I have a question. How to check user authentication in MVC app, which is loaded in iFrame ? The main app, wchich presentig iframe was written in PHP. Users are logged in PHP app.
What can I do, to check is the user was authenticated, and check about his name, id or something what I'll map in my app.
I'm an author of MVC app, but not a PHP app. Of course I have a contact with the PHP teamt, so I can ask them to set something (object, marker, variable) when tehy call my MVC.
Thanks for your help
You can have a common cookie between both the application or use a cookie created by php to know the user details and create one for your own asp.net mvc app. I have few similar link which may help
Stackoverflow ASPNET-PHP
Related
I have an old login system in PHP.
But on new sub domain we made an application with angular and I want to share login with each other, I want user to login on our subdomain and then will be redirected to my angular application.
So I need to share variables like username ,id ,full_name etc.. between both apps.
Basically I don't want to use GET request and I'm looking for something secure like may be post request or session variables or localstorage, Please guide us how we can achieve that?
Please help.. Any suggestions will be helpful
I'm currently working on a project, where the developer before me implemented the login into an intern tool via google Oauth 2.0
He does that, by just grabbing the user domain, after authenticating with google and checks if it is "ourCompany.com".
If yes, he renders the page, if not, he redirects the user to the login.
(So basically he does one oauth request per page view.)
I'm pretty new to Oauth 2.0 but as far as I understand it, this is not, how it should be used?
He wants to use Oauth, because his idea is to organize all our employees over google groups/organizations and thus have a central place to give and take permissions. (Which I have to implement now.)
He said I should "just also get the groups on each request" and that's it.
(Which I tried btw. as a "quick win" but couldn't manage to get them from google yet, not sure If it is even intended)
My understanding of how this should work is the following:
The user is redirected to the google Oauth 2.0 service with a scope to get his groups/organizations.
We get back an access Token, which I then would use to ask the google API for the users groups/organizations.
Based on these informations I would then set the users rights in our application itself. (For example The user is in a google group "author", then I would give him the author role in our application)
The user then gets logged in via a "normal" PHP session, which takes over for the rest of the application, instead of always asking the Oauth service.
Does this approach make sense or is my colleague right with his implementation? The only benefits I see in his solution is, that we get "real time" information, if the user still is in a group or not.
But from what I've read about Oauth 2.0 so far, his implementation does not feel right for me, on the other hand I don't feel secure enough at this topic to say it's wrong.
So any explanations/opinions would be very welcome.
Additional informations about the project:
We use Laravel 5.4
I thought about using the "socialite" plugin (https://github.com/laravel/socialite) and for permissions (https://github.com/spatie/laravel-permission)
If the intended user groups in your application are the same as the Google groups configured for your domain, then I think it's OK to use the Google domain groups. If not, you could use new groups (possibly with some prefix like myApp-group1), but you could end up with many groups if multiple applications does it.
There is also a question who can modify the Google domain groups. Is it the same person/role who would have the right to modify permissions in your application?
I would consider creating a separate access management for the application if:
There is a chance of people outside of your company using the application.
You needed to modify existing Google groups (if there are some) just to make them fit your application.
It looks like you can read user's groups by Google Directory API with an access token containing scope https://www.googleapis.com/auth/admin.directory.group.member.readonly. But I have no experience with it.
I think it's common to use LDAP (or MS Active Directory) as an access management for in-company applications, so the idea of using Google groups is not strange.
The auth sequence you described looks correct.
I'm fairly new to facebook development, but have experience with PHP and JavaScript.
I've been reading through the SDK documentation and various articles regarding facebook integration but have found that a couple of fundamental questions are still open in my head!
I am trying to achieve the following:
Create a website that uses facebook only for registration and login
Use PHP to store facebook user id of registered users in a database on my app server, along with some limited app specific info for those users. All 'generic' info (email address, etc.) should be retreived from facebook.
when a user logs in, get a combination of database records for that user, and facebook stuff.
What I've achieved so far:
I have used the registration plugin to display a register button to unregistered users, and a login button for users who are logged out when they land on the page. I hide the login button using javascript and jquery if the user is already logged in.
