I am working with a partner site to embed a form onto my site where users can login to a portal. The portal developer has granted me access to a web-login service in order for me to pass variables from my site to his.
This is the information given How can I make this work in PHP, I have a form with a checkbox, and username and password but don't quite know how to make it pass variables I am not seeing any connection on my end. And I don't know how to set it up where they are redirected to a page on my site when the reset their password any ideas?
I have done this before using a WordPress login and adding it to my main site so I know most of the basics to make it work but what I have applied so far has not worked for me. I guess I need a little nudge in the right direction to get the brain working again.
Thanks in advance.
From the Developer
I am working on a web login service that you could use and have enough done that I can
send you the requirements.
Form Post URL: http://portal.blank.com/services/formlogin.cfm
Form variables:
portallogin - can be any value if present the following form variables are required:
errorurl - URL to be redirected to if an error occured. There will be an "error" url variable present with a human readable error string.
portalurl - (optional) URL to be redirected to if successfully logged in. if not present will be redirected to http://portal.blank.com
username - username of user
password - password of user
agreeterms - can be any value just needs to be present to authenticate
fogotpassword - can be any value if present will lookup password based on email address and password will be emailed
email - email address associated with user
returnurl - URL to be redirected to after running password lookup
An easy method would be to use Snoopy, a PHP class. A harder method (but no less effective) would be to use PHP's cURL functions to post your data to the form. This is assuming you're trying to keep your link to your partner's site hidden from your users.
Alternatively, you could just make a simple HTML form and set the form action to "http://portal.blank.com/services/formlogin.cfm" if you don't care that your users know you're authenticating them against some other site. I'd use https if available.
Related
Im currently creating signup form in fuelphp how can I implement sending a user a verification link upon user signup? you can also suggest from other framework like laravel I only need the flow on implementing this. Thanks in advance ^_^
The general approach is that after registration you generate a confirmation token and you store it somewhere. It is also common that you set an is confirmed flag to false. In case of Simple Auth you might want to add some fields to the user table. Make sure to include them in the selected fields.
You will also need a controller action which accepts the token. I would also put the username/email into the URL so that simply hitting the confirmation URL with random characters won't work. Find it by username/email and token and validate it, activate the user. Make sure that after validation you clear the token. You don't need it and you want to prevent double verification with the same token (in case you set the user to an unconfirmed state for some reason).
A hook in the login action is needed as well: you need to check whether the account is validated or not. Do not authenticate at first, just validate the user. If it is valid, check if it is confirmed or not. If not, fail with error, if it is then continue with the login process.
When the registration is complete, you send an email to the given email address with a URL to the confirmation page (generated URL containing username/email and confirmation token). (Username/email can be obfuscated/encrypted if it is reversible)
I've a website in PHP. It uses MySQL database at back-end.
Let me make the scenario short and clear.
There is one user registration form present on a website. The form is submitted using AJAX. It has a field for entering user email id. The validation for this field is the domain name in an email must be '.edu', if email with other domain is entered it throws an error. For example, anilpatil#msstate.edu is a valid email id whereas anilpatil#yahoo.com is an invalid email id.
After checking the code I came to know that this validation is done in PHP and it's working fine, proper error message is displayed and the form doesn't get submit.
Even though my database is containing lot of users with email ids belonging to .com domain or some other domains. These users can login to the system as well.
Also I tried by disabling the javascript of my browser and entering invalid email id, then also it worked fine. The user couldn't register.
I'm not understanding how did these users got register? I'm not able to detect the root cause of this issue. Can someone please help me in this regard by telling me what could be the root cause of this issue?
Thanks.
P.S. :- It's not possible to put the whole lot of code here. As it's too big and comes from too many files. It's a part of a framework. But consider the validation code is working absolutely fine. My main intention is to detect the root cause for this security breach.
Without posting any code, my best guess is people are registering themselves using your ajax file directly, and your ajax file doesn't contain the validation.
If you want me to validate it, please post your website and I will try to register directly using your ajax file
I have a google apps domain that i'd like to create a custom login page for but am having problems.
