Session is not starting after Login

[watsefack]

I am totally lost in a simple signup / login / logout with session guard.

Signup Works without any problems. Also the login does, but then directly redirects me to the login again, because i am not logged in.
It looks like session is never starting correctly. I studied documentation now for hours but don't get it working.

auth()->useSession();`
auth()->config([
  'GUARD_HOME' => 'secret/',
  'GUARD_LOGIN' => 'secret/login'
]);


app()->get('/', function () {
auth()->guard('auth');
    echo 'This is the secret page!';
});

app()->get('/login', function () {
	auth()->guard('guest');
	echo '<form>
<input id="username" name="username" type="text" placeholder="Username">
<input id="password" name="password" type="password" placeholder="Password">
<button type="submit">Login</button>
</form>';

$user = auth()->login([
  'username' => request()->get('username'),
  'password' => request()->get('password')
]);
});

Have i forgotten anything?
Thank you in advance!

[watsefack]

Oh no, i just tried another webhost, now it is working....

[ibnsultan]

TLDR; It's an SSL issue.

A quick Fix (Not Recommended)

If you happen to encounter the issue next time, add @session_start(); at the beginning of your public/index.php.

Recommended Fix

When you call auth()->useSession() , the below static method from the Leaf\Auth::class gets called

public static function useSession()
 {
      static::config('USE_SESSION', true);
      static::$session = Auth\Session::init(static::config('SESSION_COOKIE_PARAMS'));
 }

In the above function two other methods gets called config and $session, at this point I'd assume you know about config and it's not very relevant in this case, let's put our focus on $session which refers to Auth\Session::init() passing the config 'SESSION_COOKIE_PARAMS' as the argument (we will get back to that config in a jiff)

Lets shift our focus a lil bit to , Auth\Session::init() or Leaf\Auth\Session::init() (they are samesies)

public static function init(array $sessionCookieParams = [])
 {
     static::$session = new \Leaf\Http\Session(false);

     if (!isset($_SESSION)) {
         session_set_cookie_params($sessionCookieParams);   #YOUR EYES HERE
         session_start();
     };

     if (!static::$session->get("SESSION_STARTED_AT")) {
         static::$session->set("SESSION_STARTED_AT", time());
     }

     static::$session->set("SESSION_LAST_ACTIVITY", time());

     return static::$session;
 }

See where your eyes need to be session_set_cookie_params() is a php build in function that determins the properties and behaviour of the session cookie and only generates and stores if those parameters are met Read More ...

If we look carefully the session_set_cookie_params() is what takes the method argument which in our case it's the content of SESSION_COOKIE_PARAMS (an index of Auth\Core::$settings or Leaf\Auth\Session::$settings) which is

protected static $settings = [
   ...
   'SESSION_COOKIE_PARAMS' => ['secure' => true, 'httponly' => true, 'samesite' => 'lax']
]

Now that you see it I bet you're wondering am just gonna change the 'secure' to false, now that will work, untill you install a new or update composer packages and that will reset it back again.

so what do you do in that case, there's two options you can overide that

Option 1

 # Use `auth()->config()` to overwrite that setting

 auth()->config('SESSION_COOKIE_PARAMS', [
    'secure' => false,
    'httponly' => true,
    'samesite' => 'lax'
 ]);

Option 2 (Recommended)

Leaf comes with it's very own configuration engine, a set of files you can, update and or even overide the framework settings, add the following definition in your config/auth.php

[
    ...

    'SESSION_COOKIE_PARAMS' => ['secure' => false, 'httponly' => true, 'samesite' => 'lax']
]

NOTE: Make sure you have the cookies and caches cleared for your application before running your app.

Addition

Please use the configuration constants in config/auth or similar to update your settings rather than defining them by the methods

# instead of
auth()->useSession();
auth()->config([
  'GUARD_HOME' => 'secret/',
  'GUARD_LOGIN' => 'secret/login'
]);

# update 'USE_SESSION', 'GUARD_HOME', 'GUARD_LOGIN' in the auth config file