Laravel - Auth Session not expiring after browser close - authentication

I am having a problem about sessions, or cookies, I didn't understand the reason.
I log on to my site with Auth::attempt($userdata, false), which means Laravel should not remember my login, but it remembers whether I use true or false in attempt function.
in app/config/session.php, variables are determined as
'lifetime' => 120,
'expire_on_close' => true,
Also, when I log in with Auth::attempt($userdata, true), 'Auth::viaRemember()' function returns false.
Edit: Question solved. Cause of the problem is Chrome. See my answer for detailed information.

It is a desired behavior to be logged in after you re-open the browser.
You can change this in app/config/session.php by setting
'expire_on_close' => true,

I have solved my own question. It appeared that the problem is Chrome's problem. It continues to work in background, so the cookie values do not disappear. I tried my app with firefox and works perfectly.
For more info: https://code.google.com/p/chromium/issues/detail?id=128513

Related

How to detect private browsing in iOS 11 Mobile Safari or MacOS High Sierra Safari?

On the new iOS 11 Safari and MacOS High Sierra Safari, that trick of seeing if window.localStorage.setItem('test', 1); (see https://stackoverflow.com/a/17741714/1330341) throws an error no longer works, because it no longer throws an error, and it also properly sets the localStorage item. Has anyone figured out any other way to check for private browsing mode in the new versions of Safari?
Haven't actually tried it, but from reading Apple's document:
https://support.apple.com/kb/ph21413?locale=en_US
It lists various characteristics of private mode browsing (~snip):
When you use a Private Browsing window:
Each tab in the window is isolated from the others, so websites you
view in one tab can’t track your browsing in other tabs.
Safari doesn’t remember the webpages you visit or your AutoFill
information.
Safari doesn’t store your open webpages in iCloud, so they aren’t
shown when you view all your open tabs from other devices.
Your recent searches aren’t included in the results list when you use
the Smart Search field.
Items you download aren’t included in the downloads list. (The items
do remain on your computer.)
If you use Handoff, Private Browsing windows are not passed to your
iOS devices or other Mac computers.
Safari doesn’t remember changes to your cookies or other website
data. Safari also asks websites and others who provide those sites
with content (including advertisers) not to keep track of your
browsing, although it is up to the websites to honor this request.
Plug-ins that support Private Browsing stop storing cookies and other
tracking information.
From the above, in particular I found interesting that Safari specifically asks websites to "not track" the browsing. This could potentially be a mechanism to look for, to determine if using private browsing.
See this answer for an example:
Implementing Do not track in asp.net mvc
Again, haven't tested and unsure if it will work, but if not the list provides other potential options. HTH.
I find a solution here:
https://gist.github.com/cou929/7973956#gistcomment-2272103
var isPrivate = false;
try {
window.openDatabase(null, null, null, null);
} catch (_) {
isPrivate = true;
}
alert((isPrivate ? 'You\'re' : 'You aren\'t') + ' in private browsing mode');
Hope it helps :)
Quote from apple's website. https://support.apple.com/kb/ph21413?locale=en_US
Websites can’t modify information stored on your device, so services
normally available at such sites may work differently until you turn
off Private Browsing
So, store a test variable, change its value, then read the test variable.
If you get an exception, are unable to find the variable, the value didn't change or you get a null/undefined value back, they are most likely in private mode.
Alternatively, in private browsing, you have no stored search history accessible. So, redirect to a new page in your site on startup and then test if you have any previous history. If not and the fact that you are getting a Do Not Track most likely means your in private mode on safari.
Please note that I have not tested this. This is based off the information provided by Apple in the above link.
Thing that I realized is Safari throws a "Quota Exceeded" error in the Private mode. So here is what I did!
isPrivateMode: function () {
if (localStorage.length === 0) {
try {
localStorage.setItem('isLocalStorageAvaialble', 'That is being tested!');
localStorage.removeItem('isLocalStorageAvaialble');
return false;
} catch (e) {
return true;
}
}
}
Checking the length of localStorage is important for the fact that, if you are trying this method on a browser that supports localStorage, but is full, you still will get the "Quota Exceeded" error.
In private mode, the length of localStorage is always 0.
Hope this helps!

