重定向到 laravel 中的外部 url 时如何保留 session 数据

Question

I am new on PHP. I have a laravel api and laravel webui in different servers. When i make a request for login in webui, sent it to api and if result is success return laravel/passport token to webui. I stored token in session(in webui auth controller).

AuthController;

Session::put('token', $value['token']);

My CustomAuth Middleware;

    class CustomAuth extends Middleware {
        public function handle($request, Closure $next, $guard = null){
            if (Session::has('token')) {
                return $next($request);
            } else {
                return response(view('pages.unauthorized'));
            }
        }
    }

Payment method;

return redirect()->away($redirectUrl);

And then, when payment is success/fail wirecard returning to my site(callbackUrl). In this section, session data is lost and user redirect to login page. I am not sure whether I am wrong in the auth part or use the session incorrectly. Can i store session data when i redirect? Or how can i change auth part?

Note: success and fail routes has to be in auth middleware. And my all routes in web middleware group. In app/Http/Kernel.php, this line added in 'web'

\Illuminate\Session\Middleware\StartSession::class,

Answer 1

Ideally when you are building an API, we are not using web middleware group but api middleware group. Thus if all your routes are in api.php (they should be here) then the session is not activated or it won't work because you are using api middleware group and api guard here.

Another thing is, you have already generated a token using passport so you don't need to store the token in session . That's the awesome thing about Json Web Token. It can be parsed when your WebUI pass the token back to backend. The backend/API can just look at it and see if the token is authenticated, no need to check session or anything like that when you are handling token. To do so you have to pass through auth:api middleware for your api routes.

Lastly, you have to make sure that the WebUI is sending back the token in correct form(eg Bearer header, basic auth etc.).

Good luck!

Answer 2

One possible solution: when working with payment callback you should always remember the session data for addreses including https, http, www and none-www are different. You should always always force (www or none-www) and (https or http). in this way you can always be sure that user will always come back to the address that user session data is stored.

according to web server you are using, the approach to do this will be different.

for example if you are using apache, you can use following config in htaccess:

<IfModule mod_rewrite.c>
    <IfModule mod_negotiation.c>
        Options -MultiViews -Indexes
    </IfModule>

    RewriteEngine On

    # remove wwww.
    RewriteCond %{HTTP_HOST} ^www\.(.*)$ [NC]
    RewriteRule ^(.*)$ https://%1%{REQUEST_URI} [R=301,QSA,NC,L]

    # redirect to https
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,QSA,L]

    # Handle Authorization Header
    RewriteCond %{HTTP:Authorization} .
    RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

    # Redirect Trailing Slashes If Not A Folder...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_URI} (.+)/$
    RewriteRule ^ %1 [L,R=301]

    # Handle Front Controller...
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteRule ^ index.php [L]
</IfModule>