Manage flarum_session

alinrj

Hello,
I have a problem when logging out an user. When he log out from my platform he remains connected on flarum because of the flarum_session cookie because it has a different path . It is a way that I can manage how the flarum_session cookie is created and how it is deleted?

luceos

alinrj in case an application outside of Flarum needs to share the log in state with Flarum, you will need to let Flarum know it needs to log that user out. The only way you're able to do that is by hitting Flarum somehow. A solution could be to create a protected API endpoint on Flarum for that purpose so that your app can hit that with the user info.

alinrj

Thanks for your info!
But it is a way that I could change the path of flarum_session when it is created?
For example, now it is created on domain/forum, and I want it to be created on domain/, so the path must be from /forum to /

clarkwinkelmann

You can customize Flarum cookies through the cookie key in config.php. That key doesn't exist by default but can be added. It's a two-levels array with another set of keys inside. I don't think there's public documentation of the available values but you can see them in the code here:

https://github.com/flarum/core/blob/v1.2.0/src/Http/CookieFactory.php#L62

Most interesting are probably cookie.path and cookie.domain. Untested example on how the config.php could be modified:

<?php return array (
  'debug' => false,
  'database' => 
  array (
   // [...]
  ),
  'url' => 'https://forum.flarum.tld',
  'paths' => 
  array (
    // [...]
  ),
  'headers' => 
  array (
    // [...]
  ),
  'cookie' => 
  array (
    'path' => '/',
    'domain' => 'flarum.tld',
  ),
);

Please note that deleting the session or remember cookie doesn't invalidate the tokens however. Hitting the Flarum logout endpoint is necessary to ensure any stolen token can't be re-used.

In my Wordpress integration extension I have implemented a logout loop where Wordpress redirects through Flarum during logout to ensure proper token revocation. I implemented this with a custom logout controller that uses the same code as Flarum but accepts signed URLs instead of CSRF token, allowing for a completely interaction-free logout.

If you don't care about logout being interaction-free, you can redirect the user to flarum.domain/logout and they will be prompted to click a button to finish logout.

HasanMerkit

Another problem, i using two instance in my host. ROOT directory and "support" folder. If an user logging to ROOT, cannot login to support folder.

clarkwinkelmann

HasanMerkit you can use cookie.name setting to customize the prefix if you want to give each website a unique cookie name.

HasanMerkit

clarkwinkelmann after your comment, i Google'd this and i found your another reply: https://discuss.flarum.org/d/7629-cookies-name/3

CookieFactory.php file localed at vendor/flarum/core/... , so i wonder my modification can deleting by updating flarum with composer ?

clarkwinkelmann

HasanMerkit CookieFactory reads the values from config.php, so you just need to edit config.php.

In my example above I only included path and domain. You can add name key under the same level.

Changes in vendor will be lost during Flarum or extension update.

HasanMerkit

clarkwinkelmann i understood better what you wanted to say and i added this lines to config.php:

  'cookie' => 
  array (
    'name' => 'blabla',
  ),

And works fine:

Thanks 🙂