Doc

Do I need to add users ? (session->login problem)


Hello,

Newbie question here.

I'm rebuilding my existing website with PW; it's a game where people can guess the winners of races.

I used to have a "players" table. Those are registered players, I used to identify them through their login/password, and when it matches, I give them access to the website. No rocket science.

So now with PW, I'm building my sign-up form and I'm trying to create a new session when a new user signs up.

I'm retrieving user/pass from the sign-up form which has been posted before, but:

if($session->login($user, $pass)) {
    // login successful: $session->login() returns the User object, or null on failure
    $session->redirect('elsewhere'); // 'elsewhere' is a placeholder for the target URL
} else {
    echo "failed";
}

... fails every time.

Do I have to use something like :

$u = new User();             // a user is a Page with the "user" template
$u->name = "bill";
$u->pass = "billpwd";        // assign the plaintext; the Password field hashes it on save
$u->addRole("guest");
$u->save();

... before doing a session->login('bill', 'billpwd')?? (I've just checked, it works, so I guess this is the good way to do it?)

I already have my players table so perhaps I can have the minimum in PW's table and keep my players' info in my historical table?

... Or I can add all information I need into PW but I'd like to understand where it is stored.

Last question: if there is a PW matching between "user" and "session", I need to give the session->login function the password unhashed. I'm using the password_hash PHP function, any problem with that?

Thanks


I'm answering part of the question myself:

I've just discovered by dumping the whole DB that a user is stored as a page, in the "pages" table, which is not too convenient if I want to dump my users table I guess.

On 1/16/2017 at 10:42 AM, Doc said:

... before doing a session->login('bill', 'billpwd')?? (I've just checked, it works, so I guess this is the good way to do it?)

The $session->login($user, $pass) is going to return a user object if the user exists and the password is correct. Otherwise, the session call will fail. That's why creating the user before the login check works when registering the user. It's okay to build users on the fly as long as you sanitize and do your role/permission assignments, etc. If you have a separate login form from the registration form, use one to create and log in the user while the other simply logs them in. I don't think you'll need to use any extra hashing; PW will compare the hashed value of the supplied password to that stored in the database.


Thanks @Mindfull.

Actually I sanitize everything before creating the user, on the fly as you said. It wasn't obvious to me that I had to create the user before the session login returns OK.

I won't add any extra hashing, but I'll keep only the minimum info (username/password/email) in the PW DB and have another table to store everything I need for my players. It's also easier for me to have all the players' information in one table; export is easier too.

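Putting Mindfull's answer and Doc's last post together, here is an added example of a sign-up handler for a ProcessWire template file; it is not code from this thread or from ProcessWire itself. It sanitizes the posted values, creates the user as a page with only the guest role, keeps the game-specific data in a separate table keyed by the PW user id, and then calls $session->login() with the plaintext password (PW hashes it with the stored salt and compares; a value already run through password_hash() would never match). The form field names, the /dashboard/ landing page and the "players" table with columns user_id, name and created are assumptions.

```php
<?php namespace ProcessWire;
// Sign-up handler for a ProcessWire template file (added example, not the
// poster's or ProcessWire's own code). Assumes form fields "username",
// "email" and "pass", and a hypothetical external "players" table
// (user_id, name, created) that holds the game data outside PW.

if ($input->post('submit_signup')) {
    // Reject cross-site form posts before touching any data
    // (throws WireCSRFException when the token does not match).
    $session->CSRF->validate();

    // Sanitize everything that will end up in a page field or selector.
    $name  = $sanitizer->pageName($input->post('username'), true);
    $email = $sanitizer->email($input->post('email'));
    $pass  = (string) $input->post('pass'); // plaintext; the Password field hashes it

    $errors = [];
    if ($name === '')      $errors[] = 'Invalid username.';
    if ($email === '')     $errors[] = 'Invalid email address.';
    if (strlen($pass) < 8) $errors[] = 'Password must be at least 8 characters.';
    // $name is already page-name safe, so it can go into the selector string.
    if ($name !== '' && $users->get("name=$name")->id) {
        $errors[] = 'That username is already taken.';
    }

    if (!$errors) {
        // A user is a Page with template "user", stored in the "pages" table
        // like every other page; the password is stored salted and hashed by
        // the Password fieldtype, never as plaintext.
        $u = new User();
        $u->name  = $name;
        $u->email = $email;
        $u->pass  = $pass;      // assign the PLAINTEXT; do not pre-hash it
        $u->addRole('guest');   // least privilege: players get no editor/admin role
        $u->save();

        // Game-specific data lives outside PW, keyed by the PW user id
        // (hypothetical "players" table, assumed to exist).
        $stmt = $database->prepare(
            'INSERT INTO players (user_id, name, created) VALUES (:id, :name, NOW())'
        );
        $stmt->execute([':id' => $u->id, ':name' => $name]);

        // login() needs the PLAINTEXT password: PW re-hashes it with the stored
        // salt and compares. Passing password_hash($pass, ...) here never matches.
        if ($session->login($name, $pass)) {
            $session->redirect('/dashboard/'); // assumed landing page
        }
        $errors[] = 'Account created, but login failed.';
    }

    foreach ($errors as $e) {
        echo "<p class='error'>" . $sanitizer->entities($e) . "</p>";
    }
}
?>
<form method="post">
    <?php echo $session->CSRF->renderInput(); ?>
    <input name="username" placeholder="username">
    <input name="email" type="email" placeholder="email">
    <input name="pass" type="password" placeholder="password">
    <button name="submit_signup" value="1">Sign up</button>
</form>
```

The user is created before $session->login() is called, which is exactly why Doc's test worked: login() only looks up an existing user page by name and checks the supplied plaintext against its stored hash. Keeping the external players row keyed by $u->id rather than by username means a later rename of the user does not break the link.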
