Security provider not using the 'cookie options'

I’ve had this site security provider properties:

Note the domain: .k**

This made it so if a user logs in on our main domain, let’s say k.com then they also remain logged in on subdomain.k.com

Here you can see I am printing $_SESSION and see a couple of session variables, namely the globalidentity: 22

Here I am on a subdomain:


The globalidentity (which is a ‘security identify’ action) is showing false.

Some time in the last few weeks this stopped working and it’s causing a few nasty issues.

I have checked git but nothing has changed to this file… I have no idea what did change… Perhaps it’s related to Redis?

Please help me debug :slight_smile: !

Bump

I confirm the bug.

That also doesn’t work.
The module JSON is saved correctly, but having problems on php 8.1.21 and 7.0.3
@Teodor

Hey @karh, it helps if you include the Bug template details so you provide enough detail for troubleshooting.

Especially these details.

Wappler Version :
Operating System :
Server Model: 
Database Type:
Hosting Type:

It’s also helpful to know if you’re running the Stable or Beta channel in System options.

e.g. Channel: Stable

In my case

Wappler Version : 5.8.2 (stable channel)
Operating System : w10
Server Model: php
Database Type: mysql
Hosting Type: localhost (php 7.0.2) / custom hosting (8.1.21)

I can’t attach any version of the modules, but in case they can’t recreate the issue, I can provide an FTP user to the team so they can inspect why the cookie option is not rendering correctly and do some tests :slight_smile:

You’re right :slight_smile:

Wappler Version : 5.8.2
Operating System : W11
Server Model: NodeJS
Database Type: Mysql
Hosting Type: Docker

Did you use the remember me option with the login?

Not in my case, changed to one, empty, reverted to post value, nothing changes

The cookie options in the security provider are for the remember me cookie. For the session cookie you have to check the server configuration, for php in the php.ini file PHP: Runtime Configuration - Manual.

Thanks patrick, didn’t know.
It would be nice to have some info on that step, as I see many related topics.
Is there no Wappler way to handle session cookies?

See this post for details

It depends on the server being used. With PHP you have to set up the session handling in the php.ini, ASP.NET has the web.config file for configuring. For NodeJS you can edit the config.json.

For NodeJS we could probably make it editable using the UI, but for PHP we can’t since the ini file is located on your server and not within the wappler project.

Yes I’ve had that on by default for probably 6+ months.

(There’s no option, I’m just passing a hidden form field. I can give you the link in DM if you want it)

  1. Do you mean that we can edit this, for example see line 27 which is a new line:

  2. Will this apply for all session cookies set?

  3. This won’t get overwritten by wappler updates?

Edits in the config.js will be lost when that file gets an update, better to create a special user config file, it will be read by the server and extends the config.

Create a file app/config/user_config.json.

Inside it add:

{
  "session": {
    "cookie": {
      "domain": "mywebsite.com"
    }
  }
}

expressjs/session: Simple session middleware for Express (github.com)

Aha, okay interesting!

But I think we’re having 2 topics now:

@patrick

  1. I think you gave an answer to this thread: How can I set the domain for all server side session variables?
    The answer is:

Correct?

  2. The current thread we’re in with the security provider cookie settings is a bug? Or that’s also fixable by editing the config.js?

The security provider uses 2 cookies. It uses the session cookie for keeping track of the logged in user and the remember me cookie is used when the user session is expired and logs the user in again. The cookie options in the security provider properties are for the remember me cookie.
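The scoping difference between the two cookies described above, as an added example that is not part of the original posts or Wappler's code: it applies the RFC 6265 rules to Set-Cookie headers and lists which hosts would receive each cookie. The header values, the `remember_example` cookie name and the example.com hosts are constructed; `connect.sid` is the express-session default name. IP-address hosts and public-suffix checks are not handled.

```javascript
// Constructed sample headers: a session cookie without Domain (host-only)
// and a remember-me style cookie scoped to the parent domain.
const SAMPLE = [
  'connect.sid=s%3Aabc; Path=/; HttpOnly',
  'remember_example=xyz; Domain=.example.com; Path=/; HttpOnly',
];
const HOSTS = ['example.com', 'sub.example.com', 'notexample.com'];

// Extract the cookie name and its Domain attribute (null when absent).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), domain: null };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    if (i !== -1 && attr.slice(0, i).trim().toLowerCase() === 'domain') {
      // A leading dot is ignored (RFC 6265, section 5.2.3).
      const value = attr.slice(i + 1).trim().toLowerCase().replace(/^\./, '');
      if (value) cookie.domain = value;
    }
  }
  return cookie;
}

// RFC 6265 domain-match: identical host, or a subdomain of `domain`.
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Hosts from `hosts` that receive a cookie set by `originHost`.
function recipients(header, originHost, hosts) {
  const cookie = parseSetCookie(header);
  const origin = originHost.toLowerCase();
  // The browser rejects a Domain that does not cover the setting host,
  // e.g. Domain=mywebsite.com while developing on localhost.
  if (cookie.domain !== null && !domainMatch(origin, cookie.domain)) return [];
  return hosts.filter((h) => {
    const host = h.toLowerCase();
    // Without Domain the cookie is host-only: exact host match required.
    return cookie.domain === null ? host === origin : domainMatch(host, cookie.domain);
  });
}

// Map each cookie name to the hosts that would receive it.
function scope(headers, originHost, hosts) {
  const out = {};
  for (const h of headers) out[parseSetCookie(h).name] = recipients(h, originHost, hosts);
  return out;
}

console.log(scope(SAMPLE, 'example.com', HOSTS));
```

A session cookie with a parent-domain scope is sent to every subdomain of that domain, so each of those hosts has to be trusted with the session.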

Okay thanks, also helpful info!

But I think the OP is still unsolved :stuck_out_tongue:

It used to keep me logged in on subdomains, but now it doesn’t.

Any idea where it’s going wrong? I definitely have the ‘remember_me’ on.

I can DM login link and some login details if you want to check it out?

I’m trying to replicate it again now but can’t replicate it. Seems to be fixed: now when I login on either the subdomain or main domain, I’m logged in on both of them! Just how it used to be.

Very frustrating though that I have no idea why it broke and why it’s fixed…
The only thing that I did now was removing a duplicate server provider (that wappler created when I tried to resave the security provider earlier this week).

I removed one with development target enabled, yet git showed it removed something in .wappler/targets/live production/modules/
So I reverted the removal in git, and deployed again.

@patrick
Do you have any idea what could be going wrong? I still believe it’s something in the wappler config perhaps not going well. The reason I believe that is because git didn’t show anything happening to the securityprovider or other files…
But I managed to break it and fix it without knowing how.