Shared login credentials

178 Posts

bobd72 Reply #1, 8 years, 11 months ago

Hello all,
Using Revo 2.3.3
I have a problem on a club website I run.
Currently I use Login for username and password validation on the Modx site. I then pass the username to a remote asp site encrypted in the url which logs the user onto that site without having two login processes. Both sites can then be accessed by the user.
I am now faced with a change of remote sites where this will no longer work as the site providers will not cooperate ( beyond my control ).
I can use a HTML form on the club Modx site where the user puts in their username and password and this logs them on to the remote site on a new page.
However, I want to avoid users having to log on in two different places with two different passwords but the same username.

Is there any way that I can capture the username from the form for the remote site (just a simple html form) and use it to log the member on to the Modx site in the background and have a time managed automatic logout? I would be happy to do this without a password (or a common password for all) as this would remove the problem of syncing passwords, and completely remove the Modx login form.

24,544 Posts

BobRay Reply #2, 8 years, 11 months ago

You might be able to use JavaScript to make an Ajax call to a processor on the MODX site that logged the user in in code. You wouldn't need a password for this or a login form on the MODX site. I think the use would stay logged in as long as that session existed (iow, until they close the browser). I'm not sure it would work.

The problem is that *anyone* who entered a legitimate username on the remote site would be logged in to the MODX site, even if they enter the wrong password (or no password) on the remote site. If they guess your MODX username, they would be super users on the MODX site and would have access to the Manager.

If you have the users use the same password on both sites, you could send both in the Ajax call and check before logging them in. You'd probably want to encrypt the username and password before making the Ajax call and decrypt them in the processor before authenticating the user. I would also put a check in the processor that disallowed logging in by members of the Administrator group.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

178 Posts

bobd72 Reply #3, 8 years, 11 months ago

Thanks for the response Bob,
I had hoped that perhaps someone else had dealt with this problem - maybe not

My feeling was that this may best be dealt with using PHP sessions? That way I may be able to capture the user details from the form directing to the remote site and use them to log them on to the Modx site without any additional user input?

24,544 Posts

BobRay Reply #4, 8 years, 10 months ago

I think the login snippet will function as a web service, so it should be possible to redirect a user to a login page with the credentials in the URL and have them seamlessly logged in and forwarded with no user input, but I've never done it.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

178 Posts

bobd72 Reply #5, 8 years, 10 months ago

Thanks again bob,
Yes - I use a script that does similar to that with a shared key now, but the problem now is that I now need to log in first to a remote page with credentials which are stored on their server, not mine. Hense the need to log onto my server with the same username and perhaps a common password in the background. If I am able to do this with a session they will be automatically logged out when the browser is closed I think?

24,544 Posts

BobRay Reply #6, 8 years, 10 months ago

Yes, I think when the browser is closed, their session will be invalid and they'll be effectively logged out.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

178 Posts

bobd72 Reply #7, 8 years, 10 months ago

I'm struggling with this - perhaps someone can help.
I have created a chunk which contains the form for logging into the remote site and call the form in a page with [[!$MyForm]]
This works and I am logged on to the remote server in a new window as it uses target="_blank".
I have written a snippet to capture the Username from the form and place it in a session variable then show the session variable on the page so that I know it has been captured as below:

<?php
if (isset($_POST['Submit'])) { 
 $_SESSION['user'] = $_POST['user'];
return $_SESSION["user"];
echo "Username is " . $_SESSION["user"] . ".<br>";
 }
?>

I am calling this after the form:
[[!$MyForm]]
[[!MySnippet]]

However, all I get when I enter the Username and Password in the form and click submit is the login page with no change (the remote page has opened logged on correctly in another window) - the username and password are still in the fields and no info is displayed by the snippet.

Obviously my code or process is incorrect?

[ed. note: bobd72 last edited this post 8 years, 10 months ago.]

24,544 Posts

BobRay Reply #8, 8 years, 10 months ago

First, add an else to the if statement so you can see if the issue is that Submit is not set.

Is the form using method="post"?

Is the submit button an input with the value 'Submit' (not 'submit')?

You might try this, to see what's in the post. It will dump the post array to the MODX Error log:

$modx->log(modX::LOG_LEVEL_ERROR, print_r($_POST, true));

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting

178 Posts

bobd72 Reply #9, 8 years, 10 months ago

This error shows up in the error log:

 [2015-06-23 05:55:07] (ERROR @ /index.php) Array
(
)

My form chunk is:

<div>
<form id="form" action="http://remote.server.com/logon.msp" method="post" name="form" target="_blank">
<div id="loginUsername"><label for="loginUsername">Username:</label><input id="action" type="hidden" name="action" value="login" /> <input type="text" name="user" value="" size="11" maxlength="32" /></div>
<div id="loginPassword"><label for="loginPassword">Password:</label> <input id="action" type="hidden" name="action" value="password" /> <input type="password" name="password" value="" size="11" maxlength="64" /></div>
<input id="submitBtn" type="image" name="Submit" value="Submit" src="../path/to/image/loginBtn.gif" alt="Submit" /></form></div>
<div> </div>

My php Snippet is:

<?php
if( isset($_Post['Submit'] )) {
$_SESSION['userLogon'] = $_POST['user'];
 echo "Username is " . $_SESSION['userLogon'];
}
else{
 $modx->log(modX::LOG_LEVEL_ERROR, print_r($_POST, true));
 }
 ?>

In my resource I call them with:

[[!$MyChunk]]
[[!MySnippet]]

Logging on to the remote server is successful but it appears the PHP code isn't executing?
[ed. note: bobd72 last edited this post 8 years, 10 months ago.]

24,544 Posts

BobRay Reply #10, 8 years, 10 months ago

You have a return statement before the output. It will never reach line 5 unless the submit value isn't set, and then it will skip the output.

Did I help you? Buy me a beer
Get my Book: MODX:The Official Guide
MODX info for everyone: http://bobsguides.com/modx.html
My MODX Extras
Bob's Guides is now hosted at A2 MODX Hosting