Session checks for logged-in user on pages / links? - session

When a user visits a page, does the system check if the user is logged in on every page, with every link click, or is this a one-time thing? The issue I am having is: the user logs in, which works fine. But if I enter the URL to my signup page the system directs me to the signup page and changes my header back to as if I am a non-user. And this is happening randomly on many pages. In some places, without signing in, it is showing me the registered user's header. So I assume the session is not working, but I am not sure how the system knows or checks this, or if it is automatic or whether we need to write code for each page and each link on each page? Platform is CodeIgniter PHP.
Thanks.

I would think this depends on what language you are using for your pages. Some more details would be helpful here. The system may be using a cookie to check if you are still valid and this cookie is expiring.

I guess you are missing the session check code. Please check the session in every controller class so that if the logged-in session is not enabled it just redirects to the general user page, else to the logged-in user page.

Probably there are some controllers that are protected and some public. If you are using an Auth library there is probably a method like $this->auth->logged_in() or similar. Check it in the constructor of each protected controller, or, better yet, make a protected_controller class that extends CI's base controller and does the job. Then make the protected controllers use this as their base.

Related

Laravel 8 Redirect Authenticated User Until Data is Changed

Seems like there are a lot of posts related to authentication and redirects, but I can't seem to find exactly what I need. I feel like it should be simple.
So, we have a system whereby we want users to enable 2FA and change their passwords every 60 days. We are using Laravel 8 with Jetstream. I am doing a check on login (via modifying config/fortify.php), which works fine, if the password needs to be changed or if they don't have 2FA they get directed on login to their profile page and they see a message saying they need to update their details.
The problem is they can then navigate to any other page without updating anything. Ideally I want them to be redirected back to the profile page until they update their info.
We have the routes inside a middleware group:
Route::middleware(['auth:sanctum', 'verified'])->group(function() {
    // routes here
});
I thought I could just add a check before any routes load using Auth::user(), but the array is empty and therefore any vars accessed are null.
Auth::user()->role;
I was hoping for something like:
Route::middleware(['auth:sanctum', 'verified'])->group(function() {
    // pseudocode: if the password needs resetting and the current route isn't the profile page
    if (pass needs resetting and current route isn't profile) {
        redirect('/profile');
    }
});
I'm assuming that Laravel doesn't authenticate the user until after the middleware has run? Not sure, but that would explain the null values.
So, how would you guys accomplish this? Do I need to modify a controller instead? I just need the user to stay on their profile page until they have updated their data, then they can proceed as normal.
Many thanks for your help.
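One way to get the behaviour asked for above is a dedicated middleware that runs after auth:sanctum (so the user is already resolved) and bounces every request except a short list of routes the user needs to fix their profile. This is an added example, not code from the question or from Jetstream; it assumes a users.password_changed_at datetime column cast on the User model, the two_factor_secret column Fortify adds, and the Jetstream/Fortify default route names listed in the block.

```php
<?php
// Added example, not from the question: a Laravel 8 middleware that keeps the
// user on the profile page until their password is fresh and 2FA is enabled.
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class EnsureProfileIsCurrent
{
    // Assumption: users.password_changed_at is a datetime cast on the User model.
    private const PASSWORD_MAX_AGE_DAYS = 60;

    // Routes that must stay reachable while the profile is out of date; otherwise the
    // user could never fix the problem (or log out). Names are Jetstream/Fortify defaults.
    private const ALLOWED_ROUTES = [
        'profile.show',
        'logout',
        'user-profile-information.update',
        'user-password.update',
        'two-factor.enable',
    ];

    public function handle(Request $request, Closure $next)
    {
        // $request->user() is populated only because this middleware is listed
        // after auth:sanctum; inside the route group closure it is still null.
        $user = $request->user();

        if ($user !== null
            && $this->needsAttention($user)
            && !in_array($request->route()->getName(), self::ALLOWED_ROUTES, true)) {
            return redirect()->route('profile.show')
                ->with('status', 'Please change your password and enable 2FA to continue.');
        }

        return $next($request);
    }

    private function needsAttention($user): bool
    {
        // Fail closed: a missing timestamp counts as an expired password.
        $passwordStale = $user->password_changed_at === null
            || $user->password_changed_at->lt(now()->subDays(self::PASSWORD_MAX_AGE_DAYS));
        // Fortify stores the (encrypted) TOTP secret only once 2FA is enabled.
        return $passwordStale || empty($user->two_factor_secret);
    }
}
// Register it after the auth middleware in routes/web.php:
// Route::middleware(['auth:sanctum', 'verified', EnsureProfileIsCurrent::class])->group(...);
```

Set password_changed_at whenever a password is saved (the Fortify UpdateUserPassword action is the natural place), or the check will treat every user as stale.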

How to redirect the user to another page after they have logged in with Ion Auth CodeIgniter

I have been working on admin panel of my project. I use Ion_Auth. I have a problem about redirecting after I have logged in on the system.
If I change default_controller to "auth", everything is okay and after I log in I am redirected to the user list. But I already have default_controller set to "Home" and I don't want to change it to "Auth". If I change it to "Auth", the login screen is shown first. If I use Home as default_controller, when I have logged in on the system the Home page is shown instead of the user list page.
So I guess I need two default controllers one of them for my home page and also the other one for ion auth.
Any idea about the solution?
In auth.php change the redirection route for when the user logs in. That would be line 67 I guess. You need to play with ion_auth to set it to fit your (application) needs.
I like to make a parent controller in application/core that has a checking function in the constructor. All controllers that require the login part should extend that sort of controller. Google for Phil Sturgeon's extending of MY_Controller.php to see what I am talking about.

Can I change name of tankauth admin controller to be harder to find for baddies?

I think I should change the name of my TankAuth admin controller. The login page for my admin area is www.mysite.com/admin, which is the first thing any mal-intended person or bot crawling the web for loopholes would guess. Before I make a mess of the code I'd like to know if there is a routine practice to perform this change? Thanks!
There are no admin url configs for Tank Auth - you'll have to simply change it all manually

display both register and login pages custom component in joomla

I'm building a custom component which should only be accessible to logged-in users. I'm thinking about checking JFactory::getUser()->guest and, if it is set, redirecting them to a custom page.
Now I would prefer this page to contain both register and login options, but Joomla itself does not seem to have this feature. Do I have to build this functionality into my custom component, or is there another solution?
You should really use the built in ACL to control user access instead of trying to code it in yourself. That's kind of the whole point of having the ACL to begin with. Here's the tutorial for how the ACL works in the admin and front end of a site -
http://docs.joomla.org/ACL_Tutorial_for_Joomla_1.6
Here is the tutorial for adding ACL to a component -
http://docs.joomla.org/Developing_a_Model-View-Controller_(MVC)_Component_for_Joomla!1.7_-_Part_14
I think you will be much better served using the ACL system as it allows you a lot more flexibility - like adding additional user groups and permissions later without having to touch the code.
Once you have this set up, making a custom register or login page is as easy as a template override of the default com_user login view. You would need to combine these files -
For the login part of the page:
JOOMLA/components/com_users/views/login/tmpl/default.php
For the registration part of the page:
JOOMLA/components/com_users/views/registration/tmpl/default.php
Then put the new and improved file here:
JOOMLA/templates/YOUR TEMPLATE/html/com_users/login/default.php
That would give you ACL controlled access to your component as well as a custom login/registration page without having to muck around with any unnecessary extensions.
Joomla!'s default login module/page only provides a link to a registration page.
A quick search of the JED shows about 200 login extensions, it's possible one of them does what you want.
However, if you want it integrated with the access to your component you will have to code it yourself. The normal process is that if a user tries to access an asset view, the view.html.php (or similar) will check their permissions and, depending on the component, post a JError message and possibly redirect them to the system login.
e.g. com_content
// Check the view access to the article (the model has already computed the values).
if ($item->params->get('access-view') != true && (($item->params->get('show_noauth') != true && $user->get('guest') ))) {
JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));
return;
}
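The same pattern applied to a custom component, combining the guest redirect from the question with the ACL check the answers recommend. This is an added example, not code from the answer or from Joomla: it assumes a Joomla 1.6 to 2.5 component named com_example whose access.xml declares a core.view action, and it sends guests to the core com_users login with a return URL instead of a custom page.

```php
<?php
// Added example, not from the answer: components/com_example/views/items/view.html.php
// guarding a custom component view. Assumptions: Joomla 1.6-2.5 API (JView, JError)
// and an access.xml for com_example that declares the 'core.view' action.
defined('_JEXEC') or die;

jimport('joomla.application.component.view');

class ExampleViewItems extends JView
{
    public function display($tpl = null)
    {
        $app  = JFactory::getApplication();
        $user = JFactory::getUser();

        // Guests go to the core login page. com_users expects the return
        // parameter base64-encoded, so the user comes straight back here.
        if ($user->get('guest')) {
            $return = base64_encode(JUri::getInstance()->toString());
            $app->redirect(
                JRoute::_('index.php?option=com_users&view=login&return=' . $return, false),
                JText::_('JGLOBAL_YOU_MUST_LOGIN_FIRST'),
                'warning'
            );
            return;
        }

        // Logged in but not granted by the ACL: fail closed with a 403 and
        // render nothing, mirroring what com_content does above.
        if (!$user->authorise('core.view', 'com_example')) {
            JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));
            return;
        }

        // Only an authorised user reaches the model and the template.
        $this->items = $this->get('Items');
        parent::display($tpl);
    }
}
```

Because the decision is made in the view from the server-side user object and the ACL, hiding the menu link is never the control; a direct URL to the component hits the same checks.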

Codeigniter: using a custom MY_Controller effectively for user authentication - passing vars to models etc

I am utilizing a custom MY_Controller to authenticate users on my Codeigniter website.
I utilize $this->load->vars($data); such that I can access the users information in views.
My first question is, does $this->load->vars($data); allow access in models, and if so how - i couldn't find any information. If not, how can I get my logged in users username to my models without having to pass it through a controller every time?
Secondly... if the user is not logged in, I redirect them redirect(base_url() . 'account/login');
This works great, except because my account controller also extends MY_Controller, it gets stuck in an infinite redirect loop. I can just not extend the custom controller for this page, but I see no reason why a logged in user should not still be able to look at the login page.. any ideas?
Finally.. if a user is logged in, $user['username'] is defined in my views.
If a user is not logged in, it is not defined.
As such if i have if($user['username']!=''){ within my code, when a user IS logged in, all is fine and the code executes, however when no user is logged in errors pop up as regards an undefined variable being used in an if statement...
Codeigniter being difficult..
What is the work around here?
Many Thanks !!
I agree with Chris about storing user details in the session.
To check if a user is logged in you could write a gatekeeper function and place it in the controller's constructor to protect controllers (and therefore the views).
Something like:
function gatekeeper()
{
    // The CodeIgniter session class exposes userdata(), which returns FALSE
    // for a missing key, so no isset() is needed around the call
    if ( ! $this->session->userdata('username'))
    {
        redirect('/account/login');
    }
}
I would consider storing the userdata for the currently logged in user in the session so that you don't need to query it and pass it to the view every time. You can access session data in the controllers, views and models with $this->session->userdata('your_userdata_var_name');.
The reason $user['username'] displays an error is probably because it's being completely removed, not set to an empty string (''), in which case you are trying to access an undefined array key.
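Putting the advice from this answer, the "extend CI's base controller" answers above and the redirect-loop problem in the question together, the following is an added example of a MY_Controller in the Phil Sturgeon style; it is not code from any answer or from CodeIgniter. It assumes CodeIgniter 2.x with the Session library and URL helper autoloaded, a login flow that stores user_id and username with $this->session->set_userdata(), and a login page at account/login.

```php
<?php
// Added example, not from any answer here: application/core/MY_Controller.php
// for CodeIgniter 2.x. Assumptions: Session library and URL helper autoloaded,
// login stores 'user_id' and 'username' with set_userdata(), login page is
// account/login.
defined('BASEPATH') OR exit('No direct script access allowed');

class MY_Controller extends CI_Controller
{
    // Defined for guests too, so views can test $user['logged_in'] without
    // ever hitting an undefined index.
    protected $user = array('id' => null, 'username' => '', 'logged_in' => FALSE);

    public function __construct()
    {
        parent::__construct();
        // Identity comes from the server-side session only, never the request.
        $id = $this->session->userdata('user_id');
        if ($id)
        {
            $this->user = array(
                'id'        => (int) $id,
                'username'  => (string) $this->session->userdata('username'),
                'logged_in' => TRUE,
            );
        }
        // $user is now in every view; models read the session directly with
        // $this->session->userdata('user_id') rather than being passed vars.
        $this->load->vars(array('user' => $this->user));
    }

    // Called by protected controllers. Remembers the requested URI so the
    // login controller can send the user back after a successful login.
    protected function require_login()
    {
        if ( ! $this->user['logged_in'])
        {
            $this->session->set_userdata('return_to', uri_string());
            redirect('account/login');
        }
    }
}

// Controllers that need a login extend this. Account extends MY_Controller
// directly, so the login page stays reachable and cannot redirect to itself.
class Protected_Controller extends MY_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->require_login();
    }
}
```

The stored return_to value is a relative URI from uri_string(), so redirecting to it after login cannot send the user to another host.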
