By Jennifer Stock
Greetings. I would like to restrict access to certain sections of my organization's ProcessWire site using pubcookie. We are rolling out Shibboleth authentication later this year but for now, it seems I can only make use of our institution's single sign-on routine by utilizing rules in an .htaccess file.
I am wondering if there is a way to ask PW to apply these rules to certain pages in the site, whether via template type or location in the page tree:
AuthType UWNetID
PubcookieAppID "MyApplication"
require type staff faculty
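The pubcookie directives above are Apache configuration, so ProcessWire itself cannot "apply" them, and because every ProcessWire URL is routed through index.php a per-directory .htaccess does not line up with pages in the tree; the usual approach is a <Location> block in the server config that requires pubcookie for the URL prefix the restricted pages live under. The following added example (not from the post, and not ProcessWire's own code) shows the second half of that setup: a hook in site/ready.php that refuses to render pages of a given template unless Apache has already authenticated the request and populated REMOTE_USER. The template name "staff-only" is an assumption, as is running PHP as an Apache module (under FastCGI the variable may need to be passed through explicitly).

```php
<?php namespace ProcessWire;
// Added example: site/ready.php (not from the original post).
// Assumes Apache already requires pubcookie for the URL prefix these pages
// live under, so REMOTE_USER is set only after a successful SSO login.
// 'staff-only' is an assumed template name.

$wire->addHookBefore('Page::render', function(HookEvent $event) {
    /** @var Page $page */
    $page = $event->object;

    // Only pages using the restricted template are affected.
    if ($page->template->name !== 'staff-only') return;

    // Apache populates REMOTE_USER after its auth module accepted the user.
    // Under FastCGI/php-fpm it may arrive as REDIRECT_REMOTE_USER instead (assumption).
    $netid = $_SERVER['REMOTE_USER'] ?? $_SERVER['REDIRECT_REMOTE_USER'] ?? '';

    if ($netid === '') {
        // Fail closed: never render restricted content without an SSO identity.
        // A 404 reveals nothing about which URLs are protected.
        throw new Wire404Exception();
    }

    // Optionally make the identity available to the template file.
    $event->wire('session')->set('sso_netid', $netid);
});
```

The "require type staff faculty" authorization still happens in Apache; the hook is a second check that the identity actually reached PHP, and it keeps working if someone later moves the page to a URL the <Location> block does not cover.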
I posted a question on Stack and as yet have not got an answer that is something novel. I'm interested to know if this worries anyone else and whether we can do something about it.
So here goes:
If a user logs in to your online service, let's say a job posting site, they give you an email and password to access your service later... Let's say a malicious person with access to the server could write into the template to store the passwords as plain text somewhere. Given that people generally don't use a new password for each website, now that malicious person has the potential to access other online services using these details (where there isn't any secondary security like 2-factor).
Is there anything we can do to battle this? In an ideal world, maybe setting up a zero-knowledge algorithm to log people in and out...
food for thought
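Password hashing does not help against the scenario described above, because the attacker edits the code that sees the plaintext before it is hashed. What does help is noticing the edit: a file-integrity check over site/templates that records a SHA-256 manifest and reports any file that was modified, added or removed. The script below is an added example (not from the post, not part of ProcessWire); the paths are assumptions, and the manifest must live outside the web root where template edits cannot reach it.

```php
<?php
// Added example (not from the original post): integrity check for site/templates.
// Run from cron; a non-zero exit code means the templates changed since the baseline.
// The directory and manifest paths are assumptions.

/** Map of relative path => sha256 for every regular file under $dir. */
function buildManifest(string $dir): array {
    $manifest = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) continue;
        $rel = substr($file->getPathname(), strlen($dir) + 1);
        $manifest[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($manifest);
    return $manifest;
}

/** Human-readable list of differences between the stored and the current manifest. */
function diffManifest(array $known, array $current): array {
    $changes = [];
    foreach ($current as $path => $hash) {
        if (!isset($known[$path])) {
            $changes[] = "added:    $path";
        } elseif (!hash_equals($known[$path], $hash)) {
            $changes[] = "modified: $path";
        }
    }
    foreach (array_diff_key($known, $current) as $path => $_) {
        $changes[] = "removed:  $path";
    }
    return $changes;
}

$templatesDir = __DIR__ . '/site/templates';              // assumption: PW root
$manifestFile = '/var/lib/pw-integrity/templates.json';   // assumption: outside web root

$current = buildManifest($templatesDir);

if (!is_file($manifestFile)) {
    // First run: write the baseline. Verify by hand that the tree is clean first.
    file_put_contents($manifestFile, json_encode($current, JSON_PRETTY_PRINT));
    echo "Baseline written for " . count($current) . " files\n";
    exit(0);
}

$known   = json_decode(file_get_contents($manifestFile), true) ?: [];
$changes = diffManifest($known, $current);

if ($changes) {
    // Any change to a template that handles logins deserves a look.
    echo implode("\n", $changes), "\n";
    exit(1);
}
echo "OK: templates unchanged\n";
```

Pair this with version control and deploys that overwrite rather than edit in place, so an unexpected diff is always suspicious rather than routine.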
A question regarding security/best-practice concerning a simple front-end login through AJAX calls. My plan is to use this kind of module inside a small AngularJS architecture to update the entire application when someone is logged in/out.
I've made a simple HTML form in which the user can log in by typing his/her username and password in the corresponding fields. After submitting the form, these values are fetched with jQuery. Then an Ajax GET request is made with these values to a page which has access to the ProcessWire API. This page checks if these values (after sanitization) correspond to an existing user in the CMS.
If the user and password match, the user is logged in, and a success message is returned.
If the user and password do not match, an error message is returned.
I don't know much about encryption, therefore I highly doubt that this is a 'safe' way of doing things. Hopefully someone can give me some pointers on this!
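The part of this design that needs changing is not encryption (TLS covers the wire) but the GET request: credentials in a query string end up in browser history, proxy caches and Apache access logs. An added example (not from the post, not ProcessWire's own code) of the endpoint done as a POST that checks the CSRF token, lets ProcessWire verify the stored password hash, and answers with JSON; the template file name ajax-login.php and the form field names are assumptions.

```php
<?php namespace ProcessWire;
// Added example (not from the original post): site/templates/ajax-login.php.
// The form page embeds $session->CSRF->getTokenName() / getTokenValue() in a
// hidden field and the AJAX call POSTs it along with username and password.

header('Content-Type: application/json');

function respond(int $status, array $body): void {
    http_response_code($status);
    echo json_encode($body);
    exit;
}

// Only accept AJAX POSTs, and only over HTTPS so the password is never sent in clear.
if (!$config->ajax || ($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
    respond(405, ['ok' => false, 'error' => 'POST via AJAX required']);
}
if (!$config->https) {
    respond(403, ['ok' => false, 'error' => 'HTTPS required']);
}

// validate() throws WireCSRFException when the token is missing or wrong.
try {
    $session->CSRF->validate();
} catch (WireCSRFException $e) {
    respond(403, ['ok' => false, 'error' => 'bad CSRF token']);
}

// Logout is the same endpoint with action=logout (assumed parameter name).
if ($input->post('action') === 'logout') {
    $session->logout();
    respond(200, ['ok' => true, 'loggedIn' => false]);
}

$name = $sanitizer->pageName($input->post('username'));
$pass = (string) $input->post('password');   // never sanitize or trim the password

if ($name === '' || $pass === '') {
    respond(400, ['ok' => false, 'error' => 'missing credentials']);
}

// $session->login() compares against the stored hash and returns the User or null.
$u = $session->login($name, $pass);
if (!$u) {
    // One message for unknown user and wrong password: no account enumeration.
    respond(401, ['ok' => false, 'error' => 'invalid credentials']);
}

respond(200, ['ok' => true, 'loggedIn' => true, 'user' => $u->name]);
```

After a successful login the browser holds ProcessWire's session cookie, so later AJAX calls can simply check `$user->isLoggedin()` on the server; the client does not need any extra secret to prove who it is.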
By Vineet Sawant
I'm working on a simple Ionic app which is going to use ProcessWire as the backend.
This app allows people to upload images and then like/comment on them. It's a lot like a stripped down imgur app.
I've set up some basic services such as register, login & reset password.
There are a couple of things I am doubtful about.
1. How do I get the user's unique session ID once he's successfully authenticated through AngularJS's http post request?
I'm currently using following code:
$sessions = $session->getAll();
$session_id = $session->_user["fingerprint"];
But I'm not sure if that's the right way to do it. I'm not even sure if that's the session id. I know there's something called SessionCSRF["name"], I tried that.
I'm sending session_id as response to http post request. Then I'm using that session id to check if user is authenticated for his/her further actions such as commenting/liking/posting etc.
2. Now that I've got the session id, how do I identify the user based on the given session id? Or should I send the user ID back to PW every time the user performs any action?
Is it possible to identify user just based on the session fingerprint that I'm giving back to the app?
Among other things I'm considering is keeping a device id on the server for each user, so as to gain better control over the user's sessions.
I can log out all the devices linked at once etc.
I'd really love to hear from you guys how you'd plan to do this app. I'm experienced with PW but not very much with AngularJS.
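The value in `$session->_user["fingerprint"]` is not the session id: ProcessWire derives it from request properties such as the client's IP address and user agent, so it is neither secret nor unique and must not be handed out as a credential. For a mobile app the cleaner design is a bearer token the API issues itself, one per device, with only its hash stored on the user. That also gives the "log out all devices at once" control directly. The following is an added example (not from the post, not ProcessWire's own code); the user field `api_tokens` (a textarea holding JSON) and the 30-day lifetime are assumptions, and whether Apache passes the Authorization header through to PHP depends on the server configuration.

```php
<?php namespace ProcessWire;
// Added example (not from the original post): per-device API tokens for a PW backend.
// Assumes a textarea field 'api_tokens' on the user template that stores JSON of
// deviceId => ['hash' => sha256(token), 'issued' => unix time].

/** Issue a fresh token for one device; call right after $session->login() succeeded. */
function issueToken(User $u, string $deviceId): string {
    $token  = bin2hex(random_bytes(32));                 // 256-bit secret, sent to the app once
    $tokens = json_decode($u->api_tokens ?: '[]', true) ?: [];
    $tokens[$deviceId] = ['hash' => hash('sha256', $token), 'issued' => time()];
    $u->of(false);
    $u->api_tokens = json_encode($tokens);               // only the hash is persisted
    $u->save('api_tokens');
    return $token;
}

/** Resolve the user behind "Authorization: Bearer <token>"; null if absent, unknown or expired. */
function userFromBearer(Users $users, string $header, int $maxAge = 30 * 86400): ?User {
    if (!preg_match('/^Bearer ([0-9a-f]{64})$/', $header, $m)) return null;
    $hash = hash('sha256', $m[1]);
    // The hash is unguessable, so a substring match on the JSON narrows the candidates safely;
    // hash_equals() below is the actual comparison.
    foreach ($users->find("api_tokens%=$hash") as $u) {
        $tokens = json_decode($u->api_tokens ?: '[]', true) ?: [];
        foreach ($tokens as $entry) {
            $ok = isset($entry['hash'], $entry['issued'])
                && hash_equals($entry['hash'], $hash)
                && (time() - (int) $entry['issued']) < $maxAge;
            if ($ok) return $u;
        }
    }
    return null;
}

/** Revoke every device at once: the "log out everywhere" action from the post. */
function revokeAllTokens(User $u): void {
    $u->of(false);
    $u->api_tokens = '[]';
    $u->save('api_tokens');
}

// --- In an API template file (assumed): authenticate each request up front ---
$authHeader = $_SERVER['HTTP_AUTHORIZATION'] ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION'] ?? '';
$apiUser = userFromBearer($users, $authHeader);
if (!$apiUser) {
    http_response_code(401);
    header('Content-Type: application/json');
    echo json_encode(['ok' => false, 'error' => 'authentication required']);
    exit;
}
// From here on, comments, likes and uploads are attributed to $apiUser on the server side;
// the app never needs to send a user id, and cannot act as someone else by changing one.
```

Send the token to the app only once, over HTTPS, and have the app store it in the platform's secure storage; to revoke a single device, unset just that device's entry instead of clearing the whole field.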