I'm trying to harden the admin login on a Joomla 1.5+ site and though the client may go for an upgrade soon- it hasn't happened yet. I edited the administrator/index.php with this code:
/* Block access to administrator
--------------------------------------------- */
$user =& JFactory::getUser();
$secretkey = 'mytoken';
$redirectto = 'location: http://www.myurl.com';
$usertype = 'Registered';
//Check if the user is not logged in or if is not a super user:
if ($user->guest) { //|| (!$user->guest && $user->usertype == $usertype) ) {
//Check if the secret key is present on the url:
if (#$_GET['access'] != $secretkey) { header($redirectto); }
}
/* --------------------------------------------- */
This was based on someones code which I found on the web. Currently, typing www.myurl.com/administrator/ or www.myurl.com/administrator/index.php redirects to the homepage. www.myurl.com/administrator/index.php?access=mytoken displays the login. The number of login attempts has gone down but the RSFirewall! component still reports several a day.
Before I commented the 2nd half of the first if statement the code always redirected no mater what..
How are they still accessing the login page? And what could I do better?
Instead of hacking the core why not use one of the many plugins available that provide this functionality?
On the current Joomla Extensions Directory (JED) many of the products listed in "Login Protection" have Joomla 1.5 versions, or failing that try the Archived JED (for Joomla 1.5 extensions) you could try the Login Protection section.
If your code is after the onAfterInitialise event in /administrator/index.php then the firewall software will probably still log the access. The onAfterInitialise event is the first place an extension can "plug-in" to the Joomla! environment.
To avoid any extensions at all you probably need your code before this block:
// trigger the onAfterInitialise events
JDEBUG ? $_PROFILER->mark('afterInitialise') : null;
$mainframe->triggerEvent('onAfterInitialise');
The various security plugin usually attach themselves to this event and order themselves first with very low or even negative values which is why they work without the firewall getting to see the issue.
Related
I just upgrade from Magento 1.9.3.3 (form key disabled) to 1.9.3.7. Now I cannot login to the backend. The error message is 'You did not sign in correctly or your account is temporarily disabled.'
I tried to reset the cookie domain, clear the cache and session from both server and browser and still no luck.
There are many posts concerning magento 2, but far less talking about magento 1. Does someone with magento 1 had and solved this issue? Thanks for your help in advance!
Check your admin_role DB table data against a backup. The data in mine got erased due to a DB server crash.
This was the only way to resolve this issue for me.
Magento admin panel login message shows which are set in admin session. Magento 1.9.X Mage::throwException() not works for login message.
So if you want to check the exact error(Event if wrong username & password) change in file app/code/core/Mage/Admin/Model/Session.php
public function login($username, $password, $request = null)
{
.....
} catch (Mage_Core_Exception $e) {
$e->setMessage(
Mage::helper('adminhtml')->__('You did not sign in correctly or your account is temporarily disabled.')
);
.....
}
.....
}
Every times show below message so instead of that set error message as below.
public function login($username, $password, $request = null)
{
.....
} catch (Mage_Core_Exception $e) {
$e->setMessage($e->getMessage());
.....
}
.....
}
#himansu answer led me to discover that the ReCaptcha extension I had installed and enabled for the admin login was causing the error. Disabling the extension from MySQL cleared up the problem and allowed me to login.
In my case, I went to the core_config_data table and set 'aminvisiblecaptcha/backend/enabled' to a value of '0'. This is a setting for Amasty's Google ReCaptcha extension.
It occurrences when your username is blocked by many times of tries with wrong pass or other issues.
For me, I had a incredible cache, and I removed var/cache and var/full_page_cache, and tried to restart web server (nginx in my case).
So I had to debug, I found this class with authenticate method adminAuthenticate():
app/code/core/Enterprise/Pci/Model/Observer.php
PHP was bringing always wrong value with "first_failure" and "lock_expires" for correct register (my user).
So I just comment those lines, for clear the "trash":
// check whether user is locked
if ($lockExpires = $user->getLockExpires()) {
$lockExpires = new Zend_Date($lockExpires, Varien_Date::DATETIME_INTERNAL_FORMAT);
$lockExpires = $lockExpires->toValue();
if ($lockExpires > time()) {
throw new Mage_Core_Exception(
Mage::helper('enterprise_pci')->__('This account is locked.'),
self::ADMIN_USER_LOCKED
);
}
}
And post again login, so that's OK, and uncoment that lines. The problem did not occur anymore.
After a bit of googling around I found there are many people having various versions of issues which all have the common root to 'session keys'.
Solution:
go to 'System->configuration', in section (left menu) choose 'General->Web'. On the main content, go to 'Session cookie management'. All these parameters can be tweaked according to your needs. However, to solve the login problem, just change the cookie domain to '.example.com', replace the example with your domain name and the dot in the front of the string is important.
