I have a project on "somepage.com", and when I go to my page I always see the login form again. When I go back to "somepage.com", I want to check whether I previously logged in: if I did, I want to go to /admin or /sales, and if I'm not logged in, go to /
Laravel 5.8
If you want to check manually, you can use Auth::check(); this will return whether the session is active.
In your controller before rendering the view code will look somewhat like this:
if (Auth::check()) {
    // return redirect as you wish.
}
// return redirect to login page.
Don't forget to use Illuminate\Support\Facades\Auth;
I've got a working login page for my Laravel program. Now, if the user logs in successfully he/she must be redirected to a different page (instead of the "home" page as they normally would have been). This will be the 2FA page.
My question is:
I know how to redirect the user after validating their credentials, but how can I set it so that once the user is redirected to the 2FA page that they cannot instantly access any other part of the website as they would after logging in normally? (Also, they should only be able to access the 2FA page if they've been authenticated successfully) And then only allow them access to the full content of the website only after they've passed the 2FA page?
My login function in my AuthController looks something like this:
if (Auth::attempt(['username' => $request->username, 'password' => $request->password])) {
    return redirect()->route('home');
} else {
    session()->flash('errormessage', 'Invalid password.');
    return redirect()->back();
}
As far as I know, "Auth::attempt" immediately logs the user in when True is returned. One way I was thinking of doing it is I instantly log the user out as soon as they're logged in, save their UserID to their session, then redirect them to the 2FA page, the 2FA page checks their UserID in their session and loads, otherwise redirects them back to the login page. And once they've passed the 2FA page just log them in again using their UserID which is saved in their session.
Any better suggestions would be welcome.
Add this function to your login controller, which overrides the redirectTo property:
public function redirectPath()
{
    // $someCondition is a placeholder: replace it with your own check.
    if ($someCondition) {
        $this->redirectPath = route("some where");
    } else {
        $this->redirectPath = route("some other where");
    }
    return $this->redirectPath;
}
I have some trouble with killing the session when doing logout in Laravel. What I'm doing in my Logout method is
Auth::logout();
Session::flush();
return View::make(..);
So what is my problem? After I log out and click "back" in the browser, it takes me back to the page I was on, without asking for login. How can I kill the session, so that after logging out and going back it asks me for login again?
Following up to my previous comment, Laravel contains a default filter called 'auth' that checks if user is authenticated and redirects to the login view if he isn't.
You simply need to add the filter to the route:
Route::get('your route here', array('before' => 'auth', function()
{
    return 'normal route behavior here';
}));
You could change it to:
Auth::logout();
Session::flush();
return Redirect::back();
or..
return Redirect::route('login');
When you click the previous button in the browser, it just shows a view of the previous page, with no request to or response from the server.
But if you want to revoke this action, use JavaScript like:
window.onbeforeunload = function() { return "You must login"; };
I am using the Codeigniter redirect() to redirect the page after the user logs out on my website http://www.theindianclassified.com.
When the user goes to the URL http://www.theindianclassified.com/logout, he is redirected to the home page after he is logged out of the system. But if the user logs in again and clicks logout, the user is not logged out but is still redirected to the home page. I think the redirect using the Codeigniter redirect() method is cached by the browser.
Please help me with how to implement the above scenario. I want the browser not to cache the redirect.
Log out function is below.
function logout() {
    $this->session->sess_destroy();
    redirect('');
}
You should check your login function to make sure the fault isn't there. If I were to guess it'll be there. If that doesn't work try 'unsetting' the session variables one-by-one.
I have a controller called Accounts, with the views signin and signout.
The corresponding functions look like this:
function signin()
{
    if (!empty($this->data))
    {
        //handle login
        // ...
        //save login to session
        $this->Session->write('Account', $data["Account"]);
        //redirect to previous page
        // ???
    }
}
function signout()
{
    //delete login
    $this->Session->delete('Account');
    //redirect to previous page
    // ???
}
If the user goes to accounts/signin, it first checks to see if the form is submitted, if(!empty($this->data)). If yes, it logs them in; if not, it renders the signin form. If they do successfully log in, I want to redirect them to the page they were at before the signin page.
What's the best way to do that?
Edit:
I do not think I can use a regular HTTP referrer, because technically the referrer will always be the signin page: they go to /signin, then submit the sign-in form. So at the point where the form is submitted, the referrer is always /signin. I want to redirect to where they were before that. Does that make sense?
The best way is to use Cake's Auth component and let it do what it does... http://book.cakephp.org/2.0/en/core-libraries/components/authentication.html#AuthComponent::$loginRedirect
Here's how I do it with referer
I have 2 login forms: one is a form at the top of all pages for easy sign-in, the other is on the login action. If the user comes in using the form at the top, the form submission then goes to the login page and you can use $this->referer() to redirect the user back.
But the problem is that if the user types the password wrong or enters invalid credentials, he will then end up on the login page. If he then enters the right username+password, redirection occurs using $this->referer(), which in this case is the login page itself. The user could then either 1. get redirected back to the login page again or 2. even worse, get stuck in an infinite loop because login will keep redirecting to itself.
So, I add some logic to check that the referer is not the login page. I also add logic to store $this->referer() the first time the user lands on the login page, so we know exactly which page came before the login page.
To store the page before the login page, put this code at the end of the action (where login view rendering is about to begin):
//get the current url of the login page (or current controller+action)
$currentLoginUrl = strtolower( "/" .$this->name ."/" .$this->action );
if( $this->referer() != $currentLoginUrl )
{
    //store this value to use once user is successfully logged in
    //if referer can't be read, or if it's not from the local server, use $this->Auth->redirect() instead
    $this->Session->write('beforeLogin_referer', $this->referer($this->Auth->redirect(), true));
}
Now put the code to redirect in the part of the code where authentication is successful (or in if( $this->Auth->user() ){ } ):
//get the login page url again (by getting its controller, or plural of Model, and this current page action and make the url)
$currentLoginUrl = strtolower( "/" .$this->name ."/" .$this->action );
//if the referer page is not from login page,
if( $this->referer() != $currentLoginUrl )
{
    //use $this->referer() right away
    //if referer can't be read, or if it's not from the local server, use $this->Auth->redirect() instead
    $this->redirect($this->referer($this->Auth->redirect(), true));
}
else
{
    //if the user lands on login page first, rely on our session
    $this->redirect( $this->Session->read('beforeLogin_referer') );
}
Hope this works for you.
http://book.cakephp.org/view/430/referer
Use a hidden <input> field that holds the initial referrer and gets submitted with the login data.
I don't know about the best way, but I store the attempted destination in a session variable before redirecting them to the sign in page.
Once they have signed in, I redirect them to the stored destination.
Use the AppController and UsersController to set it up
In AppController beforeFilter action
$referer = Router::url($this->url, true);
$this->Auth->loginAction = array('controller'=>'users','action'=>'login','?'=>['referer'=>$referer]);
In UsersController login action
if($this->Auth->login())
{
    $this->Session->setFlash(__('Logged in successfully !'));
    $redirect = $this->request->query('referer');
    if(!empty($redirect))
    {
        return $this->redirect($this->Auth->redirectUrl($redirect));
    }else{
        return $this->redirect($this->Auth->redirectUrl());
    }
}
CakePHP 2.x here
1. Edit AppController.php
public function beforeFilter() {
    // redirect url
    if($this->request->here != '/users/login') {
        $user_id = AuthComponent::user('id');
        if(empty($user_id)) {
            $this->Session->write('redirect_url_after_login', Router::url($this->request->here, true));
        }
    }
}
This will store the URL the user wanted to go to before the request, only if the URL is not /users/login (replace with the URL of your login) AND if no user is logged in.
2. Edit your login form. Mine was Users/login.ctp. Add a hidden field only if there is a session variable set.
$redirect_url_after_login = $this->Session->read('redirect_url_after_login');
if(!empty($redirect_url_after_login))
    echo $this->Form->input('redirect_url_after_login', ['value'=>$redirect_url_after_login, 'type'=>'hidden']);
3. In your login action, add an action to overwrite the loginRedirect variable you may have set before.
public function login() {
    if ($this->request->is('post')) {
        if ($this->Auth->login()) {
            $redirect_url_after_login = $this->request->data['User']['redirect_url_after_login'];
            // only follow the stored URL if it is a valid URL on this host
            if(!empty($redirect_url_after_login)
                && filter_var($redirect_url_after_login, FILTER_VALIDATE_URL)
                && parse_url($redirect_url_after_login, PHP_URL_HOST) == $_SERVER['HTTP_HOST'])
                return $this->redirect($redirect_url_after_login);
            $this->Session->delete('redirect_url_after_login');
            return $this->redirect($this->Auth->redirect());
        }
    }
}
I added a couple of security checks, like "is the redirect url a valid url?" and "is it redirecting towards my domain or an external domain?".
Note: I know checking $_SERVER['HTTP_HOST'] is not bulletproof, but here we're talking about preventing open redirect vulnerability, so it's enough.
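A stricter form of the redirect check in step 3, as an added example that is not part of the original answer: it compares the host against a configured allowlist instead of $_SERVER['HTTP_HOST'], also accepts local paths, and always returns a rebuilt same-site path. The function name, ALLOWED_HOSTS, FALLBACK_PATH and the sample URLs are assumptions constructed for illustration; PHP 7 or later is assumed.

```php
<?php
// Added example; ALLOWED_HOSTS, FALLBACK_PATH and all sample URLs are constructed.
const ALLOWED_HOSTS = ['shop.example.test']; // configured, never read from the Host header
const FALLBACK_PATH = '/';

/**
 * Return a same-site path that is safe to redirect to, or FALLBACK_PATH
 * when the candidate could send the browser to another origin.
 */
function safeRedirectTarget(string $candidate): string
{
    // Browsers and parse_url() disagree on control characters, spaces and
    // backslashes, so reject them instead of trying to normalise.
    if ($candidate === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return FALLBACK_PATH;
    }
    if ($candidate[0] === '/') {
        // Local path; "//host/..." is protocol-relative and leaves the site.
        return (substr($candidate, 0, 2) === '//') ? FALLBACK_PATH : $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return FALLBACK_PATH; // relative junk, "javascript:", "data:", ...
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || !in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return FALLBACK_PATH; // wrong scheme, foreign host, "allowed@foreign" userinfo
    }
    // Rebuild as a local path: scheme, userinfo and port from the input are
    // dropped, and repeated leading slashes are collapsed to one.
    $path = '/' . ltrim($parts['path'] ?? '', '/');
    return isset($parts['query']) ? $path . '?' . $parts['query'] : $path;
}

// Constructed inputs: two legitimate targets, then four that must fall back or be rewritten.
$samples = [
    '/admin/orders?page=2',
    'https://shop.example.test/sales',
    'https://shop.example.test//other.example.test/x',
    'https://shop.example.test@other.example.test/',
    '//other.example.test/login',
    'javascript:alert(1)',
];
foreach ($samples as $s) {
    printf("%-50s => %s\n", $s, safeRedirectTarget($s));
}
```

Because the function only ever returns a path, the same check can be applied to a value read from the session, a hidden form field or a query parameter before it is passed to the framework's redirect call.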