I have a Rails 3.2 app which works on multiple domain names, e.g. www.domain1.com, www.domain2.com, ... I use CASClient::Frameworks::Rails::Filter for some public pages. On those public pages, I need to show the current user logged in as well. Everything works, but the thing is that it usually redirects when the user first requests the page. It's really bad for SEO for those public pages to be indexed.
Let's say I have two domains: domain1.com and domain2.com. The user logged into domain1.com. In order to display the current logged-in user on both domain names, I must call CASClient::Frameworks::Rails::Filter. However, this method will redirect at the very first request for each domain. Is it possible not to do the redirection while still being able to display the current logged-in user for both domains?
Could you clarify a bit more what you mean by showing that they logged in? Based on what you wrote, if a user logs into domain1.com then they logged into domain2.com. You could:
1) At a minimum, check whether the user has logged on at all to a domain and then list out all domains.
2) Because you mention SEO, I'm assuming you have a database of some kind that stores a user's record and authenticates that they're okay as a user. You can update the user's record. If the data is normalized into a table of domains to which the user could connect, you can insert/update the user's record there (i.e. a table userdomains like id, user_id, domain_id, lastupdated, signed_in_count) and pull from that table.
Plenty of other things you can do from the model, but in all the question may need more clarification.
Hope this helps
Related
Let's say I have a table of food items to bring to a lunch on a very simple web page. I don't want there to be login, but I would like there to be some smartness to my app.
Let's say a user puts in a food item. Other than a login, couldn't I use the IP address to do things like: only the user that created the record at same IP address can edit this record. Something like that.
I was thinking one more step toward a login, have a single text box where a user can put initials.
This way the first person to suggest bringing an item can be happy to know their todo for the lunch is done and can't be "overwritten".
That's it!
Pros and cons, welcomed!
This is more of a helper app than a formal thing, like to help around the office of local users.
Authentication and Authorization are separate functions, and I'm drawing the distinction here for a reason.
Authentication is the process of positively identifying a user, so you know who they are.
Authorization is the process of allowing or preventing that user from accessing parts of the application.
IP addresses can be used to partially identify users, but as #Dai pointed out in his comment, it has problems. Even using a MAC address is problematic since some people know how to spoof MAC addresses. If you can use someone else's authentication service, you can authorize them yourself.
Once you have positively identified a user, you can track them using a randomly generated ID that is good for a session. It is possible to use a cookie to track that ID. If that ID is associated with a Role you can authorize based on that role.
I am using Zend Framework 2 with ApiGility.
I have the following scenario:
A website where users login and manage their accounts: www.website.com
Apps hosted separately: app.website.com (that users want to use)
The sub-domain is not necessarily hosted on the same environment or even in the same datacenter.
Now, if a user accesses an app directly, I need to check if they are logged into the main website so that I can grab user related information needed by the apps.
I am not 100% sure of the best way to go about this.
For the App to work I need the following:
A 32-bit code (a unique identifier that the app uses in place of private information)
Account balance (to make payments for app services)
To get the 32-bit code, I was thinking of setting up the following:
www.website.com/api/is/logged/in
Which would return the 32-bit code I need, if the user was logged in.
To get the account balance I would then use the code:
www.website.com/api[:/code]/get/account/balance
If the user was not logged in then the app would provide a form for the user to login which would be sent to: www.website.com/api/logg/user/in
If the user's account balance needed to be topped up, then I would likely open an iframe to a payment page on www.website.com for the user to make a secure payment.
This is kind of new territory to me, so I'm not 100% sure of the direction I should be taking or the best practices...
Any advice appreciated.
thanks!
It sounds like you're looking to implement Single Sign-On (SSO) between a number of completely distinct applications. I would check out SimpleSAMLphp...it will do everything you need:
https://simplesamlphp.org/
https://github.com/simplesamlphp/simplesamlphp
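One detail the design above runs into: a session cookie set by www.website.com is not presented to app.website.com unless its Domain attribute covers both hosts, so the app cannot simply "check if they are logged in" by reading the main site's cookie. What an SSO handoff does instead is have the main site issue a signed assertion that the app verifies. The following is an added example, not the poster's code and not SimpleSAMLphp: it reduces that handoff to an HMAC-signed JSON assertion that is audience-bound, short-lived and single-use, which is the shape a SAML or OIDC assertion also has. The shared secret, the user code and the hostnames are constructed for the example.

```ruby
require 'openssl'
require 'json'
require 'base64'
require 'securerandom'
require 'set'

# Added example: minimal signed login assertion handed from the main site
# (issuer) to a separately hosted app (consumer). Hypothetical code; a real
# deployment would use SAML (e.g. SimpleSAMLphp) or OpenID Connect.
module SsoAssertion
  TTL = 60 # seconds an assertion stays valid after issue

  # Issued by www.website.com once it has verified its own session cookie.
  # `secret` is a hypothetical key shared between issuer and app.
  def self.issue(secret, user_code:, audience:, now: Time.now.to_i)
    payload = {
      'sub'   => user_code,  # app-facing identifier, never private account data
      'aud'   => audience,   # the one app allowed to consume this assertion
      'iat'   => now,
      'exp'   => now + TTL,
      'nonce' => SecureRandom.hex(16) # makes each assertion single-use
    }
    body = b64(JSON.generate(payload))
    "#{body}.#{b64(sign(secret, body))}"
  end

  # Run by app.website.com. Returns the user code on success, nil on any
  # failure. `seen_nonces` is the app's replay cache (a Set here; a table in
  # practice). Signature is checked before the body is parsed at all.
  def self.verify(secret, token, audience:, seen_nonces:, now: Time.now.to_i)
    body, sig = token.to_s.split('.', 2)
    return nil unless body && sig
    return nil unless secure_compare(b64(sign(secret, body)), sig)
    payload = JSON.parse(Base64.urlsafe_decode64(body))
    return nil unless payload['aud'] == audience
    return nil unless payload['exp'].is_a?(Integer) && now < payload['exp']
    return nil if seen_nonces.include?(payload['nonce'])
    seen_nonces << payload['nonce']
    payload['sub']
  rescue JSON::ParserError, ArgumentError
    nil
  end

  def self.sign(secret, data)
    OpenSSL::HMAC.digest('SHA256', secret, data)
  end

  def self.b64(bytes)
    Base64.urlsafe_encode64(bytes, padding: false)
  end

  # Constant-time comparison so signature checks do not leak via timing.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-shared-secret'
  token  = SsoAssertion.issue(secret, user_code: 'a1b2c3d4', audience: 'app.website.com')
  puts SsoAssertion.verify(secret, token, audience: 'app.website.com', seen_nonces: Set.new)
end
```

The app still needs its own session once the assertion is accepted; the assertion is only the one-time proof that the user is logged in at the main site. The balance lookup and top-up described in the question would then be server-to-server calls authenticated with the app's own credentials, not with the user's browser cookie.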
I would simply like to ask if I'm doing things right or if it is better to stop before going in this direction. I have an administrative area in my website and I thought to manage login using a table in my database.
When the user logs in correctly, I then write to a SQL table the username, the session ID and the IP obtained from the REMOTE_ADDR server variable.
When the user asks for a private page that requires being logged in, I look up the username in my table, filtering by IP and session ID; this returns the user currently asking, for example, for the "prices.aspx" page in my admin area.
I then have the saved records deleted after 30 minutes. Is this safe enough? Is this a good way to expose my website to hacks? How could I improve the security?
If your site can be hacked, it doesn't matter how your login system works. What keeps a hacker from getting at your data?
Encrypted Transmissions
Never show database names, file names, passwords in front end code.
2-step verification login to your website and database
The basic principles of logging a member in, or logging someone in to an authorized page are no different.
Whether you delete a record 30 minutes after it's been saved or not is totally immaterial. If a hacker can access that data, saving it in an unsecured manner for 1 second is too long. If you want the user session to time out after 30 minutes, just deleting the database record won't achieve that. So, to your question, "Is it safe enough?": No, it's not.
If your regular member login is safe, then all you need to do is have a field in your user information database that indicates whether the user is authorized to see certain pages or not.
When your website is first loaded, don't ever load the admin pages unless it's requested, and then have the user give their password a second time. If the user who logged in is not authorized to see an admin page, then don't even load the HTML that allows a user to request an admin page.
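The points made in the two answers above (authentication is identity, authorization is the role-based decision, a session is a random ID rather than an IP, and a 30-minute record cleanup is not a session timeout) come together in a server-side session store. The following is an added example, not code from any of the posters: an in-memory store standing in for the SQL table the question describes, with random session tokens stored only as digests, idle and absolute timeouts enforced on lookup, role-based authorization, and the second password prompt before admin pages that the answer recommends. The class name, the timeout values, the PBKDF2 password hashing and the clock injection are all choices made for this example.

```ruby
require 'securerandom'
require 'openssl'

# Added example: server-side session store with random session IDs, idle and
# absolute timeouts, role-based authorization and a second password check for
# admin pages. Hypothetical code; the Hash stands in for the question's SQL table.
class SessionStore
  IDLE_TIMEOUT        = 30 * 60      # seconds without a request before the session dies
  ABSOLUTE_TIMEOUT    = 8 * 60 * 60  # hard cap on session lifetime, activity or not
  ADMIN_REAUTH_WINDOW = 5 * 60       # admin pages need a password re-entry this recent

  Session = Struct.new(:user, :role, :created_at, :last_seen_at, :admin_verified_at)

  # The clock is injectable so the timeouts can be exercised deterministically.
  def initialize(clock: -> { Time.now })
    @clock    = clock
    @sessions = {} # SHA-256(token) => Session
  end

  # PBKDF2 for the stored admin password (a constructed stand-in for a real
  # password-hashing setup; bcrypt or argon2 would be the usual choice).
  def self.password_hash(password, salt)
    OpenSSL::PKCS5.pbkdf2_hmac(password, salt, 100_000, 32, 'sha256')
  end

  # Called only after the user has been authenticated elsewhere (that step is
  # what identifies them; this step only tracks them). The client receives the
  # raw token for an HttpOnly, Secure cookie; the server keeps only its digest,
  # so a leaked table contains no usable session IDs.
  def create(user:, role:)
    token = SecureRandom.urlsafe_base64(32)
    now   = @clock.call
    @sessions[digest(token)] = Session.new(user, role, now, now, nil)
    token
  end

  # Returns the Session for a valid, unexpired token, or nil. Expiry is decided
  # on every request, not by a cleanup job that runs 30 minutes later.
  def lookup(token)
    return nil if token.nil?
    key     = digest(token)
    session = @sessions[key]
    return nil unless session
    now = @clock.call
    if now - session.created_at > ABSOLUTE_TIMEOUT || now - session.last_seen_at > IDLE_TIMEOUT
      @sessions.delete(key)
      return nil
    end
    session.last_seen_at = now
    session
  end

  # Authorization: identity comes from the session, the decision from its role.
  def authorized?(token, required_role:)
    session = lookup(token)
    !session.nil? && session.role == required_role
  end

  # Second password prompt before admin pages, as the answer recommends.
  def verify_admin_password(token, password, expected_hash, salt)
    session = lookup(token)
    return false unless session && session.role == :admin
    ok = secure_compare(self.class.password_hash(password, salt), expected_hash)
    session.admin_verified_at = @clock.call if ok
    ok
  end

  # Admin pages are served only within ADMIN_REAUTH_WINDOW of that prompt.
  def admin_page_allowed?(token)
    session = lookup(token)
    return false unless session && session.role == :admin && session.admin_verified_at
    @clock.call - session.admin_verified_at <= ADMIN_REAUTH_WINDOW
  end

  private

  def digest(value)
    OpenSSL::Digest::SHA256.hexdigest(value)
  end

  # Constant-time comparison so the password check does not leak via timing.
  def secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  store = SessionStore.new
  token = store.create(user: 'alice', role: :admin)
  puts "admin page allowed before re-auth? #{store.admin_page_allowed?(token)}"
end
```

The IP address from the original design is deliberately absent: binding a session to REMOTE_ADDR breaks for users behind NAT or a changing mobile address and adds little, because an attacker who has the session token usually also controls the source address it is sent from. The unguessable token, the HttpOnly/Secure cookie flags and the timeouts are what carry the security here.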
I have a site, and I would like to make it "multi-country".
I have created several organizations and users that belong to one of them.
I'd like to do this: when a user logs in from one organization page, say MySite/EN/home, how can I prevent them from also being logged in on another organization page, say MySite/IT/home?
Actually, if a user logs in on mysite/en/home and visits mysite/it/home, he is also logged in on that page.
Can this be prevented?
Liferay, out of the box, doesn't permit what you desire; if a user is logged in, this is true in every part of the Liferay portal.
I'll try to write some chances you have:
1st chance)
If each organization has a different virtual host setting, the login cookie is only valid for the domain the user logged in on.
2nd chance)
A logged-in user can be an organization member in one organization and a simple user in each of the other organizations. You can set the permissions on different roles to allow different actions and different view levels among different organizations for the same user.
3rd chance)
You have to develop a new portal extension through an ext-let plugin that can alter the portal behaviour...
bye
Is there a way to create a sort of authentication for WordPress which would block unauthorized users from some particular pages and posts but would allow any user to view some pages? I would also like the users of the blog to be able to register and log in through Facebook Connect or Google accounts. Is this possible?
For the authentication purpose you can use the the_content filter and check for the conditions in there...
If you don't want unregistered users to view the post, you can check the condition using is_single() and is_user_logged_in(). There are other conditional tags like is_page(), is_home(), etc. Use the following code to check if a particular template is active: http://www.wprecipes.com/how-to-check-if-a-page-template-is-active
You can even selectively allow some users to access a post or page by comparing their user_ids if they are logged in.