Session lost while on PythonAnywhere Web2Py but NOT locally

I use a session variable to pass some info with a redirect:
session.OrigText = XML(str(OrigText))
redirect(URL('SearchResultsOrigText'))
It arrives at the new URL / page / view - SearchResultsOrigText - and works Ok.
But when from that new URL - SearchResultsOrigText- I navigate away (and it doesn't matter where I go from this new page), when returning with the 'back" button of the browser, the session.OrigText is now empty (showing as 'None').
This behaviour is happening only on PA and not locally.
I do not use session.forget anywhere in my code.
Trying to pass the 'html heavy' content in the OrigText as a dictionary variable (not a session variable) gets me into another interesting issue...Python Anywhere says "Something's wrong 502- Back End".
(Silent failing ?) This happens on PythonAnywhere but NOT locally as well.
Sanitizing this var doesn't help...
But let's focus on the first question...
Why is the session variable lost after 1.redirect and 2.leaving the new page / view - when hosted on PythonAnywhere and NOT locally ?
Thanks
Flask sessions, by default use cookies, so it's possible that somewhere in your settings you have a setting for what domain to set the cookies on and that is not set correctly. It's also possible that you haven't set a secret key for sessions.
I faced the same problem recently in PythonAnywhere. I solved it by deleting my domain's cookies from Firefox. I still don't know how they were messed up, though.
Make sure there is no "session.forget(response)" in your code or framework code along the way.

Javascript split working incorrectly in IE

I have one page checkout. My OPC works fine with other browsers but I get a fatal error with IE. IE's Javascript console says Object doesn't support this property or method.. The method in question is var items = field_name.split(reg) from the file: order-address.tpl.
I have no idea what is causing the problem. Because of this error, I cannot login properly from one page checkout when using IE. It seems that there are a lot of people with the same problem. What's the issue?
This error is present in 1.4.9, 1.4.10, and 1.5.3.
SOLVED. It turns out the issue is not with coding but with settings of IE.
All I had to do was reset IE from Tools => internet options => advanced => reset (including personal settings)
That did it for me. Thank you altafhussain for trying to help me out.

Reliably getting favicons in Chrome extensions, chrome://favicon?

I'm using the chrome://favicon/ in my Google Chrome extension to get the favicon for RSS feeds. What I do is get the base path of linked page, and append it to chrome://favicon/http://<domainpath>.
It's working really unreliably. A lot of the time it's reporting the standard "no-favicon"-icon, even when the page really has a favicon. There is almost 0 documentation regarding the chrome://favicon mechanism, so it's difficult to understand how it actually works. Is it just a cache of links that have been visited? Is it possible to detect if there was an icon or not?
From some simple testing it's just a cache of favicons for pages you have visited. So if I subscribe to dribbble.com's RSS feed, it won't show a favicon in my extension. Then if I visit chrome://favicon/http://dribbble.com/ it won't return right icon. Then I open dribbble.com in another tab, it shows its icon in the tab, then when I reload the chrome://favicon/http://dribbble.com/-tab, it will return the correct favicon. Then I open my extensions popup and it still shows the standard icon. But if I then restart Chrome it will get the correct icon everywhere.
Now that's just from some basic research, and doesn't get me any closer to a solution. So my question is: Is the chrome://favicon/ a correct use-case for what I'm doing. Is there any documentation for it? And what is this its intended behavior?
I've seen this problem as well and it's really obnoxious.
From what I can tell, Chrome populates the chrome://favicon/ cache after you visit a URL (omitting the #hash part of the URL if any). It appears to usually populate this cache sometime after a page is completely loaded. If you try to access chrome://favicon/http://yoururl.com before the associated page is completely loaded you will often get back the default 'globe icon'. Subsequently refreshing the page you're displaying the icon(s) on will then fix them.
So, if you can, possibly just refreshing the page you're displaying the icons on just prior to displaying it to the user may serve as a fix.
In my use case, I am actually opening tabs which I want to obtain the favicons from. So far the most reliable approach I have found to obtain them looks roughly like this:
chrome.webNavigation.onCompleted.addListener(onCompleted);
function onCompleted(details)
{
if (details.frameId > 0)
{
// we don't care about activity occurring within a subframe of a tab
return;
}
chrome.tabs.get(details.tabId, function(tab) {
var url = tab.url ? tab.url.replace(/#.*$/, '') : ''; // drop #hash
var favicon;
var delay;
if (tab.favIconUrl && tab.favIconUrl != ''
&& tab.favIconUrl.indexOf('chrome://favicon/') == -1) {
// favicon appears to be a normal url
favicon = tab.favIconUrl;
delay = 0;
}
else {
// couldn't obtain favicon as a normal url, try chrome://favicon/url
favicon = 'chrome://favicon/' + url;
delay = 100; // larger values will probably be more reliable
}
setTimeout(function() {
/// set favicon wherever it needs to be set here
console.log('delay', delay, 'tabId', tab.id, 'favicon', favicon);
}, delay);
});
}
This approach returns the correct favicon about 95% of the time for new URLs, using delay=100. Increasing the delay if you can accept it will increase the reliability (I'm using 1500ms for my use case and it misses <1% of the time on new URLs; this reliability worsens when many tabs are being opened simultaneously). Obviously this is a pretty imprecise way of making it work but it is the best method I've figured out so far.
Another possible approach is to instead pull favicons from http://www.google.com/s2/favicons?domain=somedomain.com. I don't like this approach very much as it requires accessing the external network, relies on a service that has no guarantee of being up, and is itself somewhat unreliable; I have seen it inconsistently return the "globe" icon for a www.domain.com URL yet return the proper icon for just domain.com.
Hope this helps in some way.
As of Oct 2020, it appears chrome extensions using manifest version 3 are no longer able to access chrome://favicon/* urls. I haven't found the 'dedicated API' the message refers to.
Manifest v3 and higher extensions will not have access to the
chrome://favicon host; instead, we'll provide a dedicated API
permission and different URL. This results in being able to
tighten our permissions around the chrome:-scheme.
In order to use chrome://favicon/some-site in extension. manifest.json need to be updated:
"permissions": ["chrome://favicon/"],
"content_security_policy": "img-src chrome://favicon;"
Test on Version 63.0.3239.132 (Official Build) (64-bit)
chrome://favicon url is deprecated in favor of new favicon API with manifest v3.
// manifest.json
{
"permissions": ["favicon"]
}
// utils.js
function getFaviconUrl(url) {
return `chrome-extension://${chrome.runtime.id}/_favicon/?pageUrl=${encodeURIComponent(url)}&size=32`;
}
Source: https://groups.google.com/a/chromium.org/g/chromium-extensions/c/qS1rVpQVl8o/m/qmg1M13wBAAJ
I inspected the website-icon in Chrome history page and found this simpler method.
You can get the favicon url by --
favIconURL = "chrome://favicon/size/16#1x/" + tab.url;
Don't forget to add "permissions" and "content_security_policy" to Chrome. (https://stackoverflow.com/a/48304708/9586876)
In the latest version of Chrome, Version 78.0.3904.87 (Official Build) (64-bit)) when tested, adding just img-src chrome://favicon; as content_security_policy will still show 2 warnings:
'content_security_policy': CSP directive 'script-src' must be specified (either explicitly, or implicitly via 'default-src') and must whitelist only secure resources.
And:
'content_security_policy': CSP directive 'object-src' must be specified (either explicitly, or implicitly via 'default-src') and must whitelist only secure resources.
To get rid of them use:
"permissions": ["chrome://favicon/"],
"content_security_policy": "script-src 'self'; object-src 'self'; img-src chrome://favicon;"
Now you can use chrome://favicon/http://example.com without getting any errors or warnings.

