Magento Password Reset Link - magento

We run a multi-store/view Magento site. Let's say our site is called www.domain.com (running the "retail" store) and another URL, trade.domain.com, runs the "trade" store.
When a customer requests a password reset from trade.domain.com, they get a password reset link like this: http://trade.domain.com/customer/account/resetpassword/?id=12&token=84fb6f65548995191e526b815982bf23
Clicking this link redirects to the login page with the error "Your password reset link has expired."
However, if you replace the "trade" in the domain with "www" like this: http://www.domain.com/customer/account/resetpassword/?id=12&token=84fb6f65548995191e526b815982bf23
the password reset appears to work correctly.
Any idea why this is happening? Have I configured Magento incorrectly? Is this a known bug?

Customers are shared either per website or across all websites, so at the very least a customer account is usable on all of the store views that a website contains. Consequently, it is normal that the password reset link works on your store views.
In fact, if you would like to separate the customer accounts between your store views, you would have to create separate websites that would not share customers.

Is that subdomain password protected? That could be a problem: if the subdomain is set up with a password-protected extension, they won't be able to access example.com/customer/account/changeforgotten/ without already being logged in. So you'll have to allow them access to that URL first, otherwise it'll keep redirecting. I had the same problem.

Check the cookie domain for the website trade.domain.com. In Magento 1 it's in System->Configuration->Web->Session Cookie Management. (Make sure that you change the scope in the top left to the website you want to update it for.)
I have a store that has multiple websites, each with its own view, that does not share accounts across websites, and had the same problem. Changing the cookie path fixed it for me.

Related

Apply access control to sub page with custom domain

I have a main website, example.com, developed using Laravel. This website also provides a personal page for subscribed users at example.com/user1, example.com/user2, etc.
Currently, I control the access by URL, by checking whether the user named in the URL is active or not.
However, I'm planning to give each URL its own domain. I have read about using DNS & htaccess, but that has to be done manually for every single user. I'm planning something that can be controlled programmatically.

Magento. Can't login Admin, after domain move

Just had Magento moved from one domain to another, but can't log in to the admin, even though I could earlier in the day.
I have full access to the DB via phpMyAdmin.
Fixed. Changed the password to MD5 within the database and it seems to let me in.

Umbraco 7 - users added via back end can't log in

I'm working on a reasonably fresh install of Umbraco (7.1.8). I've only installed three plugins at the moment, so I don't believe they are the issue.
If I log in using the ID created during the install process, I can log in fine. But now I want to start adding other users to allow them to add content, and I can't seem to get the users created so they can get access to the back end.
I've double and triple checked the passwords (even using the reset password and copy/pasting from one browser to the next). I've tried using both the email address and the login, but no joy in either scenario. I've tried to just make this first account an admin - no joy.
I opened the console and found this error on the console:
POST /umbraco/backoffice/UmbracoApi/Authentication/PostLogin 400 Bad Request 114ms
I'm hoping it's something glaringly obvious, but I can't see it for the life of me.
Had a similar issue a while back in version 6 where members created programmatically would not be able to log in once they updated their email address. Had to ensure that the login was the same as the email address in order for them to log in the next time. It is rather confusing, I must admit.
Ensure login field value of user = email address field value of user

Is it possible for an iframe to have a different session?

I am wanting to build an admin tool where I can "impersonate" users of my site, without having to lose my session as an admin.
I would like to be able to open an iframe that will view the website "as the user", without changing the state of the page that opened the iframe.
Is that possible? Is there a better way to do this?
It's possible, but there's a big "but" :)
Just a couple options to start with:
Use URL-based session tokens (as Java Servlets do when you have cookies disabled)
Use different domains for "normal" site and admin interface
iframe itself won't help you much: it will always share its cookies with the browser. So in order to avoid that, you can use either of the above options—but that does not depend on the iframe.
What language? My answer is based on the assumption that PHP is your chosen language.
Firstly, I would say you have planned your application wrong if session impersonation is the only way you can view your site as another user while still keeping your admin login intact.
One way you could do it (again assuming that you are using PHP with its default session management functions and you do not have a custom session handler) would be to load the iframe URL with the ?PHPSESSID=sessionidhere parameter.
A better way to do this is to create your site and authenticate users via a user object of sorts and then add some sort of url parameter such as ?userbrowseid=123
Then when you load the page, your code will only check if the parameter exists if you are already logged in as an admin. The page would then overwrite your current user object with the user object of the user with the id 123. Steps should be taken to make sure your session cookies are not overwritten with the impersonated user object. As this would be in an iframe, your site will work as an admin and the iframe will be loaded as the user object.
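The "view as user" approach described in the answer above, worked through as an added example (this is not code from the original post or from any framework; the user table, the `userbrowseid` parameter name taken from the answer, and the audit log are constructed for the illustration). It assumes, as the first answer points out, that the iframe shares the admin's session cookie, so the only thing that distinguishes the iframe request is the query parameter. The resolver reads the session and never writes to it, honours the parameter only for an admin actor, refuses to impersonate another admin, records every impersonation, and lets the application refuse state-changing actions while impersonating:

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class User:
    id: int
    name: str
    role: str  # "admin" or "customer"


@dataclass(frozen=True)
class EffectiveUser:
    """Who the page renders as (user) and who is really logged in (actor)."""
    user: User
    actor: User

    @property
    def impersonating(self) -> bool:
        return self.user.id != self.actor.id


# Constructed sample users; ids and names are made up for this example.
USERS: Dict[int, User] = {
    1: User(1, "alice-admin", "admin"),
    123: User(123, "bob", "customer"),
    456: User(456, "carol", "customer"),
}

# Constructed in-memory audit trail; a real site would write this to a log.
AUDIT_LOG: List[dict] = []


def resolve_effective_user(session: dict, query: dict) -> Optional[EffectiveUser]:
    """Decide which user the current request should be rendered as.

    The session is only read, never assigned to: impersonation exists for
    this one request, so the admin login in the parent window is untouched.
    """
    actor = USERS.get(session.get("user_id"))
    if actor is None:
        return None  # not logged in at all

    raw = query.get("userbrowseid")
    if raw is None:
        return EffectiveUser(actor, actor)

    if actor.role != "admin":
        # Non-admins cannot impersonate; ignore the parameter but record it.
        AUDIT_LOG.append({"event": "impersonation_denied", "actor": actor.id, "param": raw})
        return EffectiveUser(actor, actor)

    try:
        target_id = int(raw)
    except ValueError:
        return EffectiveUser(actor, actor)  # malformed id: render as yourself

    target = USERS.get(target_id)
    if target is None or target.role == "admin":
        # Unknown user, or another admin: never escalate into an admin account.
        return EffectiveUser(actor, actor)

    AUDIT_LOG.append({"event": "impersonation", "actor": actor.id, "target": target.id})
    return EffectiveUser(target, actor)


def may_write(eff: EffectiveUser) -> bool:
    """State-changing requests are refused while impersonating (read-only view)."""
    return not eff.impersonating


if __name__ == "__main__":
    admin_session = {"user_id": 1}
    eff = resolve_effective_user(admin_session, {"userbrowseid": "123"})
    print(f"rendering as {eff.user.name}, logged in as {eff.actor.name}, "
          f"writes allowed: {may_write(eff)}")
    print("session after request:", admin_session)
```

The point of returning an `EffectiveUser` pair instead of swapping the session's user is that the page can show an "impersonating bob" banner and block writes, while the parent admin window, which shares the same cookie, never sees a changed session.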

Magento customers associated to website "Admin"

What is the purpose of having a customer associated to website "admin" in Magento instead of the normal default website, etc.? I can't seem to find the logic of why that exists.
I think it is only based on where the customer was created. The weird thing is I know if you do something like a forgot password attempt on one website but your account was associated to another, it will redirect you to the other one. I assume if the store id is 0 it will just redirect you to the current one.