
I'm working with Zend Framework 2, ZfcUser and BjyAuthorize. Logging in and access control work, but under certain circumstances users get logged out: when they try to navigate to a different page while an AJAX call is still running on the current page.

In Chrome's Network window it shows the AJAX call as cancelled, followed by a call to the page you tried to navigate to, where the following code checks if you're logged in, finds that you're not (`$auth->hasIdentity()` returns false), and sends you to the login page.

```php
$sm = $event->getApplication()->getServiceManager();
$auth = $sm->get('zfcuser_auth_service');
$routeParams = $event->getRouteMatch()->getParams();

// List of actions non-authenticated users may access
$whitelist = array('login' => 1, 'register' => 1, 'forgotPassword' => 1, 'resetPassword' => 1);

$hasIdentity = $auth->hasIdentity();

// Redirect unauthenticated users to the login route unless the action is whitelisted
if (!$hasIdentity && !array_key_exists($routeParams['action'], $whitelist)) {
    $targetUrl = $event->getRouter()->assemble(array(), array('name' => 'zfcuser/login', 'absolute' => true));
    $response = $event->getResponse();
    $response->getHeaders()->addHeaderLine('Location', $targetUrl);
    $response->setStatusCode(302);
    $response->sendHeaders();
}
```

Apparently the session just disappeared? I'm having some trouble figuring out how/where it is saved. ZfcUser\Authentication\Storage\Db is used, but that uses Storage\Session as storage, and right now I'm not sure anymore what class THAT is.

Anybody encountered something like that before, or has a suggestion where to check?

Mayfly
  • Why are you not using the Guards of BjyAuthorize with the RedirectStrategy? `Storage\Session` is ZF2's Session-Wrapper, so nothing special there. Does Chrome say the session has vanished? Right now you're just making an assumption, dev-tools can tell you for sure ;) – Sam Sep 09 '13 at 10:48
  • Because I don't know what RedirectStrategy is. If it's part of BjyAuthorize, it's not documented anywhere that I can find. I spent some days trying to trace what is going on and didn't get farther than that the session seems to vanish. I'll see if Zend Developer Tools helps, thanks. – Mayfly Sep 09 '13 at 11:33
  • It's [documented right here](https://github.com/bjyoungblood/BjyAuthorize/blob/master/docs/unauthorized-strategies.md) – Sam Sep 09 '13 at 12:48
  • Thank you. After looking at it, I think checking if someone is logged in and afterwards if they have the right to view a given site makes more sense for our situation - in case a logged-in user tries to access a part of the site they don't have access to, redirecting them to the login site doesn't make much sense. – Mayfly Sep 09 '13 at 14:16
  • @Sam how can I keep track of whether a user's session has expired in ZF2? I want to log him out in the database if the session expires, so that he/she does not look online anymore. Currently I am not using zfcuser, is it going to help? – Deepanshu Goyal Apr 12 '14 at 04:40
  • @Deepanshu usually you'd save the last_login_timestamp in the DB and then simply run a timed script every minute to delete rows of people being logged out for too long. – Sam Apr 12 '14 at 08:57
