I would like to know which is the best aproach to do the following. I have a codeignitor aplication and I need to display different views depending on the user permissions.
User authentication: the company I work uses CAS. No worries here. I just have the CAS library and the first thing the user does in order to access my application is to login through CAS. The CAS returns the username like this: "name.surname"
User authorization: We have a MySQL table with something like this:
Permissions table:
username | permission code
tim.cook | 1
adam.hook | 2
1 is admin
2 is normal user
I cannot change any of these (CAS for authentication nor table for roles) and I do not want to use a auth library for that. What would be the best approach for building my website? How about this:
User logs in and then I store his/her username to codeigniter session
Immediately look for the username in the permissions tables and store his/her role code (1 or 2) in the codeigniter session
Everytime there is a need to execute a function in a controller, check first if the session role can do that action or not.
Is there any tutorial, example or snipped of code so that I can see this in action?
Thank you!
You can definitely do it like that. In case a user permission can be changes you should also update the session permission value for critical functions.
You should also only store the hash of the password in the database. Maybe you can use the username as salt for the hashing.
Related
I'm very new to ion-auth so apologies in advance if this is a dumb question.
I have a feature request from a user (an admin) where they would like to be able to switch into another user's account to see the app from their point of view. The use-case here is that the admin would find the user in question's account in our user admin page in the app, then click a button to effectively 'become' that user.
Any ideas how this would be achieved?
Many thanks
Pete
#Pete,
What you're asking for is what is sometimes called "hijacking" the account.
There isn't currently a feature for that, but essentially what you need to do is:
1) destroy the current session
2) rebuild the session as the user you want to highjack
3) make sure the logged_in session variable is also set.
Passwords are all hashed, but I think it would be pretty straightforward to write a login function for yourself that doesn't go through the password hashing as part of the login steps.
In other words,
1) log out
2) look up the user id's username & password
3) login directly with that password, not a hashed version
Of course, you'll want to be very careful about your security
You need to alter the users_groups table adding a "status" field, in order to set true/false the current user_group.
Then, upgrade the model with a function that makes the following:
Get the current group and sets his status to false.
Get the new group and set his state to true.
Redirect to home page of selected group.
With this change, you can regenerate all the user`s data session and navigate as the selected user.
Assume a user uses the domain name and password to login his personal computer, and then i want to get the current user information(such as a session) from the ldap server. Because i would like to use this session to login another web site without password.
I am not sure if i describe this question clearly, i summarize it again as below:
1. User login PC with his password and username
2. The script get this user's session from ldap server and stored
3. When this user want to login another webpage, this website use the session to login (without password)
Is there any ideas about this? i still don't know how to implement with this.
As far as I'm aware LDAP does not have a concept of a session on the level of authenticating the people in the directory (as opposed to authenticating access to the LDAP server). So the answer is that you don't. LDAP is typically only used to store the user information.
What you need is some sort of single sign-on (SSO) solution. It can use LDAP to store the user data of course.
I agree with Lennart. From LDAP, there is no mechanism to determine if the user is already bound.
There maybe some extensions or controls or SASL mechanisms that could provide that information from some LDAP server vendor implementations.
-jim
having multiple and same username but differ in their passwords is this possible in joomla?
if yes, how can I do that.
e.g
username | password
one 123
one 456
one 789
thanks
..
I think it's not possible to use same username with different password in Joomla.
Joomla!'s user model requires a unique identity (i.e. unique username per user).
This is a fundamental aspect of access control: 1 unique user identity for each user.
You could conceivably create an extension for Joomla! that would simulate what you're trying to achieve by making a unique identity from the combination of username and password. Of course, that would either have to prevent users from changing their password or provide a complex mechanism that made sure the hash of their new password didn't conflict with another user of the same username.
Of course rejecting such a password attempt would reveal the details of another users account access...
I'm using the MVC forms log in which works ok, but I need to call a data service which requires the same Username and Password combination from within a controller.
Using HttpContext.User.Identity.Name I can get the name, but what about the password? Is there any way to retrieve this after the user has already logged in?
First of all, you shouldn't be storing passwords in your application. Membership provider doesn't store the password in clear-text anywhere. All you have in database is salted hash. There is no way to obtain user's password after they logged in.
You would need to get the password from the Login action or create a custom MembershipProvider.
But consider changing the design if possible so you don't have to keep clear-text passwords. Once the user has been authenticated you know who it is, and lower layers in your application can trust upper layers with passing the authenticated principal to them. Otherwise why would they trust with passing correct username/password pair?
I currently have three websites all running from the same DB
example websites:
www.mysite.com
admin.mysite.com
members.mysite.com
now because this all runs from a single DB they all use the same .net Membership tables.
All members are in a role: Member
All Admins are in a role: Admin
So the admins can log into the admin site and access all their admin functions etc, but the members if they tried to log into the admin area are bounced back to the login screen without any message, what I want to happen is to redirect them to the site: members.mysite.com and have them logged in.
As I could send them to a page in the admin site that does a response.redirect('http://members.mysite.com'); but then they have to login again.
So is there any good way to do this, or am I left doing something unsecure and hacky with querystring?
Querystring is fine as long as you use a unique 'one time token' that gets deleted after it's used to perform the login (this is how Google does it).
EDIT - Basic procedure is
Generate a cryptographically secure token
Store token/username combo in database
Redirect to new site with ?token=XXXXXXXXXXXXXXXX
New site sees token, looks up matching username in database and deletes token
Perform login procedure as that user