In my wordpress site i wants to add an additional step in user login.
Means After user enter username and password successfully. He/she has to enter the security question answer which is enter by the user at the time of registration.
Till he/she has not enter the correct answer is not able to access rest of the page.
I can able to redirect the user after login to security question answer page but here he/she can access all other pages without going any security validation.
Please suggest how to restrict user to access all other the pages before validating the security question answer page.
Why don't you let them answer all 3 questions in one form? That way you could verify the security question first and check for the right password/log-in immediately afterwards.
You could start here and build in the security step yourself: http://natko.com/wordpress-ajax-login-without-a-plugin-the-right-way/
WordPress by itself does not provide such functionality of multi-factor authentication. Just redirecting the user after login process to security questions page will not work as the user is already authenticated and cookies are set in the browser. So the user can browse any authenticated URL without answering the security questions.
What should be done is to delay the authentication process of the user until the validation of security questions so that the authentication cookies are not set in our browser.WordPress has several free plugins that provide this functionality.
miniOrange 2-factor authentication plugin in WordPress directory enables to implement this feature easily. The user will have the option to set the security questions in the settings page of the plugin. These questions are presented in a single form after the login process. Without validating these answers users will not be able to navigate to any post-login page even if the URL is correctly entered.
It is better to go for such trusted plugins rather than creating the functionality from the scratch. This plugin is free to use after registration.
Check this guide to add security question in a few simple steps.
I have an existing Wordpress site. The plan is to rebuild the site using the cakePHP framework. Due to time restrictions, I want to replace individual sections of the Wordpress site one at a time. This will mean that both apps will be running side by side for a certain period of time. I need to control access to the cakePHP app using the authorization provided by Wordpress. I'm not sure the best way to go about doing this. I've seen similar questions asked a lot, but I have not yet found a clear solution.
I'm thinking about two approaches:
Plan A:
Configure Cake to look for Wordpress's authorization cookies.
configure Cake to look at Wordpress's database.
Borrow some of Wordpress's authorization logic to teach Cake's Auth component how to authenticate WP users.
Plan B:
set up an authorization API on my Wordpress site.
set up separate auth component in cake.
ping the WP endpoint when a user hits a protected page in the cake app and then manually log in the user. (This would create a second set of auth cookies)
Do either of these sound like the right approach? Is there a better way to do this?
Helpful references: Article about Cake session handling, Cake Auth component documentation, Cake Auth tutorial, brief overview of WP authorization, a more in depth look at wordpress authorization
UPDATE
We've started working on this, and it seems like it will work, but there is a very tricky aspect involving password hashing that warrants its own question. If you're following this thread, you may want to have a look.
I once had a similar situation: Cross framework authentication zend + codeigniter which was few months ago...
Anyways, this is what I will prefer:
set up an authorization API on my Wordpress site.
set up separate auth component in cake.
ping the WP endpoint when a user hits a protected page in the cake app and then manually log in the user. (This would create a second set of auth cookies)
Here, I would suggest a slight change which is do-able.
Make sure, you have a token system of SSO. As in, when person is logged in on Wordpress, set another cookie which will have a token: Token will be username + password (hashed) + secret key, which will be same between Wordpress and CakePHP. On either site, look up for cookie and manually log the user in or just perform a database look up. Hashing is important for that cookie!
However, if the site is using different domains, you might need to re-strategize:
I had different domains once. At the login or unauthorized page, I would ping the other website and bring up their login box. On the other website if the user is logged in, they get post login page and if request URI has sent a token, we perform normal operation and return the authorized token to this (current) domain.
In simple words:
Site A = WordPress & Site B = CakePHP
Site B hits a page where authorization is required then, ping Site A for a login (as it happens when u do Login-with-Facebook sort), which will request via a Token (private key) and REQUEST_URI which will be part of SSO verification table on Site A, if person is already logged in then, Site A will return (via POST) a token, which further will be decrypted via (private key) of Site B and log the user in. Private key of B and A will be same.
Hope this was understandable.
Questions? :)
Answer to your questions in comment:
Ideally, why we use SSO? We use it because of many constraints. For example: You have a database of say... a million row with more than thousand tables, you need to add a module over ur huge app already... so, instead, you will use another database... SSO will return user information, which can further be replicated. For example, when you click on 'Login with Facebook', it returns requested information, like email address, or user's name or even profile picture. Which can further be added to our database... Keeping different databases is strongly recommended :)
To your 2nd and 3rd question: Should both sites reference the same users table in the database? different databases is recommended unless, you are using the same data. Or say changing the software platform.
