Vineet Sawant

Members • Posts: 217
Everything posted by Vineet Sawant

  1. Hello, I've created an enterprise management system with ProcessWire where employees log in to the system and perform various tasks, such as creating invoices, adding client information, creating/answering support tickets etc. The client is very much concerned about data security and data alteration by an unauthorized person. So I've been asked to make sure the system is very secure and there's no way to alter or leak the company information in any way. While I'm already doing the required validation & making sure the user is authorized by making them log in to the system, what else should I consider to make the system safer? Just wanted to have a better understanding of ProcessWire's security mechanism & how to make it better. Thanks everyone.
  2. Hey OrganizedFellow, Thanks for bringing this to attention, I had completely forgotten about it. I'll keep updating with what I've learnt so far! Thanks.
  3. Okay so I was being silly, I was passing the wrong page id. Problemo solved, thank you guys, you people are awesome!
  4. Thank you guys for the quick reply, will try defining $pages, so I have the following code now. And it prints nothing:

     ```php
     function printPage($page_id){
         $pages = wire('pages');
         echo "Page Title: ".$pages->get("id=$page_id")->title;
     }
     ```
  5. Hello all, So me being a noob, I can't figure out how I can use $pages->get or find in my custom function.

     ```php
     function printTitle($page_id){
         echo "Title of the page is ".$pages->get("id={$page_id}");
     }
     ```

     Above code is giving me this error: Error: Call to a member function get() on a non-object. From what I've read, I should probably be using $wire('pages')->get. But this gives the following error: Error: Function name must be a string. Removing $ from wire solves the above error but it doesn't print anything. Any help would be very much appreciated. Thanks a lot.
  6. Joss, this is something very important that you've shared. These are words of experience. Project documentation is indeed very important. I do write down project details in some documents but in the flow of development, I tend to be lazy and neglect to update it. But now I understand why having project documentation is important, it's the first step & a key requirement for big team-based projects. That's a perfect example!
  7. @Joss Thanks. Just like you said I try to write comments, sometimes I write detailed comments first and code later. These comments help in documenting solutions, bugs, issues or those ideas that flash suddenly. I wish to learn how high performing sites with tons of features are built, I mean what if I wish to distribute a ProcessWire project in a team of 5 people? How will they be working on it? I suck at management so this kind of thing puzzles me. If you are given a really big project to work on with a team of 5 people, which you're expected to develop on PW, what are the things you'll consider? What will the logical distribution of work be? I hope you understand I'm just trying to learn from your PM experience, which will definitely be higher than mine as I'm just a newbie! p.s: let's suppose you've to make Facebook for a small town.
  8. Hello, I've been developing sites with ProcessWire for a while now, and all those sites have been performing really well. It's good enough proof that PW itself is a very efficient & well performing system but I'm not sure how efficient a coder I am. Just wanted to learn from you guys, what are the things you do to keep PW's page structure clean, a few good practices you follow & how you write smarter code that reduces server load, etc. For example, I learnt the following things from tutorials that I always do for every site:
     • Creating a site settings page to store all global static variables in one place such as site logo, site title etc.
     • Using a globals.inc file for regularly needed variables, functions & information
     • Under home, creating ajax/json (locked & hidden) pages for processing forms
     • Using tags to group fields & templates
     • Prefixing field names with the template name for easy identification
     • Naming similar or related templates & template files with similar prefixes

     Thanks!
  9. Hey Ryan, Will try that & update you. Just wanted to know if having debug mode on will provide any important information which might provide some clue? Also do you think such a problem can happen due to multiple users being online at once and the server not being able to maintain sessions? We already have over 7k users registered.
  10. Just another update, the problem hasn't been fixed yet. Anyways, with Ryan's help, we've fixed another possible hole.
  11. @Ryan, You are the man Ryan, I can't thank you enough. I checked the redirection settings and it was indeed redirecting back to http, not https as it should have. I've fixed that now, let's see if it works, I don't see any reason for it to fail now. Once again, thanks a ton, I feel so foolish now!!!
  12. Another *UPDATE* Hey everyone, So just wanted to give an update to whoever is following this post & probably reading right now. So I did implement the cookie-based solution and now, after about two weeks, it's doing a great job I must say. 7 out of 10 transactions are being handled by this solution and people are getting their tickets even after getting logged out in the payment gateway's redirect process. While there's nothing to complain about in all this, some questions still remain unanswered: Why are they getting logged out in the first place? Sessions are stored on the server and the fingerprinting technique is used along with the user's IP to identify the session for each user, right? Then a change in which parameter can lead to session loss? Probably dynamic IPs are causing the problem, so can we just turn off the fingerprinting? In that case, will sessions still work? I was also wondering if no one else has faced a similar situation before? (If I've found this bug then let me name it.) I mean there must be many ecommerce websites built with ProcessWire, right? Would love to hear what you guys think about this. Thanks for your time, have a great day.
  13. Hey Adrian, thanks for your reply. I'm currently checking out the cron jobs!
  14. Hello, I've been reading about Cron & Lazy Cron for days, but since my knowledge of programming is fairly limited, I couldn't get a single task done, so I'm here again to seek some help, probably learn a thing or two. Firstly, Cron is a task scheduler run by the server, right? And Lazy Cron is run by ProcessWire, which runs only when a page is loaded?? If Lazy Cron runs only when pages are loaded, how will it run periodically? My requirement is, on every first minute of a day, a specific page (which will contain some code to perform several tasks) should run. Since right now the code doesn't need any specific time to run, I just run the page manually every morning. But there will be a time when it'll need to run at a very specific time. I wish to know if this requirement can be fulfilled by Lazy Cron or will I also need to use cron? TL;DR I wish to know what's the difference between Lazy Cron & CRON? And when to use which? Also, I need to run a PW page specifically a minute after every midnight. Will it be possible only with Lazy Cron or will I have to use Cron as well? For running a URL instead of a file in CRON, I'm looking at this solution by Horst.
  15. Thanks Adrian, giving the hardcoded path does seem like a solution as the domain will never change. Thanks again.
  16. Hello Adrian, I'm using the Page Web Service module for passing data to an Android app. I'll have to pass the full URL of the image. I just want to know how I can do that using your solution. I mean $config->urls->assets won't work outside of ProcessWire, so what can be a possible solution? Thanks a lot.
  17. *UPDATE* So, I just had to implement a solution so I ended up using cookies. There are two cookies created for every user; when the user reaches the payment page, his/her user ID & transaction number are stored. Every time the user is redirected back to the site, if he/she is logged out, using the transaction ID returned by the payment gateway, I identify the user by comparing the stored transaction ID and get the user ID stored with it. Once I have the user ID, I complete the post successful payment procedure to make sure the user gets what he paid for. Updated it here so it might help someone in future and also, experts here can tell me if this solution is safe enough. Thanks & Have a great day.
  18. Yes, it's the first thing I did and was hoping that it'd solve the issue. Are there any other config variables that should be turned off or on in order to keep users logged in longer? Should I increase the timeout time for session?
  19. Oh, well then I guess this is not the solution to my problem. I want to log users in. But again, this also does not answer the original question: why are users getting logged out in the first place and how can I prevent that? I read somewhere in the forum that it's because of dynamic IPs that sessions are getting lost, but even I have a dynamic IP and have never lost sessions.
  20. Hello Soma, thanks for your reply. I meant the above written code is not working for me even after turning $config->sessionChallenge to false. I did try without it this way, id=5446, but still it's not working for me. Also, 5446 is a valid user that does exist. Btw, just to make sure I'm expecting the right thing from this code, what I want is, user 5446 or whatever ID the cookie holds, should get logged in automatically. That's what this code does, right?
  21. Hello everyone, I was looking for a solution to my problem, and I ended up setting a cookie of the user ID and the transaction ID, which is unique. If the user comes back and is logged out, I can at least transfer seats to the user's account based on his ID and payment status. But it'd be awesome if I could log the user back in using the user ID. I read some articles about a similar requirement, but even after turning $config->sessionChallenge to false, the following is not working for me:

     ```php
     //goes in pre-payment page
     if ($user->isLoggedin()) {
         setcookie('uid',$user->id);
     }

     //goes in payment response page
     $u = $users->get("id='{$input->cookie->uid}'");
     $users->setCurrentUser($u);
     $session->_user_id = $user->id;
     ```

     Can anyone help me understand what I am doing wrong? Thanks, have a great day!
  22. Hello, I have this ticket booking website where people buy tickets for dramas. I'm using the default user management system of PW to manage users and user sessions. I have a problem similar to this one: http://processwire.com/talk/topic/4986-session-gets-lost/ I've noticed that many users are getting logged out when they are redirected back to the site after payment. Since I'm using temporary pages stored for each user when they make a purchase, the system cannot identify the transaction and thus seats remain on hold even when the user has paid for them already. What I wish to know is, is there any way we can prevent users from getting logged out? Probably by extending the session timeout? Also, how proper would it be to maintain cookies of purchases? Like, I could write a cookie of the user's ID including the show & seat details. If the user is logged out when redirected back, I could use his/her ID to automatically log the user in and successfully complete the transaction. Does this idea sound okay to you? Is there anything else I should be considering? Thanks in advance, really appreciate your support.
  23. Hey Ryan, Thanks for the code. Can you please check the following code and tell me why it's not working for me?

     ```php
     wire()->addHookAfter('Page::path', null, 'hookPagePath');

     function hookPagePath(HookEvent $e) {
         $page = $e->object;
         if($page->template == 'u_profile') $e->return = "/$page->name/";
     }
     ```

     If it helps you to understand, I have a page structure as follows: //example.com/profiles/apple where 'apple' has template 'u_profile'. I've placed the above code in head.inc before any other code. Still, //example.com/apple/ gives me a 404 error.
  24. For some reason, this code is not working for me. u_profile is the template of the profile page.

     ```php
     $pages->addHookAfter('Page::path', null, 'hookPagePath');

     function hookPagePath(HookEvent $e) {
         $page = $e->object;
         if($page->template == 'u_profile') $e->return = "/$page->name/";
     }
     ```
  25. @Soma Thanks, you are very fast! Actually I was reading the same article before I posted, but I didn't understand how it can solve my query. Never mind, I'm already reading some more documentation about routing. This clarifies one thing for me, and that is that routing is something I must be looking at to solve this issue!
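
Posts 17 and 21 above identify the returning user from a plain `uid` cookie, a value the server has no way to tell apart from one edited in the browser. As an added example (not code from the posts or from ProcessWire), one way to make that value tamper-evident is to sign the user ID, the transaction ID and an expiry time with an HMAC and verify all three on return. The function names, the secret handling and the transaction ID `TXN1001` are assumptions made for this illustration.

```php
<?php
// Added illustration: function names, secret handling and sample values are assumptions.

// Build "uid.txn.expiry.mac"; the MAC covers all three fields.
function makeReturnToken(int $uid, string $txn, string $secret, int $ttl = 900, ?int $now = null): string {
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $txn)) {
        throw new InvalidArgumentException('transaction ID must not contain the separator');
    }
    $exp = ($now ?? time()) + $ttl;
    $payload = $uid . '.' . $txn . '.' . $exp;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Return the user ID only if the MAC is valid, the token has not expired and it
// is bound to the transaction ID reported by the payment gateway; otherwise null.
function verifyReturnToken(string $token, string $gatewayTxn, string $secret, ?int $now = null): ?int {
    $parts = explode('.', $token);
    if (count($parts) !== 4) return null;
    [$uid, $txn, $exp, $mac] = $parts;
    $expected = hash_hmac('sha256', "$uid.$txn.$exp", $secret);
    if (!hash_equals($expected, $mac)) return null;        // constant-time comparison
    if (!ctype_digit($uid) || !ctype_digit($exp)) return null;
    if ((int)$exp < ($now ?? time())) return null;          // expired
    if (!hash_equals($txn, $gatewayTxn)) return null;       // issued for another transaction
    return (int)$uid;
}

// Constructed demo values. In a real site the secret is a fixed server-side value
// stored outside the web root, and the token is sent with setcookie() using the
// 'secure' and 'httponly' options.
$secret = random_bytes(32);
$token  = makeReturnToken(5446, 'TXN1001', $secret);

var_dump(verifyReturnToken($token, 'TXN1001', $secret));    // untouched token

$edited = preg_replace('/^5446/', '41', $token);            // user ID changed, MAC left as is
var_dump(verifyReturnToken($edited, 'TXN1001', $secret));

var_dump(verifyReturnToken($token, 'TXN9999', $secret));    // gateway reports a different transaction
```

A verified token shows only that this server issued it for that user and transaction; whether the payment succeeded still has to come from the gateway's own response.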