Login Form Outside Blesta


Michael


Thank you both Scott Horsley, MemoryX2 and Paul for the support and help, as I had a few mistakes.

 

Please make sure you remember the link to your customer area for this.

 

Please be careful, this step is very important. Go to /config/blesta.php and find the following line just at the bottom of the page:

Configure::set("Blesta.csrf_bypass", array());

and replace it with:

Configure::set("Blesta.csrf_bypass", array('client_login::index'));

The link below must be the link to your client area; we've edited the link ourselves by editing the file (/config/routes.php):

<form method="post" action="http://billing.licensecart.com/customers/login/">

Then, after the custom code edits (the hard bit for a few people), simply copy the rest of the code below:

Username: <input type="text" name="username" value="" id="login_username" /><br />
Password: <input type="password" name="password" value="" id="login_password" /><br />
<input type="submit" name="login" value="Login" class="btn" />
</form>

You can use class="btn" if you are using the Bootstrap framework on your website.

 

So the final code should look something like:

<form method="post" action="http://billing.licensecart.com/customers/login/">
Username: <input type="text" name="username" value="" id="login_username" /><br />
Password: <input type="password" name="password" value="" id="login_password" /><br />
<input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
</form>

That will now allow users to log straight into your billing system. You can use target="_blank" on the form to open into a new tab.

 

Using Bootstrap and wish to use the posh modal? Just edit the code below:

  <!-- Button to trigger modal -->
  <li><a href="#login" role="button" data-toggle="modal">Login</a></li>
<!-- Modal -->
<div id="login" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
  <div class="modal-header">
    <button type="button" class="close" data-dismiss="modal" aria-hidden="true"><i class="icon-remove text-error"></i></button>
    <h3 id="myModalLabel">Billing Area Login</h3>
  </div>
  <div class="modal-body">
    <form method="post" action="http://billing.licensecart.com/customers/login/" target="_blank" style="width: 200px;margin: 0 auto 0 auto;">
Username: <input type="text" name="username" value="" id="login_username" /><br />
Password: <input type="password" name="password" value="" id="login_password" /><br />
<input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
</form>
  </div>
  <div class="modal-footer">
    <button class="btn btn-danger" data-dismiss="modal" aria-hidden="true">Close</button>
  </div>
</div>

Good luck with your great layout and the best billing system.


I'm not sure, haha. It lets me log in via that token :)

 

It changes with each new session.

 

In config/blesta.php look for this line: 

Configure::set("Blesta.csrf_bypass", array());

You can add controllers and actions to this array to bypass CSRF checks, for the client login it should be array('client_login::index') so the following should work:

Configure::set("Blesta.csrf_bypass", array('client_login::index'));

Thank you :D


  • 2 weeks later...

Do you have code for using the modal login from an image button?

 

I think it's a stupid question, but I am not a web designer :D

Try this mate:

<!-- Button to trigger modal -->
<a href="#login" role="button" class="btn" data-toggle="modal">Login</a>
<!-- Modal -->
<div id="login" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
  <div class="modal-header">
    <button type="button" class="close" data-dismiss="modal" aria-hidden="true"><i class="icon-remove text-error"></i></button>
    <h3 id="myModalLabel">Billing Area Login</h3>
  </div>
  <div class="modal-body">
    <p><form method="post" action="http://billing.licensecart.com/customers/login/" target="_blank" style="width: 200px;margin: 0 auto 0 auto;">
Username: <input type="text" name="username" value="" id="login_username" /><br />
Password: <input type="password" name="password" value="" id="login_password" /><br />
<input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
</form></p>
  </div>
  <div class="modal-footer">
    <button class="btn btn-danger" data-dismiss="modal" aria-hidden="true">Close</button>
  </div>
</div>


So this turns it off altogether for client login? Not sure I'd like that idea?


I had made a bot once that would access the page in question to get the CSRF token for use elsewhere.

 

pfSense.org uses it, and I made a custom version of their software so my company can manage 100s of hotel guest networks. After installing the first 10 or so, I figured there had to be a better way! While in Blesta's case this might be overkill, I had made a script that turned the original pfSense install into my flavor. The script did things like create and manage folders, transfer files over SCP, set cron tasks for special commands, and make changes in the admin interface <- that's where I had the CSRF problem, so the script first accesses the page like normal to get the token, then posts the form with the specific data and the CSRF token it received.

 

It works great, but not sure I like that for this either.

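The two-step approach described in the post above (fetch the login page, read the CSRF token out of it, then POST the credentials together with that token), alongside a small model of what the csrf_bypass entry discussed earlier in the thread does, as an added Python example that is not part of this thread and not Blesta's own code. It assumes the token travels in a hidden input named _csrf_token (an assumption, not confirmed here) and that bypass entries are matched as "controller::action" strings, as the earlier reply describes. The sample login page is constructed; the live login function needs network access and is not exercised offline.

```python
import urllib.parse
from html.parser import HTMLParser

# Assumed name of Blesta's hidden CSRF field (not confirmed by the thread).
CSRF_FIELD = "_csrf_token"

# Constructed sample of a login page; not captured from a real Blesta install.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form method="post" action="/customers/login/">
<input type="hidden" name="_csrf_token" value="9f2c1a7e4b3d6e8f">
Username: <input type="text" name="username" id="login_username">
Password: <input type="password" name="password" id="login_password">
<input type="submit" name="login" value="Login">
</form>
</body></html>
"""


class _HiddenInputs(HTMLParser):
    """Collects name -> value for every <input type="hidden"> on the page."""

    def __init__(self):
        super().__init__()
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        if a.get("type", "").lower() == "hidden" and a.get("name"):
            self.hidden[a["name"]] = a.get("value", "")


def extract_csrf_token(html, field=CSRF_FIELD):
    """Return the CSRF token carried by the login page, or None if absent."""
    parser = _HiddenInputs()
    parser.feed(html)
    return parser.hidden.get(field)


def build_login_body(username, password, token, field=CSRF_FIELD):
    """URL-encoded body for the login POST, with the token included."""
    return urllib.parse.urlencode({
        "username": username,
        "password": password,
        field: token,
        "login": "Login",
    })


def csrf_check_required(controller, action, bypass):
    """Model of the csrf_bypass list: only listed 'controller::action'
    pairs skip the check; every other request still needs a token."""
    return f"{controller}::{action}" not in bypass


def login_with_token(base_url, username, password, timeout=10):
    """Live two-step login: GET the page for a token, then POST with it.
    Keeps the session cookie between the two requests. Needs network."""
    import http.cookiejar
    import urllib.request

    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = base_url.rstrip("/") + "/customers/login/"
    with opener.open(login_url, timeout=timeout) as resp:
        token = extract_csrf_token(resp.read().decode("utf-8", "replace"))
    if token is None:
        raise RuntimeError("no CSRF token found on the login page")
    body = build_login_body(username, password, token).encode()
    with opener.open(login_url, data=body, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    token = extract_csrf_token(SAMPLE_LOGIN_PAGE)
    print("token:", token)
    print("body:", build_login_body("alice", "s3cret", token))
    bypass = ["client_login::index"]
    print("client_login::index needs token:",
          csrf_check_required("client_login", "index", bypass))
    print("admin_staff::add needs token:",
          csrf_check_required("admin_staff", "add", bypass))
```

With this pattern the form on the external site can stay token-protected: the script that posts on the user's behalf reads the token from the real login page in the same session rather than the site dropping the check for that action.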

  • 2 months later...
  • 3 years later...
12 minutes ago, turner2f said:

Not certain if this modification works anymore since posted from 2013.

Looked inside the /config/routes.php file and did not find "form method".

<form method="post" action="http://billing.licensecart.com/customers/login/">

===========

Is there another way for the Blesta version in 2016?

The bit in routes.php is only needed if you changed the client route like I did; I don't use the default client route, client, I use customers.


  • 3 months later...

Thanks for this, just what I needed.

 

I have added an HTML front page to my Blesta install that has a modal login.

 

I have made the recommended change in blesta.php...

Configure::set("Blesta.csrf_bypass", array('client_login::index'));

I have modified the action url for my login form as follows...

<form method="post" action="https://mysite.com/client/login">

 

Everything is now working fine.

I have 2 questions.

1. Is this safe to do? Obviously CSRF tokens are there for a reason, so is disabling them like this safe?

2. When I log out from the client area I am taken back to /client/login. Am I able to change this behaviour so the client is taken to /index on logout?

 

Thanks everyone :)


24 minutes ago, Stu said:

1. Is this safe to do? Obviously CSRF tokens are there for a reason, so is disabling them like this safe?

Most CSRF attacks are to perform actions as an authenticated user. For example, the form that creates a new admin in Blesta would be a good target for a CSRF attack, but you'd have to be logged in and CSRF disabled for it to work. If I had to pick a page to disable CSRF for, it'd be an unauthenticated page, like the login form.

24 minutes ago, Stu said:

2. When I log out from the client area I am taken back to /client/login. Am I able to change this behaviour so the client is taken to /index on logout?

It might be possible by modifying the code, I don't have an example off the top of my head for you though, and I probably wouldn't recommend changing the core. Might be a good feature request though, to be able to set where the user is directed after a log out.


22 minutes ago, Paul said:

If I had to pick a page to disable CSRF for, it'd be an unauthenticated page, like the login form.

 

So in doing this...

Configure::set("Blesta.csrf_bypass", array('client_login::index'));

am I just disabling it for the login action? Then CSRF is still enabled for the session within the client area for all subsequent actions after?
