-
- rank:
-
Freshman
- registered:
- July 2007
- Status:
- offline
- last visit:
- 15.08.07
- Posts:
- 6
Hi all,
Hope this is the appropriate forum for my inquiry. I'm currently using PN as a backend for a project. We have a login form which was internally created and redirects + logs in a user to PN if a successful login has been found.
My question is, I'm looking to modify the source code so users cannot type in the URL explicitly of the PN FrontEnd and attempt different logins. I want to attempt doing this with sessions/cookies. If a user does not have a valid session, it should redirect them to our login portal. The same for when they logout of their current PN session.
Any hints on starting points would be greatly appreciated.
Thank you!
-
- rank:
-
Professional
- registered:
- December 2003
- Status:
- offline
- last visit:
- 21.11.08
- Posts:
- 2975
If you are using Xanthia you could add this to all your public templates (home.htm and master.htm, etc.).
Code
<head>
// your head stuff
// ...
<!--[if pnuserloggedin($loggedin) eq 0]-->
** openARROW meta HTTP-EQUIV EQUALS "REFRESH" content EQUALS "0; url=http://www.yourdomain.com/index.html" closeARROW
</head>
<div>
<p>
<h1>AmmoDump Rocks!</h1>
You need to login.. hang tight buck-a-roo!
</p>
</div>
<!--[else]-->
</head>
<!-- Thanks for viewing the source code, AmmoDump Rocks! -->
// the rest of your template
// ...
// footer
<!--[/if]-->
This should force a redirect to login, and prevent any information from being passed to the browser.
** This line is wrong to get it to show, but just use a redirect normally **
edited by: AmmoDump, Jul 05, 2007 - 10:57 PM
--
David Pahl
Zikula Support Team -
- rank:
-
Freshman
- registered:
- July 2007
- Status:
- offline
- last visit:
- 15.08.07
- Posts:
- 6
We're just currently using a base install + very customized internal modules. Everything else is pretty much bare essentials. I'm trying to figure out if it's pnAPI.php, pnUser.php or pnSession.php that I need to modify for when a user gets to http://site/user.php to redirect them if they aren't already logged in. -
- rank:
-
Professional
- registered:
- December 2003
- Status:
- offline
- last visit:
- 21.11.08
- Posts:
- 2975
Well Xanthia is part of the core, so using it should be no issue, as it should not interfere with anything. There is also a Xanthia port of the ExtraLite theme, if this is the template design you must use. Using this (xanthia) you can easily modify your templates to allow this type of extended control and flexibility. Keeping the core intact as much as possible also makes future upgrades to the system easier, as well.
Otherwise you can use the same logic as above to modify the theme.php for ExtraLite, of course using PHP conditional statements against the pnSecAuthAction and echo statements to push out your HTML to render the page or not...
--
David Pahl
Zikula Support Team -
- rank:
-
Freshman
- registered:
- July 2007
- Status:
- offline
- last visit:
- 15.08.07
- Posts:
- 6
AmmoDump,
First and foremost, I'd like to thank you profusely for your assistance, I'm learning a lot from your insight on how PostNuke works. This community is wonderful! As for home.htm and master.htm, I'm seeing multiple instances. Can you recommend a starting point?
steve-finkelsteins-computer:/usr/local/Zend/apache2/htdocs/mednotes sf$ find . -type f -iname "home.htm"
./themes/PiterpanV2/templates/modules/home.htm
./themes/pnDefault/templates/modules/home.htm
./themes/PostNuke/templates/modules/home.htm
./themes/PostNukeBlue/templates/modules/home.htm
./themes/PostNukeSilver/templates/modules/home.htm
./themes/SeaBreeze/templates/modules/home.htm
./Wddx_SDK/joust_files/home.htm
etc..
Thanks! -
- rank:
-
Professional
- registered:
- December 2003
- Status:
- offline
- last visit:
- 21.11.08
- Posts:
- 2975
Well those are all theme names, which one do you want to use.. You only need to Edit the one you want to use, disable the rest.. And for extra security, rename the Extralite/theme.php to something unusable..
--
David Pahl
Zikula Support Team -
- rank:
-
Freshman
- registered:
- July 2007
- Status:
- offline
- last visit:
- 15.08.07
- Posts:
- 6
AmmoDump,
I actually did the following in user.php and it seems to work just as intended. Do you see any possible security issues with the following?
//if (!pnUserLoggedIn() && empty($op)) {
// $module='NS-User';
// //$op='getlogin';
// $op = "loginscreen";
//}
if (!pnUserLoggedIn() && empty($op)) {
header('Location: http://www.example.org');
}
Also, should all themes not in use get disabled? Is there any documentation I can use to get apprised with all of this information?
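Added example (not part of the original posts): in PHP, header('Location: ...') only sets a response header and the script keeps running, so a login guard has to stop execution right after it. The sketch below contrasts the two behaviours; pnUserLoggedIn() is stubbed to simulate an anonymous visitor, and LOGIN_PORTAL, renderUserPage(), handleWithoutExit() and requireLogin() are hypothetical names used only for this illustration.

```php
<?php
// Added illustration, not PostNuke code. Run from the command line.
ob_start(); // buffer output so header() stays legal after earlier echo calls

const LOGIN_PORTAL = 'http://www.example.org'; // placeholder portal URL

// Stub for the demo only; PostNuke supplies the real pnUserLoggedIn().
if (!function_exists('pnUserLoggedIn')) {
    function pnUserLoggedIn() { return false; } // simulate an anonymous visitor
}

// Hypothetical stand-in for whatever user.php would normally render.
function renderUserPage() { return "<h1>Private account page</h1>\n"; }

// Variant 1: redirect header only. Execution continues, so the page body
// is still generated and sent in the same response as the redirect.
function handleWithoutExit()
{
    if (!pnUserLoggedIn()) {
        header('Location: ' . LOGIN_PORTAL);
    }
    return renderUserPage(); // still reached for anonymous visitors
}

// Variant 2: redirect and stop. The check does not depend on request
// parameters such as $op, so it applies to every request.
function requireLogin()
{
    if (!pnUserLoggedIn()) {
        header('Location: ' . LOGIN_PORTAL, true, 302);
        exit; // nothing after this line runs for anonymous visitors
    }
}

$leaked = handleWithoutExit();
echo 'without exit, body bytes generated for an anonymous visitor: '
    . strlen($leaked) . "\n";

requireLogin();
echo renderUserPage(); // never reached unless pnUserLoggedIn() returns true
```

A browser follows the Location header and never shows the body, but any client that ignores redirects still receives it, which is why the exit matters.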
-
- rank:
-
Professional
- registered:
- December 2003
- Status:
- offline
- last visit:
- 21.11.08
- Posts:
- 2975
It looks fine, but I am no Security Expert...
Ah, the documentation... There really is no definitive work.. It would seem almost impossible to do, just due to the increasing flexibility... The deeper I get into it, the more I see what is really possible. The system is very open ended... There is more than one way to do everything it seems.... Check the Wiki, search the forums, ask...
--
David Pahl
Zikula Support Team -
- rank:
-
Professional
- registered:
- December 2003
- Status:
- offline
- last visit:
- 21.11.08
- Posts:
- 2975
As far as disabling templates, they don't need to be, unless you are using permission logic in your templates, which another template doesn't have...
--
David Pahl
Zikula Support Team