Should I copy the site-specific user rows into separate user tables for each app? Yes, that should happen automatically. Once you are registered on a main site, nothing happens, things should happen once you are logged in already and then go to site B... Once logged in, user info can always be requested :) That way, new site will have active users ! 2 birds?
Don't complicate (bother) yourself with how what works but, concentrate on how, what is achievable in short period. SSO - Logged in - Restricted page - Look out for log ins - Either login - If already logged in - fetch user info - If user info exists - login via secondary site OR set the new user info . Done!
We developers love flow charts! Don't we? I just created one:
Further answers:
Does the "Fetch User Info" stage mean that we take the user info from the site which is logged in, and create a new user (row) automatically in the other site?
Ideally, you will ask permission from the user before they 'allow' their info to be used but, it varies how your privacy policies are.
In other words, one site handles all the registration/user-creation and the other site just waits for that user to show up and trigger automatic creation. OR at the moment a user registers on the one site, BOTH databases get a user row inserted?
one site handles all the registration/user-creation and the other site just waits for that user to show up and trigger automatic creation. You can have both. Sign up on your website and also a trigger based automatic creation. Depends on your strategy. OR at the moment a user registers on the one site, BOTH databases get a user row inserted? That would be a horrible practice! It will kill the motive of SSO. Motive of SSO is to create an auth family which can be used by users so that they do not have to register every now and then for different websites. update only one database at a time and other when required :)
Questions? :)
I have done this once. I don't have the snippets and/or any references to anything. But thought it might be helpful.
Configure WP and CakePHP both to use same session, you can do this by session id and session name,
When User registers for your website, register them using both WP and CakePHP,
Choose one framework that will handle login view from the front end. I had chosen CakePHP as I was more proficient with it, once the login is successful locate the same user in other framework's DB and authenticate the user using their authentication system.
Hope this helps !!!
Suggestions:
If you are building a closed system, meaning you have to be signed in to access anything useful in the site, then you can use CAS . I know it's used by mainly universities, but for closed systems it works.
( If you need to handle anonymous users the suggestions below might help)
Keep it simple and, similar to Part A of your plan, have a cookie ( visible by both cake and wordpress ) that simply states if a user is logged in. The cookie should be created/checked by both cake and WP. Cake does not need to look at WP's DB. The cookie can have information on how the users in each system are mapped.
Have a central login screen, this is similar to what CAS does. But please build your own. CAS does not handle anonymous users. I am currently creating a central login screen for work. It's simple. The central login screen will handle all authentication and create the cookie visible to both WP and cake. This would mean that the login link for WP and cake will redirect a user to a common page. The link will need to provide a callback URL so that after the user authenticates successfully, he is redirected back to the original service. You will need to decide on a central DB for user authentication.
The cookie approach has following bonus:
It's a lightweight solution and can be wrapped with an on/off switch. In WP, simply wrap the cookie logic with a wp_options value.
You can use WP's and cake's authentication system. no need to work with API's and/or sessions. No need to couple applications by looking at each other's DB.
You can keep roles and permissions native, meaning WP will work with it's own roles and permissions system and your cake application will work with it's system.
Adding a new "service" to your platform is as simple as "create/check for a cookie" then use the system out-of-the-box auth system to log the user in.
Single Sign On is as simple as creating a cookie. Single Sign Off would be deleting the cookie.
I can definitely go into more detail on each suggestion if you're interested.
On Drupal 6 I am attaching a file to a node. This can be done using the core upload module or as a CCK field (What ever will achieve the permissions issue).
I would like anonymous users to be able to see the file, but once they click on it to be prompted to login or register. Once logged in (or registered) then to be taken to either the same page they started on or start the download.
Not really sure where to start on this (related to the permissions and then the eventual redirect).
One method that i would do is in the template files detect if there is a userid variable (To indicate they are logged in), if there is show the link to the file - if they are not then to send to the login/registration page. I can store the link they wanted in the user session. But then how would i detect their registration is complete and redirect them to the page/file?
Ideally there is a module (which I am still hunting around for) that does this task!
