
Keep user logged in with different browsers


clsource

Hello, 

I'm wondering if this approach is correct; it has not been tested yet.

What I'm trying to do is log in a user from one browser and keep the user logged in in a different browser.

example:

I have an app and send a login command to a ProcessWire backend;

the backend responds with the user id if the login was successful.

http://example.com/login

POST (encrypted):

username
password

response: 123

The code could begin like this:

$username = $input->post('username');
$password = $input->post('password');

$user = $session->login($username, $password);

if($user){
  echo $user->id;
}

Then I read the user id and open a new browser like this:

http://example.com/user/123

And the website checks if the user is logged in and opens a section only for logged in members.

Because PW saves the sessions on the server, I think this could work.

The code for this would be:

$userId = $input->urlSegment1;

$user = $users->get($userId);

if($user->isLoggedin()){
    $session->redirect('/private/');
} else {
    $session->redirect('/');
}

Thanks in advance :)


There's an issue with your proposed approach; namely the way isLoggedin() works. As you can see, it only checks if this user is a guest, i.e. if its ID matches that of the guest user. It's going to return true for any user you've fetched with $users->get().

Putting that aside for a moment, there's an even bigger issue here.

If I'm getting this right, you're logging the user in, and later trying to check if that specific user (123) is logged in when anyone opens a URL like http://example.com/user/123. Isn't that a huge security issue right there? How would you validate that the user opening this URL is the same one that earlier authenticated using correct credentials?

I really wouldn't recommend pursuing this. There are going to be severe security implications no matter how you approach it.

... but if you really have to, I'd consider some sort of token-based authentication method. When the user logs in, provide a URL she can visit to log in. Typically that URL would be invalidated after a single login (and after a certain period of time) to make it slightly more secure.

Automatically generating something like this would still be very risky (please don't do it). It's more often used in combination with, say, a valid email: the user types in her email and receives a URL that's valid for a certain period of time and allows her to log in (preferably once) before it's invalidated.

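The single-use, time-limited login token Teppo describes, as an added example that is not from the thread or from ProcessWire's own API: the `$tokenStore` array stands in for a database table, `issueLoginToken()` and `redeemLoginToken()` are hypothetical names, and the URL is a placeholder.

```php
<?php
declare(strict_types=1);

// Added example, not ProcessWire code. Only a hash of the token is stored,
// so a leaked table does not yield usable login URLs. The array stands in
// for a persistent "login_tokens" table: tokenHash => [user_id, expires, used].
const TOKEN_TTL_SECONDS = 600; // token is valid for 10 minutes

$tokenStore = [];

/** Create a fresh token for $userId and record its hash, expiry and unused state. */
function issueLoginToken(array &$store, int $userId, int $now): string
{
    $token = bin2hex(random_bytes(32));      // 256 bits from the CSPRNG, URL-safe hex
    $store[hash('sha256', $token)] = [
        'user_id' => $userId,
        'expires' => $now + TOKEN_TTL_SECONDS,
        'used'    => false,
    ];
    return $token;
}

/** Return the user id the token was issued for, or null if it is unknown, expired or already used. */
function redeemLoginToken(array &$store, string $token, int $now): ?int
{
    $key = hash('sha256', $token);           // look up by hash; the raw token is never stored
    if (!isset($store[$key])) {
        return null;                         // unknown token
    }
    $record = $store[$key];
    if ($record['used'] || $now > $record['expires']) {
        unset($store[$key]);                 // drop expired or replayed tokens
        return null;
    }
    $store[$key]['used'] = true;             // burn it: one login per token
    return $record['user_id'];
}

// Demo: issue a token for user 123, redeem it, then try a replay and an expired token.
$now   = time();
$token = issueLoginToken($tokenStore, 123, $now);
echo "Login URL (placeholder host): https://example.com/login/?token=$token\n";

$first  = redeemLoginToken($tokenStore, $token, $now);        // legitimate redemption
$replay = redeemLoginToken($tokenStore, $token, $now);        // same token presented again
$late   = redeemLoginToken($tokenStore, issueLoginToken($tokenStore, 123, $now), $now + TOKEN_TTL_SECONDS + 1);

printf("first: %s, replay: %s, expired: %s\n", var_export($first, true), var_export($replay, true), var_export($late, true));
```

On the ProcessWire side the redeemed user id is what you would hand to the session to start an authenticated session; the user-supplied id in the URL never is.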

What Teppo said - since the admin user is a known ID it would be trivial to log in as the admin this way and wreck your site (or actually install a module like Hanna Code, throw in some PHP and do significantly more damage to your server).

It's an extremely bad idea.
