After reading a lot of answers here on what is the best authentication out there for codeigniter, I decided to use tank_auth.
It seems to be the best authentication for codeigniter.
However, I have a few questions about how I can integrate it successfully into my site. I am currently building a hotel reservation system, so some functionality of tank_auth needs to be modified to suit my needs.
So how can I, after registration, log the user in automatically without requiring him/her to activate his/her account? Is there a configuration to disable the "activation process"? If yes, where can I find it? If no, is it a big modification to the code if I remove the activation process?
In the auth.php code I tried to comment out the following code to remove the activation process, but it does not seem to work:
    } elseif ($this->tank_auth->is_logged_in(FALSE)) { // logged in, not activated
        redirect('/auth/send_again/');
That code only works when the user account exists but is not activated. It then resends an activation email...
Look at the register part of the library and set the login session parameters to true, i.e. the parameters that set login to true, and then direct to the protected area!
Related
I was wondering what the best practices are for allowing users to automatically log in after registration.
In particular, does anyone know any PHP applications that auto login after registering?
Honestly, I think it is a horrible idea, but was wondering if anyone knew why the majority of websites don't automatically login newly registered users.
By default, Laravel's Auth scaffolding logs you in automatically after registration, unless (only in Laravel 5.7) requiring email verification is enabled.
In Laravel 5.7, if you do have email verification enabled, you can still log the user in but allow certain pages to be accessed only if they have verified their email. So, while the user would still be technically logged in, they haven't verified their email yet, thus disabling them from accessing certain content.
An example might be allowing them to log in to be presented with a "Must verify your email" prompt.
In general, I think it's a good idea to require user verification.
I need to change some default functionality of ion auth once a new user has been created by an admin.
The scenario is like so...
Admin creates the user account.
Activation email is sent to the user.
Clicking the link sends the user to the set password page.
Upon setting a password, the user is activated and can log in.
Currently I haven't found a way to define the activation link once ion auth calls the register function and the email is sent. It's set to auth/activate.
The options I see are as follows...
Redefine the behaviour of Auth/activate(). Is this recommended though? Should I be touching the methods in the Auth controller?
Turn off $config['email_activation'] and handle everything myself.
Somehow changing the default controller/method behaviour to handle the activation of the user.
What do people usually do in this situation? Which is best practice?
OK, after much searching I was reading through https://github.com/benedmunds/CodeIgniter-Ion-Auth/blob/2/libraries/Ion_auth.php and noticed the email message being generated was being sent to an email_template (in the view), which I had forgotten to check. The activate.tpl.php is where you can find the code that generates the path to the Auth controller.
<?php
echo sprintf(lang('email_activate_subheading'), anchor('auth/activate/'. $id .'/'. $activation, lang('email_activate_link')));
?>
Now I can just easily change the controller path; it makes sense to write my own controller.
I'm using the Flexi-auth library for user authentication with CodeIgniter.
General login is working properly.
Does Flexi-auth support third-party (Google/Yahoo) login? If yes, how do I do it?
I've looked through the documentation for a while and can't find an official way to actually accomplish this. However, from looking through the code I found that the user is actually logged in through a call to a function called set_login_sessions. The function is private to the Flexi_auth_model class, however.
If you're absolutely sure you wouldn't introduce any vulnerabilities you aren't already taking care of some other way, you can define your own method along the lines of:
    public function login_3rd($identity = FALSE) {
        // Check logins, activation, suspensions etc like `Flexi_auth_model::login`
        // Confirm the login with the OAuth service
        // Query the DB to get the user (into $user)
        // set_login_sessions is a method of the model, so call it on $this
        $this->set_login_sessions($user, FALSE);
    }
Most of this is pretty much just like the login function but adjusted for 3rd party authentication.
It is important that you set the $logged_in_via_password argument to FALSE when calling set_login_sessions. There are some sensitive areas on a web application (like withdrawing money or something) that should require the user to have entered the password before going through. This prevents a friend who re-opens your browser (or someone who gets your session via malicious means) from having access to certain things. Flexi-auth provides an is_logged_in_via_password that allows you to check this. But it won't work if we don't tell it the truth.
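The distinction described above, as an added example that is not part of the original answer or of Flexi-auth: a session that records whether the password was entered, and a guard that sensitive actions call before proceeding. The function names, the array-based session and the 300-second freshness window are assumptions made for illustration; the freshness window goes beyond what the answer describes.

```php
<?php
// Models the session as a plain array so the logic runs from the CLI.
// Function and field names are hypothetical, not Flexi-auth's own.

function start_session(int $userId, bool $viaPassword, int $now): array
{
    return [
        'user_id'      => $userId,
        'via_password' => $viaPassword,            // TRUE only after a real password check
        'password_at'  => $viaPassword ? $now : null,
    ];
}

// Step-up: verify the password, and only then raise the flag.
function confirm_password(array $session, string $password, string $hash, int $now): array
{
    if (password_verify($password, $hash)) {
        $session['via_password'] = true;
        $session['password_at']  = $now;
    }
    return $session;
}

// Guard for sensitive actions: password-backed session, entered recently.
function may_do_sensitive(array $session, int $now, int $maxAge = 300): bool
{
    return $session['via_password'] === true
        && $session['password_at'] !== null
        && ($now - $session['password_at']) <= $maxAge;
}

// Constructed sample data.
$hash = password_hash('correct horse', PASSWORD_DEFAULT);
$t0   = 1700000000;
$s    = start_session(42, false, $t0);                      // third-party login
$steps = [
    'after OAuth login'      => [$s, $t0],
    'after wrong password'   => [$s = confirm_password($s, 'nope', $hash, $t0 + 10), $t0 + 10],
    'after correct password' => [$s = confirm_password($s, 'correct horse', $hash, $t0 + 20), $t0 + 30],
    'twenty minutes later'   => [$s, $t0 + 1220],
];
foreach ($steps as $label => [$session, $now]) {
    printf("%-24s sensitive action allowed: %s\n", $label, var_export(may_do_sensitive($session, $now), true));
}
```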
The situation is quite complicated, and why do I need it - do not ask - the boss wants it!
So, immediately after the default authorization I need to run the custom module, which will have an additional test for authorization in another database, and depending on its result I need to decide whether to authorize the user or not.
Are there any suggestions except for source corrections?
If you are using Joomla's built-in 'Login Menu', you can set 'Login Redirect' parameter to another page and if you are using Joomla's native login module, you can set redirect parameter to any page of your site that you want.
In your case I would recommend creating a simple component (not a module) that authorizes your user a second time and redirects them again to any other page that you want (if the second login was successful) or kicks the user (if the second login was unsuccessful). If you do that, you'll be able to create a menu for your component and redirect your login panel (whether it's a menu or a simple login module) to your component's menu.
Creating components for Joomla is not a big deal if you have a little knowledge of PHP programming, and there are some tools that may speed up creating your component, like this one: http://www.notwebdesign.com/joomla-component-creator/
Why not make an authentication plugin and use that rather than the core joomla one?
This is for 1.5 but the principles are the same now.
http://docs.joomla.org/Creating_an_Authentication_Plugin_for_Joomla_1.5
Are the Joomla login credentials for a user the same as the other system that you are using? If so, then you can create a plugin that passes those credentials to your other system on a successful Joomla login event.
If not, then it gets a little tricky. Either your users will have to provide both sets of credentials, once for Joomla that then redirects to your other system for the second login, or you will have to extend your user accounts so you can associate the second set of credentials to a user. You can then use a plugin to pass the related credentials to your secondary system after a successful Joomla login event.
We've created a highly customized Joomla 1.5 based site and want our super administrator to be able to log into registered user accounts so we can provide better phone support and help them configure their accounts remotely.
This will obviously take some coding. Ideally we want a link from the admin side that will take us to the front end and automatically log us in as the registered user. We'll lock it down by IP address and also have some sort of password as well.
Where does the login get processed? It looks like /components/com_user/controller.php calls a function called $mainframe->login(). Where does that function reside?
Our thought is to send a mock login form along with an additional super-user password field. Then we'll modify the login code to authorize the login if the password is present and the IP address is correct.
Any words of wisdom or caution with this approach?
There is actually a plugin that will do just this:
http://extensions.joomla.org/extensions/access-a-security/authentication/4806
You'll want to build an authentication plugin to handle this. You can enable as many authentication plugins as you like (the core plugin, OpenID, your own plugin, etc...). Joomla will run down the list of enabled plugins until one of them sets the status variable of the $response object to JAUTHENTICATE_STATUS_SUCCESS. The $response object gets passed in to your plugin's onAuthenticate method. Take a look at plugins/authentication/example.php for a clear example. You will probably end up cloning plugins/authentication/joomla.php and repurposing it for your needs.
I would publish your custom plugin after the core Joomla authentication plugin so that normal users will be able to log in faster.
Also, if you do want to go with a form as well, you will need to build a small component so that you can get the username and super-user password into the request.
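The plugin chain described in the answer above, as an added stand-alone model in modern PHP; it is not Joomla code and not from the original post. The plugin functions, the `$ctx` array, the `via` field and the `support_password` request field are hypothetical, and the constant values are set locally so the model runs outside Joomla. It shows that any enabled plugin reporting success authenticates the user, so the support plugin has to enforce the IP allow-list and the extra secret itself.

```php
<?php
// Stand-alone model of the plugin chain; not Joomla code. Joomla defines these
// constants itself; they are set here only so the model runs outside Joomla.
define('JAUTHENTICATE_STATUS_SUCCESS', 1);
define('JAUTHENTICATE_STATUS_FAILURE', 4);

// Hypothetical stand-in for the core plugin: verifies the user's own password.
function core_plugin(array $cred, array $ctx, stdClass $response): void
{
    $hash = $ctx['users'][$cred['username']] ?? null;
    if ($hash !== null && password_verify($cred['password'] ?? '', $hash)) {
        $response->status = JAUTHENTICATE_STATUS_SUCCESS;
    }
}

// Hypothetical support plugin: existing user, allow-listed IP AND support secret.
function support_plugin(array $cred, array $ctx, stdClass $response): void
{
    $userOk   = isset($ctx['users'][$cred['username']]);
    $ipOk     = in_array($ctx['ip'], $ctx['support_ips'], true);
    $secretOk = password_verify($cred['support_password'] ?? '', $ctx['support_hash']);
    if ($userOk && $ipOk && $secretOk) {
        $response->status = JAUTHENTICATE_STATUS_SUCCESS;
        $response->via    = 'support'; // caller should audit-log impersonation
    }
}

// Run the enabled plugins in order until one reports success.
function authenticate(array $plugins, array $cred, array $ctx): stdClass
{
    $response = (object) ['status' => JAUTHENTICATE_STATUS_FAILURE, 'via' => 'password'];
    foreach ($plugins as $plugin) {
        $plugin($cred, $ctx, $response);
        if ($response->status === JAUTHENTICATE_STATUS_SUCCESS) { break; }
    }
    return $response;
}

// Constructed sample data: one user, one support secret, one allow-listed IP.
$ctx = [
    'users'        => ['alice' => password_hash('alice-pw', PASSWORD_DEFAULT)],
    'support_hash' => password_hash('support-secret', PASSWORD_DEFAULT),
    'support_ips'  => ['192.0.2.10'],
];
$cred = ['username' => 'alice', 'support_password' => 'support-secret'];
foreach (['203.0.113.5', '192.0.2.10'] as $ip) {
    $r = authenticate(['core_plugin', 'support_plugin'], $cred, ['ip' => $ip] + $ctx);
    printf("%s status=%d via=%s\n", $ip, $r->status, $r->via);
}
```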