Login Script to Automatically Find User and Log In

[briangroce]

Hi guys,
I am having trouble with a script on a website I built. Here is the scenario:
 
The site that I built (in ProcessWire) runs inside of an iframe on a page within a members only section of another website. I'm going to call the Members Only site (not ProcessWire) that is holding the iframe the parent site. I will call the ProcessWire site that I am working on that runs inside of the iFrame the child site.
 
When a user logs into their account on the parent page, they can navigate to a "Tools" page. This tools page has the child site running in an iFrame.
 
The parent site sets a few variables and submits it to the child site as $POST. The child site should take that post data and lookup a user. If it finds the user in ProcessWire matching that same information, it needs to log them in and redirect them to a dashboard page.
 
Here is the script on the parent site that sends the variables:

<form action="https://domainnamehere.com" method="post" target="section">
	<input type="hidden" name="usid" value="Identifier Here that Relates to PW died" />
	<input type="hidden" name="firstname" value="Brian" />
	<input type="hidden" name="lastname" value="Groce" />
	<input type="hidden" name="email" value="Email Address" />
</form>
<body onload="document.forms[0].submit()"></body>

<iframe id="section" name="section" src="about:blank" frameborder="0" scrolling="no" style="width:100%; min-height:1600px; height:3000px; margin 0 auto"></iframe>

On the ProcessWire page, here is what the code looks like:

$asmUserID = $input->post("usid");
$email_address = $sanitizer->name($input->post("email"));

   if ($asmUserID!="") {
	   if ($session->login($email_address, $asmUserID)){
		    if ($user->id!="40") {
			    if ($user->active) { $url = $pages->get("/dashboard/")->url; } else { $url = $pages->get("/account-setup/")->url; }
				header("Location: ".$url);
//				$session->redirect($url);
			}
		}
		
		else {
			if ($user->isLoggedin()) {$session->logout();}   
				$changePass = $users->get($email_address);
				if ($changePass->id!="") {
				$changePass->setOutputFormatting(false);
				$changePass->pass = $asmUserID;
				$changePass->asmUser = $asmUserID;
				$changePass->save();
				$changePass->setOutputFormatting(true);
				}
				
				else {
				if ($email_address!="") {
					$changePass = new User();
				    $changePass->name = $email_address;
				    $changePass->asmUser = $asmUserID;
				    $changePass->pass = $asmUserID;
				    $changePass->membership_level = $pages->get(95165);
				    $changePass->addRole("member");
				    $changePass->save();
			    }
			}
			if ($session->login($changePass->name,$asmUserID)){
			    if ($user->active) { $url = $pages->get("/dashboard/")->url; } else { $url = $pages->get("/account-setup/")->url; }
				header("Location: ".$url);
//				$session->redirect($url);
			}
		}
	}

I am trying to find the user in ProcessWire, then log them in. I want to check to make sure the user is not the guest, then redirect them to the page.

If login fails, I want it to change the password to the correct value, then log them, check if it is the guest, then redirect.

If that still fails, then ProcessWire needs to create an account, log in, then redirect.

This is working fine for many people, but some people are having trouble getting ProcessWire to let them in. There are a few things that I noticed. I noticed some inconsistencies on some people browsers with SSL Certificates. We need to manually "Trust" some of the SSL certificates and it worked better.

Also, sometimes when you visit the parent site and the child site is loaded nothing happens, but if you reload the page, then it redirects you like expected.

I have found that when I do this:

if ($session->login($email_address, $asmUserID)){
         if ($user->id!="40") { 

ProcessWire is not giving me access to the $user variable that quick. Is this possible? Also maybe the $session->redirect() is not working.

I know this is a lot, but any help/suggestions would be GREATLY appreciated.

Thank You,

Brian

[ryan]

After you do a $session->login() the $user variable that was already there will still be the same one that was there before the login. So you need to change the $user variable yourself, i.e. 

$user = $session->login($email_address, $asmUserId);

Also be certain that none of this is mission critical from a security standpoint. This is a publicly accessible interface to creating, modifying and accessing user accounts.

[briangroce]

Ryan,

Thank your for your response. I went ahead and did that and it fixes the problem I was having of accessing the $user.

I am having another problem though...

This script does not automatically log some users in. Processwire logs the user in, then redirects to a page but thinks it is still a guest.

I have repeatedly solved the issue by visiting the child site directly (https://www.childsite.com) and the site comes up with a request that wants you to manually "Trust" the SSL certificate. If I manually trust it and return to the parent site, it automatically logs in no problem.

The SSL certificate is for https://childdomainname.com and not https://www.childdomainname.com. The browsers accepts the certificate for the non www version. It seems that maybe somewhere, the site is trying to access the www version and is being blocked for not having a valid SSL for it.

Can I make ProcessWire always use https://childdomainname.com and is it is possible that it might be trying to access the www version at some point?

Thank You for your help!

Brian

[horst]

Hi Brian,

you may use a .htaccess snippet to solve that?

The following one I use to solve exactly that, but with http instead of https. If you try it and it doesn't work with HTTPS,  sorry, you must refer to the Apache httpd manual.

<IfModule mod_rewrite.c>

    RewriteEngine On

# Domain-name without WWW
	RewriteCond %{HTTP_HOST} ^www\.childdomainname\.com$
	RewriteRule ^(.*)$ http://childdomainname.com/$1        [L,R=301]

</IfModule>

This way, I think, PW always is invoked _after_ the domain name is sanitized.

[briangroce]

horst,

Thank You for your reply! I had a script in the htaccess file similar to that, but your thoughts got me thinking so I searched Google for edits I could make in the htaccess file. I came across this:

RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

Forcing the request to be a https like this seems to work great!

My only problem now though is that it acts like the certificate isn't actually processed or downloaded when the request comes through the iFrame. The site doesnt work when you look at it through the iFrame, but if I visit the URL directly, it gives me no message about trusting, etc... then when I go back to the iFrame it works.

So basically, I have to visit the direct URL to get the certificate to take effect. Has you ever come across this?

- Brian

[horst]

Uuh, this is a security restricted thing, but, sorry, I have no clues about that.

search?q=iframe+cross+domain+http+https

[briangroce]

I have narrowed this down a little bit. It seems that until I visit the direct url with the SSL on in (which registers that on my computer I guess?) I cannot store any $session variables (including the $user) The variables are stored on that page, but as soon as it goes to a different page, those variables are not accepted.

I tested this using:

$session->hello = "Hello World";     // Placed on the first page
echo $session->hello;                // Placed on the second page

I get no output on the second page.

[ryan]

I'm not sure I follow all of this or understand the https certificate issues that may be interfering with it, but you might want to try having a second invisible iframe that comes before the first (in the source/markup), to attempt to register/initiate the session?