Custom login form in Magento, redirecting back to some customers - session

I have created a custom login form for an app built in Magento some time ago. Everything worked fine until now. Some of the customers are redirected back to the login form after the login process - on their browsers (if I try to log in with their credentials, it works fine).
So my guess was sessions, and I logged them. The session is set correctly.
The login is simple, based on the Magento login form:

```php
// Already logged in: send the customer back to the account page.
if ($this->_getSession()->isLoggedIn()) {
    $this->_redirect('*/*/');
    return;
}
$login = $this->getRequest()->getPost('login');
$session = $this->_getSession();
/* do some password stuff */
// $client_password is produced by the password handling above
$session->login($login['username'], $client_password);
$this->_loginPostRedirect();
```
I tested their login and logged the session: Mage_Customer_Model_Session Object - everything OK, it looks the same as any other customer's session.
The last URL var for this kind of user is /customer/account/loginPost/.
I repeat: for some customers everything works OK. Also, for the users with problems, I can log into the app myself. What could be happening? I saved the sessions in files and then I saved them in the DB - same results.

OK, so after days of hard checking in Magento, I found the solution.
For Magento 1.7 (and older versions too) the problem comes from user sessions.
Copy the file app\code\core\Mage\Customer\Model\Session.php to your local folder app\code\local\Mage\Customer\Model\Session.php.
Search for public function login($username, $password) and comment out the line $this->renewSession();.
Magento can create a SESSION ID for the unsecure domain and another cookie for the secured domain. After that it can mess up when you click the browser's Back button - redirecting you to the login page because it cannot find the correct SESSION ID created at login.

Related

Laravel 9 - How to prevent showing login page after user is logged-in and hit browser back button

How can I ensure that as soon as the user is logged in in Laravel 9 they can no longer go to the login page via the browser's back button?
I searched the internet for solutions. I have read in several places that it is not possible or that I have to use JavaScript.
Just to be sure, I have decided to post my question here and I hope you can help me.
Is there any way to do this? If the solution is with JavaScript, how can I solve that with JavaScript?
Thanks
If you open the guest middleware /app/Http/Middleware/RedirectIfAuthenticated.php in your project, you can see the handle function with this condition:

```php
...
if (Auth::guard($guard)->check()) {
    return redirect(RouteServiceProvider::HOME);
}
...
```

It means that after logging in to the site, if users try to go to the login page, they are redirected to the HOME address. So users cannot access the login page after logging into your site.
Finally, in your \routes\web.php file, you must apply the guest middleware to your register route in this way:

```php
Route::get('register', [RegisterController::class, 'create'])->middleware('guest');
```

Note: you can edit the HOME address in the /app/Providers/RouteServiceProvider.php file.
This page lists several ways you could try to disable the back button via JavaScript, but none are guaranteed.
By default Laravel 9 has the RedirectIfAuthenticated middleware under App\Http\Middleware, which checks if the user is logged in (Auth::guard($guard)->check()); if they are, they are taken to the /dashboard URL, otherwise they are not. The middleware is registered as 'guest' in the $routeMiddleware array inside Kernel.php, which means that you can apply the guest middleware to all routes that should not be accessible to logged-in users.
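As an added example (not code from either answer above), here is the Laravel 9 form of that middleware together with a web.php route group that applies guest to the GET and POST halves of both login and registration; the controller class names are assumed:

```php
// app/Http/Middleware/RedirectIfAuthenticated.php (Laravel 9 layout)
namespace App\Http\Middleware;

use App\Providers\RouteServiceProvider;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class RedirectIfAuthenticated
{
    // Registered as 'guest' in $routeMiddleware (app/Http/Kernel.php).
    // Route usage 'guest:admin,web' passes guard names into $guards.
    public function handle(Request $request, Closure $next, string ...$guards)
    {
        $guards = empty($guards) ? [null] : $guards;

        foreach ($guards as $guard) {
            if (Auth::guard($guard)->check()) {
                // An authenticated session never sees the login or register
                // page, whether it arrives by the back button or a typed URL.
                return redirect(RouteServiceProvider::HOME);
            }
        }

        return $next($request);
    }
}

// routes/web.php (controller class names are assumed for this example)
use App\Http\Controllers\Auth\LoginController;
use App\Http\Controllers\Auth\RegisterController;
use Illuminate\Support\Facades\Route;

Route::middleware('guest')->group(function () {
    // Guard the POST handlers as well: an authenticated user should not be
    // able to submit the forms either, not just view them.
    Route::get('login', [LoginController::class, 'create'])->name('login');
    Route::post('login', [LoginController::class, 'store']);
    Route::get('register', [RegisterController::class, 'create'])->name('register');
    Route::post('register', [RegisterController::class, 'store']);
});
```

The check runs server-side on every request, so it does not depend on any JavaScript in the browser.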

Laravel: Login form "Remember Me" functionality not working

One of my websites is developed in Laravel; it was working fine before. What I did is, I wanted to move the website from beta.example.com to example.com, so I have pointed beta to the original domain name (example.com).
The website is working fine but the remember me functionality is not working. Now users have to enter the password, and even if they check the checkbox (remember me) it still does not store the password in cookies or session.
Please help me.
Thank you
You have two options:
1) Add a remember_token column to your users table - this is where the token will be stored.
2) Pass true as the second parameter of Auth::attempt() to enable the remember me behaviour.
If you do this, Laravel will generate a token that will be saved in the users table and in a cookie.
On subsequent requests, even if the session cookie is not available, the user will be authenticated automatically as long as the remember-me cookie is there.
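An added example (not from the answer above) showing both steps: a migration adding the remember_token column, and a hand-written login action that passes the checkbox value as the second argument of Auth::attempt(); the migration file name and the '/home' path are assumptions.

```php
// database/migrations/2019_01_01_000000_add_remember_token_to_users.php
// (file name is constructed for this example)
use Illuminate\Database\Migrations\Migration;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Support\Facades\Schema;

class AddRememberTokenToUsers extends Migration
{
    public function up()
    {
        Schema::table('users', function (Blueprint $table) {
            // Nullable VARCHAR(100) remember_token: holds the random token that
            // Laravel also places in the long-lived remember_web_* cookie.
            $table->rememberToken();
        });
    }
}

// app/Http/Controllers/Auth/LoginController.php, a hand-written login action.
// (The stock AuthenticatesUsers trait does the same via $request->filled('remember').)
use App\Http\Controllers\Controller;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LoginController extends Controller
{
    public function login(Request $request)
    {
        $credentials = $request->validate([
            'email'    => 'required|email',
            'password' => 'required',
        ]);

        // Second argument true => queue the remember cookie; only when the
        // form's <input type="checkbox" name="remember"> was ticked.
        if (Auth::attempt($credentials, $request->filled('remember'))) {
            $request->session()->regenerate();   // fresh session id after login
            return redirect()->intended('/home');
        }

        return back()->withErrors(['email' => 'These credentials do not match our records.']);
    }
}
```

The remember cookie takes its domain and secure settings from config/session.php, so after a move from beta.example.com to example.com the SESSION_DOMAIN value there is worth checking as well.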

Mysterious users in my database that didn't come from my registration process

I have a Laravel-5.5 application in development with a live test application exposed on Google App Engine. My registration process includes the standard Auth registration from Laravel. The RegisterController then redirects to a profile page if there isn't one for the user already.
```php
// RegisterController: after registration, send users without a profile to /profile.
public function redirectTo()
{
    if (!Auth::user()->profile) {
        return '/profile';
    } else {
        return $this->redirectTo;
    }
}
```
The profile controller creates a new userprofile record for the user automatically as the page loads.
```javascript
$(document).ready(function () {
    ...
    getProfileData(profileId);   // POSTs to the profile controller
    ...
});
```
getProfileData() posts to the controller. If ProfileId is empty, the controller creates a new record and sends a verification email to the registered address.
How can a user be created without then being redirected and a profile being created?
Users are being created on the live site without profiles or sent verification emails. The user_agent in the session records for these users appears to be real.
Any ideas about how these users are being created and how to stop it would be most helpful.
I believe that Laravel is actively being attacked by actors that are seeking sites with poor security practices. It starts with visiting the site and getting an active session, then harvesting the session's csrf-token and using the token in a non-site-generated post (crawler?) to the standard Laravel registration route.
Since my site has a two-part registration that generates a profile, and the profile needs to be verified by a human before access is granted, registering and then ignoring the response's redirect to the profile page results in the partially completed registration.
To stop the resulting database clutter in the users table I changed both the standard authentication routes and the expected fields that are returned from the registration form.
Since these changes I have had no half-registered users show up in the database. I'll update this answer if I ever see more of this activity.
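An added example (not the answerer's actual changes) of the two measures described above for Laravel 5.5: a non-default registration route with rate limiting, and a validator that requires fields a script replaying the stock field set will not send. The 'join' path, the field names and the throttle limits are assumptions.

```php
// routes/web.php (Laravel 5.5; the 'join' path is an assumption)
// Auth::routes() is deliberately not called, because it would add the stock
// POST /register route back; register the login/logout routes by hand too.
Route::get('join', 'Auth\RegisterController@showRegistrationForm')->name('register');
Route::post('join', 'Auth\RegisterController@register')
    ->middleware(['guest', 'throttle:5,1']);   // 5 attempts per minute per IP

// app/Http/Controllers/Auth/RegisterController.php: validator() replacing the
// one generated by `php artisan make:auth`; create() and the rest stay as generated.
use App\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\RegistersUsers;
use Illuminate\Support\Facades\Validator;

class RegisterController extends Controller
{
    use RegistersUsers;

    protected $redirectTo = '/profile';   // second step of the two-part registration

    protected function validator(array $data)
    {
        return Validator::make($data, [
            'name'     => 'required|string|max:255',
            'email'    => 'required|string|email|max:255|unique:users',
            'password' => 'required|string|min:6|confirmed',
            // Field the real form always sends but a replay of the stock Laravel
            // field set does not (name it something project-specific).
            'accept_terms' => 'required|accepted',
            // Honeypot: the form contains it, hidden by CSS; it must be present
            // and empty. 'present' fails if the key is missing, 'max:0' fails if
            // anything was typed into it.
            'website'  => 'present|max:0',
        ]);
    }
}

// Corresponding fields in resources/views/auth/register.blade.php:
//   <input type="checkbox" name="accept_terms" value="1"> I accept the terms
//   <input type="text" name="website" value="" tabindex="-1" autocomplete="off"
//          style="position:absolute;left:-10000px">
```

Rejected submissions still show up in the application log via the usual 422 validation responses, which gives a simple way to watch whether the replay traffic continues.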

Using session to reach previous page after login in laravel

I am using Laravel 5.7. For security reasons, I set my Laravel application to automatically log out after one hour of inactivity. But I want the user to log back in to the same page they were on before they got kicked out by the system. I tried to use Session, but it only stores the previous URL, which is the login page URL. How can I retrieve that URL before the user is automatically logged out?
All you need to do is put this in your logout function.

```php
session(['returnUrl' => url()->previous()]);
```

And then in the login function, redirect the user to session('returnUrl') and delete the session data with session()->forget('returnUrl').
Use this in your login controller:

```php
url()->previous()
```
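An added example for Laravel 5.7 (not from the answers above) that relies on Laravel's own intended-URL mechanism instead of url()->previous(): an inactivity middleware that logs the user out and bounces them through redirect()->guest(), which records the page they were on. The middleware name, the timeout constant and the Kernel placement are assumptions.

```php
// app/Http/Middleware/LogoutIfInactive.php (name and timeout are assumed)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;

class LogoutIfInactive
{
    const MAX_IDLE_SECONDS = 3600;   // one hour of inactivity

    public function handle(Request $request, Closure $next)
    {
        if (Auth::check()) {
            $lastSeen = $request->session()->get('last_activity', time());

            if (time() - $lastSeen > self::MAX_IDLE_SECONDS) {
                Auth::logout();
                $request->session()->invalidate();   // drop old data, new session id

                // redirect()->guest() stores the current GET URL (or the previous
                // URL for other methods) in the session as 'url.intended' before
                // sending the user to the login page. It is the same call the
                // exception handler makes when the 'auth' middleware rejects a
                // guest, so a session that simply expired gets the same treatment.
                return redirect()->guest(route('login'))
                    ->with('status', 'You were logged out after an hour of inactivity.');
            }

            $request->session()->put('last_activity', time());
        }

        return $next($request);
    }
}

// app/Http/Kernel.php: append the middleware to the 'web' group so it runs
// after StartSession on every web request.
//
//     'web' => [
//         // ...
//         \App\Http\Middleware\LogoutIfInactive::class,
//     ],
//
// Nothing changes on the login side: the stock AuthenticatesUsers trait ends a
// successful login with redirect()->intended($this->redirectPath()), which reads
// and forgets 'url.intended' and falls back to $redirectTo when nothing was stored.
```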

Can't get stock auth controller to work

The Auth controller keeps redirecting me back to the home page. A session is being set fine. I am using cookies as the driver.
A session cookie is being set, but Session Storage, viewed with Chrome Developer Tools, is empty.
It redirects fine if I comment out the redirect()->guest('/'); in the middleware. It means that it keeps authenticating as guest, and if I var_dump(Auth::user()); I get NULL.
Maybe you need this. I answered it in another question here:
Laravel 5.2 - Every route redirects to the homepage