I'm using Plone 4.1 and would like to create a cookie for my whole domain (.site.com) when a user logs in on the web site. This cookie will be read by other sites/applications in my domain. Alternatively changing "__ac" to apply to the domain instead of www.site.com.
I've seen from other questions that setCookie(...) would do it. I would like to create the cookie on a successful login. Where would be a good place to do this?
Thanks for your help, I'm new to Plone programming.
You can set the domain in the session plugin (controlling the __ac cookie).
Go to the ZMI via the Site Setup control panel:
Find the acl_users folder:
Inside of this folder is a session object:
This in turn has a Properties tab:
On that tab, there is a Cookie domain field:
Here, fill in your .site.com domain and hit Save Changes.
Related
I am working on an application running on IBM Websphere 8.0.
Whenever I append ibm_security_logout?logoutExitPage=<any other website or domain>, the session gets terminated and the user is redirected to the other website.
I am fine with session getting destroyed, but I do not want the user to be redirected to any other website mentioned after the logoutExitPage parameter.
Could anyone help me with this?
Let me know if more information is required.
Make sure you applied the latest fix pack. This was fixed in 8.0.0.1, which only allowed pages from the same website. If you need to go to external sites, you have to configure the following parameters:
By default the URL to the logout page should point to the host to which the request was made or its domain. Otherwise, a generic logout page is displayed. If you need to point this URL to a different host, then you need to set the com.ibm.websphere.security.logoutExitPageDomainList property in the security.xml file with a list of URLs that are allowed for the logout page. You can choose to allow any logout exit page to be used by setting the com.ibm.websphere.security.allowAnyLogoutExitPageHost property to a value of true. Setting this property to true might open your systems to potential URL redirect attacks.
For more details check Customizing web application login
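The check the quoted documentation describes, written out as an added example (not WebSphere's code and not part of the original answer): a logout exit page is honoured only when it is a local path, the host the request was made to, or a host on a configured list; anything else gets the generic logout page. The function name, `GENERIC_LOGOUT_PAGE` and the exact-host matching rule are assumptions of this sketch.

```python
from urllib.parse import urlsplit

GENERIC_LOGOUT_PAGE = "/logout.html"   # assumed path of the generic page


def resolve_logout_exit_page(exit_page, request_host, allowed_hosts=()):
    """Return exit_page if it is a safe redirect target, else the generic page.

    request_host is the bare host name the logout request was sent to;
    allowed_hosts plays the role of the configured domain list.
    """
    if not exit_page:
        return GENERIC_LOGOUT_PAGE
    # Browsers read "\" as "/" and drop tabs/newlines, so "/\host" or a
    # URL with embedded whitespace can leave the site; refuse such input.
    if "\\" in exit_page or any(ord(c) <= 0x20 for c in exit_page):
        return GENERIC_LOGOUT_PAGE
    try:
        parts = urlsplit(exit_page)
        host = parts.hostname          # lower-cased, userinfo and port removed
    except ValueError:                 # e.g. malformed IPv6 literal
        return GENERIC_LOGOUT_PAGE
    if not parts.scheme and not parts.netloc:
        # Local path: exactly one leading slash. Browsers collapse "///host"
        # into "//host", which is another site.
        if exit_page.startswith("/") and not exit_page.startswith("//"):
            return exit_page
        return GENERIC_LOGOUT_PAGE
    if parts.scheme not in ("http", "https") or not host:
        return GENERIC_LOGOUT_PAGE
    trusted = {request_host.lower()} | {h.lower() for h in allowed_hosts}
    # Exact comparison: "app.example.com.evil.example" and
    # "app.example.com@evil.example" both fail it.
    return exit_page if host in trusted else GENERIC_LOGOUT_PAGE
```

Leaving `allowed_hosts` empty gives the same-site-only behaviour; each entry added to it is a host the logout URL can send users to.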
I want to implement a login section in WP in such a way that it also logs me in to the CodeIgniter site, which is a sub-directory in my site. These two sites (WP|CI) run in parallel. If a user logs in to WP, then he will automatically be logged in to the CI portal too. Assuming the same user name and same password are used.
Any suggestions are most welcome.
If they are on the same domain you can simply check for the needed cookies and confirm that data for a logged in user.
http://codex.wordpress.org/WordPress_Cookies
You can check these cookies through the CI Cookie library or simply by checking the $_COOKIE var, but you still need to verify this info with the WordPress database.
Once I visit an ecommerce website and then go to some other website, I see the items that I visited on the 1st ecommerce website. I want this technique to be implemented on my website too. What is this technique called and how can I implement this?
Any help would be appreciated.
Poor man's single sign-on? The basic technique is quite simple: you have one root cookie domain like 'www.cookie.com', and a cookie like "ID" on that domain.
On your ecommerce page, include JavaScript that will check if the cookie "LocalID" exists in the page; if it doesn't, add a reference to
<script src="www.cookie.com"></script>
This script will be served by an .ashx handler on the www.cookie.com domain, with this behavior:
1) if no cookie value for "ID" exists, create a new "ID" cookie and assign it a random GUID
2) send back the script
3) this script will set the cookie "LocalID" to have the same value as the "ID" cookie (the handler on www.cookie.com will generate the JavaScript dynamically)
That's pretty much it; you can now rely on the LocalID cookie to be unique for the same user (more precisely, browser with cookies turned on) across different websites on every ecommerce domain implementing this. Now you just need some persistent storage to which your applications have access (web service, database) and use the LocalID cookie as the key for retrieving/persisting the user profile.
Our ASP.NET website is very consistent internally in using the same URL structure to change pages.
For example: https://mysite.org/page1.aspx to http://mysite.org/page2.aspx.
We use Session variables to keep track of a user's logged in state. Our specific problem is that a user set up a shortcut pointing to the login page as https://www.mysite.org/LoginPage.aspx. The Session variable is set to LoggedIn=True.
The login page then sends the user to the Homepage http://mysite.org/homepage.aspx.
The server creates a new session and the logged in session variable is no longer available to the new session. How do we fix this?
You should configure your web server to redirect all requests from www.example.com to example.com (or vice-versa).
This prevents the situation from occurring in the first place.
Here is the scenario...
I have a site:
http://internet.com
and I set a token(cookie, something like that) from http://internet.com when a user has SUCCESSFULLY logged in.
I also have http://web.internet.com.
On http://web.internet.com I want to display data to users that have that token/cookie/etc available to them.
Here is the use-case
user logs into http://internet.com (asp.net framework hosted on different server - this is our primary product that requires a subscription / username & login )
user then has access to a section that is hidden from public view on http://web.internet.com (WordPress site hosted on GoDaddy - this site contains a knowledge base that we do not want to make public unless they have done [XXXXX] )
both sites are hosted independently of each other and do not share a common username and password
======
Another scenario is to set up WordPress to allow a specific section as a JSONP response, but only if the user is logged in at http://internet.com, to allow the user to have access to the JSONP response located at http://web.internet.com
Any ideas from you beautiful people?
It really depends on the level of security you require. You can log a user in to a WordPress site without a password by using wp_set_auth_cookie; however, if you are just validating that a user is logged into the ASP.NET site and then using JSONP to load a page that sets the auth cookie, it will work, but you definitely have some security gaps.
A better solution would be to set a domain level cookie for .internet.com with a token that can be read by any server in your domain. The WordPress site could then check is_user_logged_in(), and if not, take that cookie value and make a back end call to the ASP.NET site to verify its authenticity, and then call wp_set_auth_cookie(). A simple web service would likely be the best option. You would still need some level of mapping between usernames on the ASP.NET and WordPress sites, however, to know which user_ID to pass.
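A sketch of the token flow this answer describes, as an added example rather than code from the original post: the login site issues a signed, expiring token for the `.internet.com` cookie, and the verification function stands in for the back-end call the WordPress side makes before wp_set_auth_cookie(). The cookie name `sso_token`, the token layout, `USER_MAP` and all function names are assumptions, and Python is used only to keep the example self-contained.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET = secrets.token_bytes(32)   # known only to the issuing (login) site
USER_MAP = {"alice": 17}           # constructed: login-site name -> WordPress user ID


def _mac(payload: bytes) -> bytes:
    return base64.urlsafe_b64encode(hmac.new(SECRET, payload, hashlib.sha256).digest())


def issue_token(username, ttl=900, now=None):
    """Called by the login site after a successful login."""
    expires = int((time.time() if now is None else now) + ttl)
    payload = f"{username}|{expires}".encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _mac(payload).decode()


def cookie_header(token):
    # Domain=.internet.com sends the cookie to every host under the domain,
    # so keep it short-lived, HTTPS-only (Secure) and hidden from page scripts.
    return ("Set-Cookie: sso_token=" + token +
            "; Domain=.internet.com; Path=/; Secure; HttpOnly; SameSite=Lax")


def verify_token(token, now=None):
    """Back-end check on the login site: return the username, or None."""
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body)
        username, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (AttributeError, ValueError):
        return None                                   # malformed token
    if not hmac.compare_digest(sig.encode(), _mac(payload)):
        return None                                   # forged or altered
    if (time.time() if now is None else now) >= expires:
        return None                                   # expired
    return username


def wordpress_user_id(token, now=None):
    """What the WordPress side needs before it may call wp_set_auth_cookie()."""
    return USER_MAP.get(verify_token(token, now))
```

Because the signing key never leaves the login site, a host elsewhere under `.internet.com` that can read the cookie can replay it until it expires but cannot mint a token for another user.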