dieselb0y, Posted March 15, 2015

Hello all,

Can someone provide us with a little tutorial on how to generate the CSRF tokens for a simple HTML form?

We can find some information in http://www.blesta.com/forums/index.php?/topic/1107-login-and-redirect-client-user-from-custom-website-to-billing-website/?hl=login+form about plugin creation, but nothing very explanatory.

Can someone provide us with an example, or a tutorial on how to achieve this?

Michael, Posted March 15, 2015

CSRF tokens are generated, so you'd need to find something to generate it.

dieselb0y (Author), Posted March 15, 2015

Hey Licensecart! Thanks for the fast answer.

I understand that the CSRF tokens need to be generated, but how can I achieve this? Can I use the same method that the default Blesta login form page uses? If yes, where can I find the correct code to do it? I tried to take a look in client_login.pdt, but I found nothing.

Paul, Posted March 15, 2015

You need to add an exception for CSRF to log in from another page. Disabling the CSRF check on the login page is simple, see http://docs.blesta.com/display/user/Logging+In#LoggingIn-LogginginFromAnotherPageasaClient

dieselb0y (Author), Posted March 15, 2015

I want to use CSRF check with my form. I don't want to disable it. How can I generate the token from my login form?

Michael, Posted March 15, 2015

> I want to use CSRF check with my form. I don't want to disable it. How can I generate the token from my login form?

Sounds like you can't and I see why:

CSRF ==> Cross-Site Request Forgery

Cross-Site Request Forgery: Cross-Site Request Forgery (CSRF) is a type of attack that occurs when a malicious Web site, email, blog, instant message, or program causes a user's Web browser to perform an unwanted action on a trusted site for which the user is currently authenticated.

dieselb0y (Author), Posted March 15, 2015

OK thanks, but how did this guy http://www.blesta.co.../?hl=login form achieve the same thing I'm trying to do?

dieselb0y (Author), Posted March 15, 2015

I want to do the same thing that you did on your web site licensecart:

    <form method="post" action="https://licensecart.com/billing/customers/login/" target="_blank">
      <div class="form-group">
        <div class="input-group">
          <div class="input-group-addon"><i class="fa fa-user"></i></div>
          <input type="text" name="username" class="form-control" id="login_username" placeholder="Username" autocomplete="off">
        </div>
      </div>
      <div class="form-group">
        <div class="input-group">
          <div class="input-group-addon"><i class="fa fa-lock"></i></div>
          <input type="password" name="password" class="form-control" id="login_password" placeholder="Password" autocomplete="off">
        </div>
      </div>
      <div class="form-group">
        <button type="submit" class="btn btn-success btn-block">Login to Client Area</button>
      </div>
    </form>

Michael, Posted March 15, 2015

> I want to do the same thing that you did on your web site licensecart:
>
>     <form method="post" action="https://licensecart.com/billing/customers/login/" target="_blank">
>       <div class="form-group">
>         <div class="input-group">
>           <div class="input-group-addon"><i class="fa fa-user"></i></div>
>           <input type="text" name="username" class="form-control" id="login_username" placeholder="Username" autocomplete="off">
>         </div>
>       </div>
>       <div class="form-group">
>         <div class="input-group">
>           <div class="input-group-addon"><i class="fa fa-lock"></i></div>
>           <input type="password" name="password" class="form-control" id="login_password" placeholder="Password" autocomplete="off">
>         </div>
>       </div>
>       <div class="form-group">
>         <button type="submit" class="btn btn-success btn-block">Login to Client Area</button>
>       </div>
>     </form>

We did what's in this tutorial http://www.blesta.com/forums/index.php?/topic/510-login-form-outside-blesta/

dieselb0y (Author), Posted March 15, 2015

OK, but is this a big security hole if we disable CSRF?

Michael, Posted March 15, 2015

> OK, but is this a big security hole if we disable CSRF?

Nope, Blesta is securer than any other billing system, and it's only affecting the login form. If you are worried just redirect them to the Blesta login page.

dieselb0y (Author), Posted March 15, 2015

Perfect! Thanks a lot for your help.

Blesta Addons, Posted March 15, 2015

> I want to use CSRF check with my form. I don't want to disable it. How can I generate the token from my login form?

You can look to the form components and see the code for forms. I have not tested but you can have the basic idea.
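
Added example, not part of any post above and not Blesta's own code: a generic PHP sketch of the usual session-bound CSRF token check, showing that a token only validates in the session that issued it, so a static form hosted on another site has nothing valid to submit. The helper names `issueCsrfToken` and `checkCsrfToken`, the `csrf_token` field name and the `csrf_secret` session key are assumptions made for illustration.

```php
<?php
// Generic synchronizer-token pattern (illustration only, not Blesta's code).
// issueCsrfToken(), checkCsrfToken(), 'csrf_token' and 'csrf_secret' are
// hypothetical names chosen for this example.

function issueCsrfToken(array &$session): string
{
    // One random secret per session, stored server-side only.
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    // The value placed in the form's hidden field is an HMAC under that secret.
    return hash_hmac('sha256', 'login-form', $session['csrf_secret']);
}

function checkCsrfToken(array $session, array $post): bool
{
    // No session secret or no submitted token: reject.
    if (empty($session['csrf_secret'])
        || !isset($post['csrf_token'])
        || !is_string($post['csrf_token'])) {
        return false;
    }
    $expected = hash_hmac('sha256', 'login-form', $session['csrf_secret']);
    // hash_equals() compares in constant time.
    return hash_equals($expected, $post['csrf_token']);
}

// Constructed sample data; $session stands in for $_SESSION on the billing site.
$session = [];
$token = issueCsrfToken($session);

// Case 1: form rendered by the billing application itself, token included.
$ownForm = ['username' => 'alice', 'password' => 'example', 'csrf_token' => $token];
var_dump(checkCsrfToken($session, $ownForm));

// Case 2: static form on another site, which has no way to learn the token.
$externalForm = ['username' => 'alice', 'password' => 'example'];
var_dump(checkCsrfToken($session, $externalForm));

// Case 3: token issued for a different visitor's session.
$otherSession = [];
$foreignToken = issueCsrfToken($otherSession);
var_dump(checkCsrfToken($session, ['csrf_token' => $foreignToken]));
```

An external page could only carry a valid token if it were rendered server-side by code that shares the billing application's session, which is why the thread's options are an exception for the login route or a redirect to the application's own login page.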