php - Session is lost after an OAuth redirect

Question

I use CakePHP 2.4. I have an OAuth signin in my website. %99.5 of signins are successfull but %0.5 fails. I have this error for months. I tried many things to debug and log but still I didn't solve the problem. Although most of the requests are good I need to solve the small part.

Scenario is like this:

• User clicks Sign in button
• I get request token from server (for example yahoo, twitter)
• I save oauth_token in user's session
  for example session ID is aaa1234

• CakePHP creates PHPSESSID cookie and save session id in this cookie.

• I redirect user to Twitter server and user confirms my application

• User comes to my website with oauth verifier
  a) I use user's oauth_token and oauth_verifier and get access_tokens. session ID is aaa1234. everything good.
  b) Failure. Because I can't find user's oauth_token in current session. When I check session ID, I see that ID changed, ID is now bbb2345

For the scenario b:
It seems like user has new session ID now. oauth_token can't be found in new session. But note that old session data exists in /tmp/sessions/ folder.

Session ID cookie doesn't exists for session aaa1234. But another tracking cookie that I set 2 days ago exists in cookies.

I check user agents.
It is same when user first comes and user comes back from Yahoo server.

This failure scenario happens in Chrome, Firefox, mobile browsers or other browsers, so I can't accuse browser type.
What should I check more to diagnose?

My CakePHP core.php settings:

Configure::write('Session', array(  'defaults' => 'cake'  ));
Configure::write('Session.cookie', 'MYPHPSESSID');
Configure::write('Session.timeout', 120);
Configure::write('Security.level', 'medium');

Other settings are default as mentioned in file: https://github.com/cakephp/cakephp/blob/2.5/app/Config/core.php#L182

Edit: By using this answer I checked for cookies. 20% of the erroneous users disabled cookies. I asked personally and user confirmed cookie option. But it seems like other users didn't disabled cookies. Also some of users reach my website by using Android WebViews. In WebView clients I'm sure that I don't disable cookies. Also 99% of the WebView users can successfully use website.

Answer 1

Your session id might be lost because of a redirect between schemes. In case your user received a session id on HTTP and then came back on HTTPS (or vice-versa) his session would be lost/replaced by an old session he had previously on that scheme.

This is not 100% certain, but if I were you, I'd try to give it a look (it happened to me also in a past project).

EDIT
Explanation:

The clients obtain their session on HTTP, they are redirected for oauth purposes, and when they come back, they come via HTTPS.

PHP Normal sessions ($_SESSION) are lost when moving between HTTP and HTTPS. The session itself is kept on server side, but the client loses the session_id, thus the server doesn't recognize him and the session is lost, so I you were using pure PHP, 100% of your clients were to lose session on their way back.

CakePHP handles this common problem via cookies that save the sesion id, and then when the client comes back without session_id on the request headers, its session is restored because of the cookie. The 0.05% of your clients that fails, are clients with one (or more) of the following:

1. Cookies disabled (more common)
2. Browsers that don't retain cookies from the same website when switching between HTTP/HTTPS (much more rare)

Possible solutions:

1. initialize the cookie on HTTPS to begin with (i.e first check if the user is on HTTP, then redirect him to HTTPS, then init the session, then redirect him to oauth endpoint) - I personally recommend it.

2. some oauth providers take parameters for the url to redirect the user when he finishes his authentication. You can use this and send its session id as a parameter. - I don't recommend this, because then you might expose your client's session id to attackers.

Good luck!