Moodle - Get current User session key - single-sign-on

I'm trying to create a new API that allows me to automatically check session status from an external application (SSO) based on the presence of a cookie (cross-domain),
following moodle's logic (code), I found that you key session key by just calling sesskey() function (based on $_SESSION['USER'] )
but when I call this function in externallib file every time it gives me a new random session key
The problem was call sessKey() from an external lib get an empty $_SESSION['USER']
any help would be greatly appreciated

Related

Specify Google Task ID on insert

I am working with Google Tasks, using the PHP library:
https://developers.google.com/tasks/v1/reference/tasks
I am trying to insert a task with a custom ID.
I found this topic:
Setting id to task using Google Task API returns 400 invalid value
which points to this topic:
Google tasks update error
They suggest to send the Task ID with the Task title. I think I have done that.
This is the code info from the Google API reference
$task = new Task();
$task->setTitle('New Task');
$task->setNotes('Please complete me');
$task->setDue(new TaskDateTime('2010-10-15T12:00:00.000Z'));
$result = $service->insertTasks('#default', $task);
echo $result->getId();
This is my code, I got setID() from the library itself.
$taskNew = new Google_Service_Tasks_Task();
$taskNew->setId('2013');
$taskNew->setTitle('Notify');
$taskNew->setDue(new TaskDateTime('2018-10-27T00:00:00.000Z'));
$results3 = $service->tasks->insert('.....', $taskNew);
I keep getting an error and it refuses to make the task.
Using this API tool:
https://developers.google.com/apis-explorer/#p/tasks/v1/tasks.tasks.insert
I can insert tasks successfully, so long as the system makes the ID. The Google Task API will insert the task, but assign its own ID.
If I specify a custom ID, then I get a 400 error "Invalid value".
I am making tasks to correspond to events saved in my program's database. I need to be able to find the task that matches a database event when I need to make changes to the due date or completed.
The reason I want to set my own ID, is so I can find the specific task and make changes.
I could add a new field to the database with the ID that google generates. But I would prefer to not have to change the database and the rest of the program as well.
Thanks so much for any help,
- Jon
Task Id is the read-only parameter.
I solved this question by using a prefix for the task`s Title.
For example: "[my_id] Task Title".

Set default Global XSS filter- Session - CodeIgniter 3x

Hope someone can help me explain some of my questions in order:
1. When i set application/config/config.php:
Determines whether the XSS filter is always active when GET, POST or
COOKIE data is encountered.
$config['global_xss_filtering'] = TRUE;
So if I set the default value is FALSE. What benefits will I get? For example, the performance or processing speed of the server?
2. Session
function save(){
$data = $this->input->post('number',TRUE);
$this->session->set_userdata('TEST',$data);
}
//Suppose Client request GET to action
function insert(){
$num = $this->session->userdata('TEST');
//Do I need to filter data in session?
$num_clean = $this->security->xss_clean($num );
$this->model->run_insert($num_clean);
}
I do not trust the user. And I still do not understand much about: session activity
The server just sends the ID Session to the client. Does the server send the data, which I set up to the session, to the client?
Best way xss_clean for session Which i am using is: Filter the client data by xss_clean input class. Is that enough? And need to re-filter session again?
Hope someone helped me because I just using only Codeigniter's XSS filter. Thanks
part 1:
From CodeIgniter User Guide Version 2.2.6
XSS Filtering
CodeIgniter comes with a Cross Site Scripting Hack prevention filter which can either run automatically to filter all POST and COOKIE data that is encountered, or you can run it on a per item basis. By default it does not run globally since it requires a bit of processing overhead, and since you may not need it in all cases.
It's not something that should be used for general runtime processing since it requires a fair amount of processing overhead.
So answerto your 1st part of question : yes ,
setting $config['global_xss_filtering'] = false; has performance benefits. also in codeigniter 3 its This feature is DEPRECATED. So i prefer to set it false.
part 2 :
Session is different from cookie
Unlike a cookie, the information is not stored on the users computer. So when you store a session ,its safe to trust the session data.
session data are stored in server. Most sessions set a user-key on the user's computer that looks something like this: 765487cf34ert8dede5a562e4f3a7e12. Then, when a session is opened on another page, it scans the computer for a user-key. If there is a match, it accesses that session, if not, it starts a new session.
here is a simple guide to session to read https://www.w3schools.com/php/php_sessions.asp
deftailed one : http://php.net/manual/en/intro.session.php
in short $num_clean = $this->security->xss_clean($num ); this is unnecessary.

