URL of page that required login in Symfony2 - symfony

I've got a Symfony2 site where I would like to display extra information on the Login page depending on the URL that the user is trying to access. I'm using "use_forward". Is there a way to see the URL in the login form's controller?
I guess I could set up multiple firewalls pointing at different login pages, but there could be quite a lot of them, so I'd rather avoid having to do this.

If you want something "proper" then look at the answers to this question.
OR
If you want to do it quick and dirty you can use:
$this->container->get('request')->server->get('PHP_SELF');
Which will yield something like /project_name/web/app_dev.php/controller_name/ and you can work with that string, but take into account that it will change depending on the environment you are working on. The Request class documentation will be your ally in this, i.e.:
$this->container->get('request')->getBasePath()
Will give you /project_name/web/

You can try to look for this URL in some places:
$url = $request->get('_referer');
If it is empty, then you could try to check the headers
$url = $request->headers->get('Referer');
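Putting the two answers together, here is an added example (not code from the answers above) of a Symfony2 login action that reads the URL the visitor was trying to reach and picks an extra message from it. It assumes a firewall named "main" and a template name of your own; the session key is the one Symfony2's security ExceptionListener writes before it forwards to the login form.

```php
<?php
// Added example, not code from the answers above: a Symfony2 login action that
// looks up the URL the visitor was trying to reach before landing on the form.
// Assumptions: a firewall named "main" and a template name of your own; the
// session key is the one Symfony2's security ExceptionListener writes.
namespace Acme\DemoBundle\Controller;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\SecurityContext;

class SecurityController extends Controller
{
    const FIREWALL = 'main'; // assumption: use your own firewall name
    public function loginAction(Request $request)
    {
        $session = $request->getSession();
        // 1. Preferred source: the protected URI saved by the exception listener.
        $target = $session->get('_security.' . self::FIREWALL . '.target_path');
        // 2. Fallback: the Referer header; the client controls it, so it is a hint only.
        if (!$target) {
            $target = $request->headers->get('Referer');
        }

        // Keep only the path of a same-host URL and strip the environment-specific
        // prefix (/project_name/web/app_dev.php) so the check works in dev and prod.
        $pathInfo = null;
        if ($target) {
            $parts = parse_url($target);
            $sameHost = empty($parts['host']) || $parts['host'] === $request->getHost();
            if ($sameHost && isset($parts['path'])) {
                $pathInfo = $parts['path'];
                $base = $request->getBaseUrl();
                if ($base !== '' && strpos($pathInfo, $base) === 0) {
                    $pathInfo = (string) substr($pathInfo, strlen($base));
                }
            }
        }

        // Choose the extra message from the sanitized path; never echo the raw URL.
        $hint = 'Please log in to continue.';
        if ($pathInfo !== null && strpos($pathInfo, '/admin') === 0) {
            $hint = 'Administrator credentials are required for this area.';
        }

        return $this->render('AcmeDemoBundle:Security:login.html.twig', array(
            'error' => $request->attributes->get(SecurityContext::AUTHENTICATION_ERROR),
            'hint'  => $hint,
        ));
    }
}
```

The target path is only used to select a message; it is deliberately not used as a redirect target, since the Referer fallback is client-supplied.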

Related

How to hide the actual url which include query string?

I want to replace the URL which includes a query string so the end user is not able to see the original path of the web page. What can I do?
Either:
Use HTML forms with POST instead of regular links or GET forms.
Alter the address bar on the client side with JavaScript, but users can bypass this if they know how to and it's kind of sketchy.
Save the state and redirect from the backend if possible in your environment, though this is an ugly method as well imo unless it's a one-time thing because of people landing on your page from some external link.

wp_set_auth_cookie not working in wordpress

I want to set a user as logged in when he fulfills some requirements, and I'm using the following function to set cookies, in which I'm passing the user's id as parameter according to the wp_users table. But somehow it's not setting the user as logged in. What's missing and what should I do to set the user login? Also I want to log out the user on some conditions. Both functions are not working.
wp_set_auth_cookie(1)
wp_clear_auth_cookie();
You're most likely calling these functions after all headers have already been sent to the browser, so in effect you can't send the logged-in cookies to the browser.
The most common error for this is that you try to log in a user when rendering a shortcode - this will not work in most cases (certain server configurations will allow this, but it's best not to rely on it).
You can hook to the init action and move your logic in there, together with the call to both wp_set_auth_cookie() and wp_clear_auth_cookie().
Use the following code:
wp_set_current_user($user_id);
if (wp_validate_auth_cookie() == FALSE) {
    wp_set_auth_cookie($user_id, true, false);
}
Reference wp_set_auth_cookie and wp_set_current_user
I faced a similar issue and worked on solving it for a couple of days.
My solution was pretty interesting, I found out that the wp_clear_auth_cookie function was not working for me if it was called in a regular GET request.
I was able to make it work only if I called it inside of a POST request.
I found this behavior weird and no other reference can be found to this on the web.
I hope it will help you guys.
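The "hook it to init" advice above, as an added example that is not code from the question or answers: both the login and the logout run before any output, and a headers_sent() guard makes the original failure visible in the log instead of silent. The "requirement" is constructed for the example (a one-time token issued earlier by your own code and stored hashed in user meta); the meta keys and the query parameter name are assumptions.

```php
<?php
// Added example, not code from the question or answers: run the login/logout
// logic on the init hook, before any output, so the auth cookies can still be
// sent. The "requirement" is constructed: a one-time token your own code issued
// and stored hashed in user meta; meta keys and the query parameter are assumed.
add_action('init', 'my_plugin_conditional_auth');

function my_plugin_conditional_auth() {
    if (headers_sent($file, $line)) {        // too late for Set-Cookie
        error_log("my_plugin: output already started at $file:$line");
        return;
    }
    // Logout condition, e.g. a flag set on the account by an administrator.
    if (is_user_logged_in() && get_user_meta(get_current_user_id(), '_my_plugin_revoked', true)) {
        wp_logout();                         // clears the auth cookie
        wp_safe_redirect(home_url('/'));
        exit;
    }
    if (is_user_logged_in() || empty($_GET['my_plugin_token'])) {
        return;
    }
    $user_id = my_plugin_user_for_token((string) wp_unslash($_GET['my_plugin_token']));
    if ($user_id > 0) {
        wp_set_current_user($user_id);
        wp_set_auth_cookie($user_id, true, is_ssl());
        wp_safe_redirect(admin_url());       // a redirect also avoids a stale page
        exit;
    }
}

// Map a presented token to a user id, or 0. The stored form is sha256(token) so
// a database leak does not expose usable tokens; each token is single use.
function my_plugin_user_for_token($token) {
    $ids = get_users(array(
        'meta_key'   => '_my_plugin_login_token',
        'meta_value' => hash('sha256', $token),
        'number'     => 1,
        'fields'     => 'ID',
    ));
    if (empty($ids)) {
        return 0;
    }
    $user_id = (int) $ids[0];
    $expires = (int) get_user_meta($user_id, '_my_plugin_login_expires', true);
    delete_user_meta($user_id, '_my_plugin_login_token');
    return ($expires > time() && get_userdata($user_id)) ? $user_id : 0;
}
```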

Symfony - Restrict QueryParams

Is there a way to force Symfony to throw a 404 if there are some extra params?
For example, I have the route /news/ and I want to allow only a date parameter. So a link could exist in this form: /news/?date=243242, but I want a 404 if the user enters the following link: /news/?param=2?
Thanks.
(I don't want to check query params in controller, I know I can)
Do you really need these to be GET params? You could meet your objective by having them as values in the URL itself, e.g.
@Route("/news/date/{date}")
Slightly different, I know - but you can enforce it.
Why do you care about the extra params anyway? If some nasty user decides to play with the URL directly, your app is not supposed to behave correctly.
Don't bother with all these checks — unless those params somehow affect security.
Based on your comment, you want to respond with 404 to get rid of duplicate content in Google. There are several steps you need to take to solve that problem.
If a user enters an extra parameter manually, that would in no way add a page to the Google index. So, if you're having duplicate pages based on different params in the Google index, it means that you have links with those extra params on your site. That's how they end up being indexed.
First thing you could do would be to get rid of those links. Then you could go to the Google Webmaster Tools and manually remove the indexed pages with those extra parameters from the index. If you don't have the problematic links anymore, they won't get to the index again.
If for some reason you can't get rid of those links, go to the Webmaster Tools and consult the URL Parameters section to understand how to add parameters that Google should ignore.
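For the case where you do want the framework to answer 404 without touching the controller, here is an added example (not code from the answers) of a kernel.request listener that rejects query parameter names the matched route did not declare. Routes opt in through an "_allowed_query" default, a convention assumed by this example, so untouched routes keep their current behaviour.

```php
<?php
// Added example, not code from the answers: a kernel.request listener that
// answers 404 when the query string carries names the matched route did not
// declare. Routes opt in through an "_allowed_query" default, a convention
// assumed by this example, e.g. in routing.yml:
//   news:
//       path: /news/
//       defaults: { _controller: AcmeDemoBundle:News:index, _allowed_query: [date] }
// and the listener is tagged { name: kernel.event_listener, event: kernel.request }.
namespace Acme\DemoBundle\EventListener;

use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Symfony\Component\HttpKernel\HttpKernelInterface;

class QueryParamWhitelistListener
{
    // Default priority (0) runs after the RouterListener (32), so the
    // route defaults have already been copied into the request attributes.
    public function onKernelRequest(GetResponseEvent $event)
    {
        if (HttpKernelInterface::MASTER_REQUEST !== $event->getRequestType()) {
            return; // forwards/sub-requests inherit the decision of the master request
        }
        $request = $event->getRequest();
        $allowed = $request->attributes->get('_allowed_query');
        if (!is_array($allowed)) {
            return; // route did not opt in, leave it alone
        }
        $extra = self::unexpectedParams($request->query->keys(), $allowed);
        if ($extra) {
            // 404 rather than 400: a URL with those names is not a page of this
            // site, which is also what search engines need to drop the duplicate.
            throw new NotFoundHttpException(
                'Unknown query parameter(s): ' . implode(', ', $extra)
            );
        }
    }

    // Pure helper so the rule is easy to unit test: names present but not allowed.
    public static function unexpectedParams(array $present, array $allowed)
    {
        return array_values(array_diff($present, $allowed));
    }
}
```

With the routing above, /news/?date=243242 passes and /news/?param=2 (or /news/?date=1&param=2) gets a 404 before the controller runs.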

What's the correct way to hide/prevent access to wp-admin

I've been dealing with this matter for a while; I have read a ton of articles and stuff out there but I couldn't find a place that shows the RIGHT way, standard, correct, whatever you like to call it, to prevent access to my wp-admin or wp-login.php.
On all WordPress sites I see (the well made ones) you will never see anything if you type thesite.com/wp-admin.
As I could see, one way to do this is by restricting access to that folder by creating an .htaccess file and restricting access to the folder by IP. It seems to be the "cleanest" way to do it. What I'm not sure about is that I have a dynamic address provided by my ISP, so at a certain time my IP will change, which will force me to also change the .htaccess to my new address; I don't see that as practical. I can set a range also, but by doing that I will also authorize access to all people within that range of IPs (other clients of my ISP, for example).
I'm then struggling to find the best/standard way to do this.
Can anyone help me?
Thanks
From this Codex discussion - this blog article claims to provide a solution for renaming wp-admin. I haven't tested it, but it does seem to have worked for people.
However,
This hack has its drawbacks.
The “edit” link on your posts will no longer work. You may want to remove it from your theme.
The admin link on your side bar will no longer work. You may want to remove it from your theme.
The standard login link will no longer work. Instead, use a bookmark as it will redirect you back to your hidden login page after you finish logging in.
As an alternative, there's also the option of adding an Apache .htaccess password dialog on top of the wp-admin login. That won't hide it, but it will provide another (albeit annoying) layer of security.
I'm not aware of a good .htaccess way to limit access IP-wise if you have a dynamic IP, or want to access the site from different networks.
I think it would be possible to work your way around the drawbacks described above by adding filters for admin_url (or possibly even site_url if you just check the $path parameter).
This is pretty much untested but will probably be a good starting point:
function my_admin_url($url = null, $path = null, $blog_id = null) {
    // This is our `wp-admin` replacement.
    // Probably wiser to use a filter/function for this, so that you can
    // do it dynamically by checking for the actual directory or something.
    $custom_admin_dir = 'my-admin';

    // Remove filename.php
    if (!empty($path)) {
        $url = dirname($url);
    }
    // Remove wp-admin
    $url = dirname($url);
    // Build up a new URL
    $url = trailingslashit(trailingslashit($url) . $custom_admin_dir) . $path;

    return $url;
}
add_filter('admin_url', 'my_admin_url', 10, 3);
Also, if you're on a network site you might want to take the $blog_id parameter into account and/or do the very same thing for the network_admin_url filter.
There is an article on how to secure wp-admin. It also has its drawbacks, since it gets overwritten every time you update WordPress, but it gets the job done.

How do I make a beta access page like the one on superuser.com?

I'm working with ASP.Net MVC and I would like to make a web site accessible via the internet, but only to a select few people right now. I want to do something basically exactly like the beta access page with a password, just like they did on stackoverflow, serverfault, and superuser.
I don't just want to check and redirect in the home controller, I want it to always go there no matter what url is used.
Anyone know how they do it?
I don't know enough about MVC in particular, but it would probably mean creating a base controller and overriding OnActionExecuting or OnAuthorization.
I'd create a custom filter that extended AuthorizeAttribute. That way you can put it on the controllers/actions you wanted, and remove it easily enough. Since it's essentially a decorator, you would be playing nice with the Open/Closed principle too.
If you override AuthorizeCore you can check session/cookie/whatever for the login and if that passes, run the base AuthorizeCore too.
The easy way is to put something in the user's session. Run a check either on the master page or in an HTTP handler to see if this session is correct or not. If not, redirect to the password capture page. When the password is provided then set the session variable... voilà, they are in.
If you want to remember them then also drop a cookie and add that to your check as well.