Laravel 5.7 session flash message for login intermittently working - session-cookies

I'm using Laravel 5.7 and have successfully sorted out login and logout for users using manual authentication.
I have this in my login blade template to alert to bad credentials:
@if (Session::has('status'))
<div class="alert alert-danger text-center" role="alert">
{!! Session::get('status') !!}
</div>
@endif
This is in my controller, after determining that the username and password provided are not accepted:
$request->session()->flash('status', 'These credentials are not working.<br>Refresh and try again.');
return redirect()->back()->withInput();
When it works, I get the status message and the username is provided. The thing I can't figure out is what happens next. I've tried all of the following, and sometimes the message will display again, and sometimes it won't. It has never shown more than twice in a row. And once it doesn't show, it seems not to show for a while.
Enter in a different password (while username has already been inputted)
Refresh browser, and try both again
change username, and then enter password
Even when I clear cookies, it does not seem to make any difference. I have double-checked my cookie and session settings in the .env and config files. I'm getting no error messages. I'm using database sessions with MySQL. I used migrate to build the sessions table.
Sessions noted in the database are not inappropriately duplicating. The last activity field is updating appropriately.
When I view the session cookie in Chrome, it's changing after every submission. I don't mean the XSRF-TOKEN, I mean the session cookie. I'm surprised it's changing.
I'm thinking my code is okay but I have a setting wrong somewhere. Where should I look?
UPDATE: If I check "Disable cache while DevTools is open" then it works much better. I can submit bad credentials, and it will show the message and the username is in the field. If I enter the password and submit it redirects to a clean login, no message, no data.
If I get the message and then manually refresh the browser to a new login, I will get the message again probably half of the time. But then I will attempt the same thing again (refresh, try again) and get multiple redirects to the login page again with no data/message.
Final Resolution:
I changed session handling to file.

Instead of flashing, try redirecting with the message:
return redirect()->back()->with('status', 'These credentials are not working.<br>Refresh and try again.');
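What both snippets in the question and answer do is put the message into the session's flash bucket: RedirectResponse::with() is a shorthand that calls the session's flash() for you, so the two forms store the same thing. What decides whether the message is visible is Laravel's flash aging: at the end of every request that touches the session, "new" flash keys become "old", and keys that were already "old" are forgotten. The message therefore survives exactly one subsequent request; any extra request in between (a second redirect hop, a second tab, a refresh) consumes it, which matches the "sometimes it shows, sometimes it doesn't" symptom. The stand-alone PHP model below (added here; it is not the poster's code nor Laravel's own source, and the class name FlashSession and the handleRequest helper are assumptions) reproduces that aging with the same '_flash.new' / '_flash.old' keys the Illuminate session store uses. It also escapes the message when rendering, which the original {!! !!} template does not; that is fine while the text is a server-side constant, but becomes a stored XSS the moment user-controlled input (such as the submitted username) is flashed into it.

```php
<?php
// Added example (not the original poster's code, not Laravel's source): a
// stand-alone model of how Laravel's session store ages flash data.
// FlashSession and handleRequest are assumed names for this demo; the bucket
// keys '_flash.new' and '_flash.old' mirror Illuminate\Session\Store.
declare(strict_types=1);

final class FlashSession
{
    /** @var array<string, mixed> */
    private array $data = ['_flash.new' => [], '_flash.old' => []];

    // Equivalent of $request->session()->flash() and, through
    // RedirectResponse::with(), of redirect()->with(): store the value and
    // mark the key as "new" flash data for the next request.
    public function flash(string $key, $value): void
    {
        $this->data[$key] = $value;
        $this->data['_flash.new'][] = $key;
        // A re-flashed key must not be dropped by the next aging pass.
        $this->data['_flash.old'] = array_values(array_diff($this->data['_flash.old'], [$key]));
    }

    public function has(string $key): bool
    {
        return array_key_exists($key, $this->data);
    }

    public function get(string $key, $default = null)
    {
        return $this->data[$key] ?? $default;
    }

    // What the StartSession middleware does when it saves the session at the
    // end of every request: forget keys that were already "old", then age
    // the "new" keys into "old".
    public function ageFlashData(): void
    {
        foreach ($this->data['_flash.old'] as $key) {
            unset($this->data[$key]);
        }
        $this->data['_flash.old'] = $this->data['_flash.new'];
        $this->data['_flash.new'] = [];
    }
}

// One simulated request: run the "controller", then let the middleware age
// the flash data exactly as it would after a real HTTP response.
function handleRequest(FlashSession $session, callable $controller): ?string
{
    $rendered = $controller($session);
    $session->ageFlashData();
    return $rendered;
}

// The login view. Unlike the {!! !!} template in the question, this escapes
// the message, so a future change that flashes user input cannot inject HTML.
$loginView = fn (FlashSession $s): ?string =>
    $s->has('status') ? htmlspecialchars((string) $s->get('status'), ENT_QUOTES, 'UTF-8') : null;

$session = new FlashSession();

// Request 1: POST /login with bad credentials -> flash and redirect back.
handleRequest($session, function (FlashSession $s): ?string {
    $s->flash('status', 'These credentials are not working. Refresh and try again.');
    return null; // 302 response, nothing rendered
});

// Request 2: GET /login -> the message is available exactly once.
$first = handleRequest($session, $loginView);

// Request 3: any further request (F5, a second tab, an extra redirect hop)
// -> the message is gone.
$second = handleRequest($session, $loginView);

printf("first render:  %s\n", var_export($first, true));   // the escaped message
printf("second render: %s\n", var_export($second, true));  // NULL
```

Run it with `php flash_demo.php`. If a request legitimately sits between the flash and the page that should display it (for example a second redirect), call `$request->session()->reflash()` or `$request->session()->keep(['status'])` in that intermediate handler so the data survives one more aging pass.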

Related

Instagram login error: "This page could not be loaded. If you have cookies disabled in your browser..."

I have an Instagram social login implemented and it was working as expected until a few days ago. Now when you try to log in, just after the user inputs their username and password, the web view shows an error related to disabled cookies. I have not changed anything on my side... It is happening on both the iOS and Android platforms.
I've tried to log in using VPN to a non Europe country and the login works as expected... Have any of you encountered this issue?
This is the error I get:
Error
This page could not be loaded. If you have cookies disabled in your browser, or you are browsing in Private Mode, please try enabling cookies or turning off Private Mode, and then retrying your action.
Facebook have now resolved the issue as per the issued bug report previously mentioned by @user1017674
https://developers.facebook.com/support/bugs/406930029718049/
They didn't provide details on what caused the bug, but now it seems like you will be redirected to the new design of the Instagram login form rather than the classic one.
You need to go to the Instagram home page first and click "allow cookies". After that open the link in the password reset email again.
What helped in my case was going to the homepage, site settings, and allowing "Unsafe content". Reload after changing, and repeat the normal procedure with the last password you entered that you now want to be your actual password - and it worked.

Ruby on Rails: Prevent users back to login form after logged in successfully

Ok. I have a login page. After I enter the email and password correctly, it redirects me to the user profile. When I hit the browser back button, it also redirects to the user profile, which works fine. But the problem arises when, let's say, I enter the email or password wrongly; it says "email/password incorrect", and when I enter them correctly the second time it redirects me to the user profile, but when I hit the browser back button, the page shows "Confirm form resubmission". This doesn't make sense.
"Confirm form re-submission" has nothing to do with Rails. This is Chrome trying to help you and/or your users.
A POST request is by definition an operation that alters data. Executing a POST a second time, unintentionally, may mess things up. Imagine paying twice for the same product.
As Rustam A. Gasanov pointed out in his comment, you really shouldn't bother much with the behavior of the back button in this case.

Modx Revolution - New user cannot login

I'm trying to create a new user in MODX REVOLUTION 2.3.0 but for some reason, the user cannot access the manager area. I tried to clear every bit of cache as well as made sure the password was created by the system (the email has been sent) and that the user belongs to the Users group.
Strangely, when looking at the user settings, it says that the user has made some 10 logins, but in reality, he has not.
When I type a wrong password, I get the wrong password error message, when I type a correct password, the input field gets cleared and nothing else happens.
Any idea how to solve this?
Thanks.
It seems that the user doesn't have access to the mgr context. Any user needs the «frames» permission to get access to the manager.
Try to update user's data and make him a sudoer. It'll help to understand if wrong permissions cause the problem.
Exactly. Like @proxyfabio said, he needs access to the manager. To at least assess if the user login works, give him temporary SUDO rights. If that works, work your way from the ground up.
Make sure an Access Policy Template and Access Policy are created. Make sure the policy contains "frames" and that it is checked at the Policy Template edit screen. Next, PLEASE, make a separate Role, like "Customer". Go into the Administrator group (or again, PLEASE, create a Customer group) and head on over to the Users tab. Add the User to the group with the Role Customer - "your level" (I usually use increments of 500 or 1000).
Under Context Access, add the user to the mgr context with the specified role and your Customer policy. Do the same for web if you wish to avoid any in-depth issues.
Finally, save your settings, flush your permissions, clear your cache and optionally flush your sessions table (you can also delete cookies for the browser you're using). When you've done all that, create an Incognito tab in Chrome or Firefox to avoid issues and try the login again.
I have somewhat the same issue if I try to log in as a duplicate manager user from an Android phone: the login count goes up, a wrong password gives an error and a correct password just refreshes the login page.
However logging in from a computer works. Initially it didn't...
Here are my steps:
Duplicate manager user
Set new password
Login fails
Click forget login for e-mail
Login successfully (computer) with the new generated password
Change original password to original password!? :D
Login works everywhere except my phone

why is jsessionid cookie allowing user to access member content even though credentials are wrong?

So, I think it is because of the JSESSIONID cookie that is causing the problem, but not too sure, here goes.
Basically, users are required to enter a special token when logging in. But somehow users are able to access the private/member pages even without entering that token.
So user enters credentials minus the token, errors pops up, user ignores it. Of course since there is that error, user is not directed to the members pages. BUT user can manually type in the specific member page and get access to it.
user goes to mysite.com/home
user enter username/password, no token --> error pops up
user ignores the error pop-up, enters mysite.com/member/home manually and gets access to it
I believe it is the jsessionid; once I remove that cookie the access to the member pages is gone as well.
Any ideas?
Actually, it is not jsessionid that is causing the issue, but some weird servlet doing weird stuff...

Authlogic perishable tokens - are they browser specific?

I have an odd bug on one of my sites. I use authlogic for all the login-related stuff, including a password reset process which works as follows:
First, the user types in their email address and hits a button to send a reset password link. In the subsequent action i do this:
user.reset_perishable_token!
user.host = request.host_with_port
token = user.perishable_token
'token' goes into a link in the email they are then sent, which has this format:
<domain name>/users/edit_password?id=1670&token=y1j6k__imXOajyNGq8DN
where id is the user's id and token is the token i just generated.
On the action that the email link points to, i do this:
@user = User.find_using_perishable_token(params[:token], 1.day)
And on the basis of whether @user is blank or not, I decide whether the token is valid and they can go ahead and change their password. Generally that's working fine, but I have a problem where if someone generates the reset email in one browser, then receives the email in another browser and clicks on it (thus opening the 'edit_password' page in browser B), the link is decided to be invalid.
I can't think why the browser would make a difference. I thought of it being due to system time maybe but that would be the same in both browsers right?
Grateful for any thoughts - max
Shouldn't make a difference. Be sure that you don't save the user after sending the perishable token - the perishable token will be changed on saving.
