sfDoctrineGuardPlugin forgets credentials after verifying them

1
votes

I am searching for a solution to an authentication problem. I've only found one person (in the symfony-users Google group) with the same problem (#2 at bottom) way back in May of last year. As far as I can tell, no solution was posted to list.

In my development environment on Mac OS X, sfDoctrineGuardPlugin is working properly. When I attempt to access a secure page, I get redirected to login. When I enter valid credentials, I get redirected back to the initially requested page.

In my test environment at DreamHost, it is not working properly. When I attempt to access a secure page, I get redirected to login. When I enter valid credentials, I get redirected back to the initially requested page, but symfony loses my authentication status and (re-)redirects me back to login once again with the form emptied. (In contrast, if I enter invalid credentials, then I receive an error message on the login page and the username remains filled in.)

In each environment, symfony does verify my credentials are valid and that I have 'admin' privileges, but test forgets those credentials as soon as it redirects me back to my requested page.

Nothing interesting shows up in the apache error log.

Dev log snippets:

Feb 09 10:05:51 symfony [info] {sfPatternRouting} Match route "report" (/report.:sf_format) for /report with parameters array (  'module' => 'report',  'action' => 'index',  'sf_format' => 'html',)
Feb 09 10:05:52 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 10:05:52 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 10:05:52 symfony [info] {sfFilterChain} Executing filter "sfBasicSecurityFilter"
Feb 09 10:05:52 symfony [info] {sfBasicSecurityFilter} Action "report/index" requires authentication, forwarding to "sfGuardAuth/signin"
Feb 09 10:05:52 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 10:05:52 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 10:05:52 symfony [info] {sfFilterChain} Executing filter "sfExecutionFilter"
Feb 09 10:05:52 symfony [info] {sfGuardAuthActions} Call "sfGuardAuthActions->executeSignin()"
Feb 09 10:05:52 symfony [info] {sfPHPView} Render "/Library/WebServer/WebSites/Documents/plugins/sfDoctrineGuardPlugin/modules/sfGuardAuth/templates/signinSuccess.php"
Feb 09 10:05:52 symfony [info] {sfPartialView} Render "/Library/WebServer/WebSites/Documents/plugins/sfDoctrineGuardPlugin/modules/sfGuardAuth/templates/_signin_form.php"
Feb 09 10:05:52 symfony [info] {sfPHPView} Decorate content with "/Library/WebServer/WebSites/Documents/apps/backend/templates/layout.php"
Feb 09 10:05:52 symfony [info] {sfPHPView} Render "/Library/WebServer/WebSites/Documents/apps/backend/templates/layout.php"
Feb 09 10:05:52 symfony [info] {sfWebResponse} Send status "HTTP/1.1 401 Unauthorized"
Feb 09 10:05:52 symfony [info] {sfWebResponse} Send header "Content-Type: text/html; charset=utf-8"
Feb 09 10:05:52 symfony [info] {sfWebDebugLogger} Configuration 12.62 ms (12)
Feb 09 10:05:52 symfony [info] {sfWebDebugLogger} Factories 58.15 ms (1)
Feb 09 10:05:52 symfony [info] {sfWebDebugLogger} Action "sfGuardAuth/signin" 6.18 ms (1)
Feb 09 10:05:52 symfony [info] {sfWebDebugLogger} View "Success" for "sfGuardAuth/signin" 13.92 ms (1)
Feb 09 10:05:52 symfony [info] {sfWebDebugLogger} Partial "sfGuardAuth/_signin_form" 4.84 ms (1)
Feb 09 10:05:52 symfony [info] {sfWebResponse} Send content (53797 o)
Feb 09 10:06:04 symfony [info] {sfPatternRouting} Match route "sf_guard_signin" (/login) for /login with parameters array (  'module' => 'sfGuardAuth',  'action' => 'signin',)
Feb 09 10:06:04 symfony [info] {sfGuardSecurityUser} User is authenticated
Feb 09 10:06:04 symfony [info] {sfGuardSecurityUser} Add credential(s) "admin"
Feb 09 10:06:04 symfony [info] {sfFrontWebController} Redirect to "http://localhost/backend_dev.php/"
Feb 09 10:06:04 symfony [info] {sfWebResponse} Send status "HTTP/1.1 302 Found"
Feb 09 10:06:04 symfony [info] {sfWebResponse} Send header "Location: http:/localhost/backend_dev.php/"
Feb 09 10:06:04 symfony [info] {sfWebResponse} Send header "Content-Type: text/html; charset=utf-8"
Feb 09 10:06:04 symfony [info] {sfWebDebugLogger} Configuration 1.30 ms (8)
Feb 09 10:06:04 symfony [info] {sfWebDebugLogger} Factories 58.35 ms (1)
Feb 09 10:06:04 symfony [info] {sfWebDebugLogger} Action "sfGuardAuth/signin" 217.06 ms (1)
Feb 09 10:06:04 symfony [info] {sfWebDebugLogger} Database (Doctrine) 0.03 ms (5)
Feb 09 10:06:04 symfony [info] {sfWebResponse} Send content (123 o)
Feb 09 10:06:04 symfony [info] {sfPatternRouting} Match route "homepage" (/) for / with parameters array (  'module' => 'report',  'action' => 'index',)
Feb 09 10:06:04 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 10:06:04 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 10:06:04 symfony [info] {sfFilterChain} Executing filter "sfBasicSecurityFilter"
Feb 09 10:06:04 symfony [info] {sfFilterChain} Executing filter "sfExecutionFilter"
Feb 09 10:06:04 symfony [info] {reportActions} Call "reportActions->executeIndex()"
Feb 09 10:06:04 symfony [info] {sfPHPView} Render "/Library/WebServer/WebSites/Documents/apps/backend/modules/report/templates/indexSuccess.php"
Feb 09 10:06:05 symfony [info] {main} Call "navigation->executeNavMenu()"
Feb 09 10:06:05 symfony [info] {sfWebResponse} Send status "HTTP/1.1 200 OK"
Feb 09 10:06:05 symfony [info] {sfWebResponse} Send header "Content-Type: text/html; charset=utf-8"
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} Configuration 1.93 ms (10)
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} Factories 60.49 ms (1)
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} Action "report/index" 66.68 ms (1)
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} Database (Doctrine) 0.02 ms (3)
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} View "Success" for "report/index" 454.39 ms (1)
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} Component "navigation/navMenu" 0.17 ms (1)
Feb 09 10:06:05 symfony [info] {sfWebDebugLogger} Partial "navigation/_navMenu" 19.78 ms (1)
Feb 09 10:06:05 symfony [info] {sfWebResponse} Send content (164075 o)

