I am running a WordPress site, but I feel that the solution to this question is possibly more generic, so I am asking for help here.
I have set up LDAP authentication. My website is running on http://a.com (for example); the authentication must happen over an SSL connection, and the SSL address is https://b.com (it points to the same server). The LDAP authentication works fine, I can be certain of that. The problem is that when I log in, it all goes well, authenticates, and then redirects back to a.com, where all of a sudden I am not logged in. I am guessing this has to do with the cookies, but I don't know how to check or how to solve it.
Is this sort of setup possible? Any idea how to get it working properly?
Thanks in advance!
Cookies set on one domain cannot be read by another. You don't want my site to read your banking site usernames.
Here's a possible setup for you: Instead of redirecting back to http://a.com after logging in on https://b.com, redirect to http://a.com?authtoken=abcde. Your code on a.com grabs that token from the URL, and uses it to check a database to see what user just logged in on b.com and was assigned that token. Expire the tokens after they're used.
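The hand-off the answer above sketches, as an added example (not code from the answer or from WordPress): b.com records a random single-use token after the LDAP login and redirects with it; a.com looks the token up, deletes it, and only then starts its own session. The in-memory array stands in for the database the answer mentions, and the domain names, the `authtoken` parameter and the 60-second lifetime are assumptions.

```php
<?php
// Added example, not code from the answer above: a single-use hand-off token
// between https://b.com (where the LDAP login happened) and http://a.com.
// The token store is an in-memory array standing in for the database the
// answer mentions; the domain names, the 'authtoken' parameter and the
// 60-second lifetime are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 60;

/** On b.com, right after a successful LDAP login: record a token, return the redirect URL. */
function issue_handoff_token(array &$store, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));          // 256 random bits, never derived from the user name
    $store[$token] = ['user' => $username, 'expires' => $now + TOKEN_TTL_SECONDS];
    return 'http://a.com/?authtoken=' . rawurlencode($token);
}

/**
 * On a.com, when the redirect arrives: return the user name if the token is
 * known and unexpired, otherwise null. The token is deleted on first sight,
 * so a replayed or leaked URL is worthless after one use.
 */
function redeem_handoff_token(array &$store, string $token, int $now): ?string
{
    if (!isset($store[$token])) {
        return null;
    }
    $entry = $store[$token];
    unset($store[$token]);                       // consume before any other check
    if ($entry['expires'] < $now) {
        return null;
    }
    return $entry['user'];
}

/** What a.com does with a redeemed token: start its own session for that user. */
function establish_local_session(string $username): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);                 // fresh id, so a pre-login id cannot be fixed
    $_SESSION['username'] = $username;
}

if (PHP_SAPI === 'cli') {                        // stand-alone demonstration of both halves
    $store = [];
    $now   = time();

    $url = issue_handoff_token($store, 'alice', $now);
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    echo "redirect to:    $url\n";
    echo 'first redeem:   ', var_export(redeem_handoff_token($store, $q['authtoken'], $now), true), "\n";
    echo 'second redeem:  ', var_export(redeem_handoff_token($store, $q['authtoken'], $now), true), "\n";

    $url = issue_handoff_token($store, 'bob', $now);
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    echo 'expired redeem: ', var_export(redeem_handoff_token($store, $q['authtoken'], $now + 120), true), "\n";
}
```

The token travels in a URL, so it ends up in browser history, Referer headers and access logs; the short lifetime and the delete-on-first-use rule are what keep that harmless. After redeeming, a.com should redirect once more to a clean URL so the spent token drops out of the address bar, and the database lookup should be keyed on the token exactly as stored (no case folding or trimming).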
Related
I have one WordPress site and an app in CodeIgniter. The app uses its own database to store user and plan details.
Now I want to simplify it: my users can log in to my WordPress website, and after a successful login I want the login information forwarded to the app so that the user can go to the app.
Directory structure:
For WordPress => root->wordpress
For App => root->app
On the same domain hosting.
I want the users to use the WordPress login to access the app and manage their profile.
No idea how to proceed. Any suggestions?
The most logical way to do this may be to use cURL. Still, it is impossible to do so, because such solutions cannot launch cookies or sessions in your browser and eject your client (essentially a security mechanism). You can try to resolve this by redirecting the user, or the most logical way is to use WordPress API support or capture the data using XML-RPC.
As an update: if both sides are on the same domain, you can try to eject the cookie or the session to the side you want to log in to. If they are under different domains, unfortunately, this suggestion will not work.
I have created an extension for my website. It should log the user in to the forum after he has logged in to the website.
The user session was created successfully (checked in the database), but the user is still not logged in.
If I try to log in with the external login form, it works great (the session is created and the user is logged in).
I think the problem is not in my authentication extension.
I think I did something wrong with the curl POST and cookie.
What curl options should I set to log in? Or maybe you can give me some useful links?
Take some of those phpbb3_* cookies and then send them through [setcookie()](php.net/setcookie) to pass along to the user. It might work, depending on your level of cookie security in phpBB (it can't be tied to IP because curl and the user IP will be different).
drew010
You won't be able to use curl and pass the cookies to the client if you have Session IP validation turned on. I'd suggest turning that off, or, instead of using curl, look for a plugin/module that can do 3rd party logins, or look at the authentication handling code and replicate it. It wouldn't take much to log a user in without requiring their phpBB password.
drew010
In Symfony, if I log in in HTTPS mode, I am always redirected to HTTPS routes. If I change it to HTTP from the address bar, it asks me for my password again.
I want to log in via HTTPS but stay in HTTP mode on other pages (unless I go for sensitive data). How can I achieve this?
Should I make another cookie for HTTP inside a controller after the user logs in via HTTPS, and check whether that cookie is valid on HTTP?
I want to do this:
David signs in to the website with username and password at https://a.login
David is redirected to https://a.admin/ (it is https because it is the admin page)
David now presses a button and the admin panel redirects to an unimportant page, called http://a.somepage (not https)
But my website (Symfony) should know that this is David. Instead it asks for password and username again, because it came from HTTPS to HTTP.
I am using Symfony's standard SecurityBundle. What is the correct way of authenticating with two modes (http/s) at the same time?
Real World Example:
Stack Overflow does the same thing. I hit log in, it redirects to https, and after a successful login I get back here with HTTP only. Is there something that I missed?
Nelmio
I found this bundle on GitHub. It does what I want and more. I suggest it and pick this as the answer.
Flexible HTTPS/SSL Handling: If you don't want to force all users to use HTTPS, you should at least use secure session cookies and force SSL for logged-in users. But then logged-in users appear logged-out when they access a non-HTTPS resource. This is not really a good solution. This will make the application detect logged-in users and redirect them to a secure URL, without making the session cookie insecure.
Refer: https://github.com/nelmio/NelmioSecurityBundle#flexible-httpsssl-handling
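The mechanism the README excerpt describes, as an added example (not code from the answer or from NelmioSecurityBundle): the session cookie keeps its Secure flag, and a second cookie with a constant value only tells the server "this browser has a session", so a plain-HTTP request from a logged-in user is bounced to HTTPS instead of looking logged-out. This forces logged-in users onto HTTPS rather than letting them stay on HTTP, which is exactly the trade-off the excerpt makes. The cookie names and host names are assumptions.

```php
<?php
// Added example, not code from the answer or from NelmioSecurityBundle: the
// pattern the README excerpt describes, as plain functions. The session
// cookie stays Secure; a second cookie with a constant value merely marks
// "this browser has a session", so an HTTP request from a logged-in user is
// redirected to HTTPS. Cookie names and host names are assumptions.
declare(strict_types=1);

const SESSION_COOKIE = 'PHPSESSID';
const HINT_COOKIE    = 'has_secure_session';

/** Cookies to set right after a successful HTTPS login. */
function login_cookies(string $sessionId): array
{
    return [
        // Secure: never sent over http://, so it cannot be read off the wire on http://a.somepage.
        SESSION_COOKIE => ['value' => $sessionId, 'secure' => true,  'httponly' => true, 'samesite' => 'Lax', 'path' => '/'],
        // Not Secure, but its value is a constant: it authenticates nothing by itself.
        HINT_COOKIE    => ['value' => '1',        'secure' => false, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/'],
    ];
}

/** On logout both cookies must go, or logged-out browsers keep being bounced to HTTPS. */
function logout_cookies(): array
{
    return [
        SESSION_COOKIE => ['value' => '', 'secure' => true,  'httponly' => true, 'samesite' => 'Lax', 'path' => '/', 'expires' => 1],
        HINT_COOKIE    => ['value' => '', 'secure' => false, 'httponly' => true, 'samesite' => 'Lax', 'path' => '/', 'expires' => 1],
    ];
}

/** Emit a cookie set through setcookie()'s options array (PHP >= 7.3). */
function apply_cookies(array $cookies): void
{
    foreach ($cookies as $name => $opts) {
        $value = $opts['value'];
        unset($opts['value']);
        setcookie($name, $value, $opts);
    }
}

/**
 * Decide how to handle a request. A logged-in browser arriving over HTTP is
 * redirected to the same URL over HTTPS; everything else is served.
 */
function route_request(bool $isHttps, string $host, string $uri, array $cookies): array
{
    if (!$isHttps && isset($cookies[HINT_COOKIE])) {
        // The hint says a session exists, but the Secure cookie cannot be present
        // on HTTP; over HTTPS the browser will send it and the user stays logged in.
        return ['action' => 'redirect', 'location' => 'https://' . $host . $uri];
    }
    return ['action' => 'serve', 'authenticated' => isset($cookies[SESSION_COOKIE])];
}

if (PHP_SAPI === 'cli') {
    // After login the browser holds both cookies; over HTTP it presents only the hint.
    $onHttps = [SESSION_COOKIE => 'abc123', HINT_COOKIE => '1'];
    $onHttp  = [HINT_COOKIE => '1'];
    print_r(route_request(true,  'a.admin',    '/',          $onHttps));
    print_r(route_request(false, 'a.somepage', '/?id=42',    $onHttp));
    print_r(route_request(false, 'a.somepage', '/',          []));
}
```

The hint cookie must never be trusted for authorization: the only thing it changes is whether the server answers an HTTP request with a redirect or with the anonymous view. Session identity still comes exclusively from the Secure cookie, which only ever arrives over HTTPS.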
I've created a web site that authenticates users via LDAPS to a Windows domain. It works fine: users are able to log in, and when they enter credentials a session variable ($_SESSION['LDAPSExampleUsername']) is established and maintained until they log out. So, I want to make sure that if a user is logged in, they can see https://host/main.php. If they're not logged in, they can't get to main.php; it'll just take them to https://host so that they can log in. I have this working fine with syntax like:
```php
// session_start() has already been called earlier in the page
if (!isset($_SESSION['LDAPSExampleUsername'])) {
    header("Location: /");
    die();
}
```
I've been doing some reading and find that many say that this isn't really such a great idea, because web browsers can disable forwarding to other web pages (defeating the purpose and causing a major issue). What is the appropriate way of handling this situation?
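An added example (not code from the question) that shows what the "browsers can disable forwarding" worry actually amounts to. Two versions of the gate are built as response strings so they can be compared from the command line: a weak one that sends the Location header but keeps running, and a hardened one that stops before any protected byte is produced, so a client that ignores the redirect gets an empty 303 and nothing else. The session key is the question's own; the page content is constructed, and `require_login()` is the same gate written with the real `header()` call.

```php
<?php
// Added example, not code from the question: the main.php gate written so
// that it does not depend on the browser honouring the redirect. Responses
// are built as strings for comparison on the CLI; require_login() is the
// equivalent with real header() calls. Page content is constructed.
declare(strict_types=1);

function is_logged_in(array $session): bool
{
    return isset($session['LDAPSExampleUsername']) && $session['LDAPSExampleUsername'] !== '';
}

/** Weak: sets Location but keeps executing, so the protected page is still in the response body. */
function main_page_weak(array $session): string
{
    $headers = "HTTP/1.1 200 OK\r\n";
    if (!is_logged_in($session)) {
        $headers = "HTTP/1.1 302 Found\r\nLocation: /\r\n";
        // no exit here: execution falls through to the protected content below
    }
    $user = htmlspecialchars($session['LDAPSExampleUsername'] ?? 'nobody');
    return $headers . "\r\n<h1>Protected content for $user</h1>\n";
}

/** Hardened: decide first, return at once, send no protected bytes, forbid caching. */
function main_page_hardened(array $session): string
{
    if (!is_logged_in($session)) {
        return "HTTP/1.1 303 See Other\r\nLocation: /\r\nCache-Control: no-store\r\nContent-Length: 0\r\n\r\n";
    }
    $user = htmlspecialchars($session['LDAPSExampleUsername']);
    return "HTTP/1.1 200 OK\r\nCache-Control: no-store\r\n\r\n<h1>Protected content for $user</h1>\n";
}

/** The same hardened gate as it would sit at the very top of main.php. */
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!is_logged_in($_SESSION)) {
        header('Location: /', true, 303);
        header('Cache-Control: no-store');
        exit;                                   // nothing below this line runs for anonymous users
    }
}

if (PHP_SAPI === 'cli') {
    echo "--- anonymous, weak gate ---\n",     main_page_weak([]);
    echo "--- anonymous, hardened gate ---\n", main_page_hardened([]);
    echo "--- logged in, hardened gate ---\n", main_page_hardened(['LDAPSExampleUsername' => 'jdoe']);
}
```

Whether the browser follows the redirect is irrelevant to the hardened version: the decision is made on the server and the protected markup is never generated for an anonymous request. The weak version is the one people warn about, since anything that ignores the Location header (a browser with redirects disabled, a command-line client, a proxy) simply reads the page that follows it. Because the whole check rests on the session, the login code should also call `session_regenerate_id(true)` after a successful LDAPS bind and mark the session cookie Secure and HttpOnly.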
We've recently done some installation, but I'm facing issues with one PC in particular, and it's baffling. We have a web application installed on our local server which is accessed by all our workstations. For some reason we can't log into our web application using one workstation. The application is a PHP/MySQL collaboration system. I double checked, and for some really odd reason whenever we log in it creates a session ID, but upon logging in and redirecting to another page the session is broken and a new session ID is generated, thus the individual is automatically logged out again.
What could be the issue here? Is it a firewall thing? It's not the web application, as we can access it fine via the other workstations. We even disabled the firewall, but in all cases that single dumb workstation seems to have an issue with maintaining the session.
Help please. I'm sure it's an issue confined to that one PC; what could it be?
Update
The authentication sequence is as follows:
1. Login
2. Authenticate user
3. Build session
4. Store session variables with session ID in db
5. Redirect
6. SESSION variables are empty; a new session ID is generated
7. Since the new session ID is not of an authenticated user, return to login
More details
SSL is not enabled
Cookies are enabled on the problem machine
UPDATE
I don't understand how redirection can be the problem here. My redirection code is as follows; I'm using the following function to redirect to the index page upon successful login.
```php
function _redirect($url)
{
    // Redirect to the specified page: fall back to a meta refresh
    // if output has already started and headers can no longer be sent
    if (headers_sent()) {
        echo "<meta http-equiv=\"refresh\" content=\"0;URL=$url\">";
    } else {
        header("Location: $url");
    }
    exit;
}
```
Plus, even if it is an issue, why is it a problem on just one PC and not on the others? I don't wish to change my code just to accommodate one system, as opposed to fixing what's wrong with that one system which is preventing it from behaving in the first place.
MORE UPDATE
I just double checked and found something odd. My login is AJAX based, i.e. a request is made via AJAX; if it is a success, the session variables are generated and a boolean 1 is sent back, and upon receiving it the user is redirected via a JavaScript call, which is:
```javascript
function _redirect(url) {
    // Navigate the browser to the given URL after a successful AJAX login
    window.location = url;
}
```
I commented out this call, and instead when the user is logged in I manually go to the index page and it works fine!! What the JavaScript redirect is messing up on this one PC that it's not messing up on the other workstations is beyond me :( How do I fix this?
It sounds like the cookie is not being set and sent back to the server properly on this machine. Verify that you have cookies enabled and that you don't have some 3rd party browser extension or other software blocking cookies.
What browser are you using on this workstation? IE? Firefox? Have you tried different web browsers? Tried checking the browser settings yet? What is the timeout set to? Is the time on the server and workstation syncing properly with NTP?
In IE you can disable accepting of session cookies if the security is set to high, I believe.
If you're losing the session, it's likely because the session cookie is not being transmitted. Does the browser on that machine have cookies enabled? Are you using SSL for your login page? Does your login code do anything besides validate a username/password (e.g. validate an IP address or machine name)?
Edit
Can you verify with Fiddler/Wireshark that the session cookie is transmitted when you redirect? Can we see some example login code?
I misunderstood the question to begin with (hence my edit history)
What is the domain the login is on and the main site is on? If it's between domains (could be anything like sending between example.com and www.example.com)
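The domain question this last answer raises, and the "cookies set on one domain cannot be read by another" point from the first answer on the page, come down to the cookie scoping rules in RFC 6265. The following added example (not code from any answer here) implements the domain-match and path-match rules so you can check whether the session cookie set by a login page will actually be attached to the request for the page it redirects to. Host names and cookie attributes are constructed; it requires PHP 8 for `str_starts_with()` and `str_ends_with()`.

```php
<?php
// Added example, not code from any answer on this page: the cookie scoping
// rules of RFC 6265 (sections 5.1.3 and 5.1.4), used to check whether a
// session cookie set by a login page will be sent on the page it redirects
// to. Host names and cookie attributes are constructed. Requires PHP 8.
declare(strict_types=1);

/** RFC 6265 5.1.3: does request host $host domain-match the cookie's Domain attribute? */
function domain_matches(string $host, string $domain): bool
{
    $host   = strtolower($host);
    $domain = strtolower(ltrim($domain, '.'));       // a leading dot is ignored per RFC 6265
    if ($host === $domain) {
        return true;
    }
    // Suffix match at a label boundary, and never for an IP address.
    return str_ends_with($host, '.' . $domain) && filter_var($host, FILTER_VALIDATE_IP) === false;
}

/** RFC 6265 5.1.4: does the request path match the cookie's Path attribute? */
function path_matches(string $requestPath, string $cookiePath): bool
{
    if ($requestPath === $cookiePath) {
        return true;
    }
    if (!str_starts_with($requestPath, $cookiePath)) {
        return false;
    }
    return str_ends_with($cookiePath, '/') || $requestPath[strlen($cookiePath)] === '/';
}

/**
 * Would a stored cookie be attached to a request for $url?
 * $cookie keys: domain (string), host_only (bool: set without a Domain attribute),
 * path (string), secure (bool).
 */
function cookie_is_sent(array $cookie, string $url): bool
{
    $parts = parse_url($url);
    $host  = strtolower($parts['host']);
    $path  = $parts['path'] ?? '/';
    $https = ($parts['scheme'] ?? 'http') === 'https';
    if ($cookie['secure'] && !$https) {
        return false;                                // Secure cookies travel only over HTTPS
    }
    $domainOk = $cookie['host_only']
        ? $host === strtolower($cookie['domain'])
        : domain_matches($host, $cookie['domain']);
    return $domainOk && path_matches($path, $cookie['path']);
}

if (PHP_SAPI === 'cli') {
    // Set by https://www.example.com/login with no Domain attribute: host-only.
    $hostOnly = ['domain' => 'www.example.com', 'host_only' => true,  'path' => '/', 'secure' => true];
    // The same cookie set with Domain=example.com: shared by the domain and its subdomains.
    $shared   = ['domain' => 'example.com',     'host_only' => false, 'path' => '/', 'secure' => true];
    $checks = [
        'host-only cookie -> https://example.com/main.php'     => cookie_is_sent($hostOnly, 'https://example.com/main.php'),
        'host-only cookie -> https://www.example.com/main.php' => cookie_is_sent($hostOnly, 'https://www.example.com/main.php'),
        'shared cookie    -> https://example.com/main.php'     => cookie_is_sent($shared,   'https://example.com/main.php'),
        'shared cookie    -> http://example.com/main.php'      => cookie_is_sent($shared,   'http://example.com/main.php'),
        'shared cookie    -> https://b.com/main.php'           => cookie_is_sent($shared,   'https://b.com/main.php'),
    ];
    foreach ($checks as $label => $sent) {
        printf("%-55s %s\n", $label, $sent ? 'sent' : 'not sent');
    }
}
```

Two things this makes visible: a cookie set on www.example.com without a Domain attribute is host-only and never reaches example.com, and a Secure cookie set during an HTTPS login is silently withheld from every plain-HTTP page afterwards, which is the symptom described at the top of this page. Browsers add one rule this code omits: they refuse Domain attributes that name a public suffix such as `co.uk`, so a cookie can never be shared more widely than a registrable domain.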