Ask your Symfony questions! Pay money and get answers fast! (more info)

Warning: Please do not give out any FTP or ssh credentials to anyone, unless you trust them completely. Giving out login details is dangerous.

If the asker does not get an answer then they have 10 days to request a refund.

$30
'Remember Me' code not working after JanRain login

This is a follow-up question to "How can I manually call Remember Me".

I am working on a site right now that allows login via 2 methods:

1.) The standard sfGuardUser plugin signinSuccess.php form.

2.) Login via JanRain RPX, which then redirects to some code that logs the user in, using standard sfGuardUser code.

The normal sfGuardUser login works great, and if I click the "Remember Me" button then I stay logged in forever, which is what I want.

However, I can not get the "Remember Me" to work with JanRain. For instance, if I:

1.) start FireFox.

2.) go to the site.

3.) login via JanRain.

4.) click through a few pages

5.) quit out of FireFox

6.) wait an hour

7.) re-start FireFox

8.) go back to the site

then I am logged out of the site.

I've taken the sample code that JanRain gives and I've modified it to work with Symfony/sfGuardUserPlugin. This works - users are able to log in via JanRain RPX login. Our beta testers have been able to login using their Yahoo accounts, their Twitter accounts, their Facebook accounts, their Google accounts, and their LinkedIn accounts. But the "Remember Me" does not work - no one stays logged in for more than 20 minutes (or rather, 1440 seconds, the PHP session default length, which we are still using on our server).

In app.yml I have:

sf_guard_plugin:
  remember_key_expiration_age: 25920000 # 300 days in seconds
  remember_cookie_name: myAppRememberMe


This is the code I'm using right now, a modified version of the sample PHP code that JanRain provides:

    public function executeRpxLogin()
    {
        $rpxApiKey = 'xxx'; // 'REPLACE_WITH_YOUR_RPX_API_KEY';

        if (isset($_POST['token'])) {

            /* STEP 1: Extract token POST parameter */
            $token = $_POST['token'];

            /* STEP 2: Use the token to make the auth_info API call */
            $post_data = array('token'  => $token,
                               'apiKey' => $rpxApiKey,
                               'format' => 'json');

            $curl = curl_init();
            curl_setopt($curl, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($curl, CURLOPT_URL, 'https://rpxnow.com/api/v2/auth_info');
            curl_setopt($curl, CURLOPT_POST, true);
            curl_setopt($curl, CURLOPT_POSTFIELDS, $post_data);
            curl_setopt($curl, CURLOPT_HEADER, false);
            // Verify the rpxnow.com certificate: this response decides who gets signed in,
            // so it must not be accepted from an unverified peer.
            curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, true);
            $raw_json = curl_exec($curl);
            curl_close($curl);

            /* STEP 3: Parse the JSON auth_info response */
            $auth_info = json_decode($raw_json, true);

            if (isset($auth_info['stat']) && $auth_info['stat'] == 'ok') {

                /* STEP 3 Continued: Extract the 'identifier' from the response */
                $profile    = $auth_info['profile'];
                $identifier = $profile['identifier'];
                // every other profile field is optional, so start them out as null
                $photo_url = $name = $email = $preferredUsername = null;

                if (isset($profile['photo'])) {
                    $photo_url = $profile['photo'];
                }

                if (isset($profile['displayName'])) {
                    $name = $profile['displayName'];
                }

                if (isset($profile['email'])) {
                    $email = $profile['email'];
                }
                // facebook uses 'verifiedEmail'
                if (!$email && isset($profile['verifiedEmail'])) {
                    $email = $profile['verifiedEmail'];
                }

                if (isset($profile['preferredUsername'])) {
                    $preferredUsername = $profile['preferredUsername'];
                }

                /* STEP 4: Use the identifier as the unique key to sign the user into your system.
                   This will depend on your website implementation, and you should add your own
                   code here.
                */

                // does a user with this email exist in our system already?
                $user = $email ? sfGuardUserPeer::retrieveByUsername($email) : null;
                if ($user instanceof sfGuardUser) {
                    $this->getUser()->signin($user, true); // TRUE means "remember me"
                    $this->setFlash('notice', 'You are logged in');
                    // send the user back to the page they were on before the login round trip
                    $arrayOfUrlsThisUserHasBeenToOnThisSite = sfRequestHistory::getHistory();
                    $theIndexInTheArrayOfTheUrlWeProbablyWantToRedirectTo = count($arrayOfUrlsThisUserHasBeenToOnThisSite) - 1;
                    $theUrlWeProbablyWantToRedirectTo = $arrayOfUrlsThisUserHasBeenToOnThisSite[$theIndexInTheArrayOfTheUrlWeProbablyWantToRedirectTo];
                    $this->redirect($theUrlWeProbablyWantToRedirectTo);
                    return sfView::SUCCESS;
                }

                // we can not match this email address to an existing user, so let's see if we
                // can find an account that matches their identifier
                $user = sfGuardUserPeer::retrieveByUsername($identifier);
                if ($user instanceof sfGuardUser) {
                    $this->getUser()->signin($user, true); // TRUE means "remember me"
                    $this->setFlash('notice', 'You are logged in');
                    $arrayOfUrlsThisUserHasBeenToOnThisSite = sfRequestHistory::getHistory();
                    $theIndexInTheArrayOfTheUrlWeProbablyWantToRedirectTo = count($arrayOfUrlsThisUserHasBeenToOnThisSite) - 2;
                    $theUrlWeProbablyWantToRedirectTo = $arrayOfUrlsThisUserHasBeenToOnThisSite[$theIndexInTheArrayOfTheUrlWeProbablyWantToRedirectTo];
                    $this->redirect($theUrlWeProbablyWantToRedirectTo);
                    return sfView::SUCCESS;
                }

                // if neither the email nor the identifier match an existing account, we need to
                // create a new account. The identifier is the only thing that is guaranteed to
                // both be in an RPX response and which is also guaranteed to be unique, so we have to
                // use it, though it will be a very ugly username.
                $this->createUserAccountBasedOnRpxResponse($identifier, $email);

            /* an error occurred */
            } else {
                // gracefully handle the error. Hook this into your native error handling system.
                $msg = isset($auth_info['err']['msg']) ? $auth_info['err']['msg'] : 'no response from auth_info';
                $this->setFlash('notice', 'We could not log you in. An error occurred: ' . $msg);
            }
        }
    }



Like I said, this works, in the sense that people are able to log in via JanRain. But "Remember Me" does not work. Any thoughts about how to get this working?

UPDATE:

I see these cookies being set:

s_sq
s_cc
s_nr
msc_cookie
_csuid



I do not see the myAppRememberMe cookie getting set.

In theory, this line should trigger the Remember Me code:

$this->getUser()->signin( $user, true );  // TRUE means "remember me"


That 2nd parameter is 'true', which I thought would set the myAppRememberMe, but apparently not.

Perhaps I should set the myAppRememberMe cookie manually?

UPDATE:

myAppRememberMe has a value like this:

ffb25a195b02911111815c6a5c853e75

What code generates this? I'm thinking of imitating this code to force the login.

The firewall at this place seems to be serving requests out over different IP addresses. Does sfGuardUser check the IP? I suppose the different IP addresses might throw it off? But then, that would also be true of normal sfGuardUser logins, which work just fine.


UPDATE:


Interesting. I re-did my experiment:

1.) start FireFox

2.) go to website

3.) login via LinkedIn

4.) get redirected to site

5.) click around, now logged in

6.) quit FireFox

7.) Wait 15 minutes

8.) start FireFox

9.) go back to site

10.) I am still logged in and, surprisingly, when I look at the cookies, I do see the myAppRememberMe cookie. See the attached screenshot to see what I see.

And yet, when I quit and stay away for 30 minutes, I come back and I'm logged out and the myAppRememberMe cookie is gone.

Could something be erasing it?


UPDATE:

One of the beta-testers just sent me this, after logging in via JanRain:

I am afraid it does not look like it is setting the 'myAppRememberMe' cookie for me, both on Firefox and IE


This question has been answered.


Lawrence Krubner | 07/28/10 at 5:25pm


(9) Responses


  • Loban Rahman says (last edited 10/07/10 7:58pm):

    Questions:

    (1) Do you get logged out without closing the browser? As in, you leave the browser running for an hour but not clicking anything, and then doing a refresh results in a login page?

    (2) If you close the browser and go back on within 5 minutes (i.e. within the 20min window), do you stay logged in, or is it lost the moment you close the browser?

  • Lawrence Krubner says (last edited 07/29/10 11:55am):

    Good questions!

    I just did this:

    1.) start FireFox

    2.) go to site

    3.) log in via JanRain (via Twitter)

    4.) click through 3 or 4 pages - I am logged in for all this

    5.) quit out of FireFox

    6.) do other stuff for 3 minutes

    7.) start FireFox

    8.) go to site

    9.) click around site - I am still logged in

  • Lawrence Krubner says (last edited 07/29/10 12:54pm):

    I just did the same as above, but waited 30 minutes before restarting FireFox. When I restarted FireFox and went back to the site, I was logged out. Curiously, Twitter still recognized me as logged in, but the site itself did not. I'm pretty sure I'm running into the 1440 second limit, which is what Remember Me is designed to get around.

  • Loban Rahman says (last edited 07/30/10 1:14am):

    You didn't answer the first question, as in does the site log you out after 30 mins of inactivity if you leave the browser window open. I'll assume that this does not happen.

    Clearly what's happening is the remember me time is not being honored. I had a "remember me" issue like this once before - I'm gonna dig up some old svn logs in an attempt to find how I fixed it.

    Meanwhile, here's a random shot in the dark: Suppose 300 days in seconds is too big a number? Put it to something like 15 days and see if that works. Remember, as always when dealing with sessions, to completely wipe browser history and server session data (even restart apache2 to be sure).

  • Loban Rahman says (last edited 07/30/10 1:42am):

    I just read your update, didn't notice it before. So the cookie IS being set, but expires (and hence deleted by the browser) in 20 mins rather than 300 days. Which might mean the cookie expiry date is not being set correctly. My shot in the dark might actually be correct! Please check that.

  • Loban Rahman says (last edited 07/30/10 1:46am):

    Please use firebug with firecookie extension to see your cookies. It shows a nice list of the name, value, domain, and expiry date. What expiry date is it setting? Also, is your site accessible using different domains, cause each will get a separate cookie (i.e. if you login at scooby.com, close the browser, and then return with www.scooby.com, it will not use the previous cookie and so will not be logged in).
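    The check asked for here, written out as an added example (not code from this thread, from sfGuardPlugin or from JanRain): given the raw Set-Cookie headers a login response sends, it reports each cookie's lifetime and classifies the remember-me cookie, so a cookie sent with neither Expires nor Max-Age (a session cookie, discarded when the browser closes) shows up at once. The header lines, cookie values and the clock time are constructed.

```python
"""Classify a 'remember me' cookie from raw Set-Cookie headers (added example)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

# Constructed sample headers: the remember-me cookie below carries no Expires
# and no Max-Age, so the browser treats it as a session cookie.
SAMPLE_HEADERS = [
    "Set-Cookie: symfony=abc123; path=/; HttpOnly",
    "Set-Cookie: myAppRememberMe=ffb25a195b02911111815c6a5c853e75; path=/",
    "Set-Cookie: s_cc=true; path=/; expires=Sat, 24 Jul 2011 12:00:00 GMT",
]
# Constructed "current time" so Expires-based lifetimes are reproducible.
NOW = datetime(2010, 7, 30, 12, 0, 0, tzinfo=timezone.utc)


def cookie_lifetime(header_line, now=NOW):
    """Return (name, seconds until expiry) for one 'Set-Cookie: ...' line.

    seconds is None for a session cookie (no Max-Age and no Expires).
    Max-Age wins over Expires, as it does in browsers.
    """
    jar = SimpleCookie()
    jar.load(header_line.split(":", 1)[1].strip())
    (name, morsel), = jar.items()
    if morsel["max-age"]:
        return name, int(morsel["max-age"])
    if morsel["expires"]:
        expires = parsedate_to_datetime(morsel["expires"])
        return name, int((expires - now).total_seconds())
    return name, None


def check_remember_cookie(headers, cookie_name, expected_age, now=NOW):
    """Classify the remember-me cookie as 'missing', 'session', 'short' or 'ok'.

    expected_age is the configured lifetime in seconds (remember_key_expiration_age);
    'short' means it is persistent but expires well before that.
    """
    for line in headers:
        name, seconds = cookie_lifetime(line, now)
        if name != cookie_name:
            continue
        if seconds is None:
            return "session"
        return "ok" if seconds >= expected_age * 0.9 else "short"
    return "missing"
```

    Run it over the headers captured from the login redirect: a result of "session" or "short" for myAppRememberMe means the server, not the browser, is to blame for the cookie disappearing.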

  • Lawrence Krubner says (last edited 07/30/10 10:41am):

    "Also, is your site accessible using different domains, cause each will get a separate cookie"


    Right now, the dev team is set up so each programmer is working in a sandbox at their sub-domain:

    lawrence.domain.com

    bill.domain.com

    ellen.domain.com

    However, to eliminate one possibility of error, I asked everyone to test the login specifically on my sub-domain.

  • Lawrence Krubner says (last edited 07/30/10 10:43am):

    It is morning. I just got back to work. I left FireFox on all night, open to the page in question. I hit refresh - I am still logged in, after 12 hours away. However, this is not working for anyone else. I asked my co-workers to return to the page and see if they were still logged in from yesterday - none of them were.

  • Lawrence Krubner says (last edited 07/30/10 10:43am):

    I've used 300 days as a value on other Symfony projects and I've never had that problem. But for now, I'm shortening the value to 30 days. We will see if that helps. I have my doubts.

Current status of this question: Completed