Test log snippets:

Feb 09 06:21:36 symfony [info] {sfPatternRouting} Match route "report" (/report.:sf_format) for /report with parameters array (  'module' => 'report',  'action' => 'index',  'sf_format' => 'html',)
Feb 09 06:21:36 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 06:21:36 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 06:21:36 symfony [info] {sfFilterChain} Executing filter "sfBasicSecurityFilter"
Feb 09 06:21:36 symfony [info] {sfBasicSecurityFilter} Action "report/index" requires authentication, forwarding to "sfGuardAuth/signin"
Feb 09 06:21:36 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 06:21:36 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 06:21:36 symfony [info] {sfFilterChain} Executing filter "sfExecutionFilter"
Feb 09 06:21:36 symfony [info] {sfGuardAuthActions} Call "sfGuardAuthActions->executeSignin()"
Feb 09 06:21:36 symfony [info] {sfPHPView} Render "/home/username/test.example.com/project/plugins/sfDoctrineGuardPlugin/modules/sfGuardAuth/templates/signinSuccess.php"
Feb 09 06:21:36 symfony [info] {sfPartialView} Render "/home/username/test.example.com/project/plugins/sfDoctrineGuardPlugin/modules/sfGuardAuth/templates/_signin_form.php"
Feb 09 06:21:36 symfony [info] {sfPHPView} Decorate content with "/home/username/test.example.com/project/apps/backend/templates/layout.php"
Feb 09 06:21:36 symfony [info] {sfPHPView} Render "/home/username/test.example.com/project/apps/backend/templates/layout.php"
Feb 09 06:21:36 symfony [info] {sfWebDebugLogger} Configuration 822.85 ms (12)
Feb 09 06:21:36 symfony [info] {sfWebDebugLogger} Factories 343.18 ms (1)
Feb 09 06:21:36 symfony [info] {sfWebDebugLogger} Action "sfGuardAuth/signin" 7.63 ms (1)
Feb 09 06:21:36 symfony [info] {sfWebDebugLogger} View "Success" for "sfGuardAuth/signin" 19.09 ms (1)
Feb 09 06:21:36 symfony [info] {sfWebDebugLogger} Partial "sfGuardAuth/_signin_form" 4.44 ms (1)
Feb 09 06:21:36 symfony [info] {sfWebResponse} Send content (52356 o)
Feb 09 06:21:45 symfony [info] {sfPatternRouting} Match route "sf_guard_signin" (/login) for /login with parameters array (  'module' => 'sfGuardAuth',  'action' => 'signin',)
Feb 09 06:21:45 symfony [info] {sfGuardSecurityUser} User is authenticated
Feb 09 06:21:45 symfony [info] {sfGuardSecurityUser} Add credential(s) "admin"
Feb 09 06:21:45 symfony [info] {sfFrontWebController} Redirect to "http://test.rippil.com/backend_dev.php/"
Feb 09 06:21:45 symfony [info] {sfWebDebugLogger} Configuration 21.18 ms (8)
Feb 09 06:21:45 symfony [info] {sfWebDebugLogger} Factories 162.69 ms (1)
Feb 09 06:21:45 symfony [info] {sfWebDebugLogger} Action "sfGuardAuth/signin" 233.96 ms (1)
Feb 09 06:21:45 symfony [info] {sfWebDebugLogger} Database (Doctrine) 0.03 ms (7)
Feb 09 06:21:45 symfony [info] {sfWebResponse} Send content (118 o)
Feb 09 06:21:46 symfony [info] {sfPatternRouting} Match route "homepage" (/) for / with parameters array (  'module' => 'reporttt',  'action' => 'index',)
Feb 09 06:21:46 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 06:21:46 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 06:21:46 symfony [info] {sfFilterChain} Executing filter "sfBasicSecurityFilter"
Feb 09 06:21:46 symfony [info] {sfBasicSecurityFilter} Action "report/index" requires authentication, forwarding to "sfGuardAuth/signin"
Feb 09 06:21:46 symfony [info] {sfFilterChain} Executing filter "sfRenderingFilter"
Feb 09 06:21:46 symfony [info] {sfFilterChain} Executing filter "sfGuardRememberMeFilter"
Feb 09 06:21:46 symfony [info] {sfFilterChain} Executing filter "sfExecutionFilter"
Feb 09 06:21:46 symfony [info] {sfGuardAuthActions} Call "sfGuardAuthActions->executeSignin()"
Feb 09 06:21:46 symfony [info] {sfPHPView} Render "/home/username/test.example.com/project/plugins/sfDoctrineGuardPlugin/modules/sfGuardAuth/templates/signinSuccess.php"
Feb 09 06:21:46 symfony [info] {sfPartialView} Render "/home/username/test.example.com/project/plugins/sfDoctrineGuardPlugin/modules/sfGuardAuth/templates/_signin_form.php"
Feb 09 06:21:46 symfony [info] {sfPHPView} Decorate content with "/home/username/test.example.com/project/apps/backend/templates/layout.php"
Feb 09 06:21:46 symfony [info] {sfPHPView} Render "/home/username/test.example.com/project/apps/backend/templates/layout.php"
Feb 09 06:21:46 symfony [info] {sfWebDebugLogger} Configuration 13.92 ms (12)
Feb 09 06:21:46 symfony [info] {sfWebDebugLogger} Factories 251.75 ms (1)
Feb 09 06:21:46 symfony [info] {sfWebDebugLogger} Action "sfGuardAuth/signin" 31.00 ms (1)
Feb 09 06:21:46 symfony [info] {sfWebDebugLogger} View "Success" for "sfGuardAuth/signin" 57.79 ms (1)
Feb 09 06:21:46 symfony [info] {sfWebDebugLogger} Partial "sfGuardAuth/_signin_form" 8.09 ms (1)
Feb 09 06:21:46 symfony [info] {sfWebResponse} Send content (52428 o)

