What to do when a logged in user goes back to the log in page? - authentication

I found three different approaches on various websites that require a user to log in:
1. Log out a user who goes back to the log in page
2. Redirect the user to a welcome page
3. Do nothing, allow the user to stay on the log in page
I wanted to change the approach from 1 to 2 to improve user experience on my website. But I would like to seek some advice first regarding whether there could be some nasty security exploits awaiting me.

Redirecting the user to a welcome page is a good one.
1 and 3 are not unacceptable for any application

Check if the user was referred by the "login page" (enters creds). If not and he is logged in, bounce to the safe side; else bounce to the public home page.

Login/register links should not be visible to the user if he is logged in. If he manually traverses to the page by typing the URL (e.g. www.example.com/login.php), you can put a check on these pages:
if $_SESSION['userid'] != NULL, then redirect to the home page.

I think it will be best for you if you redirect the logged-in user to the PREVIOUSLY VIEWED PAGE.
Like:
<input type="hidden" name="redirect_url" value="print_HTTP_REFERER" />
Then on the Login action page, redirect the user to HTTP_REFERER using (header or meta refresh).
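Added example (my code, not from any answer in the thread) of the hidden redirect_url / HTTP_REFERER idea with the check a defender wants: a target, whether copied from the referer or posted back from the form, is honoured only when it is a path on this site, so the field cannot become an open redirect, and the login page itself bounces users who already hold a session. The function names, www.example.com, /home.php and /login.php are assumptions.

```php
<?php
// Added example, not code from the thread. Validates the post-login redirect
// target and bounces already-authenticated users away from the login form.
// 'www.example.com', '/home.php' and '/login.php' are assumed site values.
declare(strict_types=1);

function safeRedirectTarget(?string $candidate, string $siteHost, string $default = '/home.php'): string
{
    // Reject empty input, control characters/whitespace, and backslashes
    // (some browsers treat "/\evil.example" as "//evil.example").
    if ($candidate === null || $candidate === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $candidate)) {
        return $default;
    }
    $parts = parse_url($candidate);
    if ($parts === false) {
        return $default;
    }
    // An absolute URL (a copied HTTP_REFERER, or "//evil.example") is accepted
    // only when it is plainly this site over https, with no userinfo or port.
    if (isset($parts['scheme']) || isset($parts['host'])) {
        if (($parts['scheme'] ?? '') !== 'https'
            || strcasecmp($parts['host'] ?? '', $siteHost) !== 0
            || isset($parts['user']) || isset($parts['port'])) {
            return $default;
        }
    }
    $path = $parts['path'] ?? '';
    if ($path === '' || $path[0] !== '/' || $path === '/login.php') {
        return $default;   // relative paths and loops back onto the login page are refused
    }
    return $path . (isset($parts['query']) ? '?' . $parts['query'] : '');
}

// login.php: a user who already has a session is sent home instead of seeing the form.
function loginPageRedirect(array $session): ?string
{
    return !empty($session['userid']) ? '/home.php' : null;
}

// Login action, after session_start() and a successful password check:
// rotate the session id (session fixation) and pick the validated landing page.
function finishLogin(int $userId, ?string $requestedUrl, string $siteHost): string
{
    session_regenerate_id(true);
    $_SESSION['userid'] = $userId;
    return safeRedirectTarget($requestedUrl, $siteHost);
}

// Sanity checks on constructed inputs; SITE_HOST should be a configured constant, not $_SERVER['HTTP_HOST'].
assert(safeRedirectTarget('/account.php?tab=security', 'www.example.com') === '/account.php?tab=security');
assert(safeRedirectTarget('https://www.example.com/account.php', 'www.example.com') === '/account.php');
assert(safeRedirectTarget('//evil.example/x', 'www.example.com') === '/home.php');
assert(safeRedirectTarget('https://www.example.com@evil.example/', 'www.example.com') === '/home.php');
```

In the action page the result is used as `header('Location: ' . finishLogin($id, $_POST['redirect_url'] ?? null, SITE_HOST), true, 303); exit;`, and login.php calls `loginPageRedirect($_SESSION)` before rendering the form.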

Related

How to handle "Unauthenticated" when User is logged out but is on an authenticated route?

Let us say the user is on the Settings page but goes away from the keyboard for a while.
Technically the user is not authenticated but is able to "surf" his/her settings page until the user hits a page where some new data from the server is requested.
Currently, I just catch the "Unauthenticated" response and reload the page so the user gets to /login.
I'm using Laravel, but the settings page is based on Vue + Vue Router. The settings page is thus a single page but acts as if it has many.
So how do you handle this kind of situation? Are you checking the authentication status like every 1 minute?

MODX Login Chunk for isLoggedIn

I am using the isLoggedIn script for a members-only site. It seems to work nearly perfectly except for one thing: I am using the normal chunk (lgnLoginTpl) which comes with the complete Login package. There, in the form, an action with a URL/domain etc. is needed, but I need it to be dynamic. This means if you enter a protected page you are redirected to login and, after logging in, back to the protected page. I have more than one protected page, so it must be somewhat "intelligent".
&redirectToPrior=1 is also not working in this case.
Can anybody help and tell me how to set up lgnLoginTpl correctly to get the isLoggedIn script to work as I need?
It sounds like the first part of your problem, redirecting to the login page when needed, is solved simply by setting the correct "unauthorized page" in your system settings. &redirectToPrior should be what you need. By "not working in this case", do you mean it's not working at all, or not redirecting back to the previous page, regardless of what it was?
If it is the fact that it simply isn't working, that's probably because it relies on $_SERVER['HTTP_REFERER'], i.e. a PHP server variable telling the page which page redirected to it. This will however not always be set, depending mostly on the browser. A workaround I've implemented is to place a little snippet at the top of the Unauthorized page:
$_SERVER['HTTP_REFERER'] = 'http://'.$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
This will "manually" set the HTTP_REFERER to the current URL, which is what you want, as the URL doesn't change after you've been redirected from a protected page to the unauthorized URL. And then you can use the &redirectToPrior param of the Login? snippet.
Thank you for your answer.
I tried some things and now it seems I have only one problem, which is that I am redirected to the unauthorized page (login page); that works fine, but after logging in I am not redirected to the right protected page.
I made two different pages, test1 and test2. If I am logging in I am always redirected to test1.
test1 login -> test1
test2 login -> test1
It seems &redirectToPrior=1 is overridden by &loginResourceId=12. I am calling the plugin with the following code:
[[!Login? &loginTpl=`lgnLoginTpl` &logoutTpl=`lgnLogoutTpl` &errTpl=`lgnErrTpl` &logoutResourceId=`0` &loginResourceId=`12` &redirectToPrior=`1`]]
Removing &loginResourceId=12 (ID 12 is test1) doesn't work at all and redirects me to my 404 page (home).
&loginResourceId=12 should be removed but what to insert instead?

Add a Sign in portlet on the login page

I am building a basic login page using the existing sign-in portlet.
I just want to have the functionality that when a user accesses the website, right now localhost:8080, the sign-in portlet should pop up!
Is this doable? If so, can someone please hint me how this can be done?
This is how the default page looks right now:
To log in, I have to explicitly click on the "sign-in" blue button and then it pops out a modal sign-in portlet.
But what I am trying to do here is:
Whenever a user clicks on the default url, it should immediately ask the user to login rather than showing a blank page with a sign-in button (something like the output image)
Or even a modal sign-in box (Whatever is easy to customize.)
and
Whenever a user hits any other url for eg. localhost:8080/web/project1/home and if the user is not signed in, it should force him to sign in first.
Two possibilities out of the box:
place nothing but the sign in portlet on the homepage, appearing at that location (typically /web/guest/home)
protect your default page to be not visible to the guest user (this will automatically forward to the sign-in portlet) - see the "Permissions" button on the "Manage Pages" interface
There are more, but these seem to be the first and most obvious ones. Let me know if one of them works for you or what the reason for your request is.
From what I understand, you want the Login Portlet to pop up as a modal window/lightbox on the current page (i.e. without leaving the page). AFAIK, to achieve this, you'll have to develop all your portlets to use AJAX to create links that point to protected resources. So when you get an unauthenticated request, you can stay on the same page and show the login dialog.
This is a high-level approach. You'll need to 1) embed the Login portlet in your theme and 2) put the below JavaScript functionality in the Theme:
callback function - to handle response for unauthenticated request,
to render modal/lightbox
You might face surprises while implementing this.

how to prevent back button to login page after user logs in

I have a login page where the user enters username and password and then the user is redirected to his account page, but when I press the back button it takes me back to the login page. How do I prevent that from happening?
You should add a check on the login page for whether the user is logged in. If yes, you should redirect to the default page.
In your controller (where you check if the user is valid or not), make a session variable and initialise it to "connected", for example.
And in your login form, check if your session variable is "connected"; if so, redirect to the wanted page.

Joomla mod_login vs com_user

I'm having a very weird issue with user logins.
I'm building a site where all the content/menus are only available after you login.
I made a 'login' through the Modules and assign it the "userlogin" position.
Now when I go to the home page or any page, the login box comes up, but there's also a second login form. It seems to be coming from com_user.
This com_user login form doesn't work. I can't login using any credentials. If it was working I can simply remove my login module.
Is there a way I can either:
get com_user to work with normal user logins
or
disable this and so I can only see the Module login.
I can hide it from CSS, but I want to know where it's coming from.
Check that the menu link which you have created is public.
If these are not public then whenever the user clicks one, he/she will be asked to log in. That's why the second login option is coming up.