cakephp auth session regeneration - cakephp

We are using Cakephp framework version 2.0.6
The site is "supposed" to allow an anonymous user to "add to cart."
We are using the session id (using cake's native session class) to store the anonymous user's information in a db table.
When the user goes to checkout, then we want to ask "are you a current member? If so, click yes to login or no to create an account."
ISSUE:
Regardless of what they choose, the user either then has to login, or create a new user/pass (and then login) which is causing cakephp to regenerate a session ID. This is making it impossible in the new session to grab what that user added to the cart when they were anonymous just 5 minutes prior. In other words, the anonymous user's session id changes between when they are anonymous and after they login/create-user, making it impossible to identify their cart post-login.
Is there a way to prevent cakephp from regenerating a session in this scenario, or a better way to accomplish what we are trying to do while still keeping our order flow (ie: anonymous being allow to add to cart, before login/create)?

It is this reason that shopping carts are more often than not stored in Cookies. That way you can easily retrieve the saved information post-authentication.
If you insist on using Sessions to store this data, consider setting your Security.level setting to 'low'. That should prevent CakePHP from regenerating the session ID.

Related

Best way to implement one-time feature after signup?

Note: This is likely a duplicate question but I couldn't search for a solution/suggestion for my use case, so if anyone can re-direct me, that would be appreciated.
Problem: I have a NextJS application that runs on Prisma ORM and MySQL database. I am using NextAuth for OAuth authentication for sign up and log in.
So far the application works just fine but I want to check whether a user is logging in for the first time and redirect them to a set up page whether they would input personal details in order to populate a table on the database, so that the app can form a dynamic page based on their newly added information.
On the database, there are the user table (populated by NextAuth immediately at login) and the profile table.
Under NextAuth, the user table is populated automatically with the account's user name and email etc. However, that is not a unique entry and NextJS getStaticPath requires a unique entry to generate a dynamic page. That's why I have created the profile table to allow users to add their custom username where the dynamic URL will be generated (e.g. localhost:3000/u/[slug])
Here's my question - I want to check that the user is first time logging in and send a form for them to fill out the necessary information to input data onto the profile table, otherwise they would go straight to their profile homepage. What is the best way to check that and to redirect them to that form page?
Do I do it at server side with getServerSideProps by checking that the id from user table is missing from the profile table and do a redirect? Or is there some method that's customarily used to implement this "initial set-up" procedure?

Firestore: create hidden data when creating new document

I'm adding a new document every time a user is logged in with Google authentication and that user does not exist in firestore.
What I want is to add a 'USER' role when creating this new USER.
I was expecting to do this outside the react application so it can not be hacked into creating different types of users by calling the Firestore api.
At first I thought of a function but now they are only allowed by having a paid plan.
Thanks in advance for the help.
If you want to implement a role-based access control to your Firestore database, the recommended approach is to use Custom Claims. This indeed requires using the Admin SDK via Cloud Functions or a server you own.
Activating Cloud Functions indeed requires entering the details of a credit card but there is a free tier which allows up to 2M invocations/month for free. So, unless your app is very popular, you'll be only billed for each container required to deploy a function but this is a negligible cost of few tenths of $.
If you don't have any credit card, there is another solution: using some Firestore documents to declare the users roles, as explained here in the doc.
I wanted to add this as a comment but I guess you could make use of the firestore rules to make sure that the role value sent by the client is always set to user and not anything else or you could make sure that this USER role added it a boolean value and in the rules make sure he can only edit his own document this way he won't be able to change his role even if he set it to false it won't give him a different role

Maintain user session in same browser in react

I am working on a web app that follows dual user-role type: Admin and Investors. I need to disable two users (be it admin type or investor type) to log in simultaneously on a website, which is opened within the same browser but different tabs.
Irrespective of their role type, at a time, either user A(admin) or user B (Investor) can log in. I am using localStorage for this purpose, storing two different key names for admin and investor.
I am new to handling sessions this way. Also, my code is quite big and nested, so I am unable to paste the snippet out of it here.
Any help even regarding how I can follow this approach, will be appreciable.
There are different approaches for handling sessions in client side of your web app, such as cookies and local storage.
In your case I think you should store your app user type and session ID in local storage like this:
s_id: admin_54759eb3c090d83494e2d80494e2d80
So before login app will check for s_id availability in local storage or not. Then in your app login flow you can decide to logout previous user and replace new session ID or just prevent from new login.
But I'd rather to use cookies. One benefit could be setting expiration time for session. For more info check out here.

Wordpress site protection with unique password for every user

How can we develop a voting website based on Wordpress where the landing page is login and password protected and logins and passwords are based on a preloaded database of users. The idea is to create a page for employees where they can enter after they provide the individual credentials. It cannot be based on a system where they register - their data should already be in a database.
I am assuming that you do not want different user roles for different users. If that is the case then you will need to create a function in your theme's functions.php file that will check if user is logged in using is_user_logged_in() and if not, redirect them to login page. In order to work around the problem of every user registering on site by themselves, you can create another piece of code that will iterate user details from a csv file, register them and set each user's password.
The reason for this suggestion/approach:
All the users are registered in your WP Users list so your passwords are not easily stolen.
You can assign custom user roles and capabilities later down the line if you wish.
You can do single or bulk addition of user down the line without redoing the same amount of efforts every time you need to add users.
You do not risk breaking the database structure in WP which is decently optimized.
Now do understand that you will need to leverage object caching and work using pre_get_posts to manage the large size of site.
Good Luck!!

Create unique id per computer and use it as identifier when no user is logged in

I am trying to create a web app that would submit ratings to some articles. The backend is django and frontend is angularjs.
A rating is a model with the following properties: rater, value, and article
I would like to let anonymous users to submit ratings, in which case, the rater is null, but a sessionid is attached to the rating object to identify where this rating comes.
Currently, I am using the session module from django, and attaching session_key attribute to each rating object. However, this has issue that the session changed if a valid user is logged in and logged off.
What I would like to have is to have a unique identifier for each computer from which the rating is created, and attach this id to the object. So, as long as no user is logged in, the objects created by one computer, regardless of refreshing, rebooting, loggin+logout, etc., share the same identifier.
By doing this, my ultimate goal is to allow anonymous user using the App as if he/she is always logged in. In another word, each computer is a unique "implicit user" when no real user is logged in.
My question is that, is there a way to achieve this?
Thank you in advance!
LocalStorage
Anonymous users can't be tracked perfectly.
Best you can do in my opinion is using localStorage:
localStorage.setItem('anonymous-key', 'some-key-you-generated');
and then whenever no user is logged in:
var anonymousKey = localStorage.getItem('anonymous-key');
Persistence
Local storage stays saved until the user specifically clears it. Some browsers may also add a expiry date to your data for safety reasons.
See also: https://developer.mozilla.org/nl/docs/Web/API/Window/localStorage

Resources