I have a CakePHP website with its own login system. On the same server (but in a different folder), I have a WordPress blog. A user that is already logged in to the CakePHP website can click a link that takes him to the WP blog and logs him into the blog at the same time. All this works perfectly.
The problem comes when going back to the original CakePHP website. If I place a link in the blog pointing to the website and the user clicks it, he is taken to the website, but his session there is lost, meaning that he has to log in again.
Is there any way to prevent that from happening? Shouldn't the session be still valid even if the user leaves the website? It's not that it expires, I have it set to 30 min.
This also happens even if the user doesn't access the blog via the link in the website. If I log into the website, then open a new tab and enter the blog (without even logging in), and click the link to the website, the session in the website is lost. Well, there's a new session actually (I've been printing the session id and it changes).
Any ideas on how to keep the session open would be useful.
Also, just in case, here's the script that I use to log in a user from the website into the blog:
$sid = $_GET['sid']; // session id of the CakePHP session, passed in the URL
session_id($sid);
session_start();
if (isset($_SESSION['Auth']['User']['username'])) {
    require('../blog/wp-blog-header.php'); // includes WordPress functions
    $username = $_SESSION['Auth']['User']['username'];
    $user = get_user_by('login', $username); // replaces the deprecated get_userdatabylogin()
    if ($user) { // only set the cookie if a matching WordPress user exists
        wp_set_current_user($user->ID);
        wp_set_auth_cookie($user->ID);
    }
}
header("Location: http://myblog.com/"); // Redirect user to the blog
exit;
Check your Security level. In some cases, it does a check on the 'referer' site. If you are coming from a WP blog, it might have a fit about that. That is what I am assuming is happening since it is generating a new session id.
We want to have a page that displays different content based on whether a user is logged in. If they are logged in, they should be able see their private content. If they are not logged in, there should simply be just a link to a login page. Once they log in, they can navigate back to the original page.
The problem is that when they re-visit the original page after logging in, it's essentially like the page is cached as it still displays the content as if the user is not logged in. However if you refresh the page, it then loads the right content.
$current_user = wp_get_current_user();
if (!user_can($current_user, "custom_user_role")) { ?>
    <p>You are not permitted to view this page. Please log in or sign up.</p><?php
} else { ?>
    <p>You are logged in</p><?php
}
I have tested with a new, blank WordPress/WooCommerce install, and the same issues occurred.
We aren't using any caching plugins (as this is still very much in development).
I have had the same result in Chrome and Firefox, across various machines.
The closest I have come to an answer was by testing within Chrome with the "Disable cache" option enabled, which gave the expected outcome, i.e. the content loaded correctly without needing the refresh.
Is there a simple answer to this?
If not... is there a way to force a local cache refresh when a user logs in?
I've got the error above in my Joomla website when I either try to log in or create a new account from the side site. I have also noticed the two following things:
if I create a new user from the backend, this doesn't appear in the _users table;
a file named ".myjoomla.configuration.php.md5", containing an alphanumeric string, is automatically generated in the website root every time I try to log in vainly from the frontend. Besides, it turns up again if I remove it manually through FTP.
Did my website get hacked? How could I fix it?
".myjoomla.configuration.php.md5" contains the md5 hash of the configuration.php file and appears on your site as part of the mySites.guru service you either subscribed to or trialled. It is part of the near-realtime alerting service which detects when configuration.php has been changed and alerts you if you are a paying subscriber of the mySites.guru service. It is NOT an indication of a hack at all.
Disclaimer: It is code I wrote and a service I run, so I know what I'm talking about.
Not being able to create users - I'm guessing you have Admin Tools or RSFirewall installed and configured; both these products stop users being created IF configured that way.
Token issues: These are well covered in Joomla documentation and forums. They are CSRF tokens and if yours is not validating then try NOT double clicking the buttons, check your session handlers are working, and check your cookies are working as expected.
Nothing you say leads me to believe your site is hacked.
The issue I've encountered was about the Joomla native Login module. When I published it on all the pages of my website and clicked on the login link that appeared on the frontend, I was redirected to a link that looked like
mysite.com/index.php/component/users/?view=login&Itemid=yourid
which displayed the login page correctly. Yet, once I filled in the form and submitted it, the warning message in question popped up. The same problem occurred when trying either to register a new account or to reset the password.
Although I couldn't find an explanation for the issue, I managed to fix it by creating Login, Reset and Registration menu items under the main menu and then hiding them, as I didn't want them to show up among the other menu items on the frontend.
When I went back to the frontend and clicked on login, I was redirected to a different URL that looks like
mysite.com/login
where "login" is the alias that I had chosen for the Login menu item.
After having filled in the form and submitted it, I was able to log in successfully. Likewise, Registration and Reset operations worked.
Users get stuck in a login/out loop experience - ONLY on the /login screen.
I have a membership plugin activated (Restrict Content Pro) that utilizes a login shortcode which I'm using on a /login page. I have a global login/out link, utilizing wp_logout_url(); for logging out.
Behavior works as expected everywhere on the site except the login page. If I logout then return to the login page, I'm shown content as if I were logged in. If I attempt to logout from this page I'm thrown to the "You are attempting to log out of 'x'. Are you sure you want to do this?" error page.
The cookie 'wordpress_logged_in_' is also present only on this page. So, I'm under the impression this is why the site is displaying the 'logged-in content'. My question is - why would this specific cookie only be saved on this specific page? Can I completely destroy it on a log out?
Thanks in advance.
This issue seems to be persistent to date. Are there any updates on solutions for this? Seems to me that WP is not destroying all the cookies relevant to login. After investigating a little I found that the login cookie was set for a particular path (in my case it was /my-account). Maybe WP is missing this cookie as this is not set to /.
So I need a way to lock down both bigcommerce and wordpress if a user is not logged in. First suggestion was asking if when a user is created in bigcommerce create the same user account in WP... but that doesn't seem like a good approach to me since the user will not need any interaction as a user on WP just need to block access to pages if they are not logged in.
So my thought is to check if a user is logged into bigcommerce, then pass a variable to wp header file. If the variable does not exist then redirect them back to bigcommerce login. For this install BigCommerce is currently using the header from wp so they match and all works well so that is why I assume I should be able to pass a variable to check if a user is logged into bigcommerce or not. I have not been able to find any documentation in the API about accessing if a user is logged in or not.
Has anyone done anything like this and/or know if this would be possible? Or know of a better solution for what I am trying to do? Maybe check for a cookie or session?
Recently I did a project where the client wanted to show custom content to BigCommerce logged-in users and block the rest. The best way I found was to check the value of %%GLOBAL_CurrentCustomerFirstName%%. It is "Guest" for non-logged-in users.
You can try this:
// The template variable must be quoted so that the rendered page contains a string literal
localStorage.setItem("user", "%%GLOBAL_CurrentCustomerFirstName%%");
and then you can use this on WordPress pages:
var user = localStorage.getItem("user");
if (user == "Guest") {
    // redirect to login or block page
}
Obviously they can get around javascript so using ajax to store it somewhere and then retrieving it would be more secure but I hope this will help you proceed :)
I have a web application where the users are authenticated before they use it. The help documentation for this application is maintained using WordPress installed on a different server (if needed, the WordPress instance can also be installed on the same server). In order to access the documentation, the user must also be authenticated, and this is currently done using a WordPress plugin.
Now I want to make the authentication process common for all, i.e. a user comes to the web application, logs in to use the application, and can then click the 'documentation' link within the application and be automatically logged into WordPress as well. How can I implement this?
I have had to do something similar before where a user had to click a link in an email and it automatically logged them in.
I added the following to my theme's header.php:
global $wpdb;
if (!is_user_logged_in())
{
    if (isset($_GET['u']) && !empty($_GET['u']))
    {
        $u = $_GET['u'];
        // Find the user whose md5(login + secret phrase + email) matches the value in the URL
        $result = $wpdb->get_row($wpdb->prepare("SELECT * FROM {$wpdb->users} WHERE md5(concat(user_login,'SOMESECRETPHRASE',user_email)) = %s AND user_login != 'admin'", $u));
        if (isset($result->ID) && isset($result->user_login))
        {
            wp_set_current_user($result->ID, $result->user_login);
            wp_set_auth_cookie($result->ID);
        }
    }
}
The user's login link is created by adding /?u=".md5($user_login."SOMESECRETPHRASE".$user_email) to the end of the link.
They will then automatically be logged into wordpress as the correct wordpress user.
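A hardened form of the login-link idea above, and of handing a raw session id to the blog in the URL as in the first script on this page, as an added PHP example that is not code from any of the posts: the link carries an HMAC-signed payload with an expiry and a single-use nonce instead of a static hash or a session id. The function names, the secret and the `$seen` array (a stand-in for shared storage such as a database table) are assumptions.

```php
<?php
// Added example, not code from the posts. Function names, the secret and the
// sample login are hypothetical / constructed.

function sso_b64url(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function sso_make_token(string $login, string $secret, int $ttl = 60, ?int $now = null): string {
    $payload = sso_b64url(json_encode([
        'u'   => $login,
        'exp' => ($now ?? time()) + $ttl,   // short lifetime limits replay
        'n'   => bin2hex(random_bytes(8)),  // nonce makes every link unique
    ]));
    // Keyed MAC over the payload, so the link cannot be altered or forged.
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Returns the user login on success, null on any failure.
function sso_verify_token(string $token, string $secret, array &$seen, ?int $now = null): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time MAC check before parsing anything taken from the URL.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;
    }
    $pad  = str_repeat('=', (4 - strlen($payload) % 4) % 4);
    $data = json_decode((string) base64_decode(strtr($payload, '-_', '+/') . $pad, true), true);
    if (!is_array($data) || !isset($data['u'], $data['exp'], $data['n'])) {
        return null;
    }
    if (($now ?? time()) > $data['exp'] || isset($seen[$data['n']])) {
        return null;                        // expired, or link already used
    }
    $seen[$data['n']] = $data['exp'];       // single use; keep this in shared storage
    return $data['u'];
}

// Constructed demo: one valid use, one replay, one tampered link, one expired link.
$secret = 'constructed-demo-secret';
$seen   = [];
$token  = sso_make_token('alice', $secret, 60, 1000);
var_dump(sso_verify_token($token, $secret, $seen, 1030));
var_dump(sso_verify_token($token, $secret, $seen, 1030));
var_dump(sso_verify_token('x' . $token, $secret, $seen, 1030));
var_dump(sso_verify_token(sso_make_token('alice', $secret, 60, 1000), $secret, $seen, 2000));
```

On the WordPress side the returned login would be resolved with `get_user_by('login', ...)` before calling `wp_set_auth_cookie()`, and the link should only travel over HTTPS.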