Explanation:
During login, magento will lay 2 cookies (among other sessions). one is 'domain.com'=>value1, the other one is '.domain.com'=>value2.
The value1 should equal to value2. If they don't, the cannot login will happen. By setting the '.example.com' as the domain instead of 'example.com', Magento will somehow force set these 2 values equally.
I have problem with only Chrome, all the other browsers will give equal answer to the values. Could this be a Chrome thing?
I need to catch the loginsession from a joomla webpage and call that from a website a wrote which lies on a different server.
This is what i tried:
if (!defined('_JEXEC'))
{
define( '_JEXEC', 1 );
define('JPATH_BASE', realpath(dirname(__FILE__)));
require_once ( JPATH_BASE .'/includes/defines.php' );
require_once ( JPATH_BASE .'/includes/framework.php' );
}
defined('DS') or define('DS', DIRECTORY_SEPARATOR);
$app = JFactory::getApplication('site');
$user = JFactory::getUser();
$groups = $user->groups;
if($user->id)
{
if (isset($groups[7]) or isset($groups[8]))
{
echo $user->username;
}
else
{
echo 'false';
}
}
else
{
echo 'false';
}
I uploaded this into the root folder of the joomla site. If I call it via browser it works perfectly. It returns the username when i'm logged in and returns false when i'm logged out.
If I call it from the php Page it returns false
$siteText= file_get_contents ("http://examplejoomlasite.org/miniphpscript.php");
Is there any other chance to catch the joomla loginsession on another page?
The problem is that your call is a server request. Means it looks like for the miniphpscript if you would open a browser on your server it doesn't know anything about browser session on your local computer.
You should use a better HTTP library like Guzzle http://guzzlephp.org, which comes with cookie support. You have then to log in trough Guzzle first and save the cookie as file. On all your subsequent requests to the miniphpscript you need to use that cookie then.
After going through your question again and again I concluded that you need user integration on both the servers. that means you can know the user data in another server.
Go for jfusion to have common user in both the websites; provided both are php based. Link to JFusion is http://www.jfusion.org/feature/what-is-jfusion . If your system is based on any of the listed frameworks like dokuwiki, phpbb3 forum, kayako support OR joomla itself, then you can easily integrate it. Also if you have any other framework with which you want user integration then you can create a jfusion plugin. Jfusion works seamlessly with the frameworks i stated above.
You can check their documentation to create your custom JFusion Plugin http://www.jfusion.org/docs/doku.php?id=dev;intro
An easy way to do this is to develop a small webservice on your server that will just update a table in your database with authentications on the Joomla website.
Then, you will need to develop a small Joomla plugin which is triggered on authentication that will call the webservice and update it the login information.
I am in the process of building a website (via MODx), and I don't want "non-logged in" users to be able to see the home page, but instead be redirected to an "under construction" page.
In my snippet, this is what I have so far:
<?php
if (! $modx->user->hasSessionContext($modx->context->get('key')) ) {
$modx->sendRedirect('https://google.com');
} else {
return '';
}
Sadly, this appears to not do anything, regardless of whether or not the user is logged in. (It apppears to be a problem with the second line, the actual redirect worked fine when I tested it)
I am unable to figure out what is wrong, and any help is greatly appreciated!
The snippet that is in the page is [[!notloggedin]]
These are right out of Bob's guides, but basically what you want to do is check to see if the user has an ID or username, if not, they are not logged in.
You probably want to do a bit of digging and see if you can implement your redirect in a plugin rather than a snippet possibly an onRequest event - so you are not rendering the page/resource before you discover that the user needs to be redirected.
There are various methods. One easy method is to use this code:
if ($modx->user->get('username') == '(anonymous)') {
/* user is not logged in */
}
Here is the official method for seeing if the user is logged in to the current context:
if ($modx->user->hasSessionContext($modx->context->get('key'))) {
/* user is logged in */
}
If you know the name of the current context (e.g., web), you can use this method. The name of the context is required:
if $modx->user->isAuthenticated('web') {
/* user is logged in to web context */
}
If your site is simply not yet ready to be publicly available, MODX already allows for this.
See the following System Settings:
site_status
site_unavailable_message
site_unavailable_page
Alternatively, just set all your resources to 'unpublished', except for your custom error page. Logged in users will still be able to view all resources.
I'm building a small web app to sit within an existing Wordpress membership site.
At the moment, all of the content is protected using Digital Access Pass, which handles user authentication and content protection.
I'm thinking of using Yii for this, and installing it into a subdirectory of the Wordpress site.
My plan is to have this layout:
www.site.com (wordpress blog)
www.site.com/members (content protected with the Digital Access Pass membership solution, set up in Wordpress)
www.site.com/members/app (yii folder - protected by DAP, but not set up in Wordpress)
I don't want to do a full integration, as I'm using a lot of Ajax and that doesn't look like it will work too well from the examples I've seen.
