I'm making web app that will be fully based on Ajax requests.
As I understand the only way to achieve that goal is to send identity and password with every Ajax request or am I wrong?
I'd like to use ZfcUser to perform actions connected with register, login and logout but if I'm calling that on server side: $this->getServiceLocator()->get('controllerPluginManager')->get('zfcUserAuthentication')->getAuthService()->getIdentity(); I always receive last logged user.
Is it possible to handle multiple users at once using ZfcUser plugin (or maybe simply Zend 2)?
Can Zfcuser remember in any data structure all users that are actually logged in?
If you are in a controller you can use $this->ZfcUserAuthentication()->getIdentity() to get the identity. If you are anywhere else, use the servicemanager/locator to get 'zfcuser_auth_service' which you then can use to call getIdentity().
The Auth Service will give you the user based on session, so you should never users from another session. Doesn't matter if you use ajax or not.
Related
The documentation doesn't talk much about logging in and out and handling security in general.In Symfony, you can secure pages of your site via a YML file. Does F3 have anything like that?
What is the recommended way to secure pages and handle a logged in user? I liked basic Auth, but it isn't very flexible, and it seems logging out is trickier. So I decided to set up a form for login/logout.
I would have assumed that Auth automatically creates a session, but from what I can tell it doesn't. So does that mean I need to manually do it?
Also, how do I block non authenticated visitors from the site? Do I need to add a SESSION check in each route?
The freedom when using F3 is that you can/must implement this on your own.
You got multiple options here or can create some other creative solutions too, if your project requires it. The included Auth plugin doesn't create a SESSION of course, because it cannot know if you want to use a SESSION to track your users or maybe use other solutions (cookie, JWT, etc).
So in most cases you need to create an Auth controller where you check if a user is logged in or not - here you would probably use the Auth plugin and create the SESSION if you want that. From there on you got serveral other options.. just to name a few:
use a base controller, that your other controllers will extend (or a Trait) and add a beforeroute there, where you'll check if the user is logged in and allowed to access that ressource.
check the user rights in the front controller (index.php) and don't even register the routes that the user has no access to.
use a 3rd party plugin to add access checks to routes, i.e. f3-access
use another middleware router to pre-flight the current request and add auth checks to multiple routes at once
I am developing a web application in Laravel. Now I'm in the process of creating an android app. I need to create a web service (back end) in Laravel, but I don't know how to manage the sessions (auth) in the request.
My idea is to create a unique token for every session, and store it in a database. So, every request need the token be included, and my backend will check if the token is valid or not.
How can I modify the login functionality that comes with Laravel 5.0 to create an return the token?
I read the documentation and some articles in the internet, but it is still not clear to me.
You can create a token during registration of the app which should correspond with the user id. This token will be used together with the user id anytime you call any of your api's to authenticate the user.
You can create a filter named custom_authentication and check for the token validity inside that filter. Now just apply this filter before every routes, which you want to be authenticated.
Using only simple authentication token is not very secure, you need to go with HTTPS always.
If you want to make the API secure with HTTP, you might have to implement OAuth with the help of packages like this.
I'm building my first Cakephp application, but I'm pulling my hairs over this problem: I need my application (mydomain.com/cake-app) to co-operate with another non-cake php application (mydomain.com/custom-class) on the same server.
Both applications should share authentications and sessions, and I would like Cakephp to handle these.
However, custom-class will need to see who's logged in, and also add/edit users to my cake-app db, either by accessing my User Model, or by calling an setUser action in my UsersController. custom-class does not have access to the cake-app database.
How can I access Cakephp's AuthComponent and my User Model / UsersController from outside the Cakephp framework? What cake files do I need to include in my custom-class in order to accomplish this?
custom-class does not have access to the cake-app database.
The only way is an API then that doesn't require direct DB access. Implement a RESTful API for example that your none-cake app can call.
http://book.cakephp.org/3.0/en/development/rest.html
http://book.cakephp.org/3.0/en/views/json-and-xml-views.html
However, custom-class will need to see who's logged in, and also
add/edit users to my cake-app db, either by accessing my User Model,
or by calling an setUser action in my UsersController.
You'll have to read the cookie then and the cookie needs to require something you can send along with your API request so that the API knows who is asking for what.
You won't be able to simply require() or include() a few files from Cake and it will work, this isn't going to happen because the Auth system is a complete stack, you would have to initialize a request, controller, component collection, auth component and the auth adpater(s). Instead check how Cake writes and reads the Cookie and implement the same way in your custom class. But pay attention, Cake saves the cookie encrypted.
I am new to symfony2, and i have read most of the book, it all makes perfect sense i really like the framework.
But, i am trying to achive the following:
I have a login system, this system authenticates on another site via CURL, so the users will not be in my database, a successful login depends on the response i get from an external site.
System flow is:
User enters credentials.
I CURL the external site.
If the external site accepts the credentials, i store their credentials in the database.
I log them in
So, id like to have everything symfony2 offers in therms of automatic redirection, etc etc, i would just like to set the logged in session manually.
How would i go about configuring my security.yml and how do i set the "Logged in" sessions that they set to achieve this?
I have a users entity, with all the methods they recommend in their tutorial.
First you should understand the difference between Authentication and Authorization in symfony
Then what you want is to create a custom authentication provider that will take care of finding who the user is and it's where you should do your curl requests to the other service.
After that you have to deal with Authorization, which is the part that takes care of finding if a user has the privilege of doing/access something, this is where you setup the ACL's.
If you're not storing the users in your database or in-memory but getting them for the service you should also implement a custom user provider that will grab the users from the service.
I am writing an application in CodeIgniter and I have concluded that it's best to write two applications. One for back office and one for client use.
I would like to have just one login screen. It will be in the back office application but if a client user logs in then I want to redirect to the client app and create a session there. The database user table stores the user type i.e. client or admin.
I have come up with the following solution. As I want to this the correct way I said i'd run it by you guys to see what ye think.
User logs into admin CI app.
Admin CI app verifies user and determines type. If admin then go ahead and create session etc.
If the user is a client then MD5(user_ip+timestamp OR make a secure token some other way) and store in a token field (user_table) in DB.
redirect the user to the client admin via a login page. The paramters would be the token and username. The login function would then go to that user in the database and verify the token.
On successful authorization of token the CI client app would start a session and let the user in.
This seems like a very long winded method. Ideally there would be a way to start a session for one CI app from another?
Any ideas?
Thanks.
Once you've verified admin or client, I would use the CodeIgniter session class with the ci_sessions table in your database.
http://codeigniter.com/user_guide/libraries/sessions.html
Then to distinguish users from client or employee add a variable to the session.
$this->session->set_userdata('user_type', 'client');
Then just use that if ever you need it.
I would go about making 2 applications under HMVC (Hierarchical-Model-View-Controller) framework.
HMVC CodeIgniter Tutorial
Then you can go about using same sessions under multiple applications, as well as use the same models for user management, etc..
HMVC helps you modularize your applications, thus if you want to add more applications in the future, you can easily do that, passing over same sessions and such.
I answered your question in a bigger scope, one central login with 2 apps, best should be done with HMVC.
:)
Might wanna check out BackEndPro for CodeIgniter, could save you a lot of time.
Includes:
User Authentication with registration & account activation
User Permissions by using ACL (Access Control Lists)
Admin GUI backend for editing Site-wide Preferences
Built on Matchbox (for Modular development)
Asset Library (optimize, cache, and load JS & CSS)
ReCAPTCHA
Status messages (info/success/warning/error messages for the user)