Permission denied error in all.js

I am using all.js for facebook implementation. I used a facebook button on signup page . by logging through facebook i am getting user name and email of facebook user into the fields on sign up page.
It's working fine on Chrome, Safari and Firefox but its giving error on IE8.
the error is in all.js line 22
{FB.UIServer._loadedNodes[a.id]=b;if(a.params)b.fbCallID=a.id;
Please help me if any one knows why this problem is occuring .
Thanks
Udham
Try this out. It worked for me, may help some one.
FB.UIServer.setLoadedNode = function (a, b){FB.UIServer._loadedNodes[a.id] = b; }
Ideally attach debugger and see which method breaks up and hack it.
This is a known bug: http://bugs.developers.facebook.net/show_bug.cgi?id=19042
It is set as CLOSED FIXED, but many users are still reporting the error in the comments area.
A hack is suggested on comment #19:
FB.init({
....
....
});
FB.UIServer.setActiveNode = function(a,b){FB.UIServer._active[a.id]=b;} // IE hack to correct FB bug
It worked for some people. I must say it didn't work for me, but I thought it was worth to mention.
I just ran into this (or a similar problem). Mine was in all.js line 22, char 3160, right after document.documentElement.style.display='none'; It was a permission denied error.
In my case, it was because the channelUrl was using a different protocol (https) than my app's iframe was being loaded under (http). I tried //mydomain.com/channel.html, but that gave me a different error. I solved it by dynamically choosing http/https for channelUrl when generating the html.
I found a solution. Already posted an answer here https://stackoverflow.com/a/8504794/287604, but for the desperate the quick fix:
FB.init({
appId: 'xxxxx',
appSecret: 'xxxxxxxxx',
status: true
cookie: true
});
// this code solves the issue
FB.UIServer.setLoadedNode = function (a, b) {
FB.UIServer._loadedNodes[a.id] = b;
};
I am still struggling with this but an odd work around I just noticed is if when using fb:login-button when setting the show-faces attribute to "true" it suddenly works fine. I tried 2 side by side fb:login buttons and the button with show faces set to either false or not included would pass back the error every time.