Google provides documentation for SSO/OpenID/userApi that will do this. The implementation on these docs that I can understand states once a user hits your site they will be sent to the regular gmail login and then sent back to your site once logged in. I'm trying to have them login in a custom page and not be sent over to googles default gmail login. There is other documentation that seems to require SSO and a lot of integration that I am too incompetent to understand which would let you do that, but as I said it's way over my head.
Then I thought I could just copy the form element and create custom css seeing as the action value on the form would authenticate via google. This worked sporadically until I figured out that when you go to https://accounts.google.com/ServiceLoginAuth (the default gmail login) it creates a value (name="GALX" value=Randomletters) in the html form that must match a cookies name and value to be able to submit and authenticate to google.
From here I thought no problem I'll create a hidden iframe to the google login so the cookie populates (it does get the cookie) and then read and insert the value in the html form. That is until I discovered you cannot alter or read another domains cookies for security reasons which makes perfect sense.
Then I thought I could just use php's file_get_contents on the gmail login url to get cookie and the right html and just insert the html into my custom page. I received the html but no cookie this time.
Is there anyway to send a request that would return the html/cookie pair with something like php's file_get_contents('url') or curl? This way I could traverse the file_get_contents object and insert the html into the page via the DOM. Or am I barking up a tree that will never work because security reasons specifically prevent this?
If the above isn't possible could someone explain how I could login my users via a custom login screen?
the google docs for such a project are:
https://developers.google.com/appengine/docs/python/gettingstartedpython27/usingusers
https://developers.google.com/appengine/docs/python/users/#Python_Signing_in_and_out
https://developers.google.com/google-apps/sso/saml_reference_implementation
I believe this is what you're looking for...
http://curl.haxx.se/docs/http-cookies.html
I'm developing a website by Zend.
Some people create a html file imitate my login view. Action in form point to my controller to submit.
I don't other login outsite from my websites. So how can I prevent other domains submit form to my controller?
I tried to get request host name of "requester pages" to compare theirs domain with mine, then return error if user login from other sites.
Check the ZF manual for CSRF protection, which is the standard, built-in way to solve this problem.
you could check the refferer if it is in your domain (or empty)
add a hidden input field an generate a token on every display. if the token is wrong, don't continue and redirect them to your login page.
Be sure that every token can only used once, by one user (same session/ip) and only for e.g. 1 hour
EDIT: see https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
there would be easiest way to prevent out side users to login into your site
user zend captcha to generate every time new code to login session
you can use below link as reference to use in login page
http://mnshankar.wordpress.com/2010/06/01/zend-form-element-captcha/
I have a login form set up on my domain (eg: www.example.com/login).
When the user enters their login information, I need those details to be passed through a login form on an external website and the user directed to the application that they are logging into.
So to add the user steps to this:
1. User enters login information on www.example.com/login
2. User is directed to and has access to application on www.external.com/application without having to re-enter login details at www.external.com/login
The problem is, I'm not sure how to go about doing this. I found some references to cURL which from what I could gather is the best approach to take.
Any help with this would be appreciated .. I'm a PHP novice! Also ... the application on the external website is ASP.NET (I'm not sure if this has any factor on getting this to work).
Thanks for your help, Mark.
Depending on how your application works, what could work is have your login form on example.com/login point to external.com/application
so your form tag would look like this:
<form action="external.com/application" method="post">
Now your external.com/application will have to be setup to accept the data from the login form. When the form is submitted the browser should direct itself to external.com/application.
This is a possible approach :
On www.example.com/login, do a classic login form which is submitted on itself
On www.example.com/login, when a $_POST is detected :
check that the credentials are good
if yes, store within a table in you db server an hash dedicated to this user (by hashing his id/user/etc... whatever you wish)
redirect to www.external.com/login?hash=the_generated_hash
On www.example.com/verifyHash.php:
create a simple php file that take a hash in $_GET and echo "true" if this hash exists in your db
on www.external.com/login
check that a hash is passed in $_GET
if yes, do a simple $result = file_get_contents("www.example.com/verifyHash.php?hash=$_GET["hash"]");
if the result is true then you can assume that the user has valid credentials.
Of course, you can optimize this whole thing by passing a user id along your hash, by implementing some security when your asking remotly verifyHash, etc...