Best Practices for Users for automatic login using Laravel - laravel

I was wondering what the best practices are for allowing users to automatically log in after registration.
In particular, does anyone know of any PHP applications that auto-login after registering?
Honestly, I think it is a horrible idea, but was wondering if anyone knew why the majority of websites don't automatically log in newly registered users.

By default, Laravel's Auth scaffolding logs you in automatically after registration, unless requiring email verification is enabled (only available in Laravel 5.7).
In Laravel 5.7, if you do have email verification enabled, you can still log the user in but only allow certain pages to be accessed if they have verified their email. So, while the user would still technically be logged in, they haven't verified their email yet, thus disabling them from accessing certain content.
An example might be allowing them to log in to be presented with a "Must verify your email" prompt.
In general, I think it's a good idea to require user verification.
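The pattern the answer describes (log the new user in straight away, but gate content until the address is verified) as an added example in plain PHP. This is not Laravel's code: in a real application you would use the MustVerifyEmail contract and the 'verified' middleware instead of hand-rolling it. The APP_KEY constant, the User class, the route names and the verified-only page list are assumptions made for the example; the verification link is signed with an HMAC over the user id and expiry, which is the same idea as Laravel's signed routes.

```php
<?php
// Added example (not Laravel's own code): immediate login after registration,
// signed expiring verification link, and a gate that sends unverified users
// to the "must verify your email" notice page. Names are made up.
declare(strict_types=1);

const APP_KEY = 'replace-with-a-random-32-byte-secret'; // assumption: the app secret

final class User
{
    public function __construct(
        public int $id,
        public string $email,
        public ?string $emailVerifiedAt = null, // null = not yet verified
    ) {}
}

/** Log the user in right after registration: fresh session id, store the user id. */
function loginAfterRegistration(array &$session, User $user): void
{
    // A fresh id defeats session fixation (session_regenerate_id(true) with a real PHP session).
    $session = ['id' => bin2hex(random_bytes(16)), 'user_id' => $user->id];
}

/** Signed verification URL: HMAC over "id|expires" so neither field can be altered. */
function verificationUrl(User $user, int $ttlSeconds = 3600, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttlSeconds;
    $sig = hash_hmac('sha256', $user->id . '|' . $expires, APP_KEY);
    return "https://example.com/email/verify?id={$user->id}&expires={$expires}&signature={$sig}";
}

/** Check a verification URL; marks the user verified and returns true on success. */
function verify(User $user, string $url, ?int $now = null): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $q);
    if (!isset($q['id'], $q['expires'], $q['signature'])) {
        return false;
    }
    if ((int) $q['id'] !== $user->id || (int) $q['expires'] < ($now ?? time())) {
        return false; // wrong user or expired link
    }
    $expected = hash_hmac('sha256', $user->id . '|' . (int) $q['expires'], APP_KEY);
    if (!hash_equals($expected, (string) $q['signature'])) {
        return false; // tampered link; hash_equals avoids a timing side channel
    }
    $user->emailVerifiedAt = date(DATE_ATOM, $now ?? time());
    return true;
}

/** Route gate: logged-in but unverified users only get the notice page for verified-only routes. */
function routeFor(array $session, array $usersById, string $requested): string
{
    if (!isset($session['user_id'])) {
        return '/login';
    }
    $user = $usersById[$session['user_id']];
    $verifiedOnly = ['/dashboard', '/bookings']; // assumption: pages that need a verified address
    if (in_array($requested, $verifiedOnly, true) && $user->emailVerifiedAt === null) {
        return '/email/verify'; // the "Must verify your email" prompt
    }
    return $requested;
}

// Walk-through with a constructed user.
$alice = new User(7, 'alice@example.com');
$users = [$alice->id => $alice];
$session = [];
loginAfterRegistration($session, $alice);
echo routeFor($session, $users, '/dashboard'), PHP_EOL;
$link = verificationUrl($alice);
echo verify($alice, $link . 'x') ? 'tampered link accepted' : 'tampered link rejected', PHP_EOL;
echo verify($alice, $link) ? 'verified' : 'rejected', PHP_EOL;
echo routeFor($session, $users, '/dashboard'), PHP_EOL;
```

The two things worth copying even when a framework does the rest for you are the session id regeneration at login time and the constant-time comparison of the signature; the expiry keeps a leaked verification link from being useful later.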

Related

authentication fails in camping web app after attribute update

I have a problem with my Camping app, for which I've set up an authentication system based on this (http://nycda.com/blog/basic-user-authentication-model-in-rails-4/) tutorial.
I wanted to learn how to set up such a system from scratch to better understand the underlying logic. With this system in place users can create their accounts and log in and log out without problems, and authentication passes.
It took me a while to determine that the problem with authentication occurs after the user role has been updated in the database. Every user has a default role upon registration, which managers can change after registration. And after that the user authentication fails.
Prior to that there are no errors and users can navigate the application. If I inspect the database I see the user role being updated.
Is the problem related to the database update?
I'm using camping with bcrypt and activerecord 4.0.4. Please see this gist: camping auth
Thank you for your help.
Regards,
seba
Having only briefly looked through the code, I'd guess that updating the role is causing the password hash to be recreated, because the logic in the encrypt_password method doesn't appear to prevent that from happening.
You could verify this by seeing if the hash in the DB changes between creation and role update. To prevent this, you could try wrapping that code in an "unless password.nil?" condition in that method.
Hope this helps.
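The defect the answer describes, and its fix, as an added example. It is not the poster's Ruby code: the same save-callback pattern is rendered in plain PHP (the language the rest of this page is about) so it runs from the CLI with password_hash/password_verify standing in for bcrypt-ruby. The User class, its save() hook and the guard flag are made up for the illustration.

```php
<?php
// Added example, not the poster's code. A "before save" callback that
// re-encrypts the password on every save destroys the stored hash as soon as
// a record is saved without a new plaintext password (e.g. a role update).
declare(strict_types=1);

final class User
{
    public ?string $password = null;   // plaintext, present only at registration or password change
    public string $passwordHash = '';
    public string $role = 'member';

    public function __construct(private bool $guardNilPassword) {}

    /** Stand-in for the before_save callback in the question. */
    public function save(): void
    {
        $this->encryptPassword();
        $this->password = null; // plaintext is dropped after every save
    }

    private function encryptPassword(): void
    {
        // The fix the answer suggests ("unless password.nil?"): do nothing
        // when no new password was supplied.
        if ($this->guardNilPassword && $this->password === null) {
            return;
        }
        // Without the guard a role update hashes "" (null cast to string)
        // and silently overwrites the real hash.
        $this->passwordHash = password_hash((string) $this->password, PASSWORD_BCRYPT);
    }

    public function authenticate(string $attempt): bool
    {
        return password_verify($attempt, $this->passwordHash);
    }
}

/** Register, let a manager change the role, then try to log in again. */
function roleUpdateKeepsLogin(bool $guarded): bool
{
    $u = new User($guarded);
    $u->password = 'correct horse battery staple';
    $u->save();                       // registration
    $hashAtRegistration = $u->passwordHash;
    $u->role = 'manager';
    $u->save();                       // the later role update
    // The check the answer recommends: did the hash change between the two saves?
    if ($u->passwordHash !== $hashAtRegistration) {
        echo "hash was rewritten by the role update\n";
    }
    return $u->authenticate('correct horse battery staple');
}

var_dump(roleUpdateKeepsLogin(false)); // unguarded callback
var_dump(roleUpdateKeepsLogin(true));  // guarded callback
```

Running it shows the unguarded version failing authentication after the role change while the guarded one still accepts the original password, which is exactly the symptom and the fix described above.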

How can I setup Google Oauth to allow login using an alternate Google account?

I made a members-only site that uses Google OAuth2 to authorise users. The site is built with the Laravel framework and Artdarek's OAuth library.
When the authorization callback comes from Google, I lookup the user record in the DB by email and proceed to the protected page if the record exists, otherwise to a register page.
The problem is some of our members use two Google accounts. One user registered via his primary account (e.g. a#gmail.com). The next day he returned and mistakenly tried to log in with b#gmail.com. Naturally the system showed him the registration page. From that time on, each time he visits the site the authentication mechanism sees him using his second (unwanted) set of credentials.
To resolve this one case I instructed him to log out of all accounts (on both sides), clear cookies and start from scratch, but this is not a practical solution for all users. In some cases even this measure does not seem to correct the problem.
How can I solve this case? What is the right way to request oauth authentication and get them back from the right account? Can I force Google to ask the user with which account to proceed?
Google will automatically ask the user which account they want on an oauth request if they enable the account chooser.
I have logged into my Google Apps and my Google account, so for me on an oauth request, I get the following prompt:
In order to do the same for your user, they have to click "Stay signed in", but of course this is not advisable for public computers.
Beyond the above, I'm afraid not much can be done: if they logged in with a#gmail.com at that time, those are the credentials you will receive.
The way I solve this problem is to have a field where the customer can add additional emails and select one that is primary. I will then inspect against these emails when a request comes in to avoid duplicate user accounts.
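The linked-emails approach from the answer as an added example (not the poster's code): a member can register several Google addresses with one marked primary, and the address in the callback is matched against all of them so the second account is recognised instead of being sent to registration. The block also builds the authorization URL with the prompt=select_account parameter that Google's OAuth 2.0 documentation defines for requesting the account chooser. The client id, redirect URI, user table and claim payloads are constructed for the example.

```php
<?php
// Added example, not the poster's code. Resolves a Google callback identity
// against each member's set of linked addresses and requests the account
// chooser up front. Client id, redirect URI and the user table are made up.
declare(strict_types=1);

function googleAuthorizeUrl(string $clientId, string $redirectUri, string $state): string
{
    $params = [
        'client_id'     => $clientId,
        'redirect_uri'  => $redirectUri,
        'response_type' => 'code',
        'scope'         => 'openid email',
        'state'         => $state,            // CSRF token, bound to the caller's session
        'prompt'        => 'select_account',  // ask which Google account to use every time
    ];
    return 'https://accounts.google.com/o/oauth2/v2/auth?' . http_build_query($params);
}

/** Lower-case and trim so "A@Gmail.com" and "a@gmail.com" compare equal. */
function normalizeEmail(string $email): string
{
    return strtolower(trim($email));
}

/**
 * Map the verified address in the callback claims to a local user id, or null
 * when nobody has linked it (those users go to the registration page).
 * $claims is the decoded ID-token / userinfo payload.
 */
function resolveUser(array $claims, array $users): ?int
{
    if (empty($claims['email']) || ($claims['email_verified'] ?? false) !== true) {
        return null; // never link an account on an address Google has not verified
    }
    $wanted = normalizeEmail($claims['email']);
    foreach ($users as $id => $user) {
        foreach ($user['emails'] as $candidate) {
            if (normalizeEmail($candidate) === $wanted) {
                return $id;
            }
        }
    }
    return null;
}

// Constructed member table: id => primary address plus every linked address.
$users = [
    42 => ['primary' => 'a@gmail.com', 'emails' => ['a@gmail.com', 'b@gmail.com']],
    43 => ['primary' => 'c@example.org', 'emails' => ['c@example.org']],
];

echo googleAuthorizeUrl('client-id-here', 'https://example.com/oauth/callback', bin2hex(random_bytes(16))), PHP_EOL;
var_dump(resolveUser(['email' => 'B@gmail.com', 'email_verified' => true], $users));   // the member's second account
var_dump(resolveUser(['email' => 'b@gmail.com', 'email_verified' => false], $users));  // unverified claim, rejected
var_dump(resolveUser(['email' => 'd@gmail.com', 'email_verified' => true], $users));   // nobody has linked it
```

When a member adds a second address through the profile field, confirm it (send a link to that address) before it is allowed to match at login; otherwise anyone who can obtain a Google account with an unconfirmed address could be linked into the wrong member record.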

How do I get CodeIgniter sessions to work across multiple applications?

I use two different applications in my CI installation. The first is called "admin"... obviously an admin panel. The second is "frontend", where everything else is. I use the same database for each of the apps and the same member tables, both for admin authentication and member auth. The problem is, since the CI session class doesn't use native PHP sessions, the session only works in the application that it is set in (which makes sense)... for example, if a user who is indeed an admin logs into the system through the frontend app and then clicks the link to the admin app, they are required to log in again. If they have the "Remember Me" option selected when they log in to both apps, this obviously isn't a problem.
How would I fix this? Or do you guys think it's better to have them login to the admin app again, just to validate their admin status again?
Thanks for your time.
You could use the native PHP session instead. There's a class which you can just copy and paste, and you'll not have to change any of the rest of your code.
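What sharing a native PHP session between the two applications involves, as an added example rather than the drop-in class the answer refers to: a bootstrap both apps include so they read the same session cookie, and an admin gate that re-reads the role from the shared member table on every request instead of trusting a flag stored in the session. The cookie name, paths, redirect targets and the role-lookup callback are assumptions.

```php
<?php
// Added example, not CodeIgniter's session class or the class the answer
// mentions. Included by both the "admin" and "frontend" applications.
// Cookie name, paths and the $lookupRole callback are assumptions.
declare(strict_types=1);

function startSharedSession(): void
{
    session_name('member_session');                // identical in both apps
    session_set_cookie_params([
        'path'     => '/',                         // covers /admin and /frontend alike
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');       // refuse ids the server never issued
    session_start();
}

/** Called by the frontend login handler once the credentials check out. */
function establishLogin(int $memberId): void
{
    session_regenerate_id(true);                   // new id whenever privilege changes
    $_SESSION['member_id'] = $memberId;
    $_SESSION['logged_in_at'] = time();
}

/**
 * Admin gate for the admin app. The role comes from the database on every
 * request ($lookupRole is the caller's query against the shared member
 * table), so revoking admin rights takes effect immediately even though the
 * session itself is shared with the frontend.
 */
function requireAdmin(callable $lookupRole, int $maxAgeSeconds = 900): void
{
    $id = $_SESSION['member_id'] ?? null;
    if ($id === null || $lookupRole((int) $id) !== 'admin') {
        header('Location: /frontend/login', true, 302);
        exit;
    }
    // Step-up for the question's second option: if the login is older than
    // $maxAgeSeconds, ask for the password again before admin actions.
    if (time() - (int) ($_SESSION['logged_in_at'] ?? 0) > $maxAgeSeconds) {
        header('Location: /admin/reauth', true, 302);
        exit;
    }
}
```

With the role re-checked server-side per request, a shared session does not weaken the admin boundary; the re-authentication age limit is the compromise between "log in again for the admin app" and a single login.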

Login automatically after registration using tank_auth for codeigniter

After reading a lot of answers here on what is the best authentication out there for codeigniter, I decided to use tank_auth.
It seems to be the best authentication for codeigniter.
However, I have a few questions regarding how I can integrate it successfully on my site. I am currently building a hotel reservation system, so some functionality of tank_auth needs to be modified to suit my needs.
So how can I, after registration, log the user in automatically without requiring him/her to activate his/her account? Is there a configuration to disable the "activation process"? If yes, where can I find it? If not, is it a big modification to the code if I remove the activation process?
In the auth.php code I tried to comment out the following code to remove the activation process, but it seems it does not work:
} elseif ($this->tank_auth->is_logged_in(FALSE)) { // logged in, not activated
redirect('/auth/send_again/');
That code only works when the user account exists but is not activated. It then resends an activation email...
Look at the register part of the library and set the login session parameters to true, i.e. the parameters that set login to true, and then redirect to the protected area!

Share user login/session between cakephp and moodle

I have a website already running made with CakePHP, which has its own login system using the Auth component.
Now I'm going to create another website using moodle, hosted in the same server. Is there any way to share the user session between those 2 websites?
For example, if a user logs into the moodle website and clicks a link to a page of the other website, he is not asked to log in again, since the system recognises that he is already logged in.
I guess that one thing to do would be to tell moodle (somehow) to use same table of users in the database that the CakePHP website is already using. And then tell the CakePHP website to accept the sessions created in that other website. Something like this right?
But I don't know how to do those things or if they are even possible; any advice on how to approach this would be very helpful.
Single sign-on (SSO) is not currently a trivial thing to do in Moodle.
Some other approaches you may consider are:
Use external authentication in Moodle and configure it to use Cake's database. Does not provide SSO but tells Moodle to use Cake's user accounts.
Configure both Moodle and Cake to use a common authentication system like LDAP, POP3 or CAS. Depending on your choice it is possible that you may achieve SSO.
More information about Moodle authentication plug-ins in this page:
http://docs.moodle.org/dev/Authentication_plugins