I also have a page which receives a registered user and interprets the signed_request, adding the user's id to the users table in my database.
Where my confusion arises:
I want to use the Javascript SDK for user authentication (as it's really easy) - this is obviously done asynchronously on the client side.
Having said that, once a user has logged in using the JS SDK, I need to get some data from my database. I am happy to do this via an AJAX request, BUT that would require passing the facebook user id as part of that request. Surely this could be easily spoofed/changed by a savvy user & they could hence login to my application as someone else?
Question:
How do I securely pass information about a user who has logged in using the JS API to my server?
If the answer is "you can't" then why bother authenticating with the JS API? Is that just for apps that are really light touch?
Thanks in advance for any help!
The simple answer is, you use cookies. This Facebook blog post has a clear example of how to implement a client-side login and expose that data to the server.
Take a look at signed requests: https://developers.facebook.com/docs/authentication/signed_request/
It gives you a nice little primer on how signed requests work and how you can/should use them. If I understand your question correctly, this should answer your question as to why/how you can provide an extra layer of security. Send a signed request that only your application with its own app_secret can decode.
I am writing an application in CodeIgniter and I have concluded that it's best to write two applications. One for back office and one for client use.
I would like to have just one login screen. It will be in the back office application but if a client user logs in then I want to redirect to the client app and create a session there. The database user table stores the user type i.e. client or admin.
I have come up with the following solution. As I want to this the correct way I said i'd run it by you guys to see what ye think.
User logs into admin CI app.
Admin CI app verifies user and determines type. If admin then go ahead and create session etc.
If the user is a client then MD5(user_ip+timestamp OR make a secure token some other way) and store in a token field (user_table) in DB.
redirect the user to the client admin via a login page. The paramters would be the token and username. The login function would then go to that user in the database and verify the token.
On successful authorization of token the CI client app would start a session and let the user in.
This seems like a very long winded method. Ideally there would be a way to start a session for one CI app from another?
Any ideas?
Thanks.
Once you've verified admin or client, I would use the CodeIgniter session class with the ci_sessions table in your database.
http://codeigniter.com/user_guide/libraries/sessions.html
Then to distinguish users from client or employee add a variable to the session.
$this->session->set_userdata('user_type', 'client');
Then just use that if ever you need it.
I would go about making 2 applications under HMVC (Hierarchical-Model-View-Controller) framework.
HMVC CodeIgniter Tutorial
Then you can go about using same sessions under multiple applications, as well as use the same models for user management, etc..
HMVC helps you modularize your applications, thus if you want to add more applications in the future, you can easily do that, passing over same sessions and such.
I answered your question in a bigger scope, one central login with 2 apps, best should be done with HMVC.
:)
Might wanna check out BackEndPro for CodeIgniter, could save you a lot of time.
Includes:
User Authentication with registration & account activation
User Permissions by using ACL (Access Control Lists)
Admin GUI backend for editing Site-wide Preferences
Built on Matchbox (for Modular development)
Asset Library (optimize, cache, and load JS & CSS)
ReCAPTCHA
Status messages (info/success/warning/error messages for the user)
i am wanting to create an open id login, i am wondering if i use one of the classes from Creating an OpenID Login widget, like openid selector library or openid real selector. btw, is realselector newer/better, since its a rewrite of openid selector library
is there a getting started tutorial? i see that in both i can easily login using open id. but how will my application handle the login? like i guess my app needs to handle the postback from google or something? eg. in stackoverflow, i will go and create my profile? how will i check also that the user has logged in and which user. eg. in PHP, i may store a session variable $_SESSION["userid"] and check for it.
in Staying logged in between pages it tells me to check for cookie, but what cookie isit? what if i want to check in PHP/ASP.NET?
Zend made a rather good article about this subject on their site.
http://devzone.zend.com/article/3581
There they explain how it works and shows a lot of example code. I have not been working with
the classes you are mentioning, but the zend-article might give you some clues of how to solve some of your questions :)