Login With Curl To Blesta.

[AllToolKits.com]

I was trying to login to blesta with curl post, butcan't get it working. Anybody did it earlier. Is it possible to do. I am doing this for a bridge for blesta.

[Michael]

I was trying to login to blesta with curl post, butcan't get it working. Anybody did it earlier. Is it possible to do. I am doing this for a bridge for blesta.

 

Not sure what a Curl Post is but is it like this: http://www.blesta.com/forums/index.php?/topic/510-login-form-outside-blesta/

[Paul]

If you are trying to login to do a loginshare or something, you might want to check out events - http://docs.blesta.com/display/dev/Event+Handlers

[AllToolKits.com]

What i am trying to do is, there is must be a way to login to belsta from another webapplication.   We can login to whmcs from joomla using curl.

So that user can browse whmcs pages without leaving joomla. We are trying to do same for blesta. But csrf token is preventing me from doing that.

[Michael]

What i am trying to do is, there is must be a way to login to belsta from another webapplication.   We can login to whmcs from joomla using curl.

So that user can browse whmcs pages without leaving joomla. We are trying to do same for blesta. But csrf token is preventing me from doing that.

 

check post #2.

[AllToolKits.com]

@CubicWebs

Thanks, but i don't want to add or modify any code in blesta. Without touching any code in blesta, i must be able to login using curl or submitting a form.

csrf token must be on too.

 

Is it possible?

[Paul]

@CubicWebs

Thanks, but i don't want to add or modify any code in blesta. Without touching any code in blesta, i must be able to login using curl or submitting a form.

csrf token must be on too.

 

Is it possible?

 

Disabling CSRF tokens on the login page is just a configuration file change, and will eliminate CSRF as an obstacle to logging in in a non-standard way.

[AllToolKits.com]

Do you think asking customer to disable the CSRF token is good? 

[AllToolKits.com]

one funny thing is that whmcs too have this token, but curl works even if you provide any value for it.

[Michael]

one funny thing is that whmcs too have this token, but curl works even if you provide any value for it.

It's generated by blesta and changes every time you refresh. Therefore its hard to implement it outside blesta and blesta is secured enough so there's no need to worry.

[Cody]

one funny thing is that whmcs too have this token, but curl works even if you provide any value for it.

 

WHMCS does not validate CSRF tokens on login.

[Cody]

Do you think asking customer to disable the CSRF token is good? 

 

Paul is referring to disabling CSRF token validation for the client login page only. Disabling CSRF token validation on a login form does not introduce any security vulnerabilities. At best an attacker that knows a particular user's login credentials could trick that (or another) user into logging into that system. Of course, if your login credentials are known to an attacker you have bigger problems to worry about.

[AllToolKits.com]

So for developing joomla bridge for blesta, you all agree asking the blesta user to disable csrf token for client login page?

As i want to login to blesta from joomla, how about proceeding like that?

[Cody]

There are a number of ways shared login could be handled using a plugin. I mentioned one of them in another thread. Using a plugin would be the most preferable way as it would not require any changes in Blesta. But for those who don't want to or can't create a plugin, disabling CSRF check on client login is the best solution.

 

Another simple way of implementing shared login through a plugin would be to have the plugin generate a unique, time-restricted token for a given user, then redirect the user to the plugin with the token (which could then forward the user to a separate page), or perform an AJAX request on the plugin URL.

[AllToolKits.com]

Hi thanks for the reply.

 

So i have two options

 

1)Disable the CSRF check on client login is the best solution.

2)Create a plugin to generate token for a user. Use API from joomla to get the token. in this way we can implement login with token too.

 

Am i right?

[Cody]

Plugin coming on Monday. See this thread.

[AllToolKits.com]

Great news   That will save my time. Thanks