in the same_site session setting in the session.php config. It's set to lax by default. When I set it to null, the auth() functionality works all good. But my question is: Is it secure? Can I leave it at "lax" and whitelist only the service login page?
@DaemonKeen Ok, now it is clearer once more. I really didn't understand this.
Setting same_site to null is not a good idea, but defining a whitelist is a good choice.
I think that you don't have any choice (according to me) if you want to do that.
I was in the same situation with a client for which I developed an application. He wanted to embed another website in a view in his application and the only way was to authorize this website in the headers.
You just need to pay attention not to authorize all, but only the whitelist.
But I've never done what you are trying to do. Perhaps the opinion of somebody else would be welcome ;).
@vincent15000 How exactly can I achieve this?
@DaemonKeen My problem was solved with the headers, but your problem is a session problem and I don't know what to do.
Perhaps this page will help you.
@vincent15000 Thank you for your help. Maybe someone else will comment on this issue.
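An added example, not code from this thread or from the Skautis library: SameSite is an attribute of the cookie and has no per-site allowlist, and a `lax` cookie is not sent on a cross-site POST, so one way to keep `same_site` at `lax` is to stop relying on the session in the callback and instead carry a signed, short-lived token that names the local user. The function names, `LINK_TTL`, and the assumption that the provider returns by POST and echoes back the value passed to `getLoginUrl()` are all hypothetical; the token would replace the raw `auth()->id()` in that back link.

```php
<?php
declare(strict_types=1);

// Added example: HMAC-signed "link state" so the callback can identify the
// local user without the session cookie. All names here are hypothetical.
const LINK_TTL = 300; // seconds a link attempt stays valid

function b64url(string $raw): string
{
    return rtrim(strtr(base64_encode($raw), '+/', '-_'), '=');
}

function makeLinkState(int $userId, string $key, ?int $now = null): string
{
    $payload = b64url(json_encode([
        'uid'   => $userId,
        'exp'   => ($now ?? time()) + LINK_TTL,
        'nonce' => bin2hex(random_bytes(16)), // makes every token unique
    ]));
    return $payload . '.' . b64url(hash_hmac('sha256', $payload, $key, true));
}

function verifyLinkState(string $state, string $key, ?int $now = null): ?int
{
    $parts = explode('.', $state);
    if (count($parts) !== 2) {
        return null; // not in payload.mac form
    }
    [$payload, $mac] = $parts;
    $expected = b64url(hash_hmac('sha256', $payload, $key, true));
    if (!hash_equals($expected, $mac)) {
        return null; // tampered, or signed with a different key
    }
    $data = json_decode((string) base64_decode(strtr($payload, '-_', '+/')), true);
    if (!is_array($data) || !is_int($data['uid'] ?? null) || !is_int($data['exp'] ?? null)) {
        return null; // payload does not have the expected shape
    }
    return $data['exp'] >= ($now ?? time()) ? $data['uid'] : null;
}

// Constructed demo values; a real key would come from application config.
$key   = random_bytes(32);
$state = makeLinkState(42, $key);
var_dump(verifyLinkState($state, $key));               // unmodified token
var_dump(verifyLinkState($state . 'x', $key));         // tampered signature
var_dump(verifyLinkState($state, $key, time() + 600)); // checked after expiry
```

In the callback, link the provider identity to the user id returned by `verifyLinkState()` only when it is not `null`, and record the nonce as used so the same token cannot be accepted twice.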