Yii2: HttpBasicAuth broke Session

Created on 17 Feb 2018 · 15Comments · Source: yiisoft/yii2

Using HttpBasicAuth makes Session unusable, because PHPSESSIONID regenerates to new every request. Authentication is working fine, but session become empty.

Example, adding auth behavior.

class Sync1CModule extends Module {
    public function behaviors() {
        return [
            'basicAuth' => [
                'class' => HttpBasicAuth::class,
                'auth' => function($username, $password) {
                              ... 
                }
            ]
        ];
    }
}

The reason is in yii\web\User::switchIdentity()

    public function switchIdentity($identity, $duration = 0)
    {
         .................
        $session = Yii::$app->getSession();
        if (!YII_ENV_TEST) {
            $session->regenerateID(true);
        }
       ..................
}

| Q | A
| ---------------- | ---
| Yii version | 2.0.13
| PHP version | 7.0
| Operating system | Debian 8

bug

Source

dicrtarasov

All 15 comments

                'auth' => function($username, $password) {
                              ... 
                }

What's inside?

SilverFire on 17 Feb 2018

Not matter.... strcmp username and password.

 $session = Yii::$app->getSession();
        if (!YII_ENV_TEST) {
            $session->regenerateID(true);
        }

destruct session anytime.

dicrtarasov on 17 Feb 2018

Not matter.... strcmp username and password

No, it matters. Please, post the code here

SilverFire on 17 Feb 2018

👍1

Thanks for posting in our issue tracker.
In order to properly assist you, we need additional information:

When does the issue occur?
What do you see?
What was the expected result?
Can you supply us with a stacktrace? (optional)
Do you have exact code to reproduce it? Maybe a PHPUnit tests that fails? (optional)

Thanks!

_This is an automated comment, triggered by adding the label status:need more info._

yii-bot on 17 Feb 2018

Ok :))))))

$user = UserModel::find()->where(['email' => $username])->one();
return !empty($user) && $user->validatePassword($password) ? $user : null;

So usermodel returned ok, authentication done, so how it prevent yii\web\User from

if (!YII_ENV_TEST) {
            $session->regenerateID(true);
        }

My workaround is to set User::$enableSession to false.

dicrtarasov on 17 Feb 2018

Would you please check if it works with 2.0.13.1?

samdark on 17 Feb 2018

Already have 2.0.13.1

dicrtarasov on 17 Feb 2018

define('YII_ENV_TEST', true) is also workaround :)))

dicrtarasov on 17 Feb 2018

Would you then please try code from master branch?

samdark on 17 Feb 2018

ok, 15 minutes, please ...

dicrtarasov on 17 Feb 2018

same result, PHPSESSIONID changes every request.
To resolve this problem temporary I have to turn session off:

\Yii::$app->user->enableSession = false;

dicrtarasov on 17 Feb 2018

https://image.prntscr.com/image/fLdy8MalQcKL3e0mBVTL3A.png

dicrtarasov on 17 Feb 2018

Thank you for the report, fixed. Please, try code in master branch to confirm

SilverFire on 17 Feb 2018

@dicrtarasov did the fix solve your problem?

SilverFire on 17 Feb 2018

Thank you very mutch. Your modification of User component completely fix this problem.

dicrtarasov on 18 Feb 2018

👍1

Was this page helpful?

0 / 5 - 0 ratings

Related issues

there's no way to limit results in a hasMany relation

jpodpro · 3Comments

Enhancement: ActiveRecord::link()

Locustv2 · 3Comments

could not find driver: Caused by: PDOException

newscloud · 3Comments

Failed to create the object for unknown reason.

psfpro · 3Comments

Question: How to disable extension bootstrapping?

schmunk42 · 3Comments