thetuningspoon (Posted February 16, 2014)

We're working on building a front end login form and the programmer I'm working with discovered that after the form is submitted and the post values are used to log the user in with $session->login(), $user->isLoggedin() still returns false until after the page is physically reloaded, changed, or $session->redirect() is used in the code. Maybe it's just late and I'm not thinking straight, but what is the reason for this?

horst (Posted February 16, 2014)

The reason could be that, at the point when you use $session->login() (in your template file?), the variable $user is already populated. And it can't be changed automagically when you do a call to $session->login().

You may use something like:

```php
$u = $session->login($username, $pass); // try to log in a user
if($u) {
    // if login was successful, $u holds a user object
    $user = $u; // repopulate the $user variable with the new user
}

// .. and then the rest of your code:
if($user->isLoggedIn()) {
    // ...
}
```

Harmster (Posted February 17, 2014)

My idea (and don't take my word for it) is: the session needs to be reinitialized and the credentials used must be set in order to generate other dependencies like the $user object.

I took a look at the method in the $session class and you can see that a cookie is generated and some other things are set.

Code for reference: https://github.com/ryancramerdesign/ProcessWire/blob/03387f8283d518e9cc405eff8f05cd6a5bf77c4c/wire/core/Session.php#L257

```php
public function ___login($name, $pass) {

    if(!$this->allowLogin($name)) return null;

    $name = $this->fuel('sanitizer')->username($name);
    $user = $this->fuel('users')->get("name=$name");

    if($user->id && $this->authenticate($user, $pass)) {

        $this->trackChange('login');
        session_regenerate_id(true);
        $this->set('_user_id', $user->id);
        $this->set('_user_ts', time());

        if($this->config->sessionChallenge) {
            // create new challenge
            $challenge = md5(mt_rand() . $this->get('_user_id') . microtime());
            $this->set('_user_challenge', $challenge);
            // set challenge cookie to last 30 days (should be longer than any session would feasibly last)
            setcookie(session_name() . '_challenge', $challenge, time()+60*60*24*30, '/', null, false, true);
        }

        if($this->config->sessionFingerprint) {
            // remember a fingerprint that tracks the user's IP and user agent
            $this->set('_user_fingerprint', $this->getIP(true) . $_SERVER['HTTP_USER_AGENT']);
        }

        $this->setFuel('user', $user);
        $this->get('CSRF')->resetToken();

        return $user;
    }

    return null;
}
```

ryan (Posted February 17, 2014)

Both guys here are correct. The session needs to be regenerated with a new session ID and some new cookies need to be set, etc. Redirecting after successful login ensures you are dealing with the new and authenticated session and $user, ready to work with.

thetuningspoon (Posted February 17, 2014)

Thanks everyone!

Craig (Posted February 17, 2014)

To build on top of Ryan's response, redirecting is not just sensible to do on login, but whenever you have forms. The Wikipedia page on the Post/Redirect/Get pattern explains it much better than I can. It's definitely worth the read.
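
The login-then-redirect flow described in the replies above, as an added example that is not code from the thread or from the ProcessWire project. It assumes a hypothetical template file `site/templates/login.php` and form field names `user`, `pass` and `submit_login`.

```php
<?php
// Added example, not from the thread or the ProcessWire project.
// Assumed: template file site/templates/login.php, fields "user", "pass", "submit_login".

if ($user->isLoggedin()) {
    // Reached on the GET that follows the redirect below, or by a user already signed in.
    $session->redirect($pages->get('/')->url);
}

$error = '';

if ($input->post->submit_login) {
    if (!$session->CSRF->hasValidToken()) {
        // Reject posts that do not carry this session's CSRF token.
        $error = 'The form expired. Please try again.';
    } else {
        $name = $sanitizer->username($input->post->user);
        $pass = (string) $input->post->pass;

        // login() returns the User on success and null on failure. On success it
        // also calls session_regenerate_id(true), so the pre-login ID is dropped.
        $u = $name !== '' ? $session->login($name, $pass) : null;

        if ($u) {
            // Post/Redirect/Get: end this POST request here. The next request is a
            // GET on the new session, where $user is the authenticated user and a
            // browser reload does not resubmit the credentials.
            $session->redirect($page->url);
        }

        // One message for unknown user and wrong password alike.
        $error = 'Login failed.';
    }
}
?>
<?php if ($error !== ''): ?>
<p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="<?= $page->url ?>">
    <?= $session->CSRF->renderInput() ?>
    <label>User <input type="text" name="user" autocomplete="username"></label>
    <label>Password <input type="password" name="pass" autocomplete="current-password"></label>
    <button type="submit" name="submit_login" value="1">Log in</button>
</form>
```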