I'm stuck with a problem right now. I have 4 websites each of which has a log-in screen.
Now here are the coditions before a user can log-in the these websites:
Website #1: Username must start with AB
Website #2: Username must start with BB
Website #3: Username must start with CB
Website #4: Username must start with DB
In each website, after the user supplies the correct username format and the corresponding password, he will be redirected to Account Information page.
What I want to do now is to handle this scenario:
If user is in Website #1, but he entered a user name beginning with CB, I want him to be redirected to Website #3's Account information page, and bypass the log-in page of website #3.
My current implementation redirects correctly, but to the log-in page of the website.
Even just a logical explanation on how to do it would be greatly appreciated.
Related
Does anyone know of a login checklist online that goes through the overall requirements? Currently, we have the following overview of steps:
Login Page
Registration Page
Thank you for creating account page (needs to be page instead of pop-up so that we can track this in Act-on)
Registration email to user
Registration email to client
Login confirmation page for client to approve user in one click
Login approved email to user
Login declined email to user
Forgot password page
Forgot password emailed to user
New password page (from email)
If you know of anything more thorough, or can see anything that may be missing (or is overkill), please let me know. Should I be posting this on Stack Exchange?
I am using DotNetOpenAuth to log in users with FB and Google.
When a user visits the website, is there a way to detect that he/she has already logged in to FB or Google and log them automatically?
Thank you
Yes, if your user has already explicitly logged into your web site using Google or Facebook before. For privacy reasons neither provider will allow you to implicitly log their users in without each user explicitly signing into your web site at least once (and clicking "remember me" at their login page while doing so).
Once the user has approved that, it becomes possible but still isn't very simple. The approach involves creating a hidden iframe on your page (perhaps when the user session is first created, you add the iframe to whatever page the user is viewing, or just your popular landing page). This iframe is pointed at a URL on your site that does nothing but initiate the no-user-interaction login flow. For Google, this means your server makes an OpenIdRelyingParty.CreateRequest call with the Google OP Identifier, and you set IAuthenticationRequest.Mode = AuthenticationRequestMode.Immediate on the returned object before calling IAuthenticationRequest.RedirectToProvider. The Immediate bit tells the Provider to not expect to interact with the user (since your iframe is invisible) and to either give an immediate yes or no response. Then in the redirect back to your site (still in the hidden iframe) you'll see the user is logged into Google (or not) and get their Claimed Identifier and log them into your site.
For Facebook which uses an old draft of OAuth 2, the process may be similar, but use the OAuth 2 classes. I haven't done this one though, so I can't really give an overview.
I've got a test MVC site set up, and configured to log users in to it using Facebook's authentication systems. Once users log out of my system, how do I ensure that the right thing happens wrt to the users being logged in to Facebook (ie, they revert to whatever state od logged in they were before visiting my site)?
I'm relying on the FB api wrappers that are available to download through NuGet.
Several of the examples I see include a facebook logout method that can be called through the API, to let FB know that user(s) have logged out of my site, which, I assume, is supposed to "do the right thing". However, the method seems to have been removed from the library (and from the API?).
Is there some other method I should be calling, in order for the "right thing" to happen? Or, alternatively, some sort of workaround that people use?
It sees a bit disingenuous to ask people to access my site with their FB logins, only to have them surreptitiously remain logged in to FB after they've logged out of my site.
Used workaround below (hand crafting a logout URL). Be careful of your url encoding
According to Facebook's developer TOS (item #6), you are required to log the user out of Facebook when the user logs out of your site (and used Facebook to login).
Consider the following use case:
A user accesses your site via a public computer (library) and opt to login (using facebook login) to access restricted features not available to users who are not logged in. The user conducts their business, then logs out. If you do not log them out of Facebook, their account is now available on the public computer, so if a new user uses the public computer after the initial user leaves, the new user could access the initial user's Facebook information.
Not sure about NuGet, but using Facebooks PHP SDK, you simply need to call Facebook's logout function which should generate a url with a next param, and access_token. So when the user clicks the logout link, they will be redirected to Facebook, logged out, then redirected back to your site to complete the logout process.
