In my application I have a login page and I need to prevent multiple logins from the same user (same username and password). I have used different methods like having a boolean value and updating it from true to false. But it has the drawback that whenever a user closes her browser (without logging of) the flag is not updated.
Are there any ways to achieve that by using session_id or something along those lines?
I will use Devise and enable trackable which will save last_sign_in_at, last_sign_in_ip, current_sign_in_at, current_sign_in_ip into database. Then simply inherit Devise::SessionsController and override the action create to check if current IP is the same as last_sign_in_ip and last_sign_in_at is not before half an hour ago.
Related
I want to add a number of test user accounts and it's a lot faster to do it directly from the Database.
There are a couple of fields that I cannot figure out:
secret_token: How do I generate this on the fly? Is it necessary? Can I copy it from other accounts?
password: Even though I have created some accounts the normal way (register page), with the same password, the password fields are different for each user. Therefore I assume it's not a simple copy/paste case (question also applies to changing a user's password from the DB).
Any insight appreciated, thank you.
secret_token is an md5 hash, and is created by the User::generateActivationToken() method. It is used for special account activities like email verification, password reset, and password creation for new accounts.
password is a 60-character salted hash generated by password_hash using the bcrypt function. Since the salt is randomly generated each time a password is created, it will be different from user to user, even if their plaintext passwords are exactly the same. Indeed, this is the purpose of using a salt.
If you are just setting up test accounts for development purposes, you can leave secret_token empty and use password_hash to generate passwords (perhaps by running a custom PHP script from the command line).
If you need to generate accounts in bulk for real users, you may want to set a secret_token but leave the password empty, generate a "password reset" event for each user, and then send them a password creation email so they can choose their own passwords. This is in fact what is done in the createUser controller method:
$data['password'] = "";
...
$user = new User($data);
...
$user->newEventPasswordReset();
You can see the code for newEventPasswordReset here.
I am trying to create a suitable authentication check for a CakePHP service. Currently it appears that the user session is created initially during login, but never checked beyond this during a single session.
eg. Renamed the username, changing the password or ID in the user's database entry has no effect on the session.
Is there a preferred method for this type of, constantly checked, authentication? Essentially the user should be confirmed access at every request.
My current solution would involve extending the AuthComponent and storing a hash of the user data (including the encrypted password) and checking this at every request. I also considered storing the session ID in this same token, but noticed that CakePHP does not even use the session_start() function.
This functionality appears necessary for me, and I would have thought others would also require such a solution. I have yet to find Cake documentation or community solutions similar to what I need.
Well, you can use isAuthorized() function from AuthComponent. It's being called with every request.
public function isAuthorized($user){
return true; //allow the user to see the page
}
You can debug($user) to see the actual data and if you want "new" information from your database, you can always get them like this:
public function isAuthorized($user){
$current_user_from_database = $this->User->findById($user['id']);
if($current_user_from_database['User']['username'] != $user['username']){
$this->Session->setFlash('You\'ve changed the username. Please, login again.');
$this->redirect($this->Auth->logout);
return false;
}
return true;
}
Look at the API for more info and from the PDF book. You can look at this video about AuthComponent too. It's great.
If you need any more information or help, feel free to ask.
Btw. you have to configure AuthComponent in your Controller if you want isAuthorized() function to get called with every request.
If Session.timeout will work correctly with a setting of zero minutes, you're set. http://book.cakephp.org/2.0/en/development/sessions.html
I have two tables, users and tokens.
Each user have a activated field and each token have the {id, token, user_id, created} fields.
The way the app should work is:
On the creation, the app will -
make sure that the activated field is empty (to avoid manipulations to the submitted data).
a token will be created in the tokens table.
On update, the app will -
NOT create a new token.
NOT allow an update of any kind to the activated field.
check if a new email has been submitted, and if so: will create a new token and set the activated field to false.
I know how to activate the account through the controller and how to setup the router for that.
What I need is mainly the model configuration.
For example:
I think that the token creation should be done in the afterSave method, so - how do I determine if the method is called by an update or by a create operation?
Thanks for any help
yossi you can also specify the fields that should be saved from the form though - a whitelist of fields it is ok to save in you $this->save() call. That way you can stop a hacker passing an ID in the request, and you should just set it in the controller yourself then with $this->Token->id = whatever you have, I would personally use saveField ('activated) in conjunction with this (just saves a single field!). Fat models is best if you can but get it working first then refactor it if you have got stuck. Better than wasting lots of time writing perfect first time.
You question is unclear. If you have a default value for a field, then why not set it in the database rather than doing something in aftersave? If you need to do something that should be done only in certain circumstances, then write a custom method in your model to perform the tasks you want either on creation or update.
Edit
So, if your record has an id, then you know it exists in the database. So, the simple thing to do is (in any method) check to see if the model has an id field and that it is not empty. If it's empty, then you know that you are creating a record and you can do x task. If it isn't, then do y task.
if(isset($modelData['ModelName']['id']) && !empty($modelData['ModelName']['id'])){
//This is an update
} else {
//This is a new record
}
Using CakePHP2.0 Beta I managed to write a custom login handler for my existing database schema. All's well, except that upon logging in I printed out the session variables stored and what Cake's Auth component did is store the entire record from the "Member" table (where my usernames+hashes come from) in session. It is storing an array with data fields that are totally irrelevant to the session. For instance it stores the date the member was created, their address, etc. All pretty useless information for me as I basically only need their ID and maybe username, name, email address.
The offending lines for me are found in: /lib/Cake/Controller/Component/AuthComponent.php line 512. It states,
$this->Session->write(self::$sessionKey, $user);
So my custom authenticate component returns $user and it throws this whole thing into the session. Now, I don't want to go about editing in the core libraries because this project is definitely going to be upgraded when 2.0 comes out. Is there any way to store less information in sessions? I want to keep this whole thing more lightweight.
Possible solution: Change my custom authentication component to only return the fields I need into the $user variable. Are there any concerns about what data I should/shouldn't be returning?
I've solved the problem using my "possible solution". In /app/Controller/Component/auth/MyController.php, I changed the "ClassRegistry::init($userModel)->find" method to have a parameter for 'fields' where I specify only the fields I need. Works like a charm.
I am working on a friend reference function, so I pass the user id through the url like this:
www.example.com?fid=22
I need to set this as a session or cookie with access to all modules in Drupal 6.
If i set the session it returns for the particular module. Setting the cookie is not working at all.
$user->new_property works only on the particular page where it is set, if I move to another page there is no new_property in $user variable object list.
If you want to save a variable in a users session, you can in Drupal (PHP) use the super global varaible $_SESSION.
$_SESSION['fid'] = $_GET['fid'];
The above code is an example of how this could be done.
Since you are getting the info from the URL the user can change it as his whim. So be careful what you use such data for and never trust it blindly. It could become anything, as the user always freely can alter the url any way he want.