Custom Login


Frank Vèssia

Ah! I wonder if you can do the same with Textmate?

I haven't thought about switching in a while — might be time to look at Sublime again.

If you ask me... :)

Textmate: Right click ->Convert ->Tabs to Spaces

Link to comment
Share on other sites

  • 8 months later...

I think I've read it somewhere but I can't find it again.

How can I protect file access from the assets-directory? So that just a user who can see the page, can view the attached files?

thx

Link to comment
Share on other sites

  • 9 months later...

First thank you for the snippets and nice discussion. I was trying to logout the user.

$session->logout();
if($user->isLoggedin()) {
    echo "Logged in";
}

If I have not done a redirect like

$session->redirect("/login/");

then the

$user->isLoggedin()

is true. Seems like a bug to me, for the $user->id is not reset on logout. We need to reset the $user->id.

Thank you.

Link to comment
Share on other sites

Just wanted to mention it also here that all front-end login code posted mostly in this forum has one flaw. The problem is with the login throttle: once it kicks in, you'll get a WireException thrown that interrupts your login, as you will only see this error and nothing else.

There's a thread where this was asked and the solution is to use a try/catch to perform the login, this way you can catch the error message and output it where you want it.

Looks like this

try {    
    $u = $session->login($username, $password);
    if($u && $u->id){
       // user logged in do something
       $session->redirect("/profil/");
    } else {
       $errors .= "Login failed.";
    }
} catch(WireException $e){ // in case of multiple false login (throttle login)
   $errors .= $e->getMessage(); // get the error message
}

There was a mention here

https://processwire.com/talk/topic/1716-integrating-a-member-visitor-login-form/?p=50501

  • Like 4
Link to comment
Share on other sites

Yeah but the $user is still from the request and it's not overwriting it for $user as that was already set earlier, you may have to load it again before user is the new logged out user.

$session->logout();
$user = wire("user");
if($user->isLoggedin()){
    $content .= "user is logged in $user->name";
}

BTW I don't trust that API gen and never use it. I would recommend using GitHub, because the code you linked isn't exactly the same as in the current version, although the behaviour remains the same. https://github.com/ryancramerdesign/ProcessWire/blob/master/wire/core/Session.php#L324

Link to comment
Share on other sites

  • 2 months later...

Hello!

I am developing a website/app using the ProcessWire framework. Just for testing purposes, I have created a custom index.html page which takes care of the UI for registration and login. The registration will ask the user a few questions, and when the Register button is clicked it will register the user and possibly add it to a database. Multiple users with the same information cannot be created. I am totally lost on how to do this. I have also included my index.html page for reference. It is still a work in progress.

Please do let me know. I am creating something of this sort for the first time ever. Is it possible for anyone to guide me to a very good, basic, and simple starting point? If you open the index.html page in the attached file, I want the user to be able to enter their information, and after that they can access other features of the website.

Attached Files

tennis.zip

Link to comment
Share on other sites

Hey @tarang9211 ,

I did look into the files you have provided.

You can already see some well-written help over at https://processwire.com/talk/topic/126-anybody-did-user-registrationlogin/ .

I assume you are looking for an AJAX-based user registration. So what you need to do is create a template register.php, do the post validation and return the response. Depending on the response, send the user to the next page.

In the register.php template you can validate and create a user via the API, something like

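// Sample values; in register.php these would come from the submitted form
$data = array(
    'username' => 'someone',
    'password' => 'password',
    'email' => 'someone@something.com',
    'fullname' => 'Some One',
);
// Sanitize the values before they go into selectors or onto the user
$username = $sanitizer->username($data['username']);
$email = $sanitizer->email($data['email']);
$fullname = $sanitizer->text($data['fullname']);
$successflag = true;
$messages = array();
if (!$username || !$email) {
    // empty after sanitizing: not a usable name or address
    $messages[] = array(
        'Invalid username or email',
    );
    $successflag = false;
}
if ($successflag) {
    // selectorValue() escapes the value for use inside a selector string
    $sql_check = wire('users')->find("email=" . $sanitizer->selectorValue($email));
    if (count($sql_check)) {
        // user already exists
        $messages[] = array(
            'Email already exists',
        );
        $successflag = false;
    }
    $sql_check = wire('users')->find("name=" . $sanitizer->selectorValue($username));
    if (count($sql_check)) {
        // user already exists
        $messages[] = array(
            'Username already exists',
        );
        $successflag = false;
    }
}
if ($successflag) {
    $newuser = new User();
    $newuser->name = $username;
    $newuser->pass = $data['password'];
    $newuser->email = $email;
    $newuser->fullname = $fullname;
    $newuser->roles->add($roles->get("guest"));
    $newuser->roles->add($roles->get("member"));
    $newuser->save();
}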

Hope that helps you a bit to start.

Thanks

Link to comment
Share on other sites

Just wanted to mention it also here that all front-end login code posted mostly in this forum has one flaw. The problem is with the login throttle: once it kicks in, you'll get a WireException thrown that interrupts your login, as you will only see this error and nothing else.

There's a thread where this was asked and the solution is to use a try/catch to perform the login, this way you can catch the error message and output it where you want it.

Looks like this

try {    
    $u = $session->login($username, $password);
    if($u && $u->id){
       // user logged in do something
       $session->redirect("/profil/");
    } else {
       $errors .= "Login failed.";
    }
} catch(WireException $e){ // in case of multiple false login (throttle login)
   $errors .= $e->getMessage(); // get the error message
}

There was a mention here

https://processwire.com/talk/topic/1716-integrating-a-member-visitor-login-form/?p=50501

I too get the error as if there are failed login attempts. Does this mean that doing the session->login attempt, to check if the user is logged in, is creating a failed attempt when I just load the page? Is that the reason for the error, that ProcessWire thinks there is a bad login attempt? Thanks.

EDIT: I tried the Try/Catch solution you posted and now at least I don't go to a blank page with that error. But I still have the problem that for some reason the session throttle will tell me that I have to wait 60 seconds to login again after I logged out (logout redirects to the login page), and return back to the login page. Seems to me that the session throttle should not be invoked here??? Also it's weird that it says 60 seconds, where before it would start at like 15 and work its way up to 60.

Link to comment
Share on other sites

  • 6 months later...

What I did was setting the path as a setting within my user-login template, using a page field (with the output set as single page). 

So the admin/editor can choose where to redirect frontend users to. Nothing hard coded there.

Link to comment
Share on other sites

Ryan,

Thanks this gave me a great place to start. I thought I'd share the version I created in case anyone finds it useful.

• Single template for the login/logout.

• Automatically redirects the user back to whatever page they originally requested after they login.

./includes/login.php

<?php

// Handle logouts
if($input->get->logout == 1) {
	$session->logout();
	$session->redirect($page->path);
}

// If they aren't logged in, then show the login form
if(!$user->isLoggedin()) {

	// check for login before outputting markup
	if($input->post->user && $input->post->pass) {

		// $username rather than $user, so the $user API variable is not overwritten
		$username = $sanitizer->username($input->post->user);
		$pass = $input->post->pass;

		if($session->login($username, $pass)) {
			// login successful
			$session->redirect($page->path);
		} else {
			$session->login_error = 'Login Failed. Please try again, or use the forgot password link below.';
		}
	} ?>

<!DOCTYPE HTML>
<html lang="en">
<head>
	<title>Custom PW Login</title>
</head>

<body>
<form action='./' method='post'>
<div class="login">
	<?php if($input->post->user && $input->post->pass) {
		echo "<p class='error'>" . $session->login_error . "</p>";
	} ?>
	<p><input type='text' id="user" name='user' placeholder='Username'/></p>
	<p><input type='password' id="pass" name='pass' placeholder="Password" /></p>
	<p><input type='submit' class="btn" name='submit' value='Login' /></p>
</div>
</form>
</body>
</html>

<?php
	die(); // don't go any further if not logged in
} // end !logged in
?>

In any template you wish to protect:

<?php require("./includes/login.php"); ?>

To trigger a logout:

<a href="?logout=1">Logout</a>

Note:

I'm using the HTML5 placeholder attribute. Browser support is not 100%.

You may want to use labels instead, or use some jQuery (like I did) to add the placeholder text for browser that don't support it.

SideNote:

How do you get code indents to stick when posting? I'm having to go back and add spaces to each line. I use tabs when coding.

I'm studying your code.

Which line(s) of code save the path for redirecting back to it after logging in successfully?

Link to comment
Share on other sites

$session->redirect($page->path);

As mentioned in the post you quoted the login handling code is supposed to be included in any page that is supposed to be protected. This means redirecting to $page->path is merely a solution to ensure the same page you are on at the moment is reloaded once logged in. At least that's how I'd read it.

Link to comment
Share on other sites

  • 2 weeks later...

Instead of (which doesn't work for me):

/_main.php

<a href='?logout=1'>Logout</a>

I'm using:

/_main.php

<a href='{$config->urls->admin}login/logout/'>Logout</a>

I don't know why the first doesn't work. The second has a little "bug". When I'm logged in as a regular user and I log off, it redirects me to the homepage (which is OK), but if I'm logged in as admin it redirects me to the Admin Panel login. I can guess that the solution is to include login.php before echoing these lines.

Link to comment
Share on other sites

  • 2 weeks later...

I had a problem with this error "Call to a member function isLoggedin() on a non-object" when using the login code from Ryan's very first post in this thread here.

Just like adrianmak here: https://processwire.com/talk/topic/8835-cause-internal-server-error-when-login-with-a-wrong-username-or-password/

The code at the very beginning of this thread goes like this:

$user = $sanitizer->username($input->post->user);

But that is bad because $user gets overwritten !?

Jan Romero gave the answer in that other thread ...

Now I use this and everything is fine:

$username = $sanitizer->username($input->post->user);
$pass = $input->post->pass; 

if($session->login($username, $pass)) {
  $session->redirect($root_url."login/");
}

Could be related to some other bugs on this forum? When you search for "Call to a member function isLoggedin()" you get some topics displayed - maybe the examples at the beginning should be corrected!?

  • Like 1
Link to comment
Share on other sites

Yeah, that’s true. It works in Ryan’s example at the beginning of the thread because he calls isLoggedin() before overwriting the $user variable with a normal string (strings in php are indeed different from objects). So, confusingly, in that example $user refers to different things at separate times. He should probably edit the post for posterity.

  • Like 1
Link to comment
Share on other sites

  • 9 months later...

Hi everyone,

A question regarding security/best-practice concerning a simple front-end login through AJAX calls. My plan is to use this kind of module inside a small AngularJS architecture to update the entire application when someone is logged in/out.

*

I've made a simple HTML form in which the user can log in by typing his/her username and password in the corresponding fields. After submitting the form, an Ajax GET request is made with these values to a page which has access to the ProcessWire API. This page checks if these values (after sanitization) correspond to an existing user in the CMS.

If the user and password match, the user is logged in, and a success message is returned.

If the user and password do not match, an error message is returned.

*

I don't know much about encryption, therefore I highly doubt if this is a 'safe' way of doing things. Hopefully someone can give me some pointers on this!

Best,

berechar

Link to comment
Share on other sites
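
An added example, not part of the thread and not ProcessWire's own code: a JSON login endpoint for the kind of AJAX form described in the post above. It accepts the credentials by POST only (a GET request puts them in the URL, and so in server logs and browser history), leaves the $user API variable intact and catches the login-throttle WireException discussed earlier in the thread. Assumptions: the file is the template of a hypothetical /ajax-login/ page served over HTTPS, and the field names user and pass match the forms above.

```php
<?php
// Added example: template file of a hypothetical /ajax-login/ page.
// The ProcessWire API variables ($input, $session, $sanitizer, $user) are
// provided by ProcessWire when it renders the template.

// Send a JSON body with an HTTP status code and stop the request.
$reply = function($status, array $body) {
	http_response_code($status);
	header('Content-Type: application/json');
	echo json_encode($body);
	exit;
};

// Credentials belong in the request body, never in the query string.
if($_SERVER['REQUEST_METHOD'] !== 'POST') {
	header('Allow: POST');
	$reply(405, array('ok' => false, 'error' => 'Use POST.'));
}

if($user->isLoggedin()) {
	$reply(200, array('ok' => true, 'name' => $user->name));
}

// $username, not $user: assigning to $user would replace the API variable.
$username = $sanitizer->username($input->post->user);
$pass = $input->post->pass; // handed to login() unchanged

if(!$username || !$pass) {
	$reply(400, array('ok' => false, 'error' => 'Username and password are required.'));
}

try {
	$u = $session->login($username, $pass);
} catch(WireException $e) {
	// thrown by the login throttle after repeated failed attempts
	$reply(429, array('ok' => false, 'error' => $e->getMessage()));
}

if($u && $u->id) {
	$reply(200, array('ok' => true, 'name' => $u->name));
}

// One message for both an unknown user and a wrong password.
$reply(401, array('ok' => false, 'error' => 'Login failed.'));
```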
