cakephp 3 and logout confusion - php

I'm having some trouble wrapping my head around whether or not things are working as intended.
I've got a simple implementation of cakephp3, cake-auth0 (https://github.com/jsoftb/auth0) and I am using an auth0 login form.
This flow works just fine.
example.com/users/login -> form -> my-domain.auth0.com -> example.com/users/login?code=secret
$auth_code = $this->request->query('code', null);
if (!is_null($auth_code)) {
    $user = $this->Auth->identify();
    if ($user) {
        $this->Auth->setUser($user);
        return $this->redirect($this->Auth->redirectUrl()); // example.com/
    }
}
Logging a user out is where I'm having issues.
example.com/users/logout -> auth0-domain (kill cookie) -> example.com
public function logout() {
    return $this->redirect($this->Auth->logout());
    // $this->redirect('http://auth0.domain?returnTo=http://example.com/');
}
public function beforeFilter(Event $event) {
    parent::beforeFilter($event);
    $this->Auth->allow('logout'); // Appears to do nothing
}
This successfully logs me in and out of auth0 just fine.
I stay logged into cake however and it is driving me a bit batty.
My login page with some session user output shows me as logged in and I can access the page example.com/users. I cannot view it while not yet logged in.
I haven't created any database stuff to go with users yet if that helps.
Short of going brutal and nuking all sessions/cookies using just php, anyone else have any ideas?
Update: Dug a lot through code. Cake's vanilla AuthComponent::logout doesn't do much of anything. I managed to get something that will work for me by manually killing a session of some sort.
I'll leave this up because I know some guru will come along at some point.
I was able to achieve logging out (of cake) like this:
public function logout() {
    $url = $this->Auth->logout();
    $this->request->session()->destroy();
    return $this->redirect($url);
}
Call AuthComponent's logout function and save the response url string.
Destroy the request session because logout didn't do it.
Redirect.
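As an added example (not the asker's code and not part of the cake-auth0 plugin), here is the same logout action written out with the Auth0 round trip from the original flow included, so that both the local CakePHP session and the Auth0 SSO cookie are cleared. It assumes the tenant domain and client id are stored under the `Auth0.domain` and `Auth0.clientId` keys with Cake's `Configure`, and that the Auth0 logout endpoint is `https://<domain>/v2/logout` accepting `client_id` and `returnTo`; those config keys and the endpoint path are assumptions, not something the question states.

```php
<?php
// Added example: a CakePHP 3 UsersController::logout() that clears the local session
// and then sends the browser through Auth0's logout so the SSO cookie is dropped as well.
// Assumed config keys: Auth0.domain and Auth0.clientId (Configure::write in config/app.php).
namespace App\Controller;

use Cake\Core\Configure;
use Cake\Event\Event;
use Cake\Routing\Router;

class UsersController extends AppController
{
    public function beforeFilter(Event $event)
    {
        parent::beforeFilter($event);
        // logout must stay reachable even when the local session is already gone
        $this->Auth->allow(['logout']);
    }

    public function logout()
    {
        // 1. AuthComponent::logout() only removes its own session key and returns the
        //    configured logoutRedirect; the PHP session itself is left alive.
        $localRedirect = $this->Auth->logout();

        // 2. Destroy the whole server-side session so nothing from the previous user
        //    (flash messages, cached identity) survives into the next login.
        //    Cake's Session::destroy() also empties $_SESSION for this request.
        $this->request->session()->destroy();

        // 3. Round-trip through Auth0 so its own cookie is cleared, then return to the
        //    local post-logout URL. returnTo must be an absolute URL and must be listed
        //    in the Auth0 application's allowed logout URLs, otherwise Auth0 rejects it.
        //    (Endpoint path is an assumption; check it against the Auth0 docs.)
        $returnTo = Router::url($localRedirect, true);
        $auth0Logout = sprintf(
            'https://%s/v2/logout?client_id=%s&returnTo=%s',
            Configure::read('Auth0.domain'),
            urlencode(Configure::read('Auth0.clientId')),
            urlencode($returnTo)
        );

        return $this->redirect($auth0Logout);
    }
}
```

The order matters: `$this->Auth->logout()` runs first because it reads the session to clear its key; destroying the session first and then calling it would be harmless but pointless. The `returnTo` whitelist is what stops the logout endpoint from being used as an open redirect, so keep it tight.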

Related

Laravel Socialite pass and retrieve custom data?

I'm currently adding Socialite to my website to allow users to log in from Facebook.
public function redirectToProviderFacebook() {
    return Socialite::driver('facebook')->redirect();
}
public function handleProviderCallbackFacebook() {
    $userSocial = Socialite::driver('facebook')->user();
    $email = $userSocial->getEmail();
    if (User::where('email', $email)->count() > 0) {
        // log them in
        Auth::login(User::where('email', $email)->first());
        return redirect()->route('home')->with('info', "You are now signed in.");
    } else {
        // register an account and log them in
    }
}
During normal user registration, I ask for three things: username, email and password. The username and email are things you cannot change on my site, ever, as their usernames are bound to many things.
The problem with logging in with Facebook is that I have to register new users in the callback function. Therefore, I can't ask them for what they want their usernames to be.
Is there a way I could perhaps prompt the user for their preferred username? Then do the redirect like this:
return Socialite::driver('facebook')->with('username', $request->username)->redirect();
Then retrieve that data to use it for auth registration in the callback function?
For some reason, optional parameters didn't work for me, so I ended up using the session to pass variables from the redirect method to the callback method. It's not the best way to do it, but it does the trick.
public function redirectToFacebookProvider()
{
    // save anything you will need later, for example a URL to come back to
    Session::put('url.intended', URL::previous());
    return Socialite::driver('facebook')->redirect();
}
public function handleFacebookProviderCallback()
{
    // handling....
    $url = Session::get('url.intended', url('/'));
    Session::forget('url.intended');
    return redirect($url);
}
Obtained this answer from https://laracasts.com/discuss/channels/laravel/socialite-return-parameters-in-callback?page=0
And from Sending additional parameters to callback uri in socialite package for laravel
I am not sure about Facebook, but for GitHub it's working fine. Try this:
public function socialLogin($loginFrom) {
    return Socialite::driver('github')->redirectUrl('http://your-domain.com/callback?data=123')->redirect();
}
On the GitHub app you need to put only: http://your-domain.com/callback
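The two answers above pass state either through the session or through the callback URL. As an added example (not from the question, the answers, or the Socialite package), here is the username case from the question implemented with the session approach, validating the name before the redirect and consuming it exactly once in the callback. The route names `register` and `home`, the `users.username` column, the `FacebookController` class name and the validation rules are assumptions.

```php
<?php
// Added example: carrying a user-chosen username from the redirect step to the OAuth
// callback via the session rather than the provider's callback URL. Anything appended
// to the callback URL comes back as untrusted query input; the session does not.
// Assumed: routes named 'register' and 'home', a users.username column, User::$fillable
// covering username/email/password.
namespace App\Http\Controllers\Auth;

use App\Http\Controllers\Controller;
use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Laravel\Socialite\Facades\Socialite;

class FacebookController extends Controller
{
    // Step 1: validate the username before leaving the site, then stash it server-side.
    public function redirectToProvider(Request $request)
    {
        $this->validate($request, [
            'username' => 'required|alpha_dash|min:3|max:32|unique:users,username',
        ]);
        $request->session()->put('social.username', $request->input('username'));

        return Socialite::driver('facebook')->redirect();
    }

    // Step 2: read the stashed value once (pull() also forgets it) and create the account.
    public function handleProviderCallback(Request $request)
    {
        $social   = Socialite::driver('facebook')->user(); // Socialite checks the OAuth state here
        $email    = $social->getEmail();
        $username = $request->session()->pull('social.username');

        $user = User::where('email', $email)->first();
        if ($user === null) {
            // Session expired, or the name was taken between the two requests: ask again
            // rather than inventing a username on the user's behalf.
            if ($username === null || User::where('username', $username)->exists()) {
                return redirect()->route('register')
                    ->withErrors(['username' => 'Please choose a username.']);
            }
            $user = User::create([
                'username' => $username,
                'email'    => $email,
                // social-only account: random placeholder so the column is never empty
                'password' => bcrypt(str_random(32)),
            ]);
        }

        Auth::login($user);
        return redirect()->route('home')->with('info', 'You are now signed in.');
    }
}
```

The `unique` rule is re-checked in the callback on purpose: the redirect and the callback are two separate requests, and another registration can land between them.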

How can I properly authenticate a user as an admin in Laravel?

I am attempting to introduce "ghosting" into my application - wherein I can access our app from the POV of a user.
Currently using the loginUsingID function to achieve this, with a protected route only accessible by admins. However, I would also like to display to the admin that they are ghosting a user by displaying a bar across the top of our app.
I was thinking of adding a property to the user is_being_ghosted - setting it as false on logout, false on login, and true on ghostLogin.
But I realize there is a small chance an admin attempts to ghost a user, and it sets that property, and while they are investigating things within the account, the user themselves refreshes their page (they were already authenticated so do not need to login again). In that case they would see this "admin bar" across the top, which clearly I wouldn't want to happen.
Is there an efficient way to achieve what I'm trying to do here? Am I going about this the wrong way?
As jszobody has mentioned, you could rather manage the state inside the session. You secure the /ghost route and then, if the original-user-id session key is set, you display your bar and an unghost link.
public function ghost(Request $request, $id)
{
    $request->session()->put('original-user-id', Auth::user()->id);
    Auth::loginUsingId($id);
    return redirect('/');
}
public function unghost(Request $request)
{
    if ($request->session()->has('original-user-id')) {
        Auth::loginUsingId($request->session()->pull('original-user-id'));
    }
    return redirect('/');
}
Update:
The ghost endpoint basically accepts the id that you want to impersonate, typically found through an ajax search input or something similar. Whatever suits your use case.
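As an added example (not the asker's code and not the answer's), here is the session-based approach above with the authorization checks a practitioner would want around it: only an admin may start ghosting, a ghosted session cannot ghost again (that would overwrite the stored original id and strand the admin), and the bar is driven by the session key rather than a column on the user row. The `is_admin` column, the `GhostController` name and the route layout are assumptions.

```php
<?php
// Added example: admin-only impersonation tracked in the session. The ghosted user's own
// browser has a different session, so the flag never shows up on their side.
// Assumed: users.is_admin boolean column; routes /ghost/{id} and /unghost mapped here.
namespace App\Http\Controllers;

use App\User;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class GhostController extends Controller
{
    const KEY = 'original-user-id';

    public function ghost(Request $request, $id)
    {
        // Only a real admin may start ghosting (the route middleware should enforce this too).
        if (!Auth::user()->is_admin) {
            abort(403);
        }
        // Never ghost from an already-ghosted session, or the original id is lost.
        if ($request->session()->has(self::KEY)) {
            abort(409, 'Already ghosting; unghost first.');
        }

        $target = User::findOrFail($id);
        // Do not let one admin silently act as another admin.
        if ($target->is_admin) {
            abort(403);
        }

        $request->session()->put(self::KEY, Auth::id());
        Auth::loginUsingId($target->id);

        return redirect('/');
    }

    public function unghost(Request $request)
    {
        // pull() returns the value and removes the key in one step
        $originalId = $request->session()->pull(self::KEY);
        if ($originalId !== null) {
            Auth::loginUsingId($originalId);
        }

        return redirect('/');
    }

    // Used by the layout (or a view composer) to decide whether to render the bar.
    public static function isGhosting(Request $request)
    {
        return $request->session()->has(self::KEY);
    }
}
```

In the layout, wrapping the bar in a check on `session()->has('original-user-id')` is enough; because the flag lives in the admin's session, the refresh scenario from the question cannot show the bar to the impersonated user.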

Login functionality in PHP

I'm having this project where I need to implement login functionality in my webpage. Everything functions, like I have the code and I understand its implementation. I have used a static global variable to keep track of the logged-in status. I'm not very keen on session variables. Thing is, my program doesn't seem to validate my login status properly even though my "MySQL" statement is correct, I think. Anyone know a solution to this or how to work with session variables?
I agree with all here that you should post your code and your exact problem.
Session in PHP:
Every page must be checked before opening through 'Your Controller'. This is an example to understand how it works. controller.php:
class controller
{
    // login
    public static function login()
    {
        // start the session if it is not already running
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        $_SESSION['userLoggedin'] = true; // assignment, not a comparison
        header('Location: index.php');
        exit;
    }
    // To check if the user is logged in
    public static function ifLogged()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        if (empty($_SESSION['userLoggedin'])) {
            self::logout();
        }
    }
    // logout
    public static function logout()
    {
        if (session_status() !== PHP_SESSION_ACTIVE) {
            session_start();
        }
        // clear the flag, then delete the session
        unset($_SESSION['userLoggedin']);
        session_destroy();
        header('Location: login.php');
        exit;
    }
}
In your index.php you have to include your controller, to check if the user has logged in or not.
index.php
require_once('controller.php');
controller::ifLogged();
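As an added example (not from the answer above), here is the same session-based login written as plain PHP functions with the two details that skeleton leaves out: the session id is regenerated when the user logs in, so an id handed out before login cannot be reused, and logout also deletes the session cookie in the browser. The `$users` array stands in for the asker's MySQL lookup and is constructed here; in a real app the hash comes from the database row.

```php
<?php
// Added example: plain-PHP session login/logout. Constructed sample data below
// replaces the MySQL query; the stored value is a password_hash() output.
declare(strict_types=1);

$users = [
    'alice' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT)], // constructed
];

function ensure_session(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        ini_set('session.cookie_httponly', '1'); // cookie not readable from JavaScript
        ini_set('session.use_strict_mode', '1'); // reject ids the server never issued
        session_start();
    }
}

function login_user(string $username, string $password, array $users): bool
{
    ensure_session();
    $hash = $users[$username]['hash'] ?? null;
    // password_verify() compares against the stored hash in constant time
    if ($hash === null || !password_verify($password, $hash)) {
        return false;
    }
    // new id on privilege change: a pre-login id can no longer reach this session
    session_regenerate_id(true);
    $_SESSION['userLoggedin'] = true;
    $_SESSION['user'] = $username;
    return true;
}

function is_logged_in(): bool
{
    ensure_session();
    return !empty($_SESSION['userLoggedin']);
}

function logout_user(): void
{
    ensure_session();
    $_SESSION = [];                           // drop the data for this request too
    if (ini_get('session.use_cookies')) {     // and make the browser forget the id
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

function require_login(string $loginPage = 'login.php'): void
{
    if (!is_logged_in()) {
        header('Location: ' . $loginPage);    // header() needs the "Location:" prefix
        exit;
    }
}

// usage from a login form handler (constructed input):
// if (login_user($_POST['user'] ?? '', $_POST['pass'] ?? '', $users)) { header('Location: index.php'); exit; }
// and at the top of every protected page: require_login();
```

`session_destroy()` alone does not remove the cookie or clear `$_SESSION` in the current request, which is why `logout_user()` does both explicitly.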

Laravel 5.1 auth logs out after refresh

I'm working with Laravel for the first time.
My auth user logs out automatically after I go to another route or if I refresh the page, and I don't understand why. Please help me.
This is my log in code:
public function ini_ses(Request $datos)
{
    // Start session
    Session::put('ses_correo', Input::get('email'));
    $correo = $datos->input('email');
    $password = $datos->input('password');
    if (Auth::attempt(['correo_elec' => $correo, 'password' => $password]))
    {
        $_session['correo'] = $correo;
        $_session['contra'] = $password;
        if (Auth::user()->tipo == 0)
        {
            return view('cliente');
        }
        elseif (Auth::user()->tipo == 1)
        {
            return view('veterinario');
        }
        elseif (Auth::user()->tipo == 2)
        {
            echo("Admin");
        }
    }
    else
    {
        var_dump($correo, $password);
    }
}
If you know how to fix it, I appreciate your help.
UPDATE: Another possibility
Laravel 4 Auth works but does not stay logged in
Remove all, but the redirects. Apparently this may mess up the authentication process.
The Auth::attempt() should trigger the necessary things to keep the user logged in, a small yet simple possibility could be the remember me function. Although it shouldn't be that, it would be worth a try.
Add true as a second parameter to the function.
if(Auth::attempt(['correo_elec'=>$correo, 'password'=>$password], true))
Assuming your Users table has the default Laravel structure (with a remember_token column).
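As an added example (not the asker's code and not the answer's), here is the login action rewritten the way the answer suggests: `Auth::attempt()` followed by a redirect instead of returning a view, with the optional remember flag as the second argument. The column names `correo_elec` and `tipo` come from the question; the route names `cliente`, `veterinario` and `admin` and the `remember` form field are assumptions.

```php
<?php
// Added example: Laravel 5.1 login action that redirects after Auth::attempt().
// Assumed route names: cliente, veterinario, admin; assumed checkbox field: remember.
namespace App\Http\Controllers;

use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Session;

class SesionController extends Controller
{
    public function ini_ses(Request $datos)
    {
        $credentials = [
            'correo_elec' => $datos->input('email'),
            'password'    => $datos->input('password'),
        ];
        // second argument enables "remember me" (needs users.remember_token)
        $remember = $datos->has('remember');

        if (!Auth::attempt($credentials, $remember)) {
            // never echo or var_dump the submitted password; go back with a message
            return redirect()->back()
                ->withInput($datos->only('email'))
                ->withErrors(['email' => 'Credenciales incorrectas']);
        }

        // fresh session id after authentication, so a pre-login id is not reused
        Session::regenerate();

        // Redirecting ends this request; the next request carries the session cookie
        // that Auth::attempt() populated, which is what keeps the user logged in.
        switch (Auth::user()->tipo) {
            case 0:
                return redirect()->route('cliente');
            case 1:
                return redirect()->route('veterinario');
            case 2:
                return redirect()->route('admin');
            default:
                Auth::logout();
                abort(403);
        }
    }
}
```

Storing the plaintext password in `$_session` (as the question's code does) is never needed: `Auth::attempt()` already records the authenticated user id in Laravel's own session store.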

How to programmatically recreate php yii session?

From my application view I need to programmatically logout current user and login another one right after that.
I want to login the second user into his own different CHttpSession (with another sessionID and so on). I need it for a security reasons.
How to implement this in the Yii framework?
The code below
$oSession->destroy();
$oSession->open();
doesn't work as expected.
Looks like you are trying to impersonate users:
Create a function in your UserIdentity that would allow you to log in as another known user (it has to be public so the controller can call it):
public function logInUser($user)
{
    if ($user)
    {
        $this->_user = $user;
        $this->_id = $this->_user->id;
        $this->setState('name', $this->_user->name);
        $this->errorCode = self::ERROR_NONE;
    }
}
In your controller, call this function to get the UserIdentity object and then use Yii's CWebUser login:
$ui = null;
$user = User::model()->findByPk($userId);
if ($user)
{
    $ui = new UserIdentity($user->email, "");
    $ui->logInUser($user);
}
Yii::app()->user->login($ui, 0);
Remember to protect this controller's action from non-authorized users.
A possible tricky way (tested):
session_unset();
Yii::app()->user->id = $the_new_id;
When the above code is executed, nothing visible happens on the page, so you may want to redirect the browser:
$this->redirect('somewhere');
Upon the next page load, the user with $the_new_id will be logged in.
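As an added example (not from either answer), here is a Yii 1.1 controller action that does what the question asks: log the current user out, start a new session with a new id, and log the other user in. It reuses the `logInUser()` helper from the first answer and assumes it is public; the `isAdmin` property on the web user, the `AdminController` name and the `site/index` route are assumptions. `CHttpSession::regenerateID()` and the `postOnly` filter are real Yii 1.1 APIs.

```php
<?php
// Added example: switch to another user in a fresh CHttpSession (Yii 1.1).
// Assumed: UserIdentity::logInUser() is public, Yii::app()->user->isAdmin exists.
class AdminController extends Controller
{
    public function filters()
    {
        // accessControl enforces accessRules(); postOnly stops the switch from a plain link
        return ['accessControl', 'postOnly + switchUser'];
    }

    public function accessRules()
    {
        return [
            ['allow', 'actions' => ['switchUser'], 'expression' => 'Yii::app()->user->isAdmin'],
            ['deny'],
        ];
    }

    public function actionSwitchUser($userId)
    {
        $user = User::model()->findByPk((int) $userId);
        if ($user === null) {
            throw new CHttpException(404, 'No such user');
        }

        // 1. Drop the current identity; logout(true) also destroys the session data.
        Yii::app()->user->logout(true);

        // 2. Open a new session and give it a new id. The old id is gone, so a cookie
        //    captured before the switch cannot be replayed against the second user.
        $session = Yii::app()->session;
        $session->open();
        $session->regenerateID(true);

        // 3. Build the identity (from the first answer) and log in for this session only.
        $identity = new UserIdentity($user->email, '');
        $identity->logInUser($user);
        Yii::app()->user->login($identity, 0);

        $this->redirect(['site/index']);
    }
}
```

The `session_unset()` trick in the second answer keeps the same session id, which is what the question wants to avoid; regenerating the id is the part that gives the second user a session the first user never held.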
