bwakad, Posted August 13, 2014

In the user template of PW I see Email, Pass and Roles. I could not see where the Username comes from... probably the title?

I would like to know how people look at a secure login. Let's say email/pass vs phone/pass vs username/pass. What would be the most secure? If I know the email, or phone, or username, it would all mean the same: guess the pass...

Do I need to see login vs user template (with user extended fields) separately? For example, extended fields such as "about", "interests", etc. are all fields for a profile page / member page to display. I can add them to the user template and call them on another template without trouble. Why would I need to add those fields on a separate template?
Martijn Geerts, Posted August 13, 2014

> In user template of PW I see Email, Pass and Roles. I could not see where the Username comes from... probably the title?

The name field (this ensures the uniqueness of the user).

> I would like to know, how people look at a secure login

On every custom login send name / pass securely: use https or ssl.
Pete, Posted August 13, 2014

If you're building a member/customer site though and are dealing with real names, you might want to use email address and password, as there are many John Smiths in England, for example.
bwakad (Author), Posted August 13, 2014

You guys always give great suggestions to think about!

Pete: I was actually thinking about John Does. But to come back to this, I like to use email/pass for login since it is easier for people to remember. So I will change my login accordingly.

Martijn: Upon registration I create a page for this Member, and will use the username (as you say this is a unique field). However I do not know if PW checks the uniqueness on a front-end register by default. If not, what to do?

For the other part, I will add general fields to a member template in PW, so a logged-in user can edit these field contents without changing login credentials by mistake.
Martijn Geerts, Posted August 13, 2014

> Martijn: Upon registration I create a page for this Member, and will use the username (as you say this is a unique field). However I do not know if PW checks the uniqueness on a front-end register by default. If not, what to do?

The users are actual pages:

    users
    |
    +-- admin
    |
    +-- bwaked
    |
    +-- martijn

There's no way you could put a double bwaked in the above structure. (Remember the $users->get('bwaked') syntax, getting the bwaked user from the users PageArray.)

If you want to create a new user front-end, you should first check if the user already exists by asking for the id:

    if ($users->get('bwaked')->id) {
        // user already exists; if it didn't exist the returned id would be 0, which is false as a bool
    } else {
        // there's no bwaked, go ahead and create
    }

If you create a new user that already exists and you want to save this user, ProcessWire prevents saving (error).
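The existence check above carried through to a complete front-end registration handler, as an added example that is not Martijn's or the thread's code. It assumes a POST form with fields "username", "email" and "pass", a role named "member", and a landing page at /members/ (all assumed names).

```php
<?php
// Added example: register a front-end user only if the name is still free.
// Assumed form fields: username, email, pass. Assumed role: member.
$errors = array();

// normalise the name the same way ProcessWire does for page names
$name  = $sanitizer->pageName($input->post->username, true);
$email = $sanitizer->email($input->post->email);
// the password is left unsanitised on purpose: it only goes to the hasher
$pass  = $input->post->pass;

if (!$name) {
    $errors[] = "Please enter a user name.";
} elseif ($users->get($name)->id) {
    // $users->get() returns a NullPage (id 0) when nobody has that name
    $errors[] = "That user name is already taken.";
}
if (!$email) {
    $errors[] = "Please enter a valid email address.";
}
if (strlen($pass) < 8) {
    $errors[] = "Password must be at least 8 characters.";
}

if (!count($errors)) {
    $u = new User();
    $u->name  = $name;
    $u->email = $email;
    $u->pass  = $pass;        // hashed by the Password fieldtype on save
    $u->addRole('member');    // assumed role: give it only what the front end needs
    $users->save($u);         // a duplicate name here would throw a WireException anyway
    $session->login($name, $pass);
    $session->redirect($pages->get('/members/')->url); // assumed landing page
}

foreach ($errors as $e) {
    echo "<p class='error'>" . $sanitizer->entities($e) . "</p>";
}
```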
bwakad (Author), Posted August 13, 2014

Ok. Thanks for the heads up...

Now, when I use my login form (changed input to email), it does not let me log in.

    <input type='email' name='email' placeholder='Email Address' required/>

    $email = $sanitizer->email($input->post->email);
    $pass = $input->post->password; // need to sanitize this too?
    if($session->login($email, $pass)) {
        // login successful - change redirection later
    }

- edit -

I did find this code (ryan), and it seems I need to GET the email from registered users first. But it did not work. Thinking I need to say $users = somethinghere:

    if($input->post->login && $input->post->email && $input->post->pass) {
        $email = $sanitizer->email($input->post->email);
        $emailUser = $users->get("email=$email");
        if($emailUser->id) {
            $user = $session->login($emailUser->name, $input->post->pass);
            if($user) {
                echo "Login success!";
            } else {
                echo "Login failed!";
            }
        } else {
            echo "Unrecognized email address";
        }
    }
Martijn Geerts, Posted August 13, 2014 (edited)

You can't log in that easily with an email address. $session->login wants the name of the user (page name). Email is not unique in ProcessWire.

Something like this can work. (Could have a bug or 2, didn't test it.)

    $email = $sanitizer->email($input->post->email);
    $password = $input->post->password;
    $amount = $pages->count("template=user, email=$email, include=all");
    $error = false;

    if (!$email) {
        $error = "Not a valid email address";
    } elseif ($amount === 1) {
        // if we have only one user with this email address, give the username back
        $username = $users->get("email=$email, include=all")->name;
        try {
            $u = $session->login($username, $password);
            if ($u && $u->id) {
                // 1234 stands for the id of the page to land on; redirect() needs its URL
                $session->redirect($pages->get(1234)->url);
            } else {
                $error = "Login failed.";
            }
        } catch(WireException $e) {
            // throttle login
            $error = $e->getMessage(); // get the error message
        }
    } elseif (!$amount) {
        $error = "No user found";
    } elseif ($amount > 1) {
        $error = "multiple user accounts";
    }

    if ($error) {
        echo "<p class='error'>$error</p>";
    }

Edited August 13, 2014 by Martijn Geerts
bernhard, Posted August 13, 2014

Hi bwakad, this thread could be interesting for you: https://processwire.com/talk/topic/1716-integrating-a-member-visitor-login-form/

> $email = $sanitizer->email($input->post->email);
> $password = $input->post->password;

Is there a reason why you don't sanitize the password input here? I googled a little bit and found the link above with ryan's example code. He also didn't sanitize $input->post->password, so that should be good, but in the API docs it says:

> Always sanitize/filter any data you get from $input->get, $input->post, $input->cookie (and PHP's $_GET, $_POST, $_COOKIE if you use them).

Sorry for being a bit off-topic.
bwakad (Author), Posted August 13, 2014

Martijn, you are really good. I see that was quite a bit more than a normal login. It works!

Since I am using this in a modal (foundation) and this modal closes when submit is clicked, is it possible (in case of errors) to redirect and echo these errors?

ps. I have corrected some typos: missing ; and } at some places:

    <?php
    $email = $sanitizer->email($input->post->email);
    $password = $input->post->password;
    $amount = $pages->count("template=user, email=$email, include=all");

    if (!$email) {
        // checked first, otherwise the empty address can never reach this branch
        $errors = "Not a valid email address";
    } elseif ($amount === 1) {
        // if we have only one user with this email address, give the username back
        $username = $users->get("email=$email, include=all")->name;
        try {
            $u = $session->login($username, $password);
            if ($u && $u->id) {
                $session->redirect("/login");
            } else {
                $errors = "Login failed.";
            }
        } catch(WireException $e) {
            // throttle login
            $errors = $e->getMessage(); // get the error message
            $session->redirect("error-page"); // on that page: echo $errors
        }
    } elseif (!$amount) {
        // no account with this email address
    } else {
        // multiple user accounts
        $errors = "Login with username instead.";
    }
    ?>
bwakad (Author), Posted August 13, 2014

@zwergo I really have no clue about this since, as you also found out, no one does. I do however use <input type="password"/> and use the pattern [A-Za-z0-9](.{6,16}) on the PW pass field. So I am thinking it would be very hard to obscure code in that field... but you never know...
adrian, Posted August 13, 2014

> Is there a reason why you don't sanitize the password input here? I googled a little bit and found the link above with ryan's example code. He also didn't sanitize $input->post->password, so that should be good

Ryan explains why here: https://processwire.com/talk/topic/3543-register-users-and-add-page-same-as-username/?p=35151
Martijn Geerts, Posted August 13, 2014

@bwaked: "Practice makes perfect" (Übung macht den Meister).

Don't redirect on the session throttle (WireException).

If you set $errors = false; before all the if statements, then after the statements you could ask:

    $errors = false;

    // ... the if / elseif statements ...

    if ($errors) {
        // continue with the page.
        echo $errors;
    }
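Martijn's email lookup (post above) and his two follow-up points (initialise $errors, never redirect on the throttle exception) combined into one handler that stays on the page so a modal can reopen with the message, as an added example rather than code from the thread. It assumes a POST form with fields "login", "email" and "password" plus a CSRF token rendered by $session->CSRF->renderInput(); quoting the address with $sanitizer->selectorValue() is added here so the value cannot alter the selector.

```php
<?php
// Added example: email-based login that reports errors in place.
// Assumed form fields: login (submit), email, password, and the CSRF token field.
$errors = false;

if ($input->post->login) {
    $session->CSRF->validate(); // throws on a forged or stale token

    $email    = $sanitizer->email($input->post->email);
    $password = $input->post->password; // not sanitised: it only goes to the hasher

    if (!$email) {
        $errors = "Not a valid email address.";
    } else {
        // quote the value so it cannot add its own selector fields
        $sel    = "template=user, email=" . $sanitizer->selectorValue($email) . ", include=all";
        $amount = $pages->count($sel); // email is not unique in ProcessWire
        if ($amount === 1) {
            $username = $users->get($sel)->name;
            try {
                $u = $session->login($username, $password);
                if ($u && $u->id) {
                    $session->redirect($page->url); // logged in: reload this page
                }
                $errors = "Login failed.";
            } catch (WireException $e) {
                // login throttle: show the message, stay on the page, no redirect
                $errors = $e->getMessage();
            }
        } elseif ($amount > 1) {
            $errors = "Several accounts share this email; log in with your user name.";
        } else {
            // same text as a wrong password, so the form does not tell which emails exist
            $errors = "Login failed.";
        }
    }
}

if ($errors) {
    echo "<p class='error'>" . $sanitizer->entities($errors) . "</p>";
}
```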