session_id restart after one time use in endpoint
7 years 2 months ago #6308
by vacidesign
As a temporary fix using jQuery I've added:
    // send cookies (and accept Set-Cookie) on cross-origin XHR requests
    $.ajaxSetup({
        xhrFields: {
            withCredentials: true
        }
    });
which allows the cookies to be passed. However, it doesn't resolve the underlying issue of session_id essentially getting ignored after the 1st attempt. I haven't had much luck trying to fix it as of yet.
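The withCredentials flag above is only half of the arrangement: the browser attaches the session cookie to a cross-origin request only when the server also answers with Access-Control-Allow-Credentials: true and an explicit (non-wildcard) Access-Control-Allow-Origin, and the cookie itself must carry SameSite=None; Secure to be sent cross-site at all. The Node.js snippet below is an added example, not code from the thread or from jBackend; the origins, header names, cookie name and API path are assumptions.

```javascript
// Added example (not jBackend/Joomla code): the server side of "withCredentials".
// Origins and paths below are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  'https://app.example',   // assumed front-end origin that calls the REST API
  'https://admin.example', // assumed second allowed origin
]);

// Build the CORS response headers for one request. Returns null when the
// Origin is not on the allow list, so the caller sends no CORS headers at all
// and the browser refuses to expose the response to the calling page.
function corsHeadersFor(origin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string' || !allowedOrigins.has(origin)) return null;
  return {
    // Echo the single matching origin. Browsers reject '*' when credentials
    // are in play, and blindly reflecting the Origin header would let any
    // site read the authenticated response.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
    // Responses differ per Origin, so shared caches must key on it.
    'Vary': 'Origin',
  };
}

// Guard against allow-list entries that would silently defeat the check
// ('*', the literal 'null' origin sent from sandboxed frames, non-https).
function isSafeAllowList(allowedOrigins) {
  for (const o of allowedOrigins) {
    if (o === '*' || o === 'null') return false;
    if (!/^https:\/\/[a-z0-9.-]+(:\d+)?$/i.test(o)) return false;
  }
  return true;
}

// Set-Cookie value for the session cookie. Without SameSite=None; Secure a
// current browser drops the cookie on cross-site XHR/fetch even when the
// client asked for credentials. Cookie name is assumed.
function sessionCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=None`;
}

// Browser-side counterpart of $.ajaxSetup({xhrFields: {withCredentials: true}})
// using fetch. Not executed here; the path is assumed.
function loadProfile(apiBase) {
  return fetch(`${apiBase}/profile`, { credentials: 'include' });
}

module.exports = { corsHeadersFor, isSafeAllowList, sessionCookie, loadProfile, ALLOWED_ORIGINS };
```

The practical check when debugging "cookies not sent" is to look at the preflight response: if Access-Control-Allow-Origin is `*` or Access-Control-Allow-Credentials is missing, no client-side setting will make the browser attach the cookie.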
7 years 2 months ago #6309
by admin
You are right: with the latest version only the first request works; after that, the session id is deleted and no longer works. I am working to fix it.
Thanks
7 years 2 months ago #6319
by vacidesign
It may be worth moving away from Joomla's session ID and instead incorporating something like JWT stateless authentication (jwt.io/#libraries) passed through headers, e.g. Authentication: bearer {token}. It can run without the database, although incorporating a custom "token" table in jBackend would enable token revocation functionality.
7 years 2 months ago - 7 years 2 months ago #6320
by admin
The problem is that you need to "reload" the user's session for the authenticated user. This session is identified by its session_id, and Joomla supports only cookies to save the session on the client side. If you can't send the cookie, Joomla won't identify the session. This is true regardless of the "alternative" method you would like to add to identify the session (it could be a JWT, as well as a session_id token).
When the cookie is not sent (e.g. in a REST request), Joomla creates a new "guest" session with its own session_id, and by the time jBackend must identify the user, Joomla has already done this, so jBackend needs to replace the existing session with the one associated with the session_id.
With the latest Joomla versions, the session restart trick doesn't work anymore, so I need to find a way to get the same result using a different approach. And I'm still thinking about it... all suggestions are welcome.
Kind regards,
Luigi
Last edit: 7 years 2 months ago by admin.
7 years 2 months ago - 7 years 2 months ago #6321
by vacidesign
I've got JWT working for jBackend using HS512 (I've overridden the user plugin on a local build, and the libraries for RS256, HS256, etc. are there), but it's not comprehensive enough as of yet (I'd like more parameters to enable database checking / token revoking, and deeper integration to tell Joomla what's going on).
Simply put, I create a JWT token after a successful login, which the client keeps. Then, for each call after that, I can check both the JWT and cookies (for the browser). The JWT side validates the token against a private key (I've got that in a locked config.php file for speed, but it could be in the component options stored in the db for more global / friendly use), and if it hasn't been tampered with I can take the uid from the token and get the user from there. Then your usual JFactory::getUser($uid), and you can do everything you need from there.
If you want, I can share a private GitHub repository with you?
P.S. The JWT library checks both the validity (based on the signature with the private key) and the expiry of the token.
Last edit: 7 years 2 months ago by vacidesign.
7 years 2 months ago #6335
by admin
Hi,
sorry for the delay, but I am already working to fix this and other issues related to the latest Joomla version. I will release the next version within a couple of days, and all active subscribers will receive a mail notification.
BTW, thank you for your offer, but as I told you my problem is not dealing with the user authentication (I already know how to do this); I need to reload / replace the user session. JWT support will probably be added in the next version, but it is independent of this problem.
Kind regards,
Luigi