  • I have a context called 'secure'.

    When an anonymous user hits certain restricted resources in the 'web' context, they are redirected to a particular resource on 'secure'. This resource is protected by Shibboleth authentication, so they are first prompted to log in via Shibboleth before MODX even serves the resource. Once they've done that, the 'secure' resource fires a snippet which does the following:

    • logs them in as user #35, a user who has access to lots of restricted resources in the 'web' context
    • uses 'addSessionContext' to add a session context for the 'web' context
    • redirects them back to whatever resource in the 'web' context they were originally trying to access - they should now have sufficient permissions to view it.

    My code looks like this:
    $uid = $modx->user->get('id');
    if ($uid == 35) {
      // Already logged in as user #35: add a 'web' session context if there isn't one yet
      if (!$modx->checkSession('web')) {
        $modx->user->addSessionContext('web');
      }
    }
    if ($uid == 0) {
      // code that logs in the anonymous user as user #35
    }
    

    That's the code that I'm calling in an uncached snippet in my resource on the 'secure' context. They first have to do the Shibboleth authentication, then they get the resource, which fires the code above and then redirects them back to the original resource they requested.

    This is working exactly the way I want it to... most of the time.

    However, for some users, the code runs but the 'web' session doesn't seem to stick. The code runs, they get redirected back to a restricted page on the 'web' context *and can view it*. But when they click on a link to another restricted page, they get the unauthorized page again. They click the link, hit the 'secure' page again (instantaneously, because the Shibboleth requirements are already satisfied), the code fires again (the 'web' session context is added, again), and they get redirected to the page they wanted. For these unlucky users, the effect is that every page they request on the site, they have to see the unauthorized message & click on the link before getting the content. Every. Single. Time.

    I have no idea what these unlucky users may have in common. I don't think it is an issue with a certain browser. I'm wondering if it may be some sort of caching condition?

    I'm hoping someone can see something obvious that I'm not doing quite right.

    Any help would be GREATLY appreciated.
      • 42456
      • 5 Posts
      Hi, I have a similar problem.
      Have you found a solution to this problem?
        • 3749
        • 24,544 Posts
        Have you tried logging the user in to both the secure and web (again) contexts on the secure page? It shouldn't matter, but I can't think of anything else.
          Did I help you? Buy me a beer
          Get my Book: MODX:The Official Guide
          MODX info for everyone: http://bobsguides.com/modx.html
          My MODX Extras
          Bob's Guides is now hosted at A2 MODX Hosting
        • I ended up paying for some support on this problem. My code works great now, and looks like this:
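          if ($uid == 35) {
              // No 'web' session yet: log in through the core security/login processor
              if (!$modx->checkSession('web')) {
                  // $user and $pass are not defined in the posted excerpt
                  $c = array(
                      'login_context' => 'web',
                      'add_contexts' => '',
                      'username' => $user,
                      'password' => $pass
                  );
                  $result = $modx->runProcessor('security/login', $c);
              }
          }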

          I suppose it could also re-log the user into the secure context via the add_contexts option, but I have no need for that in my application.

          At any rate, I've had no problems losing the web context session since running with the code above. Hope this helps.
            • 3749
            • 24,544 Posts
            That's interesting, because your original code looks pretty much like what's in that processor, unless this line is making the difference:

             $_SESSION['modx.' . $loginContext . '.session.cookie.lifetime']= 0;