I have a basic plugin where I create some data when a user fills out form.
When the user enter a email which is already used I add a flash message and forward him back to the same form.
This works.
But after everything is OK I redirect the user to an another page, there I would like to show an another flash message like "Account created". But the Flash message is not being displayed at all.
Setting and redirectit this way:
$this->addFlashMessage('Account created', null, \TYPO3\CMS\Core\Messaging\FlashMessage::OK, true);
$this->redirect(null, null, null, null, $this->settings["loginPageUid"]);
Render this way:
<f:flashMessages />
Did I miss something?
Setting the Flash message and showing it is inside the same extension/plugin, it's also the same view.
typo3 version 9
The issue was that we deleted the cookie fe_typo_user on a completly different place because we thought that's the correct way to log out a user. But this cookie is also used for the Flash message session.
Now we us:
GLOBALS['TSFE']->fe_user->logoff();
$GLOBALS['TSFE']->loginUser = 0;
to log him out and didn't touch the cookie at all.
Related
After a user has failed to log in too many times in too short a time, is there a way to have the Keycloak login screen tell the user that they are temporarily locked, so they can know they have to wait and try again later?
At the moment, it continues to tell them their password is wrong, so they will probably keep trying, and may end up being told their correct password is incorrect.
Keycloak provides you the possibility to define custom messages and to provide a custom theme where you can overwrite certain views and messages as well as provide messages for other languages.
https://www.keycloak.org/docs/latest/server_development/#_themes
Custom message key
You can modify the message key 'invalidUserMessage' which is the message shown when the user is locked. It defaults to 'Invalid username or password'.
We do it by providing a custom theme for the login type, but you can modify the message key provided by the keycloak installation at 'keycloak/themes/base/login/messages/messages_en.properties'.
Custom view
When you provide a custom login-password.ftl or login.ftl, depends on what you use, then you could check for the message during the rendering, and conditionally render a part which is only shown when the user is locked.
<#assign userLocked = message?? && message.summary == msg("invalidUserMessage")>
<#if section = "header" && !userLocked >...<#/if>
For instance, we use it in javascript to disable all inputs when we see that the user is locked along with displaying the modified message to the user.
<script>
const serverFieldErrors = {
"password": "${(message.summary)!""}"
}
if (serverFieldErrors.password === "${msg('invalidUserMessage')}") {
document.querySelectorAll("input").forEach((element) => element.setAttribute("disabled", "disabled"));
}
</script>
To my knowledge, keycloak provides no other way to handle such a use case.
I am having issues using the Facebook send dialog. If I open this window in a new browser, everything works:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
So by doing that, I am able to send a message just fine. However, I need this to be in an iframe, which according to the send dialog documentation, this should work. So I then do this:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&display=iframe
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
Doing so, I get the following error:
API Error Code: 102
API Error Description: Session key invalid or no longer valid
Error Message: Iframe dialogs must be called with a session key
I find it a little strange that I can do this with a popup, but they require a session key for iframe. But even so, that isn't a problem. Because I have already gotten an access_token. So, this should work then:
https://www.facebook.com/dialog/send
?app_id=[My_App_Id]
&display=iframe
&redirect_uri=https%3A%2F%2Fwww.example.com%2Fcallback
&link=https%3A%2F%2Fexample.com%2Fimage.jpg
&access_token=[MY_OAUTH_ACCESS_TOKEN]
The access token was obtained from calling /v12.0/dialog/oauth, and I have confirmed that the access_token is valid:
However, I now get this message:
This Content Isn't Available Right Now
When this happens, it's usually because the owner only shared it with a small group of people, changed who can see it or it's been deleted.
So now this really makes no sense. I can send this link just fine if I use a popup with NO access_token present. But to set the display to iframe, I must include the token, which is fine, but it doesn't like the token for some reason?
It is also worth noting that this behaves the same way regardless if the Facebook app is in development mode or live mode. In development mode, all of the permissions should work for my test users. So it seems very unlikely that this is a permissions issue?
Anybody have any insight on this at all?
I'm using oracle apex 5.
From the application, I'm sending mails for different users with different page links based on user roles.
For example, my app_id is 222.
For an user: the url link sent to user mail id is <hostname>:<port>/apex/f?p=222:5
For a manager: the url link sent to user mail id is <hostname>:<port>/apex/f?p=222:7
In Chrome it works fine, as the user or manager goes to link and after login, they are redirected to respective pages as 5 or 7.
But in IE, it always goes to Home page which is 1.
I have tried with APEX_CUSTOM_AUTH.LOGIN in the after submit branch pl/sql procedure of login button as well (of the login page ).
BEGIN
APEX_CUSTOM_AUTH.LOGIN (
P_UNAME => :P101_USERNAME,
P_PASSWORD => :P101_PASSWORD,
p_session_id => V('APP_SESSION'),
p_app_page => :APP_ID||':7'|| :p_session_id);
END;
Again it works good in chrome, but NOT in IE.