Basically, you just need to set the destination parameter, this works for the basic login/registration form. If you however require something like email confirmation for registration, then it's going to be a lot more complicated.
Example Links:
user/login?destination=download_url
user/register?destination=download_url
There is also an API function that will automatically generate the destination part for the current URL: http://api.drupal.org/api/drupal/includes--common.inc/function/drupal_get_destination/7.
I'm currently building a site where I want anonymous users to see a page which talks about what the site is about, but shows no content. It only offers two options
Register
Login (username & password field)
Once the user logs in, they should be redirected to a specific frontpage.
I tried using drupal/front module, but that did not work. Anynmous access was always shown as access denied
I think I could LoginToboggan to redirect authenticated users but not sure what to do about the frontpage.
thanks
When you say that you want the front page to show now content you really just mean you only want to show static copy right?
One way to do this is with views and the context module.
Create blocks with views of the content that you want to hide.
Create some regular blocks from the blocks menu.
The magic happens with the context module. It lets you set up custom rules for which blocks to display where and when. You can set it so that some blocks show up for anon users and other blocks show up for authenticated.
Set it up so that the static copy that talks about the site shows up for anon users along with the login block.
You can tell context module load whatever content you need on the home page with views generated with blocks.
Set up context module to load all of your blocks for you instead of drupal's core block system.
I'm sure you could do this somehow with panels too, but I couldn't tell you how.
Make sure that the page you are redirecting to is accessible for anonymous users. The most likely reason for your acess denied message is that anonymous users do not have permission for that page.
You could also try the Rules module to redirect after login.
Checkout my response to a similar question answered on Drupal.org. I'll repost here as well:
http://drupal.org/node/1962546
I also used Context but with a few other items to help.
I've done this, not with Facebook or LinkedIn however but with another
login based site.
Required modules: Omega theme Context Delta Views Some type of access
control Custom version of r4032login
How I did it: All content is locked down. r4032login redirects all non
logged in users to login, even if they try to get to a certain page.
Create a new delta: In here I have create a content region and shown
only what I need (custom login page).
Context Checks User Role must be anonymous user It then has a rule to
activate a delta, which is basically a copy of your theme
functionality: (Homepage login)
The login is set to forward the user to /frontpage which is a view, it
requires authenticated permissions to view. Once a user is logged in,
the redirect module forwards to the /frontpage (main page) and
permissions are verified and they're in.
If you need more details let me know. This is more of a complex
implementation I have in place but I'm sure there are also others
interesting in doing it.
I'm working on a Drupal 6 module to provide OAuth-based user authentication and registration. I'm already using the OAuth module to authenticate as described on http://oauth.net/core/1.0a/#anchor9. The next step is to create the user account using information provided after authentication using an custom API of the Service Provider.
According to http://drupal.org/node/497612#comment-3047302, I should not use user_external_login_register() but see the OpenID module for how to properly login an external user.
After studying the OpenID module, here is what I plan to do:
Try to load an existing user for a authname build from the custom API result using user_external_load().
If a user exists, use user_external_login() to log the user in.
If not, pretend the registration form has been submitted (like openid_authentication() does) to create a new user account. And redirect to a pre-filled form if any additional information is needed in order for the user to register.
Is this the right way to do it ? Is there another module worth looking at for how to this properly in addition to OpenID ?
You could have a look at the former Drupal module. That module did two entirely different things (hooray for the architecture :)).
* It puplished information to a central "who runs Drupal" directory. (and offered a page to show such a directory yourself!)
* It allowed login with credentials from other Drupal-sites.
The latter is what you are looking for. Note that the module was discontinued, not because the method for logging in was done wrong, but because the DrupalID mechanism itself is flawed. It has been replaced with openID and oauth.
http://drupalcode.org/viewvc/drupal/drupal/modules/drupal/drupal.module?hideattic=0&view=markup
The hooks and methods you would be looking for (in that order) are:
drupal_form_alter -- Adds validate-callback to the login forms.
drupal_form_user_login_alter -- Adds information about alternative login on login form.
drupal_distributed_validate -- Validation callback: calls drupal_auth to see if the user is valid. If so, calls user_external_login_register
drupal_auth -- Helper for validation callback: determines if the credentials are valid.
All other functions are either helper functions for these, or provide that directory-feature, or allow remote sites to authenticate against our database. Neither of which you will be using.