I'm working with Laravel for the first time.
My auth user logs out automatically after i go to another route or if i refresh the page, and i dont understand why, please help me.
This is my log in code:
public function ini_ses(Request $datos)
{
//Inicia sesion
Session::put('ses_correo', Input::get('email'));
$correo = $datos->input('email');
$password= $datos->input('password');
if(Auth::attempt(['correo_elec'=>$correo, 'password'=>$password]))
{
$_session['correo']=$correo;
$_session['contra']=$password;
if(Auth::user()->tipo==0)
{
return view('cliente');
}
elseif(Auth::user()->tipo==1)
{
return view('veterinario');
}
elseif(Auth::user()->tipo==2)
{
echo("Admin");
}
}
else
{
var_dump($correo, $password);
}
}
If you know how to fix it, i aprecciate your help.
UPDATE: Another possibility
Laravel 4 Auth works but does not stay logged in
Remove all, but the redirects. Apparently this may mess up the authentication process.
The Auth::attempt() should trigger the necessary things to keep the user logged in, a small yet simple possibility could be the remember me function. Although it shouldn't be that, it would be worth a try.
Add true as a second parameter to the function.
if(Auth::attempt(['correo_elec'=>$correo, 'password'=>$password], true))
Assuming your Users table has the default laravel structure (with a remember token column)
Related
I am building a new Laravel application (v5.4) that will run alongside (installed in the same environment) an existing PHP application that has it's own authentication system. I want the users who have successfully logged in to the existing system to be automatically authenticated in the Laravel app so they can navigate seamlessly between the applications.
My Laravel app has read-only access (through a second db connection) to the existing system's database so it can safely check that the PHP Session matches the session cookie recorded in the database and I can even pull out the user object and hand it to Auth's login() method.
I want to know the best way to put Auth into an authorised state (not guest) and where is the best place to put such code?
Options I've thunked of so far:
Middleware: Check session and call the login() method on Auth from some application-wide middleware?
Extend Illuminate/Auth/SessionGuard.php and override the attempt() method? If so, how do I tell the other parts to use my extended SessionGuard? (I suspect this was not designed to be easily overridden)
Super hacky disgusting way of dynamically setting the user's password to a random hash and then calling Auth/LoginController#login() in the background with a faked request containing that hash as the password field. (I seriously hope this doesn't end up being the most popular answer)
Some other option (?)...
Thanks in advance for your help SO community!
The solution I ran with in the end was creating a middleware that contains this:
if (session_status() == PHP_SESSION_NONE) {
session_start();
}
if (isSet($_SESSION['intranet_user_id']) && $_SESSION['intranet_user_id']) {
// Log them in manually
$intranet_user_id = $_SESSION['intranet_user_id'];
if (!Auth::guest() && Auth::user()->getId() !== $intranet_user_id ) {
Auth::logout();
}
if (Auth::guest()) {
Auth::login( User::find($intranet_user_id), true);
}
} else {
Auth::logout();
}
I'm having some trouble wrapping my head around whether or not things are working as intended.
I've got a simple implementation of cakephp3, cake-auth0 (https://github.com/jsoftb/auth0) and I am using an auth0 login form.
This flow works just fine.
example.com/users/login -> form -> my-domain.auth0.com -> example.com/users/login?code=secret
$auth_code = $this->request->query('code', null);
if(!is_null($auth_code)) {
$user = $this->Auth->identify();
if($user) {
$this->Auth->setUser($user);
return $this->redirect($this->Auth->redirectUrl()); // example.com/
}
}
Logging a user out is where I'm having issues.
example.com/users/logout -> auth0-domain (kill cookie) -> example.com
public function logout() {
return $this->redirect($this->Auth->logout());
// $this->redirect('http://auth0.domain?returnTo=http://example.com/');
}
public function beforeFilter(Event $event) {
parent::beforeFilter($event);
$this->Auth->allow('logout'); // Appears to do nothing
}
This successfully logs me in and out of auth0 just fine.
I stay logged into cake however and it is driving me a bit batty.
My login page with some session user output shows me as logged in and I can access the page example.com/users. I cannot view it while not yet logged in.
I haven't created any database stuff to go with users yet if that helps.
Short of going brutal and nuking all sessions/cookies using just php, anyone else have any ideas?
Update: Dug a lot through code. Cake's vanilla Authcomponent::logout doesn't do much of anything. I managed to get something that will work for me by manually killing a session of some sort.
I'll leave this up because I know some guru will come along at some point.
I was able to achieve logging out (of cake) like this:
public function logout() {
$url = $this->Auth->logout();
$this->request->session()->destroy();
return $this->redirect($url);
}
Call AuthComponent's logout function and save the response url string.
Destroy the request session because logout didn't do it.
Redirect.
I am attempting to introduce "ghosting" into my application - wherein I can access our app from the POV of a user.
Currently using the loginUsingID function to achieve this, with a protected route only accessible by admins. However, I would also like to display to the admin that they are ghosting a user by displaying a bar across the top of our app.