Logging with Email and Password , Not with Username Yii 2

How I can manage to login with email address,not with the standart (username + password).I enter the website with my Users in my DataBase , but is there a way to change that to be with email address instead of that user name , because when I use Gii , I got a lot of errors , even I try to fix those errors
First, try to locate your SiteController or any other Controller you use for the index route. It should have an action function that corresponds to the login route; it is usually with signature public function actionLogin().
You should see the initialized model (usually, the LoginForm model). The model should have a function for login logic which is checked to determine user authenticity. You should find that this function invokes another login function which requires the User object as first argument/parameter. The function is usually the $this->getUser() function.
Looking into this will point to you a call to the actual data model that fetches user by whatever criteria/property you specify; this can be email or anything else that might not even need be unique but generally, you want to use a unique data property like username and email. This function relies on the User data model. It, by Gii default, calls the function User::findByUsername(search_property)
Yii2 provides a default User model that implements the Identity interface; that's where you want to make the adjustment you need. It should have the required static function findByUsername() or something similar. You would find that Yii2 default searches within static data to find user, you should link that to you (User) data model which I assume you generated using Gii.
My Gii sequence usually looks like such:
List item
Generate the yii2-basic/yii2-advanced using composer
Create Database (I have a user table in there) and set proper db credentials in config/db.php
Rename the default model/User.php to model/OldUser.php
Create Data Models using Gii
Make the newly generated User Model implement IdentityInterface to allow Yii2 freely-given session management by adding implements yii\web\IdentityInterface to the class declaration.
Implement all the required methods of the IdentityInterface. You can check in `model/OldUser.php' for guidance.
Create static functions to findUserByEmail($email) or findUserByUsername($username)
Mine usually look like this
I hope this helps.
I made it just change everywhere where must be email,instead of username,because of Yii default username loggin , thank u for the advices

How to get the current user using jsonwebtoken in Sails.js?

I've been working with Sails since couple of weeks ago, I came from Rails and I don't have any experience working with Node.js.
Now I'm trying to make a robust token authentication using jsonwebtoken.
https://github.com/auth0/node-jsonwebtoken
I followed this guide http://thesabbir.com/how-to-use-json-web-token-authentication-with-sails-js/ and everything worked fine.
I'm able to make a sign up, sign in and then use the token correctly for different actions.
Now, there are some actions where I'd like to use the login user,
something like devise current_user helper.
For example, when creating a comment, this comment should belongs to the current user.
Using Sabbir Ahmed guide, in the line 33 from the isAuthorized.js policy the token gets decrypted so I can get the current user id from there.
So, my question is, what should be the best way to get the current user and be able to use it later in some controller?
For example I tried something like:
# isAuthorized.js line 34, after getting decrypted token
User.findOne({id: token.id}).exec(function findOneCB(err, found){
currentUser = found;
});
But, on this way, because this is an async action I can't use this currentUser in a controller.
I want to store the current user in order to be able to use it later in some controller without repeated the same code in each controller, something like a helper or maybe a service.
The trick is where you place the next(). Since you are making an async call, the control should only be transferred to next policy/ controller once the database action is competed.
You should modify the policy to:
User.findOne({id: token.id}).exec(function findOneCB(err, found){
if(err) next(err);
req.currentUser = found;
next();
});
And you should be able to access the user details in controllers that use isAuthorized policy via req.currentUser
If by
For example, when creating a comment, this comment should belongs to the current user.
what you mean is certain attributes like username, and country etc, rather than querying the database after verification, what you can choose to do is to send these additional attributes to jwToken.issue in api/controllers/UsersController.js
eg.
jwToken.issue({
id: user.id,
username: user.name,
country: user.country
})
How that helps is, you can keep api/policies/isAuthorized.js as is, and in all the controllers that you use in the future, you can access the payload values from as
token.username or token.country
Instead of having to query the database again, thereby saving you valuable response time.
Beware however, of the data you choose to send in the token (you could also send {user:user} if you want to) however, as the secret key or hashing is not required to decrypt the payload as you can figure # jwt.io , you might want to exercise restraint.

Ending or dropping an Asp.net Session

I'm creating a session to transfering data between asp.net pages. Here is my session create in first page:
Session["Data"]=depo.Value;
Response.Redirect("rapor.aspx");
I using it with rapor.aspx(second page):
TextBox1.Text = Session["Data"].ToString();
this process runs perfect.But after I read data from session,I will end(drop) the session,because I don't will occupying the server.I'dont will using timout,I'll ending(droping) the session after user getted the data on second page.is tehere any way to do ending(droping) asp.net session?i.e
Session["Data"].end ?
If you want to only remove the key "Data" from your session you can do:
Session.Remove("Data");
But if you want to completely end the session and delete it's contents, you can do:
Session.Abandon();
Session.Clear();
See How to Kill A Session or Session ID (ASP.NET/C#) for more discussion on this topic.
To destroy a session, use
Session.Abandon();
If you want to remove a specific item from the session use
Session.Remove("YourItem");
And if you only want to clear a value use
Session["YourItem"] = null;