vBulletin login from subdomain - vbulletin

I have a rather special need: logging in to vBulletin not from the forum directly. I looked through topics by searching "vbulletin login", but found nothing.
So here's the structure:
- domain.com - main site, access is restricted by IP range
- domain.com/forum/ - vB with the cookie host set to .domain.com; of course, it's also restricted by IP
- extra.domain.com - secondary site which is available to almost anyone ('almost' includes users of vB created manually via ACP)
As for now, users already authenticated at domain.com/forum/ are recognized both at domain.com and at extra.domain.com.
So the problem is to log in from extra.domain.com to domain.com/forum/.
However, I can't just post the entered usernames and passwords to the forum because of the IP restriction. As I get it, there should be some wrapper which will do the whole login procedure via cURL or somehow, get all the cookies and then return them to the user.
First of all, please tell me if I'm on the right track in my thoughts? Also, are there any other ways to complete the task without having to spend hours with an HTTP sniffer? I mean, are there any SOAP plugins for vB auth from trusted domains? Forum version is 4.0.8.

Does the code on the secondary site have access to the vBulletin code & database? If so, you can handle vBulletin logins in PHP like so:
<?php
// Run this from the secondary site's own login handler; $username and
// $password are the credentials the user submitted to that form.
chdir('/directory/where/vbulletin/is');
require_once('global.php');
require_once(DIR . '/includes/functions_login.php');

// Check for too many login attempts
$strikes = verify_strike_status($username, TRUE);
if ($strikes === FALSE || $strikes >= 5)
{
    // TODO: Your error handling here
    exit; // must not fall through to the authentication attempt
}

// Attempt authentication
if (!verify_authentication($username, $password, '', '', TRUE, TRUE))
{
    exec_strike_user($username);
    // TODO: Handle bad username & password here
    exit; // must not fall through and create a session for a failed login
}

// Clear records of previous bad logins
exec_unstrike_user($username);

// Create a new session
process_new_login('', TRUE, '');
The code above should work with vBulletin 3.8.x, but from what I remember of 4.x, it shouldn't take much tweaking to make it work with 4.0.8.
Set the 5th parameter of verify_authentication to false if you wish to make the login non-persistent (like not checking "Remember Me" on login).
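The other route the question sketches, a server-side wrapper on extra.domain.com that performs the forum login itself and hands the resulting cookies to the browser, as an added Python example that is not part of the question or the answer above. The login URL, the form field names (vb_login_username, vb_login_password, cookieuser, securitytoken) and the "a failed login re-renders the login form" check are assumptions about vBulletin 4 that should be confirmed against the actual forum; the HTTP call is isolated in fetch_forum_login so the cookie handling can be exercised without the forum.

```python
"""Login relay: the secondary site takes the user's credentials, performs the
vBulletin login against the IP-restricted forum from the server side, and
hands the resulting cookies to the browser.

Assumptions (not stated in the original post): the forum is vBulletin 4 at
FORUM_LOGIN_URL, login.php takes the vb_login_username / vb_login_password /
cookieuser fields, and a failed login re-renders that form.
"""
import urllib.error
import urllib.parse
import urllib.request
from http.cookies import CookieError, SimpleCookie

FORUM_LOGIN_URL = "https://domain.com/forum/login.php?do=login"  # assumed
COOKIE_DOMAIN = ".domain.com"  # the cookie host the question says vB is configured with

# Only the cookies vBulletin uses to recognise a logged-in user are handed to
# the browser; anything else the forum (or a proxy in front of it) sets stays here.
RELAYED_COOKIES = {"bbsessionhash", "bbuserid", "bbpassword",
                   "bblastvisit", "bblastactivity"}


def build_login_form(username, password, remember=False):
    """Encode the POST body vBulletin's login.php expects (field names assumed)."""
    return urllib.parse.urlencode({
        "vb_login_username": username,
        "vb_login_password": password,
        "cookieuser": "1" if remember else "0",  # "Remember Me"
        "do": "login",
        "securitytoken": "guest",
    }).encode()


def rewrite_set_cookies(set_cookie_headers, domain=COOKIE_DOMAIN):
    """Turn the forum's Set-Cookie headers into the ones the relay sends back.

    The value, path and expiry the forum chose are kept; the domain is pinned to
    the shared parent domain so domain.com/forum/ receives the cookie, and
    Secure/HttpOnly are forced because the relay is the only place that can.
    """
    out = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        try:
            jar.load(header)  # one header -> one morsel plus its attributes
        except CookieError:
            continue          # malformed header: never forward it blindly
        for name, morsel in jar.items():
            if name not in RELAYED_COOKIES:
                continue
            morsel["domain"] = domain
            morsel["secure"] = True
            morsel["httponly"] = True
            out.append(morsel.OutputString())
    return out


class _KeepRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the first response carries the Set-Cookie headers."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_forum_login(form_body):
    """POST the form to the forum; return (status, Set-Cookie headers, body)."""
    req = urllib.request.Request(
        FORUM_LOGIN_URL, data=form_body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        resp = urllib.request.build_opener(_KeepRedirect()).open(req, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err  # an unfollowed 3xx is raised, but it is still the response
    return resp.code, resp.headers.get_all("Set-Cookie") or [], resp.read()


def login_failed(body):
    """Assumed failure check: vBulletin re-renders the login form on bad credentials."""
    return b'name="vb_login_username"' in body


def relay_login(username, password, remember=False, fetch=fetch_forum_login):
    """Return the Set-Cookie headers to emit to the browser, or None on failure.

    The relay sees plaintext passwords: serve it over TLS only, never log the
    form body, and rate-limit it so it cannot be used to guess passwords
    faster than the forum's own strike limit allows.
    """
    _status, set_cookies, body = fetch(build_login_form(username, password, remember))
    if login_failed(body):
        return None
    cookies = rewrite_set_cookies(set_cookies)
    # Without a session cookie the forum did not actually log anyone in.
    if not any(c.startswith("bbsessionhash=") for c in cookies):
        return None
    return cookies
```

The relay's handler would call relay_login with the submitted credentials and emit each returned string as its own Set-Cookie header; because Domain is .domain.com, the browser then presents the forum session to domain.com/forum/ without the user's browser ever having to reach the IP-restricted host for the login itself.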


Where else can I find alternate login URL aside from $CFG->alternateloginurl

I'm currently troubleshooting a login issue for a deployed Moodle. The login page uses an alternate page, which I have managed to identify. The alternate page treats everything except a successful login as an invalid or expired login or password, and some correct logins and passwords are also getting the same issue. I am trying to restore the Moodle instance to use its default login page but did not find any $CFG->alternateloginurl configuration set in moodle.php. Kindly provide any pointers you can think of on where to look next to restore the login page.
PS: I've also searched within the active theme, and there have not been any code changes. It uses a variant of Moove.
Thank you
Rest assured that it's a common issue:
https://docs.moodle.org/401/en/Managing_authentication#Alternate_login_URL
There is an entry in the database:
SELECT *
FROM mdl_config
WHERE name = 'alternateloginurl';
Note the value, just in case, then blank it out:
UPDATE mdl_config
SET value = ''
WHERE name = 'alternateloginurl';
Then purge the cache to update Moodle:
php admin/cli/purge_caches.php
When you do manage to log in, check which other authentication methods are active via
Site administration > Plugins > Authentication > Manage authentication
https://docs.moodle.org/401/en/Managing_authentication
The default methods are manual and email self registration, although self registration is disabled by default in the settings on the same page (registerauth).

OWASP ZAP Authentication - can't stop it using zap/zap

I can't get ZAP past the login page. It just fixates on the login and forgotten password forms.
I have followed various official HOWTOs and this FAQ, but even though I have deleted the zap user, it still uses login_id=ZAP&password=ZAP when trying to log in.
I'm in standard mode, forced user mode is on, the forced user is defined, logged in and logged out strings are defined - and I have tried others.
login form target url: https://xxx.yyy.net/affiliate_login_action.ido
login request POST data: login_id={%username%}&password={%password%}
logged in regex: \QLogout\E
logged out regex: \QAgent Login\E
I can't think what else to try.
The regexes don't seem right. In my experience, when you don't specify correct logged in/logged out regexes, ZAP just uses ZAP/ZAP.
Try changing the regexes to .*\QLogout\E.* and .*\QAgent Login\E.*

SSO for DNN websites

My requirement is this:
I have a DNN website www.websiteA.com.
I want to build www.websiteB.com and www.websiteC.com on the same DNN installation. www.websiteB.com and www.websiteC.com should allow users of www.websiteA.com to login with the same username and password.
When a user logs in to www.websiteA.com, and then navigates to www.websiteB.com or www.websiteC.com, they shouldn’t have to login again as they are already logged in to the main website.
I found modules that will let me share users between these websites, such that they can login to any of the three websites using the same credentials.
However, I cannot find a way to login a user to all websites simultaneously, so that the user does not have to login again.
I would prefer to do this without modifying the DNN source too much. Since all three websites are on the same DNN installation, I was hoping there would be a way to share authentication cookies, but I haven't found any yet.
Can anyone provide me more direction in this matter? Thanks!
I did this exact thing for two clients using the Site Groups feature, but it required the caveat mentioned in the comments above. You must use child aliases for your other portals so that they are all on the same domain. That is key, so that the user's session cookie can be used across portals.
So this is how I setup the portal aliases:
websiteA = portal 0, alias websiteA.com (Primary)
websiteB = portal 1, alias websiteA.com/b (Primary) and alias websiteB.com redirect alias
websiteC = portal 2, alias websiteA.com/c (Primary) and alias websiteC.com redirect alias
The Site Groups user interface to manage the groups is an Evoq feature, but the backend is a core platform structure.
Here is how you would configure it without the UI in DNN Community:
Create a record in the PortalGroups table with MasterPortalID = 0, PortalGroupName = 'WebsiteA Group' and AuthenticationDomain = 'websiteA.com'.
Now update the PortalGroupID field in the Portals table (assuming the new PortalGroupID you added was 1):
UPDATE Portals SET PortalGroupID = -1 WHERE PortalID = 0;
UPDATE Portals SET PortalGroupID = 1 WHERE PortalID = 1;
UPDATE Portals SET PortalGroupID = 1 WHERE PortalID = 2;
Another thing you could do is write your own custom DNN Authentication Provider (http://www.dnnsoftware.com/community-blog/cid/134678/dotnetnuke-tips-and-tricks-12-creating-your-own-authentication-provider).
Then, just have the authentication provider check an authentication cookie on the user's system. If the cookie is valid (and not expired), you can automatically log them in. Otherwise, redirect them to the main login screen. I did this, but the other site was a Java based dashboard.

How to use new enhanced sessions in Parse with users created on cloud code?

I was trying out the new enhanced revocable sessions in Parse on my Android app. It works well when logging in or signing up via email/password or Facebook, but doesn't work well for custom authentication, e.g. Google+.
I'm currently logging in the user using cloud code, which also creates the new user when signing up. This does not create a new Session object, which means the new enhanced sessions are not used and it still uses the legacy sessions.
I pass the session token back to the client, where using the become method the user logs in, but it's the legacy sessions.
This feels like the feature is not complete, but I would really like to move to the new enhanced sessions with my app. Has anyone worked with them yet? Are there any workarounds using the REST API or by creating the sessions manually and handling them manually? I looked into the JS API, but it says it's read-only.
Here's the Blog post on Enhanced Sessions.
Where should I go next?
Yes, I found a solution, but it's a workaround; it works for my case because I don't support signing up with user/password.
Basically, the solution (cloud code) in semi-pseudo-code is:
1. Fetch the user with the master key.
2. Check if user.getSessionToken() has a value.
3. If it has, return the session token and do a user.become() in the client as usual.
4. If it doesn't, here is the workaround, do the following:
// Cloud code: requires underscore (_), Parse and the Node Buffer type.
var password;
yourPreviousPromiseInOrderToChainThem.then(function(user) {
    // Build 24 random bytes and base64-encode them as a throwaway password.
    // Buffer has no set(index, value); index assignment writes the byte.
    var bytes = new Buffer(24);
    _.times(24, function(i) {
        bytes[i] = _.random(0, 255);
    });
    password = bytes.toString('base64');
    user.setPassword(password);
    return user.save();
}).then(function(user) {
    // Log in with the freshly set password so Parse issues a revocable session
    return Parse.User.logIn(user.get('username'), password);
}).then(function(user) {
    var sessionToken = user.getSessionToken();
    // Return the session token to the client as you've been doing with legacy sessions
});
That means I'm changing the user's password each time in order to make a remote login and, of course, I know this can't be applied to all cases; it's enough for my app because I don't support login with user/password (only third-party logins), but I understand that maybe it's not for all cases.
I got the idea from this official Parse example.
I don't like this solution because I think it is not a workaround, it's a mega hack, but I think there is no other way to do it currently (either Parse.com or Parse-Server).
If you find another workaround, please share it :)

Using omniauth to facebook connect existing user with different permissions

I'm using devise/omniauth to do Facebook authentication and it works great. However, I would like to add a flow where an existing (non-Facebook) user has the ability to connect his account with Facebook. This would require different Facebook permissions, so I can't seem to find two things:
1. how to use devise/omniauth to request a Facebook connect without logging out the current user
2. how to request different extended permissions from the user (different from those specified in the devise configuration file)
Any ideas? Thanks
The answer to 1 is pretty easy: just add an if branch into the omniauth_callbacks_controller::process_callback method like this:
# Inside OmniauthCallbacksController#process_callback
# If a user is signed in then he is trying to link a new account
if user_signed_in?
  if authentication.persisted?
    # This was a linking operation so send back the user to the account edit page
    flash[:success] = I18n.t "controllers.omniauth_callbacks.process_callback.success.link_account",
                             :provider => registration_hash[:provider].capitalize,
                             :account => registration_hash[:email]
  else
    flash[:error] = I18n.t "controllers.omniauth_callbacks.process_callback.error.link_account",
                           :provider => registration_hash[:provider].capitalize,
                           :account => registration_hash[:email],
                           :errors => authentication.errors
  end
  redirect_to edit_user_account_path(current_user)
  return # skip the normal sign-in path that follows for new sessions
end
This is what I do in my application and it works fine.
Regarding question 2, I do not know how to support 2 different Facebook authentication configurations; however, I have a hard time seeing how that is useful to users, since they need a consistent experience across both paths: "sign in using Facebook" and "link your account to Facebook".
(If you still want to pursue this path one idea I would explore is to create a new facebook application with its independent keys and configuration...)
Hope this help.
One simple way to implement multi-tier permissions is to use the Facebook JavaScript SDK (in addition to omniauth, if you want). You can simply specify a different "scope" parameter, which specifies the permissions required, at each call you want. What I'm doing is making omniauth provide a basic set of permissions; then, after the user has connected through omniauth (and thus stored their data in our DB), if further permissions are needed, we show them JS-based buttons which request expanded sets of permissions. If you want to check what particular permissions a user has granted to you, you can simply use the me/permissions API call.