Michael, posted July 9, 2013:

Thank you Scott Horsley, MemoryX2 and Paul for the support and help, as I had a few mistakes. Please make sure you remember the link to your customer area for this.

Please be careful, this step is very important. Go to /config/blesta.php and find the following line, just at the bottom of the page:

    Configure::set("Blesta.csrf_bypass", array());

and replace it with:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

The link below must be the link to your client area. We've edited the link ourselves by editing the file /config/routes.php:

    <form method="post" action="http://billing.licensecart.com/customers/login/">

Then, after the custom code edits (the hard bit for a few people), simply copy the rest of the code below:

    Username: <input type="text" name="username" value="" id="login_username" /><br />
    Password: <input type="password" name="password" value="" id="login_password" /><br />
    <input type="submit" name="login" value="Login" class="btn" />
    </form>

You can use class="btn" if you are using the Bootstrap framework on your website. So the final code should look something like:

    <form method="post" action="http://billing.licensecart.com/customers/login/">
    Username: <input type="text" name="username" value="" id="login_username" /><br />
    Password: <input type="password" name="password" value="" id="login_password" /><br />
    <input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
    </form>

That will now allow users to log straight into your billing system. You can use target="_blank" on the form to open it in a new tab.

Using Bootstrap and wish to use the posh modal? Just edit the code below:

    <!-- Button to trigger modal -->
    <li><a href="#login" role="button" data-toggle="modal">Login</a></li>

    <!-- Modal -->
    <div id="login" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal" aria-hidden="true"><i class="icon-remove text-error"></i></button>
        <h3 id="myModalLabel">Billing Area Login</h3>
      </div>
      <div class="modal-body">
        <form method="post" action="http://billing.licensecart.com/customers/login/" target="_blank" style="width: 200px; margin: 0 auto 0 auto;">
          Username: <input type="text" name="username" value="" id="login_username" /><br />
          Password: <input type="password" name="password" value="" id="login_password" /><br />
          <input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
        </form>
      </div>
      <div class="modal-footer">
        <button class="btn btn-danger" data-dismiss="modal" aria-hidden="true">Close</button>
      </div>
    </div>

Good luck with your great layout and the best billing system.
Paul, posted July 9, 2013:

I'm pretty sure you will need to disable CSRF tokens for the login page in the config file.
iAlex, posted July 9, 2013:

> I'm pretty sure you will need to disable CSRF tokens for the login page in the config file.

I thought this, as surely the point of the token is that it changes?
Michael (author), posted July 9, 2013:

> I thought this, as surely the point of the token is that it changes?

> I'm pretty sure you will need to disable CSRF tokens for the login page in the config file.

I'm not sure, haha. It lets me log in via that token.
Paul, posted July 9, 2013:

> I'm not sure, haha. It lets me log in via that token.

It changes with each new session. In config/blesta.php look for this line:

    Configure::set("Blesta.csrf_bypass", array());

You can add controllers and actions to this array to bypass CSRF checks. For the client login it should be array('client_login::index'), so the following should work:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));
Michael (author), posted July 9, 2013:

> It changes with each new session. In config/blesta.php look for this line:
>
>     Configure::set("Blesta.csrf_bypass", array());
>
> You can add controllers and actions to this array to bypass CSRF checks. For the client login it should be array('client_login::index'), so the following should work:
>
>     Configure::set("Blesta.csrf_bypass", array('client_login::index'));

Thank you.
Kenneth, posted July 19, 2013:

Do you have code for using the modal login from an image button? I think it's a stupid question, but I am not a web designer.
Michael (author), posted July 19, 2013:

> Do you have code for using the modal login from an image button? I think it's a stupid question, but I am not a web designer.

Try this, mate:

    <!-- Button to trigger modal -->
    <a href="#login" role="button" class="btn" data-toggle="modal">Login</a>

    <!-- Modal -->
    <div id="login" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal" aria-hidden="true"><i class="icon-remove text-error"></i></button>
        <h3 id="myModalLabel">Billing Area Login</h3>
      </div>
      <div class="modal-body">
        <form method="post" action="http://billing.licensecart.com/customers/login/" target="_blank" style="width: 200px; margin: 0 auto 0 auto;">
          Username: <input type="text" name="username" value="" id="login_username" /><br />
          Password: <input type="password" name="password" value="" id="login_password" /><br />
          <input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
        </form>
      </div>
      <div class="modal-footer">
        <button class="btn btn-danger" data-dismiss="modal" aria-hidden="true">Close</button>
      </div>
    </div>
Bit Bayou, posted July 20, 2013:

> It changes with each new session. In config/blesta.php look for this line:
>
>     Configure::set("Blesta.csrf_bypass", array());
>
> You can add controllers and actions to this array to bypass CSRF checks. For the client login it should be array('client_login::index'), so the following should work:
>
>     Configure::set("Blesta.csrf_bypass", array('client_login::index'));

So this turns it off altogether for client login? Not sure I'd like that idea.
MemoryX2, posted July 21, 2013:

> So this turns it off altogether for client login? Not sure I'd like that idea.

Personally I want to still be able to use CSRF.
Bit Bayou, posted July 21, 2013:

I had made a bot once that would access the page in question to get the CSRF token for use elsewhere. pfSense.org uses it, and I made a custom version of their software so my company can manage hundreds of hotel guest networks. After installing the first 10 or so, I figured there had to be a better way! While in Blesta's case this might be overkill, I had made a script that turned the original pfSense install into my flavor. The script did things like create and manage folders, transfer files over SCP, set cron tasks for special commands, and make changes in the admin interface (that's where I had the CSRF problem), so the script first accesses the page like normal to get the token, then posts the form with the specific data and the CSRF token it received. It works great, but I'm not sure I like that for this either.
cosname, posted September 25, 2013:

Hi! You can also get _csrf_token by using a plugin and the API (with the Blesta SDK), so you just fetch the CSRF record and place it anywhere you want to! I posted details as separate posts here: http://www.blesta.com/forums/index.php?/topic/1107-login-and-redirect-client-user-from-custom-website-to-billing-website/?p=9077
turner2f, posted November 18, 2016:

Not certain if this modification works anymore, since it was posted in 2013. I looked inside the /config/routes.php file and did not find "form method":

    <form method="post" action="http://billing.licensecart.com/customers/login/">

Is there another way for the Blesta version in 2016?
Michael (author), posted November 18, 2016:

> 12 minutes ago, turner2f said:
>
> Not certain if this modification works anymore, since it was posted in 2013. I looked inside the /config/routes.php file and did not find "form method":
>
>     <form method="post" action="http://billing.licensecart.com/customers/login/">
>
> Is there another way for the Blesta version in 2016?

The bit in routes.php is only if you changed "client" to something else, like I did. I don't use the default client route (client); I use "customers".
Stu, posted March 14, 2017:

Thanks for this, just what I needed. I have added an HTML front page to my Blesta install that has a modal login. I have made the recommended change in blesta.php:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

I have modified the action URL for my login form as follows:

    <form method="post" action="https://mysite.com/client/login">

Everything is now working fine. I have 2 questions.

1. Is this safe to do? Obviously CSRF tokens are there for a reason, so is disabling them like this safe?

2. When I log out from the client area I am taken back to /client/login. Am I able to change this behaviour so the client is taken to /index on logout?

Thanks everyone.
Paul, posted March 14, 2017:

> 24 minutes ago, Stu said:
>
> 1. Is this safe to do? Obviously CSRF tokens are there for a reason, so is disabling them like this safe?

Most CSRF attacks are to perform actions as an authenticated user. For example, the form that creates a new admin in Blesta would be a good target for a CSRF attack, but you'd have to be logged in and have CSRF disabled for it to work. If I had to pick a page to disable CSRF for, it'd be an unauthenticated page, like the login form.

> 24 minutes ago, Stu said:
>
> 2. When I log out from the client area I am taken back to /client/login. Am I able to change this behaviour so the client is taken to /index on logout?

It might be possible by modifying the code. I don't have an example off the top of my head for you though, and I probably wouldn't recommend changing the core. Might be a good feature request though, to be able to set where the user is directed after a logout.
Stu, posted March 14, 2017:

> 22 minutes ago, Paul said:
>
> If I had to pick a page to disable CSRF for, it'd be an unauthenticated page, like the login form.

So in doing this:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

am I just disabling it for the login action? Then CSRF is still enabled for the session within the client area for all subsequent actions after?
Paul, posted March 14, 2017:

> 53 minutes ago, Stu said:
>
> Am I just disabling it for the login action? Then CSRF is still enabled for the session within the client area for all subsequent actions after?

Yes, that's correct. CSRF is still enabled everywhere else.
Stu, posted March 14, 2017:

> 18 minutes ago, Paul said:
>
> Yes, that's correct. CSRF is still enabled everywhere else.

Ah ok, I didn't realise that. Well, there's no problem with that at all then. Thanks for the help and advice, Michael and Paul.
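The three points the thread arrives at (the bypass list only exempts the named controller::action, every other action still needs the session's token, and Bit Bayou's fetch-then-post approach works against a protected action without disabling anything) can be shown with a small model of a per-session CSRF check. This is an added example, not Blesta's code and not from any of the posters above. The `_csrf_token` field name is the one cosname mentions; the `check_csrf`, `render_form` and `extract_token` helpers, the hidden-input markup, and the placeholder route `example_protected::index` are assumptions made for the illustration.

```python
"""
Added illustration (not Blesta's code): a minimal model of a per-session CSRF
check with a "controller::action" bypass list, in the style of the
Blesta.csrf_bypass setting discussed in this thread.
"""
import hmac
import secrets
from html.parser import HTMLParser

# Mirrors Configure::set("Blesta.csrf_bypass", array('client_login::index'));
CSRF_BYPASS = {"client_login::index"}

# Placeholder name for some protected action; not a real Blesta route.
PROTECTED_ROUTE = "example_protected::index"


class Session:
    """One user session; the token is random per session, as Paul describes."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def check_csrf(session, route, form):
    """Return True if a POST to `route` carrying the fields `form` may proceed."""
    if route in CSRF_BYPASS:
        return True  # the bypass applies only to the listed controller::action
    supplied = form.get("_csrf_token", "")
    # constant-time comparison of the submitted token with the session's token
    return hmac.compare_digest(supplied, session.csrf_token)


def render_form(session, route):
    """Hypothetical markup a framework would emit for a protected form."""
    action = "/" + route.replace("::", "/")
    return (
        f'<form method="post" action="{action}">'
        f'<input type="hidden" name="_csrf_token" value="{session.csrf_token}" />'
        '<input type="text" name="username" value="" />'
        "</form>"
    )


class _TokenFinder(HTMLParser):
    """Pull the value of the hidden _csrf_token input out of an HTML page."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "input" and attrs.get("name") == "_csrf_token":
            self.token = attrs.get("value")


def extract_token(html):
    """Return the _csrf_token value found in `html`, or None if there is none."""
    parser = _TokenFinder()
    parser.feed(html)
    return parser.token


def demo():
    """Run the four scenarios from the thread and return their outcomes."""
    session = Session()
    # Constructed external login form, exactly the fields Michael's HTML posts.
    external_login = {"username": "alice", "password": "hunter2", "login": "Login"}
    results = {}

    # 1. External login form, no token, bypassed action: accepted.
    results["login_no_token"] = check_csrf(session, "client_login::index", external_login)

    # 2. The same token-less form aimed at a protected action: rejected.
    results["protected_no_token"] = check_csrf(session, PROTECTED_ROUTE, external_login)

    # 3. Fetch-then-post: load the page, scrape the token, then submit with it.
    page = render_form(session, PROTECTED_ROUTE)
    scraped = extract_token(page)
    results["protected_scraped_token"] = check_csrf(
        session, PROTECTED_ROUTE, {"_csrf_token": scraped, "username": "alice"}
    )

    # 4. A token lifted from a different session is rejected.
    other = Session()
    results["protected_foreign_token"] = check_csrf(
        session, PROTECTED_ROUTE, {"_csrf_token": other.csrf_token}
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Scenario 3 is what Bit Bayou's pfSense script does and what cosname's plugin approach achieves through the API: obtain the current session's token first and include it, so nothing needs to be added to the bypass list. Scenario 4 is why the token has to come from the same session that will submit the form.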
Ziaur Rashid, posted September 27, 2017:

How do I set up external sign-up and password reset? I need documentation with code.