11-08-2018 12:31 PM
Quick question, we have been noticing that when we use the API to authenticate a session (mobile/login) and then we login to our actual UCRM System the session from the mobile/login is killed and we have to log in again.
Our envio is set up in the following format:
One server running UCRM on standard port using SSL
In the same server we have a seperate software that connects to UCRM using the API. its accessible via a a non public port and it requires the user to login using their UCRM login credentials, we authenticate those via the mobile/login api.
Whenever the user (admin/staff) logs in and then logs into the ucrm instance, they are kicked out of our other software.
Any ideas on how we can address this? or what's causing this to happen?
11-09-2018 12:50 AM
Hello @sergiov87, do you have expiration parameter on the mobile login set up correctly? Take a look in API documentation here https://ucrmbeta.docs.apiary.io/#reference/mobile/mobilelogin/post
If you don't set up the expiration parameter at all on the endpoint, it will basically expire instantly.
11-09-2018 05:52 AM
@UBNT-Ondra i have the expiration value set to 604800.
It just seems that any php session i have active on the same server on any applicaiton running in a different port gets killed as soon as i log in to UCRM or log out.
It works fine if i log in thorugh another browser, but if i'm on the same browswer any existing session i have is destroyed when i log in to UCRM.
11-09-2018 06:19 AM
@sergiov87 Just to clarify, you are using the API login endpoint in your own code somewhere (not via the UCRM mobile app)?
If so, does it run on the same domain (or IP) with only port being different?
11-09-2018 06:29 AM
Yes, that's correct, we have our own web application that we built and connects to UCRM via the API, that runs on the same server/domain just on a different port.
11-09-2018 06:32 AM
@sergiov87 Thank you, I think I now know where the problem is. I'll let you know if we need to know more information, but it should be fixed in next release (probably next week).
11-12-2018 02:59 AM
@sergiov87 So, I was not able to reproduce the issue with the idea I had. It's possible the fix I had in mind for next release will still help you, but now I can't be sure.
Would it be possible to send me (in PM) the actual code, that's causing problems to you? I might be able to find the problem then.
11-13-2018 07:58 AM
Thank you for the code. I was able to reproduce your issue now and it actually has nothing to do with the login endpoint. The problem is actually in 2 applications running on the same domain.
Since the cookies are based on domain name / IP address and not a port, you have the sessions shared between both UCRM and your application. And since UCRM destroys current session on login/logout, it gets destroyed in your application as well, because you're using default session name just like UCRM does (PHPSESSID).
I've got 2 possible solutions for you:
- You can rename session idenfier in your application using PHP's session_name (http://se.php.net/manual/en/function.session-name.php). This will prevent UCRM from destroying your session data.
- You can actually use the same session and use UCRMs "/current-user" endpoint out of the box, which would remove the need to call the mobile login. If your user logged in into UCRM, he would be automatically logged in in your application and if he would log out in UCRM, he would be automatically logged out as well.
This endpoint is available since UCRM 2.14.0-beta1 and you can read more about it here https://github.com/Ubiquiti-App/UCRM-plugins/blob/master/docs/security.md
Personally I would go with the second option as it's cleaner, but if you need just quick'n'dirty solution, the first one will work just fine.
11-13-2018 11:11 AM
@UBNT-Ondra Thanks for the suggestions, i too preffer option 2 and we'll probably implement that in place. If anything comes up i'll follow up.