It's probably worth mentioning this snippet from backend/templates/layout.php which accounts for the navigation/_navMenu lines in Dev but not in test:
<?php if ($sf_user->isAuthenticated()): ?>
    <?php include_component('navigation', 'navMenu'); ?>
    ...
 <?php endif ?>

Related post in symfony-users group:

You should check the logs for both symfony and apache.

gabriel

On May 28, 2:33 pm, sdwdd wrote:

Hi, All.

Having a couple of problems with Symfony 1.4 installation:
1. [unrelated]
2. A problem with sfGuard plugin.
It works okay in the development environment, however in test environment after the user is logged in it looses the session. User gets logged in, but after a page reload the authentication session is lost.

The installation is core Symfony 1.4 with sfGuardPlugin and some custom templating.

Any ideas on those? I'm feeling like there's a problem with server config, however don't know what could be wrong(raised the memory_limit to 512Mb).

Thanks,
Serg

1
phpsymfony1sfdoctrineguard
What do your URLs look like for the page you're trying to get to, and the login page? Any strangeness going on with subdomains, or anything like that?Matt Gibson
Thanks for the questions. No, the URLs match what's in the logs. No subdomain crossing issues. I tracked down the source of the problem to a hardened PHP extension installed in the hosted environment which led me to a solution. I posted it as an answer below.Ryan

1 Answers

0
votes

I found an answer after tips from the symfony-users Google group.

First tip:

This seems to be an issue with the session on your server. If the session variable are not stored, the authentication status cannot be saved. You should ask the Dreamhost support to know why session variables does not work.

Christophe | Stof

Second tip:

This is not a symfony related suggestion.
I found often Session issues were caused by the suhosin module, which comes with many Ubuntu based hosts. Try to turn session encryption off and see if it helps. I found for example that sometimes the Document Root is part of the encryption and it may not always work as expected.
HTH
Kind Regards,
Jochen Daum

It turns out that my hosting environment uses suhosin hardened PHP which is likely the cause of the problem. Adding suhosin into my solution search, I found this in oldforums.symfony-project.org:

Re: User sessions do not persist on Ubuntu Server [message #100928 is a reply to message #100918 ]
Mon, 14 June 2010 19:33 dklanac
Here is my final post. I figured out that the issue was only on my test environment. sfSessionTestStorage was not setting the cookie that I needed. I changed it over to sfSessionStorage and renamed my cookie with a "test" suffix to prevent production cookie conflicts, and things behaved appropriately. This would also explain why I was able to see the correct behavior on my dev instance, since it also uses the regular sfSessionStorage class.

We use separate subdomains for dev, test, stage, and production, so my solution was even simpler. I just changed sfSessionTestStorage to sfSessionStorage in apps/appname/config/factories.yml. I don't expect to need to alter the cookie name.