I was thinking of adding a property to the user is_being_ghosted - setting it as false on logout, false on login, and true on ghostLogin.
But I realize there is a small chance an admin attempts to ghost a user, and it sets that property, and while they are investigating things within the account, the user themselves refreshes their page (they were already authenticated so do not need to login again). In that case they would see this "admin bar" across the top, which clearly I wouldn't want to happen.
Is there an efficient way to achieve what I'm trying to do here? Am I going about this the wrong way?
As jszobody has mentioned. You could rather manage the state inside the session. You secure the /ghost route and then if the original-user-id session is set you display your bar and an unghost link.
public function ghost(Request $request, $id)
{
$request->session()->put('original-user-id', Auth::user()->id);
Auth::loginUsingId($id);
return redirect('/');
}
public function unghost(Request $request)
{
if ($request->session()->has('original-user-id')) {
Auth::loginUsingId($request->session()->pull('original-user-id'));
}
return redirect('/');
}
Update:
The ghost endpoint basically accepts the id that you want to impersonate, typically found through an ajax search input or something similar. Whatever suites your use case.
I'm using Cashier on my laravel application. It has a simple way of verifying if the user is subscribed:
$user->subscribed();
Cashier stores on the users table a field "stripe_active" to check if the user has an active subscription. Now, I'm trying to do something kinda simple, but didn't find in the documentation.
When the user subscription expires, I want to run a function that will disable some stuff on the user account and save it to the database. I don't want to check and run it at every login , I want it to fire only once, when the account expires.
So I looked into Cashier's StripeGateway file, which has this function :
public function cancel($atPeriodEnd = true)
{
$customer = $this->getStripeCustomer();
if ($customer->subscription) {
if ($atPeriodEnd) {
$this->billable->setSubscriptionEndDate(
Carbon::createFromTimestamp($this->getSubscriptionEndTimestamp($customer))
);
}
$customer->cancelSubscription(['at_period_end' => $atPeriodEnd]);
}
if ($atPeriodEnd) {
$this->billable->setStripeIsActive(false)->saveBillableInstance();
} else {
$this->billable->setSubscriptionEndDate(Carbon::now());
$this->billable->deactivateStripe()->saveBillableInstance();
}
}
Now it appears that when the account is canceled, two functions run - cancelSubscription and deactivateStripe. I didn't find a documented way to run something on account expire, so I figured I might have to extend these methods and run it myself, but I'm a bit lost on how to do it. Can someone help out?
I have a CakePHP 1.3 application that has a login system, which works well. It uses a DB with a users table, which existed before creating this app.
I'm using Auth in my AppController. The login function looks like
function login() {}
and it's located in the users_controller.
Everything works fine, as I said, but I have problems trying to add a new functionality. I would like to, during the login process, detect if a user has introduced a specific combination of login/password (let's say admin/adminpwd). If so, the login should be succesful AND he would be taken to an admin area (/admin/index). Otherwise, the login process should work as usual.
Once in this admin area (controlled by an admin_controller), this user should be able to perform some actions exclusive to him, no to the rest of users (even if they type on the browser /admin/action).
I've read about ACL, and probably it would help with this, but it seems too complicated for what I really need. Is there any simple way to do this? I guess I should modify the login function, but I don't really know how exactly, and if there's anything else I should change... any ideas?
Yeah, ACL is pretty complicated (and powerful). But in your case, I'd suggest create a 'group' field in users table to distinguish the role of the user. So you can have more admins later if you want. It's more flexible than hard-code a certain login credential in your users_controller.
There are several things you need to do to:
Tell the Auth component to transfer control to you after the user logins, so you can determine their group and redirect them accordingly.
Check if a user in a group is accessing some other group's action: If you don't, a regular user just need to be logged in, and they can type in admin url (if they know about it) and they can do everything an admin can. This check will probably be done in before_something_() in app_controller or tap into Auth somewhere.
I don't remember all the details, but you can get everything you need in the Cake Cookbook. Good luck!
Let's just see some code...
class UsersController extends AppController {
// we're moving the variable to AppController!
public function login() {
$usrInfo = $this->Auth->user();
if (isset($usrInfo) {
// this index name might not be right. I'm going off memory please check this!
if (in_array($usrInfo['username'], $this->adminUsers)) {
// do your code here for admin users.
// could be a redirect or just changing the layout used
} else {
// is a user that is logged in but not in our admin list
}
}
}
To test if the user is logged in you would need to do something like the following:
class AppController extends Controller {
protected $adminUsers = array('joe_blow_uname', 'jane_blow_uname');
public function beforeFilter() {
$routing = Configure::read('Routing.admin');
$usrInfo = $this->Auth->user();
if (isset($this->params[$routing]) && isset($usrInfo)) {
if (!in_array($usrInfo['username'], $this->adminUsers)) {
// do code here for non-admin users using /admin prefix
}
}
}
}
Let me know if this doesn't help.
Or worse breaks something...
Edit:
This is really not the best way to do this obviously. ACL or setting up some kind of group in your database would probably be better. BUT, it is a relatively quick-n-dirty way that, for a small site, should work fine.