I have a main website example.com, develop using Laravel. This website also provide a personal page for subscribed users at example.com/user1, example.com/user2, etc.
Currently, I control the access by URL, by verifying the username in the URL if the user is active or not.
However, I'm planning to give the URL its own domain. I have read about using DNS & htaccess, but it has to be done manually for every single user. I'm planning something that can be control programmatically.
Related
I want to user Dropbox chooser API for my Ruby on rails application(This is not web app, This will be installed as standalone).
Issue is in specifying "Drop-ins domains", which currently i gave as "localhost. But for the machines on which it will be installed "machine name" will be used instead of localhost. And i cannot keep track of all installations and manually adding those domains
Please suggest, Is there some way to solve this problem? Can i use chooser API without drop-in domain?
The Dropbox Drop-ins API doesn't have any way of automatically adding domains, or registering any sort of wildcard, but we're tracking this as a feature request.
For reference, one thing that does work, though it sounds like it may not apply to your scenario, is registering just, for example, example.com, which would enable use on any subdomain of example.com, e.g., sub1.example.com, sub2.example.com, webmail.example.com, etc.
Alternatively, you can embed an iframe containing the button, which would be hosted on your own domain. This would let you just set that one domain in the app options page. It would be very important that you then restrict the set of domains that you allow to iframe your button though, but this list would now be under your control so you can set it programmatically. For example:
How to limit display of iframe from an external site to specific domains only
I'm currently implementing this library ember-simple-auth to manage authentication in the emberjs application (shopping cart) that I am currently building.
The difficulty that I encounter is that the library manages authentication rules after logging in very well but not before logging in.
So here is the scenario:
The application must talk to the backend server to retrieve a session token for every user. This is necessary so that the user can save their items temporarily in the server side using session data. Something that you would expect for a shopping cart.
Then when the user is ready to move forward the application will then display the login screen and the user can authenticate themselves to checkout their items.
However, I can't seems to figure out yet how to do this using simple-auth. If I create a custom authenticator that just fetches token id from the server, it will mark the session as authenticated and will not ask for login on the authenticatedRoute.
In general what I'm trying to do are:
Customer visit the website
The application fetches session token from the server
Customer clicks around and saves item into the shopping cart. The data is synced with the server using the session token
Customer ready to checkout and navigates to checkout page
The application intercepts the route and redirect the customer to login route, where the customer can login and resume checkout.
I hope the above information is clear enough. Any hints and help will be much appreciated. Thanks.
I would probably only use Ember Simple Auth from the point on where the user actually logs in. Before that instead of using a session token to identify the basket, I'd probably explicitly create a basket on the server side (POST /basket) and then add to that via a REST interface (PUT /baskets/:id/items or so). That way you're not sharing state between the client and the server and have a clear interface. You also don't need to "abuse" Ember Simple Auth which probably only leads to other problems later on. When the user logs in then, you simply assign the previously created basket to that user and go on.
I am using MSCRM authenticated through ADFS.I have two active directories A and B.I setup a one-way forest trust between A and B so that users in B can access my resources in A.I currently use ADFS for login.my problem is it is not friendly for a user to key in A\username or B\username to login to my webpage.Therefore I wish to build a custom login screen and maybe provide a radio button for the user to choose whether they belong to domain A or domain B.Because i use MSCRM,am I sort of forced to us ADFS?
MSDN provides a series of entries about ADFS 2.0 Sign-In Pages Customization.
From the linked overview page:
The Sign-In Pages expose extensibility points that allow a developer
to perform the following customizations: Change the accepted and
default authentication types.
Customize the theme of the Sign-In Pages and add a company logo image.
Customize the behavior and layout of Sign-In Pages that are seen by
the end user, such as the Forms Authentication and Home Realm
Discovery pages.
These customizations can be done by modifying the Web.config file of
the Sign-In Pages Web application or by modifying specific pages.
On a side note, as far as I've seen on our customers with IFD environments, you don't need to specify the domain when you sign-in, plain username and password seem to work (I'm not very expert in ADFS, but I understand that it "knows" which domain to authenticate against).
We run a multi-store/view magento site. Let's say our site is called www.domain.com (running the "retail" store) and another url trade.domain.com running the "trade" store
When a customer requests a password reset from trade.domain.com, they get a password reset link like this: http://trade.domain.com/customer/account/resetpassword/?id=12&token=84fb6f65548995191e526b815982bf23
Clicking this link re-directs to login page with the error Your password reset link has expired..
However, if you replace the "trade" from the domain with "www" like this: http://www.domain.com/customer/account/resetpassword/?id=12&token=84fb6f65548995191e526b815982bf23
The password reset appears to be working correctly.
Any idea why this is happening? Have I configured the magento incorrectly? Is this a known bug?
Customers are shared either per website, either across all websites, so at least, a customer account is usable on all of the store views that a website contains. Consequently, it is normal that the password reset link works for your store views.
In fact, if you would like to separate the customer accounts between your store views, you would have to create separate websites that would not share customers.
Is that subdomain password protected? That could be a problem or if subdomain is set up with a password protected extension, they won't be able to access example.com/customer/account/changeforgotten/ without already being logged in. So you'll have to allow them access to that url first otherwise it'll keep redirecting. I had the same problem.
Check the cookie domain for the website trade.domain.com. In Magento 1 it's in System->Configuration->Web->Session Cookie Management. (Making sure that you change the scope in the top left to the Website you want to update it for.
I have a store that has multiple websites, each with their own view and does not share accounts across websites, and had the same problem. Changing the cookie path fixed it for me.
I have a site which is built in ASP.net and C#. Let's call it webapp. it uses a Form system to log on into it, and cannot be changed easliy.
I got a request to change the log in to some kind of windows authentication. I'll explain.
Our windows login uses active directory for users to log into their windows account. their login name is sXXXXXXX. X are numbers.
in my webapp, I want to take the users numbers from their active directory login, and check if those exist in the webapp database. if it exists, they will automatically log in. If it doesn't, they will be referred to the regular login page for the webapp system which is currently in use.
I tried changing my IIS to disable anonymous login and enabling windows authentication, therefore making the user browser to send it's current logged in user name to my webapp. I changed the web config as well from "Forms" to "Windows", which made my whole webapp obsolete as the whole forms system did not work.
My question is this - is there a different way for the browser only to send the username to my webapp? I thought maybe javascript, I just don't know how to implement that, if it's even possible. I know it's not very secure, but all this platform and system is built outside the internet, it's on a private network.
<script language="javascript">
var username = '<%HttpContext.Current.User.Identity.Name %>';
</script>
The only way you could get at the user's domain credentials via javascript would be by deploying some type of ActiveX component to expose that data to the browser. I wouldn't recommend that.
I would look at implementing a Login page for forms authentication that authenticates the user on the page load using HttpContext.Current.User.
The way forms works is that if an unauthenticated user attempts to access an access-controlled page and have not logged in (no cookie), they will be redirected to a login page that gives the facility to log in (this sets a cookie on the client-side). The user is then directed to the page they initially requested. You would simply be automating the login part.
If you have a mixture of pass-through and user who need to manually login you could check their client IP address to see if it matches one on your domain or not.
The solution I found for getting the username sent to the server was:
string winlogon = Request.ServerVariables["LOGON_USER"];
After enabled Windows Authentication Mode in IIS.