In IE, it always goes to home page. IE version is 11. Why in IE, it's not able to goto the page needed?. Please help.
(Chrome version 54. By the way how it works good in chrome?).
This is not academic solution but will work.
Set a parameter in your application to know if people comes from a mail or normal login.
Set a parameter in your application where you store the value from the link in the mail.
Now the magic, do a Dynamic Action on Page Load and use JS to redirect to the desired page, obviously the DA has to be conditional and the condition must be the parameter where you came from.
This question already has answers here:
Prevent user from seeing previously visited secured page after logout
(7 answers)
Closed 6 years ago.
I have a JSP page with a form where you fill up certain details. On submitting the form i call a servlet which then updates details in a database after that i redirect to a page i display a confirmation message to the user.
The problem i have here is when the user clicks back he goes to the form page again where if he clicks a submit button, it creates a new record in the database.
Consider this similar to a shopping cart example where in this case he would buy the same item twice. But the only problem here is i cannot handle this in backend, i.e. the database can never know a redundant operation is taking place.
I need to handle this from the client side.Bit weird but i have to do it this way.
Basically when the user clicks the back button i don't want him to be able to go to the form page and may be just to some other page.
This is a typical HTML form issue, you can solve it through any one of following methods
1) Server side (page expiration): Since you've mentioned that the page refreshes and goes to the confirmation. You can set no-cache and add a page expiration time as -1 to the page you have that form.
So that when user presses the back button, he will see that the page has expired. He will be forced to load the page freshly. This is the behavior that I see in most banking websites.
Response.Buffer = True
Response.ExpiresAbsolute = Now() - 1
Response.Expires = 0
Response.CacheControl = "no-cache"
2) Using turn Key method: When the form loads, you can generate a random key in session memory and also embed it as a hidden value in the page.
During form submission, check the submitted hidden key against the value in session. If exists, then add the entry to database otherwise you can reload the page with a fresh key for the user (who might have done that unintentionally).
In load balanced or web farms, consider persisting the turn key in Database against the current user.
3) Client Side (Not recommended) : You can restrict the user from using the browser back button by removing the page from the history. (One side effect is that it will remove the entire history for that browser tab/window)
history.pushState(null, null, document.title);
window.addEventListener('popstate', function () {
history.pushState(null, null, document.title);
});
If you need the same support for older browsers where push and pop states are not supported, you can use following snippet.
<script>
function preventBack() {
window.history.forward();
}
setTimeout("preventBack()", 0);
window.onunload = function() {
null
};
</script>
Before redirecting to the JSP page send these headers with the response from the controller so that the page is not stored in cache and the browser will always request a new page from the server.
response.setHeader("Cache-Control", "no-cache, no-store, must-revalidate"); // HTTP 1.1.
response.setHeader("Pragma", "no-cache"); // HTTP 1.0.
response.setDateHeader("Expires", 0);
So every time you go back to that page a new page will be requested from the server and will be displayed with the cleared input fields.
You could implement a PRG-Pattern (https://en.wikipedia.org/wiki/Post/Redirect/Get) using php.
Basically, after successfully submitting the form you redirect to a confirmation page which informs the user that their submission was successful/accepted/etc. and also set a variable which you can later use to check if said submission has been submitted yet.
When the user tries to reload said page or go back you can check the variable and display either the form again or the confirmation page based on if the submission has been submitted already.
I think following flow is the best:
Client submits data to server
Servlet processes it
It returns HTTP 303 redirect to client
Client redirects to success page
After this flow, refresh, back button will work properly.
For more information read Simple Post-Redirect-Get code example
first post in SO, even though I've been browsing it for years now to solve those mind-blowing and not so much coding problems.
What I want to do is:
* Use hash navigation (#!/).
* Use Zend controller actions, not php files.
* Load these actions through javascript/jQuery.
So far, I've got this working:
indexController, several Actions, each attached to AjaxContext via addActionContext(), I can call them though my javascript/jQuery file via "hashchange" plugin jQuery(window).hashchange(function(){ bla bla }). I can cycle through actions just fine.
But I want to redirect the user to a login page if he/she is not logged in, which brings me to my issue: How can I achieve that? The redirection is made to another controller (login controller, login action). I was trying something like $this->_redirect('/#!/login/login'); w/o any luck (yes, I've set up an AjaxContext in that controller's init). I keep getting a redirection error ("The page isn't redirecting properly"). If I just type in the address bar "/#!/login/login" I get everything display properly.
Anyway, thanks in advance!
Cheers
Now this starts to get complicated if you ever introduce other non-ajax contexts, but you could add the Ajax context to the Error Controller. Then have the error controller return JSON for the unauthenticated exception if the active context was AJAX (and keep the redirect if the default context was active). Your JS would then listen for that specific error provided by the JSON and manually bounce the user to the appropriate login URL.