Example logout link:
https://www.facebook.com/logout.php?next=http%3a%2f%2fextapi.yourhost.com%2flogout&rd=http%3a%2f%2fyourhost.com%2flogout&access_token=AAACRZBIZAGE18BAEyQ8AcmRKGGtmeYlw4MFYjuDHfTlZBSZA3pZAJ5xnKABELBmkOroaxlDsoPgFVHPvvkfZAFRQarCRL0Fhy7UrZCAZAfRFtvwBo4lY4s4X
Explained:
next: This is the link the user will be redirected to after they are logged out of Facebook (this will be the domain you have registered with Facebook)
rd: This is an arbitrary url param so when the user is redirected back to my site, I can redirect them back to another landing page (other than logout page).
access_token: Is the access_token generated by Facebook when you logged the user in
I need to implement facebook-connect to a website where users already might have their internal accounts. If internal account doesn't exist, it should be created from facebook credentials. Also it should be possible to link an existing account to facebook account. The technical implementation is clear to me, but I am more interested about a practical, optimal, and understandable user activity workflow.
1) My initial idea was to have a login form with user and password fields and two buttons: "connect with facebook" and "login". If "login" is pressed, the internal account is normally logged in. If "connect with facebook" is pressed, the user is connected to facebook and then depending on the state of user and password, I could retrieve the internal user and bind it with facebook user, or create a new internal user and bind it to facebook user, or retrieve the internal user that is binded to the facebook user. However, there I see some gotchas in the workflow. What if the user and password entered are of a different internal user than the one that is binded to the facebook account?
I will try to illustrate the problem in pseudocode:
if "login" is pressed:
internal_user = authenticate(username, password)
if "connect to facebook" is pressed:
facebook_user = get_facebook_user()
if username and password are filled in:
internal_user = authenticate(username, password)
if facebook_user has no internal_user:
facebook_user.bind_internal_user(internal_user)
else:
# conflict! what to do with it?
# facebook_user.get_internal_user() != internal_user
else:
if facebook_user has internal_user:
internal_user = facebook_user.get_internal_user()
else:
internal_user = facebook_user.create_internal_user()
internal_user.login()
Also users might get confused asking themselves if they need to enter facebook username and password or the username and password of the website.
2) Another option could be to have a login form, connect to facebook, and registration form as three different options, where connect to facebook would either get or create an internal account; and then a separate optional form for logged-in users to bind their facebook accounts. But then again there would be possibilites left to create a duplicate internal account.
What are the best practices to deal with that? What are the other websites using mostly?
Login form:
[username] |
[password] | or [fbconnect button] with facebook
[ok] |
(two mutually exclusive sections "either or", you don't need to fill out the login form if you use facebook)
Once a user is connected with FB and you don't have associated user account for this uid then you popup another form:
Welcome,
Please choose username for this site:
[username] [ok]
(you can prompt to select a password as well if you want)
----------------------------------------------------
If you already have an account on our site please enter your credentials:
[username]
[password]
[ok]
After this step you should be covered - no matter which way they chose the result should be the same.
Usually you don't prompt for password for facebook connected users during login, they just use facebook connect button, so randomly generated password would do. If you want to create full scale account that could be used without facebook then you prompt for a password (but still don't use it for facebook login).
FBConnect should ignore your username/pass, in your database you need to store the fb tokens which will be returned from a fb connect login. If the user successfully logs in you will be redirected to a page of your choosing where you can take that fb token and compare it to the database and ignore the username/password. The username/password they filled in on the form will be ignored when fb pops up its own login window.
I hope that answers your question.
I currently have three websites all running from the same DB
example websites:
www.mysite.com
admin.mysite.com
members.mysite.com
now because this all runs from a single DB they all use the same .net Membership tables.
All members are in a role: Member
All Admins are in a role: Admin
So the admins can log into the admin site and access all their admin functions etc, but the members if they tried to log into the admin area are bounced back to the login screen without any message, what I want to happen is to redirect them to the site: members.mysite.com and have them logged in.
As I could send them to a page in the admin site that does a response.redirect('http://members.mysite.com'); but then they have to login again.
So is there any good way to do this, or am I left doing something unsecure and hacky with querystring?
Querystring is fine as long as you use a unique 'one time token' that gets deleted after it's used to perform the login (this is how Google does it).
EDIT - Basic procedure is
Generate a cryptographically secure token
Store token/username combo in database
Redirect to new site with ?token=XXXXXXXXXXXXXXXX
New site sees token, looks up matching username in database and deletes token
Perform login procedure as that user