Sharing Session with Codeigniter app on same domain. #1035

Open
vozax opened this issue Jun 8, 2024 · 5 comments

vozax commented Jun 8, 2024

Is there a way to access the session variables of php-crud-api, which is installed on https://domain.com/folder/, from a Codeigniter app on https://domain.com?

I tried setting their session names to be the same, but it seems to override the session values and destroy the session.

Also, I can't seem to find any info in the documentation about updating user info in the database.
I tried PUT on the /me/ endpoint and the /records/users/ endpoint.
It says table not found; however, the table is there with name, email and passwords stored in it.

Any help will be appreciated.

Contributor

apps-caraga commented Jun 8, 2024

The /me endpoint just returns the info of the current user based on the session data. It does not point to a table. As to the users table that is 'not found', it may be hidden or protected by the authorization.tableHandler.

Contributor

apps-caraga commented Jun 8, 2024

This particular config hides the users table and prevents any operation on it. It's the recommended simplest way to prevent unauthorized access to users data, but it also prevents the current users from accessing their own data.

```php
'middlewares' => 'dbAuth,authorization',
'authorization.tableHandler' => function ($operation, $tableName) {
    return $tableName != 'users';
},
```

Instead of this, you may try the following to just hide the password column (as well as any other column that you want to hide). Couple it with multiTenancy handler to limit access only to current users' own data. You can also check on the type of $operation to further customize your actions.

```php
'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
    return !($tableName == 'users' && $columnName == 'password');
},
```
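The combination suggested in the comment above (column hiding, a multiTenancy handler, and a check on `$operation`), written out as an added example that is not part of the thread or the project's own code. It assumes that `users.id` is the primary key, that dbAuth has stored the logged-in row in `$_SESSION['user']`, and that the operation strings are `create`, `read`, `update`, `delete` and `list`; the session contents and the `posts` table are constructed for the check at the end.

```php
<?php
// Added example. Assumptions: users.id is the primary key, and dbAuth has
// placed the logged-in user's row in $_SESSION['user'].
$config = [
    'middlewares' => 'dbAuth,authorization,multiTenancy',
    // Users may be read and updated, but not created or deleted via /records.
    'authorization.tableHandler' => function ($operation, $tableName) {
        return !($tableName == 'users' && in_array($operation, ['create', 'delete']));
    },
    // The password column is neither returned nor accepted, for any operation.
    'authorization.columnHandler' => function ($operation, $tableName, $columnName) {
        return !($tableName == 'users' && $columnName == 'password');
    },
    // Pin every query on users to the caller's own row; other tables are unfiltered.
    'multiTenancy.handler' => function ($operation, $tableName) {
        if ($tableName != 'users') {
            return [];
        }
        // Assumption: 0 matches no row, so a missing session user sees nothing.
        return ['id' => $_SESSION['user']['id'] ?? 0];
    },
];

// Stand-alone check of the handler decisions (no database or API needed).
if (PHP_SAPI === 'cli') {
    $_SESSION = ['user' => ['id' => 7, 'username' => 'alice']]; // constructed session
    $cases = [['read', 'users'], ['update', 'users'], ['delete', 'users'], ['list', 'posts']];
    foreach ($cases as [$op, $table]) {
        printf(
            "%-6s %-5s allowed=%s filter=%s\n",
            $op,
            $table,
            var_export($config['authorization.tableHandler']($op, $table), true),
            json_encode($config['multiTenancy.handler']($op, $table))
        );
    }
    printf(
        "users.password visible=%s\n",
        var_export($config['authorization.columnHandler']('read', 'users', 'password'), true)
    );
}
```

Because the column handler blocks `password` for every operation, an update through `/records/users/` cannot change it either.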

mevdschee self-assigned this Jun 9, 2024
Contributor

apps-caraga commented Jun 11, 2024

> It seems to override the session values and destroy the session.

I think it doesn't override the session value; rather, the problem may be due to different session drivers or path, @mevdschee? Like Codeigniter has its own file or even database table to save its session data while php-crud-api also has a different save path for its session.

Author

vozax commented Jun 11, 2024

> > It seems to override the session values and destroy the session.
>
> I think it doesn't override the session value; rather, the problem may be due to different session drivers or path, @mevdschee? Like Codeigniter has its own file or even database table to save its session data while php-crud-api also has a different save path for its session.

I made them both use the PHPSESSID generated by the native session.
The issue is that when the app is opened, Codeigniter regenerates the session ID, but when login is called, the API regenerates the session ID, and when the session is changed for either of them they again try to regenerate the ID (due to security reasons).

Contributor

apps-caraga commented Jun 12, 2024

Can you share your use case for this? Maybe, if you are just accessing the php-crud-api endpoints from the codeigniter app, you don't need to maintain user session in the php-crud-api and just use the codeigniter session. It is possible to use apiKeyDbAuth middleware to validate the requests from CI. You just have to retrieve the apiKeyDbAuth.apiKeyColumn when you login to the CI app.
