Hiding user login on single-user sites - authentication

If I'm building a simple page to which one person (or a small number of people) will have admin access, how do I (ideally language-agnostically, but in Ruby if relevant) conceal the log-in link from most users, but reveal it to those who should have access?
I feel like this is something people must do all the time, and the answer is presumably all over Google, but I'm not quite sure what question I'm asking. I don't know what info I'd have to condition on (IP? What if admins want to log in from a different Wifi network?).
Is the normal approach to just not have a link, and use cURL or similar tools to log in? (which seems unwieldy)

Ah, I just realised at least one way of doing this is to have a page that I need to direct link to as the login page, so no one sees a login link they can't use.
Feels obvious in retrospect :\

'.AspNetCore.Correlation....' cookie not found

Apparently there are a lot of people having this problem, but none of the scenarios seem to be exactly what I'm experiencing. I'm using Azure AD B2C with HTTPS. I can consistently create the problem, but am at a loss to know how to fix it.
Recreating the problem:
1. Make sure you are logged out.
2. Go directly to a link in the site. This will bring up the login screen. After a successful login, the user should be taken to the page in question.
3. Hit the "Back" button. This brings up the error, and the user will be at https://domain/MicrosoftIdentity/Account/Error.
I've tried every combination/permutation of cookie policies I can think of, but to no avail.
If I can't solve the problem, perhaps someone could tell me how to redirect https://domain/MicrosoftIdentity/Account/Error to https://domain/MicrosoftIdentity/Account/SignOut, thereby simply forcing a logout. I'd be satisfied with that.
What this really is:
From an authentication/application's perspective this behavior is correct. Let me clarify. I bet the following is something almost every internet user has experienced:
You submit a form, click on the back button and this alert pops up, asking you to 'resubmit the form'?
When you click Back, the browser simply executes the exact same request that you made earlier. Not a big deal for HTTP GET requests, but kind of a pita for POST requests because it can potentially cause duplicate data or worse. Or, in this case, you run into security measures preventing the (ab)use of one-time tickets.
Although the behavior is correct, I understand that your client's perception is that the app must simply be broken.
The solution, or preventive measure:
To be clear, I haven't actually tried this and this is more of a 'could-possibly-work' answer in the case of AzureAD B2C.
Nevertheless, I think you might be able to circumvent this perceived problem through:
Implementing a POST-redirect-GET pattern inside your application so that you point the redirect URI of the B2C tenant to an endpoint inside your application and when the request comes in, simply redirect the request to a GET method.
Hopefully this helps, but in case you want a more definitive answer try searching Google for the pattern or maybe someone else here knows about a working solution and wants to contribute to this post in the comment section or provide an answer. Either way, good luck!
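The POST-redirect-GET idea above, worked through as an added example (this is not code from the original answer, and it is not ASP.NET Core or Azure AD B2C code). It is a small WSGI app in which the identity provider POSTs to a hypothetical callback path `/signin-oidc`, the app consumes a one-time correlation value, starts a session and answers `303 See Other` pointing at a plain GET page (`/secret`). Re-requesting the GET page keeps working, while replaying the POST hits the already-consumed ticket and ends on the error path from the question. The stores, paths, user name and cookie names are all constructed for the example.

```python
import secrets
from http.cookies import SimpleCookie
from wsgiref.util import setup_testing_defaults

# In-memory stand-ins for the correlation cookie store and the app's session
# store (constructed for this example; a real app uses its framework's stores).
PENDING_CORRELATIONS = set()   # one-time values issued when a login starts
SESSIONS = {}                  # session id -> user name

# Hypothetical paths: the callback the IdP posts to, and the page the user wanted.
CALLBACK_PATH = "/signin-oidc"
PROTECTED_PATH = "/secret"
ERROR_PATH = "/MicrosoftIdentity/Account/Error"

def start_login():
    """Begin a login: issue the one-time correlation value the callback must present."""
    nonce = secrets.token_urlsafe(16)
    PENDING_CORRELATIONS.add(nonce)
    return nonce

def _cookies(environ):
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    return {name: morsel.value for name, morsel in jar.items()}

def app(environ, start_response):
    """WSGI application implementing POST (callback) -> redirect -> GET (page)."""
    path, method = environ["PATH_INFO"], environ["REQUEST_METHOD"]
    cookies = _cookies(environ)
    if path == CALLBACK_PATH and method == "POST":
        nonce = cookies.get("Correlation")
        if nonce not in PENDING_CORRELATIONS:
            # Missing or already-used one-time ticket: the failure the question shows.
            start_response("302 Found", [("Location", ERROR_PATH)])
            return [b""]
        PENDING_CORRELATIONS.discard(nonce)    # consume it; a replayed POST must fail
        sid = secrets.token_urlsafe(16)
        SESSIONS[sid] = "alice"                # constructed user; real code validates the id_token here
        # 303 makes the browser follow up with a GET, so the POST never becomes
        # the history entry that "Back" returns to.
        start_response("303 See Other", [
            ("Location", PROTECTED_PATH),
            ("Set-Cookie", f"session={sid}; HttpOnly; Secure; Path=/"),
        ])
        return [b""]
    if path == PROTECTED_PATH and method == "GET":
        user = SESSIONS.get(cookies.get("session"))
        if user is None:
            start_response("302 Found", [("Location", "/login")])
            return [b""]
        start_response("200 OK", [("Content-Type", "text/plain")])
        return [f"Hello {user}".encode()]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]

def request(method, path, cookie=""):
    """Drive the app in-process; returns (status, headers dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": method, "PATH_INFO": path, "HTTP_COOKIE": cookie})
    captured = {}
    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body

def demo():
    """Walk through login, the redirect, the GET page, and a replayed POST."""
    nonce = start_login()
    post_status, post_headers, _ = request("POST", CALLBACK_PATH, f"Correlation={nonce}")
    sid = SimpleCookie(post_headers["Set-Cookie"])["session"].value
    get_status, _, body = request("GET", PROTECTED_PATH, f"session={sid}")
    # Re-issuing the GET (what "Back" now lands on) keeps working...
    again_status, _, _ = request("GET", PROTECTED_PATH, f"session={sid}")
    # ...whereas replaying the POST hits the consumed ticket and ends on the error page.
    _, replay_headers, _ = request("POST", CALLBACK_PATH, f"Correlation={nonce}")
    return {
        "callback": (post_status, post_headers["Location"]),
        "page": (get_status, body),
        "page_again": again_status,
        "replayed_post": replay_headers["Location"],
    }

if __name__ == "__main__":
    print(demo())
```

The status code matters: a `303` forces the follow-up to be a GET regardless of the original method, which is the whole point of the pattern; a `307` would keep it a POST. Whether a given OIDC middleware already behaves this way is something to check against its documentation rather than assume.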

googleads.g.doubleclick.net Asking for Username and Password

Today, out of the blue on the google page, a window popped up asking me for my username and password. It didn't say what it was for, just googleads.g.doubleclick.net. It then happened on my phone which is linked to the same account. I was wondering if anyone else has had this issue and if anyone could help me. I am really worried. Thanks.
Others have seen it. I did, when I opened Google Chrome. I was just on the new tab page, not even an actual website! Many people seem to have encountered this in the past 24 hours:
https://security.stackexchange.com/questions/127667/what-should-i-do-about-gmail-ad-asking-me-for-password
https://superuser.com/questions/1092011/firefox-googleads-g-doubleclick-net-basic-authentication-prompt
https://nz.answers.yahoo.com/question/index?qid=20160621202130AAxY0F2
https://steamcommunity.com/discussions/forum/11/358415738179518104/
https://productforums.google.com/forum/#!msg/chrome/Rt3zSPiSyHk/zdB52fBqAQAJ
http://forums.windowscentral.com/windows-10/429066-edge-wants-me-login-googleads-g-doubleclick-net.html
https://techreport.com/forums/viewtopic.php?f=1&t=118101
https://forums-windowscentral-com.blogspot.com/2016/06/edge-wants-me-to-login-to.html
The best response I've found is over on the security stack exchange:
https://security.stackexchange.com/a/127668/43188
To summarize, yesterday, googleads.g.doubleclick.net (a Google domain that serves ads) either was briefly compromised by an attacker seeking people's passwords, or a Google engineer messed up and it's a result of a mistake in their servers.
The answer on the security stack exchange suggests changing your password, even if you didn't fill it in the popup. They suggest this because, if it's an attack, and the attacker is able to create the popup, they could have added malicious code you didn't see.
Also, though in principle I'm not a fan of ad blocking, I've recently realized it's probably necessary these days for security. This incident only demonstrates this. I recommend uBlock Origin, but Adblock Plus is also popular.

Is there a way to register an application on Google+ like on Facebook?

In particular I'm interested in the possibility of getting an App Access Token with no expiration time, exactly as I do with Facebook.
I want to publish on behalf of the user via server, and I found Facebook's procedure, in which we ask for the user's permissions only the first time, very useful and convenient.
I have been working with this kind of social-network interaction for merely three weeks, so I will be very happy to hear any type of suggestions or criticism.
Google+ does not currently have a public write API. There are selected partners that they work with (such as HootSuite) that provide this feature, but they are making access to it available very slowly. See https://developers.google.com/+/api/pages-signup for further details.
Google+ does have a concept of Moments, which are activities that happen in your app that are reported to Google+ and which the user may later wish to share, or may make available to people in their circles on a limited non-notification basis. This is probably not what you want, but may serve some needs. See https://developers.google.com/+/api/latest/moments for more info and examples how to use it.
Simply, no, there is no way to do that in Google+ at the current time. In general, apps for Google+ are read-only.

Using Magento as the main, and creating a single sign on to integrate with other third party software

This has been something I have been trying to work on for a good long time. It first started with Prestashop as an integration with other scripts or pieces of the puzzle I needed to make for an overall website. I am currently still using Prestashop as my webstore but have since switched to Magento.
I switched to Magento because of its complex flexibility and because overall I think it is the best solution, best backing and best overall eCommerce script to go with.
That being said, the same issues I was having with Prestashop appear to be the same ones I will continue to have in any aspect where I try to integrate things together in perfect harmony.
I have Magento set up as the main portion of the website, and inside Magento in sub folders I have Wordpress installed in a folder called "articles", and I have also gone with FluxBB as my message forums because of its simplicity in not having a crap load of bloated extra features that I couldn't care less about, and that is in a sub folder called "forums".
From this point, we know that Magento, Wordpress and FluxBB all have their own way of managing users; creating, managing, and tracking them.
What I am wanting to do is find the best way to fit these three and more together for my website to make the experience for the customer as smooth and as functional as possible. After emailing the ever talented and helpful Alan Storm, he told me the best solution he was aware of working was to make a third party user management that they all point to and that manages the customers' authentication. I do believe his thoughts may be the best, but I wanted to put this out there here on Stack Overflow, and I may post this on Magento as well, to get the broad scope of Magento developers and smart guys that like challenges.
I have several thoughts; none may work, some may work half ass, or one may just be something workable. But first let me tell you what I have accomplished so far. I have done the necessary steps to integrate my overall design for the header and footer, so essentially Wordpress and FluxBB are wrapped and are contained inside Magento's outer design layer. With that being said, I have also made it where Magento will check the session to see if the user is logged in to Magento or not by saying "Hello Guest" or "Hello User". This is where I have hit a stopping point because I am out of my depth and would like assistance, whether it is something we create together out of pure challenge or someone says if I pay them they will help me; either way I would like this accomplished. If and when I get the code figured out, whether by means of paying for assistance or a group effort, I would like to make it freely available for others to use the concept for their own projects.
Brain Fart #1:
Adjust the user tables for both Wordpress and FluxBB to conform more to the structure of Magento, as for the password and username/email login portion. The rest of the fields can respectively stay as they are for post counts, and etc.
From there, I would like to figure out which class in Magento does the actual input into the database when a customer is created out of registration. When I find that code, I would like to extend upon it the ability to copy the user credentials into the other two tables in the database for Wordpress and FluxBB. If necessary it can just be an added couple of fields to Wordpress and FluxBB if that seems like a better idea and yes I do mean the actual encrypted password that Magento creates, I want this to be secure as well.
From there, when we know that a customer registers with Magento the data is copied over to the other two tables then we at least have made progress, whether this progress will actually work, is still to be determined.
We then disable the login/logout and registration links in any way that we can from Wordpress and FluxBB because they will no longer be needed because we want the user to register, login and logout through one location which is Magento.
Then comes the fun part in my eyes, keep the damn session going throughout the entire website as they order products, review wordpress articles and possibly leave comments, send to friends and etc.... as well as post topics, replies and etc in the FluxBB capacity.
To me this is where creating the fields or adding the data from Magento's customer registration comes into play. I can make it check to see if they are logged into Magento already, and from there we may be able to have it validate itself. This may be overkill or this may just be how it needs to be done. But to me, if the credentials are located in all three databases then they should be able to be validated by changing the code in Wordpress and FluxBB or adding code. And yes, I am aware that we will also have to do something about Profile Editing and Password Editing if a customer so desires to change their information.
But that is my first thought on this, whether it is the right decision or not; I would like to hear from the vast knowledge of people here who have more experience and knowledge than I have with Magento, PHP and everything else.
Brain Fart #2
This illogical idea seems like an outside stretch entirely to me because of the complexity of Magento and how it is overall setup.
But the idea is to edit Wordpress and FluxBB (and any other third party software) to pretty much ignore their own methods of registration, login, logout and edit, and look to Magento for credentials and establishing new customers. Essentially making them an oversized module of Magento.
I just know that the way Magento is set up is to be modularized, and its complexity seems like it would take a lot more coding and troubleshooting to do this.
Brain Fart #3
Dump both Wordpress and FluxBB and look towards modules in the Magento Connection Store that pretty much has all of the functionality that I need and can add to them what is missing and not mess with trying to integrate third party software.
I love Wordpress; I think replicating it with a module, at least after the hours I have spent looking at all of the modules available that are CMS/News related, is a tough call. FluxBB I could take or leave; if someone had an already viable solution to use phpBB or vBulletin or SimpleMachines I would go with them. I'd rather it be free open source software, not because I am a cheapskate but just because I support open source as much as I can.
Brain Fart #4
Could this be a cookie thing? But that would only be effective if they allow cookies. Or could I somehow add on to the session to allow things to pass through? But Magento sets up different sessions, or allows you to, so things crash against each other, so this may not be an idea at all, or it may be one as well.
I know I am not giving examples of things I have tried, files I have looked at or anything related to that and I apologize, I provide some links related but nothing specifically found so far that matches what I am trying to accomplish. And I have tried to merge things together with some fun disastrous results.
Link Examples?:
http://www.magentocommerce.com/wiki/doc/webservices-api/api/customer#customer.create
http://www.magentogarden.com/blog/how-are-passwords-encrypted-in-magento.html
http://www.nicksays.co.uk/magento_events_cheat_sheet/
http://www.magentocommerce.com/wiki/5_-_modules_and_development/customers_and_accounts/registration_fields
How to access Magento customer's session from outside Magento?
Any assistance with this would be nice, I am trying to work on several parts of the website at once and this one is troublesome and I would say that everyone is going to find it hard or have found it hard. Anyone like challenges? :)
--------- EDIT:
I have got Magento and Wordpress to work perfectly together with James Kemp's module found on CodeCanyon's website (Single Sign-On for Magento and Wordpress) and I am going to adapt it to work for FluxBB or anything else I do.
Just passing along the information... I see this was edited, don't know what was edited and don't care. Just passing along information I have since found since posting this.
I am managing/customizing a combo of magento+vanilla forums+a custom app made in Yii framework. The users are "shared" between the apps. Neither of the two links is good. As Alan already replied to you, the correct SSO will be with an external user database/manager. But well, not everyone is up to recoding three apps just to get a 1-post-a-week forum and a 1-article-a-month blog to work with magento. So we are left with fewer options. First of all, if you don't want (most probably not) to rewrite a good portion of an already written open source project that is being updated and maintained, and then maintain your changes against periodical updates (you want them), then you have to duplicate the user data over three databases. Unless the project you adapt has some way to manage user data as a plugin or external module. AFAIK neither of your choices does.
So, how to implement it? Assuming you choose Magento as the mother-of-all, you need it to export an API for authentication, which may work over the browser using cookies and JavaScript, but this is rather tricky, or you can use its frontend cookie to validate the sessions by doing server-to-server API requests from the children apps. This is the preferred option as far as "classical" SSO goes. Technically, what should happen is: when your users open the forum or blog, the respective apps detect Magento's cookie and check if the session is valid and who the user is. If the user is found, his data is copied to the blog or forum tables. Then you need to start an authenticated session on the blog or forum app using the newly created user record.
So far so good, but there is still some work. You need to disable the user profile management in the children apps or modify it so the data held in Magento is always the correct one, and you need to invent something to synchronize Magento's representation of the user profile down to the children. This is better hooked up on Magento's events so every time a user changes his profile the data is updated in the children apps. But there is another "but" too. You probably want to keep some data app-specific; a display name on the forum is not necessarily the FirstName+LastName from Magento, and some would like to keep it private.
The above is just what I can recall as interesting facts about keeping it running. There are certainly many other things I've left out, more or less specific. But hopefully my comment can help your brain farting.
We've tried to evaluate other options but anything without duplicate data seems to be too expensive to implement or to maintain. Maybe later. With budget and time.
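The cookie-validated, server-to-server SSO flow and the event-driven profile sync from the answer above, as an added illustration (this is not the answerer's code, nor Magento, WordPress or FluxBB code). The parent app keeps the authoritative profile and exposes a validation API guarded by a shared secret; a child app never trusts the parent's cookie contents, it only asks the parent whether that session is live, then provisions a local record and its own session. Profile edits in the parent fire a listener that overwrites the synced fields but leaves the child's app-specific `display_name` alone. Cookie names, the API key, the customer and all stores are constructed for the example.

```python
import hmac
import secrets

# Shared secret between the parent's authentication API and its child apps.
# Constructed for this example; in practice it lives in each app's config.
SHARED_API_KEY = "constructed-shared-secret"

PARENT_SESSIONS = {}      # frontend session id -> profile (the authoritative copy)
PROFILE_LISTENERS = []    # callbacks run on profile changes (the "event hook")

def parent_login(customer_id, email, first_name, last_name):
    """The parent app (Magento in the question) starts a frontend session."""
    sid = secrets.token_urlsafe(24)
    PARENT_SESSIONS[sid] = {"customer_id": customer_id, "email": email,
                            "first_name": first_name, "last_name": last_name}
    return sid

def parent_validate_session(api_key, session_id):
    """Server-to-server API: profile for a live session, None for an unknown one.
    Only registered children (those holding the shared key) may ask."""
    if not hmac.compare_digest(api_key, SHARED_API_KEY):
        raise PermissionError("caller is not a registered child app")
    return PARENT_SESSIONS.get(session_id)

def parent_update_profile(session_id, **changes):
    """A profile edit in the parent; fires the sync event for every child."""
    profile = PARENT_SESSIONS[session_id]
    profile.update(changes)
    for listener in PROFILE_LISTENERS:
        listener(dict(profile))

class ChildApp:
    """A blog or forum that keeps its own user table but defers authentication."""
    SYNCED_FIELDS = ("email", "first_name", "last_name")

    def __init__(self, name):
        self.name = name
        self.users = {}       # customer_id -> local record
        self.sessions = {}    # local session id -> customer_id
        PROFILE_LISTENERS.append(self.on_parent_profile_changed)

    def current_user(self, cookies):
        """Resolve the request's user: an existing local session, or else the
        parent's cookie validated server-side. Returns (customer_id, local sid)."""
        local_sid = cookies.get(f"{self.name}_session")
        if local_sid in self.sessions:
            return self.sessions[local_sid], local_sid
        parent_sid = cookies.get("frontend")
        if not parent_sid:
            return None, None
        profile = parent_validate_session(SHARED_API_KEY, parent_sid)
        if profile is None:
            return None, None       # forged or expired parent cookie: stay anonymous
        self._upsert_user(profile)
        local_sid = secrets.token_urlsafe(24)
        self.sessions[local_sid] = profile["customer_id"]
        return profile["customer_id"], local_sid

    def _upsert_user(self, profile):
        # App-specific fields (display_name) are set once and then left alone;
        # the parent's copy of the synced fields always wins.
        record = self.users.setdefault(profile["customer_id"],
                                       {"display_name": profile["first_name"]})
        for field in self.SYNCED_FIELDS:
            record[field] = profile[field]

    def on_parent_profile_changed(self, profile):
        if profile["customer_id"] in self.users:
            self._upsert_user(profile)

def demo():
    """Forged cookie, first visit, forum-only setting, parent edit, cached session."""
    forum = ChildApp("forum")
    forged = forum.current_user({"frontend": "not-a-real-session-id"})
    sid = parent_login(42, "alice@example.com", "Alice", "Liddell")
    customer_id, local_sid = forum.current_user({"frontend": sid})
    forum.users[customer_id]["display_name"] = "wonderalice"   # forum-only setting
    parent_update_profile(sid, last_name="Hargreaves")          # edit in the parent
    cached = forum.current_user({"forum_session": local_sid})   # no parent round trip
    return {"forged": forged, "customer_id": customer_id,
            "record": dict(forum.users[customer_id]), "cached": cached[0]}

if __name__ == "__main__":
    print(demo())
```

Keying the local table on the parent's customer id rather than on the e-mail address is deliberate: an address can change in the parent and the sync must still find the right local row. Logout in the parent is not mirrored here; a real deployment would also need the parent to tell the children to drop their sessions.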

Creating a login section - I'm new and need some serious direction please!

Alright. So I am new, I know my way around html pretty well, and have gotten by for a while now doing so. But today I am presented with a seemingly simple issue.
My client needs the ability for users to create their own LOGIN/PASSWORD, my client wants to be able to MANUALLY approve visitors. And he wants to be able to track how many times they login.
The login section will just be about 4 pages of PDF file downloads.
I can't imagine this is the hardest thing in the world, I just have no clue where to even start. Perhaps there is a code already written, as things like this are done every day using forum technologies...
Please help!
It may also help to mention that I am using Dreamweaver cs4 on a MAC
I'd check out Ruby on Rails if I were you. It's pretty easy to get something quick up with it that you can have users create accounts with that send e-mails to the client with approve/reject options, and be able to track downloads and users via MySQL or other databases.
I've found Agile Development with Rails to be a great source of info on how to do stuff like this (they do an online bookstore as the book's example) and with a little modification I think it should work for what you say you want to do (and the book is pretty cheap as far as programming books go).
If you want just really basic static login features without lots of coding, you can start with Password protecting your pages with htaccess. You can password protect directories like this without any effort at all. This way, you can be sure that your login routine is secure.
Then, you can continue with advanced features like account administration and login statistics. These will require some programming skills.
Tracking count of user logins should be easy too. You can put simple PHP code to the source of protected pages that will save the info about login to the database. This will require you to study some basics of databases. You can use plaintext files which is not as clean but much easier and it will allow you to export info for your client more easily.
If you want to do it professionally, you should invest in learning about web development or hire someone to do it for you. These tasks might not be trivial.
Have you worked with PHP, ASP.Net or some other web language yet? What you're trying to do isn't too difficult in the grand scheme of things, but it may be somewhat challenging if you haven't programmed before and/or haven't had any experience with web development.
(P.s. Alter your question as a response and comment on my answer when you're finished.)
As you are looking into Ruby on Rails, take a look at bort, which is a RoR app skeleton with RESTful authentication included; it should help (Chris Bunch answered on the general RoR question).
There is also this bort fork. There is also Authlogic which may be easier to work with.
Have a look at the ASP.net Membership provider and also the login controls which provides the UI for the login as well as registration screens out of the box.
Here is a Multipart Series on ASP.NET's Membership, Roles, and Profile
If this is too complex, then probably you can also design your application from scratch using ASP.net. If you don't know asp.net, then the best place to start is www.asp.net; it has several videos and tutorials which would help you get going soon.