Passport login redirection - node.js

I'm using passport-facebook for logging into the site using Facebook (the implementation is complete and working well). Now, I want to redirect the user to a page containing a form which they are supposed to fill in once they log in from FB, and without doing it (that is, without filling in the form and submitting it) they shouldn't be able to access any other links on the site.
Here is the approach I thought of: once the user logs in, I would make a database query inside the strategy to see whether they have previously submitted the data; if they have already submitted it, I would set session.filledOrNot = true in the object which I'll be returning to the done callback, and use this property to either allow them to proceed or redirect them back to the same page.
Is this a good approach?

This can be done in 2 ways.
1. You can either make the user fill in the form during sign up/registration (whatever you call it). If the user doesn't fill in the form, don't let them sign up at all.
2. The second way is what you are suggesting. Let the user sign up without filling in the form and, once the user logs in, check in your database whether your condition "session.filledOrNot = true" is satisfied or not. The disadvantage is that you need to make this query in every API request, not just the login request.

Related

Prevent Browser Password Caching After Validation Of POST Parameters

How would one solve this?
An application has a form with a password and other input fields. The user must enter their password in order to submit a transaction along with other transaction info. The password is required as a security check at point of transaction submission.
The form input values are bound to a command object.
This was the way our application was handling this:
void submitAction(FooCommand command) {
    if (command.hasErrors()) {
        // render at the POST URL: the response (and the submitted password) lands in the browser cache
        render(view: 'show', model: [command: command])
    }
    // else do save and redirect
}
We became aware that by using render instead of redirect, the user's password was visible in the browser cache after the user logs out. The URL used in the render is the same as the POST URL. After the user logs out, someone else could use the browser back button and resubmit the form while using a tool like Firebug to inspect the POST parameters and gain access to the user's password.
There is also a requirement to persist the user’s input from the form back to the page that displays the validation errors. So a simple redirect with error message in the flash would fail this requirement.
The proposed solution is to use the chain method to put the command object into the flash scope so a redirect is possible to display errors and user input. This prevents someone from accessing the POST URL, and thus the password, in browser tools.
void submitAction(FooCommand command) {
    if (command.hasErrors()) {
        // redirect instead of render: the command travels in the flash scope, not in a cached POST response
        chain(action: 'show', model: [command: command])
    }
    // else do save and redirect
}
One potential downside is storing command objects in the flash scope (ultimately the session) that might have eagerly fetched relationships in the command. Could storing command objects in the session affect performance?
Is there a better solution?
To prevent showing a page after logout when someone hits the back button, use the following response header:
Cache-Control: no-store, must-revalidate
Chain sounds like the way to go. You don't need to use Hibernate/JPA entities for your models, you could make a class specific to the form and copy to your entities. This might take less memory, though you're not likely to store it for too long using a flash map.
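The Post/Redirect/Get flow the chain answer describes, with the password scrubbed before the input goes into the flash and a no-store header on both responses. Added example written as framework-free Node.js, not the question's Grails code; `validate`, the FooCommand fields and the session object are constructed for the demo.

```javascript
// Added example (not from the question or from Grails): Post/Redirect/Get with
// a flash that never carries the password, plus Cache-Control: no-store.
// Assumptions: `session` stands in for the flash scope; the command fields
// and validation rules are constructed for this demo.
const NO_STORE = 'no-store, must-revalidate';
const SECRET_FIELDS = new Set(['password']);

// Validate a constructed "FooCommand"; return a list of error messages.
function validate(command) {
  const errors = [];
  if (!command.amount || Number(command.amount) <= 0) errors.push('amount must be positive');
  if (!command.password) errors.push('password is required');
  return errors;
}

// Copy the command without secret fields so the flash (and thus the session) never holds the password.
function scrub(command) {
  return Object.fromEntries(Object.entries(command).filter(([k]) => !SECRET_FIELDS.has(k)));
}

// POST handler: on validation errors, park the scrubbed input and the errors in the
// flash and redirect (303) to the GET view instead of rendering at the POST URL.
function submitAction(command, session) {
  const errors = validate(command);
  if (errors.length) {
    session.flash = { command: scrub(command), errors };
    return { status: 303, headers: { Location: '/foo/show', 'Cache-Control': NO_STORE } };
  }
  // else: save the transaction, then redirect to a success page
  return { status: 303, headers: { Location: '/foo/done', 'Cache-Control': NO_STORE } };
}

// GET view: consume the flash once; the re-rendered form has no password value to cache.
function showAction(session) {
  const flash = session.flash || { command: {}, errors: [] };
  delete session.flash;
  return { status: 200, headers: { 'Cache-Control': NO_STORE }, model: flash };
}
```

The no-store header covers the back-button case from the other answer; the scrub covers the case where the flash itself is what survives logout.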

JSF redirect doesn't stop page rendering

We're using JSF in a very simple way. All we're doing is implementing tags that contain a little Java code.
I have implemented a "security" tag that sends a 302 redirect back to the login page whenever the user isn't logged in:
// make them log in
ctx.getExternalContext().redirect("login.xhtml");
ctx.responseComplete();
The trouble is that the redirect() method doesn't stop the rest of the page being rendered. Tags that are further down the page are getting executed. This is a problem because non-logged-in users could see things they shouldn't if they had their browser ignore redirects.
How do I get responseComplete() to do what I thought it was supposed to do?
It's always better to implement the login-related logic in a servlet filter, like below:
Implement a filter for the URL patterns that you want to secure.
In the filter, check if the user is logged in (maybe by just checking if the username/user id is present in the user session).
If the user is not logged in, redirect the user to an HTML-based login page.
If the user is logged in, let the user access the resources.
There are a lot of ways (maybe better than this) to implement this, but this is the most basic one.
Maybe you could use a flag to verify if the user is logged in.
Then, you can use the render=#{managedBean.logged} property in the tags you don't want to render.
This is just a workaround... can't really help too much with the amount of information you gave.
Try it!
ctx.getExternalContext().dispatch("login.xhtml");
ctx.responseComplete();
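The servlet-filter structure recommended above and the passport-facebook question at the top of the page (gate every route until the profile form is submitted) share one mechanism: a check that runs before any page handler and ends the response early. Added example in Node.js, not code from either question or from JSF/Passport; `req.session`, `req.user`, `profileStore` and the route names are constructed assumptions.

```javascript
// Added example: Express-style middleware chain. ensureAuthenticated refuses
// anonymous requests before any page handler runs (a redirect that really
// stops rendering); ensureProfileComplete looks the "form filled" flag up once
// and caches it in the session instead of querying on every request.
// Assumptions: req.session, req.user, profileStore and routes are constructed.
const profileStore = new Map();           // userId -> true once the form was submitted (constructed DB)
const EXEMPT = new Set(['/profile', '/logout']);

function ensureAuthenticated(req, res, next) {
  if (!req.user) return res.redirect('/login');   // return: nothing below this runs
  next();
}

function ensureProfileComplete(req, res, next) {
  if (EXEMPT.has(req.path)) return next();        // the form itself must stay reachable
  if (req.session.filledOrNot === undefined) {
    // one lookup, then cached; the profile POST handler refreshes it
    req.session.filledOrNot = profileStore.get(req.user.id) === true;
  }
  if (!req.session.filledOrNot) return res.redirect('/profile');
  next();
}

function postProfile(req, res) {
  profileStore.set(req.user.id, true);
  req.session.filledOrNot = true;                 // keep the cached flag in sync with the store
  res.redirect('/');
}

// Run a chain the way a router would: any link may end the response early.
function handle(req, ...chain) {
  const res = { redirectedTo: null, body: null,
    redirect(to) { this.redirectedTo = to; }, send(b) { this.body = b; } };
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

const pageHandler = (req, res) => res.send(`page ${req.path}`);
```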

how can I create a user session for a specific private resource group on the frontend?

I have a full website with two contexts for two different languages. The only public page is the landing page of both languages. The rest should be private/protected. This I have achieved with resource groups and limits on the anonymous users.
On the landing page all the menu entries that are protected should be seen by the anonymous user, and if clicked a popup with two login forms should be displayed. These login forms are from other sites and will return whether the user has permission or not once they've entered their credentials. And as long as this session exists the user should be able to view all pages, if the user was approved of course.
My guess, as someone who is not a MODX or PHP pro, is that I should check if a session exists when the landing page is loaded (and all sub-pages). If no user is logged in, all links will point to the popup. The user then logs in, sends info to the external server and is redirected to the private/protected landing page if successful. And this is what I can't find any info about, probably because I'm not entirely sure what to look for.
I need one snippet that checks if a valid session exists for the protected pages, if not display the logins.
The other code I would need is something that creates the session for the user if the external login was successful. Should this be a snippet or just a PHP document on the server? And how can I start a session for the protected pages?
You could do this in two different ways:
Make a user system that is not connected to MODX. I find this the easiest and I've done this several times before. You'll need to make a table for users with usernames and passwords, and make an object out of it, so you can use xPDO to do the queries. With this system up and running, it would be no problem to include a snippet in every template to make sure the user is indeed logged in. If not, just redirect him to the correct frontpage/landing page. This will require some coding, but as I said, it works like a charm.
Download the snippet http://modx.com/extras/package/login (by Spittingred, a true legend), and look at the code. I haven't used this Extra before, but I am pretty sure it uses the same user system as MODX, and therefore you should be able to achieve what you want. I can't give you any more help than "look at the source and figure out how Spittingred did it".
MODX Revolution checks if the user is logged in when trying to access a protected page, but if you would like to check it manually this snippet would do:
if (!$modx->user->hasSessionContext($modx->context->get('key'))) {
    $modx->sendUnauthorizedPage(); // redirect to the informative page for non-logged-in users
}
If you need to check for the user being logged in and display a login popup if not, then using the output modifier with simple user id check may work:
[[+modx.user.id:if=`[[+modx.user.id]]`:eq:=`0`:then=`Not logged in`:else=`logged in`]]
When it comes to session creation for users authenticated from outside the MODX site, I would suggest writing a snippet which checks the status from the external page and logs the user in. This way the session checking will be omitted but still, the functionality goal should be achieved.

j_security_check dilemma - work around

Before implementing j_security_check using MySQL realm authentication in my web app, I had the form info sent to a servlet (action controller) which would authenticate the user and then add some info regarding the user to the session object. Other servlets could then make use of this session object. After implementing j_security_check I don't know how to add the details of the login to the session object, since j_security_check is being called instead of my controller and then it forwards to the requested page. It's like as soon as a user signs in, the data specified on the form is needed to create the session object; however, I currently can't find any way of accessing the data submitted since it's being passed to j_security_check. I tried using filters but I can't seem to read the submitted data directed towards j_security_check. Any suggestions on what I should do? (I just want to set a session object as soon as a user signs in.)
The only information you can get in j_security_check is username and password. I don't see a use case of storing password in the session.
But the username can be obtained at any time using HttpServletRequest.getRemoteUser().

Handling form security

So how do you deal with the form-security problem of posting data to a different page? For instance, you have a member and he/she tries to change their personal settings, and you redirect the member to
www.domain.com/member/change/member_id
The member changes the values and posts the data to another page by changing the action with Firebug or something else. For instance
www.domain.com/member/change/member_id_2
How do you handle this problem without using sessions?
This problem arises when there are no server-side validations!
So, the solution is to have server-side validations.
Why not use session state? It's designed for that.
Alternatively use cookies or URLs with a unique session-style ID embedded in them, which allows you to tie it back to a specific user.
How do you handle members without session?
Before modifying anything, check if the current user has the right to do so. For example, if you're user #1 and your details are at /members/change/1, you post to the same URL, and with Firebug you change the form to point to /members/change/2. When processing the form, you have to check if the user id in the form is the current user's id, and if not, display an error.
You could crypt the identity information (member_id) and add it as a parameter or URL path. When the request is posted to the member_id form, you can verify that the crypted member_id (which is part of the request) matches the member_id.
