3

I'm trying to use Laravels authentication with a number of simple HTML/Javascript applications.

The way I think it would ideally work is this:

  1. The user visits the simple HTML application
  2. The simple HTML application includes a PHP file which checks if a user is authenticated. If this is not the case the user is sent to the Laravel application to login, if the user is logged in he can simply use the application.
  3. The user logs in through Laravel and is redirected back to the HTML application where this process will start over again.

The problem I have is checking whether a user is logged in the PHP script. Laravels session is not available there (and sharing it through session_start() and $_SESSION["auth"] = true will only add the variable to Laravels version of the native PHP session).

These are the settings I have in app/config/session.php

return array(
    'driver' => 'native',
    'lifetime' => 120,
    'files' => storage_path().'/sessions',
    'connection' => null,
    'table' => 'sessions',
    'lottery' => array(2, 100),
    'cookie' => 'laravel_session',
    'path' => null,
    'domain' => null,

);

I've changed the path to null because I want to use the session on the entire domain.

My included PHP script is very simple and looks like this:

session_start();

if($_SESSION['authenticated']){
    echo "logged_in";
} else {
    header("Location: laravel/login/url");
}

You might wonder why I don't just include the application in Laravels framework, it's because there are about 100 different versions of this simple HTML application scattered over 10 domain names, at the moment every domain name has it's own (very old and insecure) login script (which is copied every time a new domain gets made). Therefor I want to centralize this with one database and one management system using Laravel.

Hopefully someone here knows how to fix this problem or work around it (maybe I should try to use Laravels session package in my PHP script?).

Improve this question

2 Answers 2

Reset to default
3

Laravel uses storage drivers for it's session management - meaning trying to access it's contents through the PHP $_SESSION variable will never work. Your config is setting the default session driver to "native" which (I think) the file session driver, meaning all session data is stored in app/storage/sessions (I believe that it stores the session data in some JSON like structure). You can read more about the session drivers here.

So to answer your question, there are a couple of ways that come to mind to solve this. What I would probably do is implement a simple custom session interface that will simply check if a user is logged in. You can set the user's session to logged in when you authenticate the user through your laravel form. For example:

if (Auth::attempt(array('email' => $email, 'password' => $password))) {
    // Set your user's session to logged in here. You will have to implement some 
    // system to do so, the below code is INSECURE/NOT USEABLE
    $_SESSION['user'] = $email;
}

And then you would do the reverse when the user logs out. As mentioned above, simply setting the user's session to logged in is very insecure for a multitude of reasons, the most glaring being session hijacking. (This is an excellent read on the subject) If you can implement a secure session management system (and really, it should not be difficult and will be lightweight) then I think that this strategy is your best bet.

The alternative is to try to use cookies as the session driver but doing so will add more layers of complexity and garbage as you will first have to get the Laravel session id from one cookie and use that to read another ... not an elegant solution.

So I would recommend using the first method I talked about and implementing a simple and secure session management system. Hope this helped!

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

Thank you for making this clear. I think I might use Sentry combined with Laravel for the user management system and make the application login with Sentry and PHP using the same database.
2

An other solution: using the following code you can boot into Laravel using the real Laravel session, so you can actually use Auth::check() for authorization and you don't even have to use the native $_SESSION.

See: https://gist.github.com/frzsombor/ddd0e11f93885060ef35

Improve this answer

1 Comment

Hi @frzsombor how can i use your script to authenticate from cakePHP 2.5 to laravel ? and vice-versa ? could you please provide more details ?

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.