What I'd like is to use DAP to protect the pages and handle authentication, and also to pass the logged- in userid to Yii so I can use as a key to store user preferences, user data, etc.
The way DAP works is that you just insert the following code into any page you want to protect, and then you can access a User object that contains the info I need.
<?php
include_once "../dap/dap-config.php";
$user = null;
if( !Dap_Session::isLoggedIn() ) {
//send viewer to login page
header("Location:".SITE_URL_DAP.Dap_Config::get("LOGIN_URL"));
exit;
}
else if( Dap_Session::isLoggedIn() ) {
//get userid
$session = Dap_Session::getSession();
$user = $session->getUser();
$user = Dap_User::loadUserById($user->getId()); //reload User object
if(!isset($user)) {
//send viewer to login page
header("Location:".SITE_URL_DAP.Dap_Config::get("LOGIN_URL"));
exit;
} else {
$userProducts = Dap_UsersProducts::loadProducts($user->getId());
}
}
?>
How do I go about implementing this in Yii?
I'd start by taking a look at Yii Filters
You should be able to put your code in the filter and then have it run (much like the built-in Access Control Filter)
And then, if you're going to build your app truly Yii-like, you might want to work on wrapping the DapUser in a CUserIdentity class and making it work well with the CWebUser object. It would take a bit of work, but then you'd truly have easy access to the user info in all Yii objects.
Good luck!
I am working on a website which already has user access set up so that only members who are logged in can see certain pages. Now i need to go in and make the access for logged in users more specific. So, anyone who logs in can see the site, but there are 2 pages (called PDQ and Comm Plus) that should only be accessed by users that have PDQ or Comm Plus access. I use a filemaker 10 database to keep track of user information. If the user has PDQ access, then PDQ=1 in the database. the website is coded in Drupal,php, and html.
So right now I have a good idea of what to do but there are some pieces missing and im not very familiar with drupal or filemaker. I need for the page to get the user information and see what the value of PDQ is in the database. If 1 then grant access to the page, and if 0 go to the access denied page.
Here is what I have so far
<?php require_once('DatabaseName');
global $user;
//looks at the current user
$use = $user->uid;
//Not sure what goes here. I need code that looks at the filemaker database to see
//what the value of PDQ is and then stores it in a variable.
if (!session_id()) session_start();
if (!isset($variableGoesHere) || $variableGoesHere == '0'){
drupal_goto("access-denied");
exit();
}
?>
Any help would be greatly appreciated. Also, let me know if im on the right track or if I need to be looking somewhere else. Thanks!
First of all, using Drupal and not using the Drupal system to store info is a bad idea. If you use Drupal, you can use an external source to do the login, but your users should have a drupal user.
When your users are Drupal users things get a lot easier. You can use the Drupal access control system to check access etc.
If Drupal is serving the page, you should never write code like you have shown, hook_menu which is how you register paths has a access callback option, where you can handle your access, or you can just check if the user has a permission. This stuff only applies if you are doing the stuff in a custom module, which is what it seems like you are doing.
In any regard you should use the drupal_access_denied function if you want to return access denied yourself.
I figured this out a long time ago, but I never got around to answering the question. So heres what I did
$WebAuth_find = $FILMAKER->newFindCommand('WebAccess');
$Search_findCriterions = array('Access::cntdPhoneNumberDisplayCalc'=>"==".$find,'Access::phoneType'=>"E-mail",'Access::phoneMain'=>"==1",'LoginAccess'=>'1');
foreach($Search_findCriterions as $key=>$value) {
$WebAuth_find->AddFindCriterion($key,$value);
}
$WebAuth_Result = $WebAuth_find->execute();
if (FileMaker::isError($WebAuth_Result) && $WebAuth_Result->code == 401) {
echo "FM ERROR CODE: ".$WebAuth_Result->code."<br>"."ERROR: ".$WebAuth_Result->getMessage();
This identifies the current user in the Filemaker database under the WebAccess layout. It throws an error message if there is a problem. Now that I am looking at the current user I have it look to see what is in the Comm Plus and PDQ fields in the database, and create a session to hold the information.
else{
$FinalResult = current($WebAuth_Result->getRecords());
$_SESSION['district']= $district;
$PDQ = $FinalResult->getField('PDQ_subscription');
$_SESSION['PDQ'] = $PDQ;
$CommPlus = $FinalResult->getField('CommPlus_subscription');
$_SESSION['CommPlus'] = $CommPlus;
Then I just add the following code to the top of whatever page I want to restrict access to. It looks at the session to see if the current user has credentials if not they are directed to the access denied page.
$PDQ_check = $_SESSION['PDQ'];
if (!isset($PDQ_check) || $PDQ_check == '' || $PDQ_check == '0'){
drupal_goto("access-denied");
exit();
}