Michael Posted July 9, 2013

Thank you both Scott Horsley, MemoryX2 and Paul for the support and help, as I had a few mistakes. Please make sure you remember the link to your customer area for this.

Please be careful, this step is very important: go to /config/blesta.php and find the following line just at the bottom of the page:

    Configure::set("Blesta.csrf_bypass", array());

and replace it with:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

The link below must be the link to your client area; we've edited the link ourselves by editing the file (/config/routes.php):

    <form method="post" action="http://billing.licensecart.com/customers/login/">

Then after the custom code edits and the hard bit for a few people, simply copy the rest of the code below:

    Username: <input type="text" name="username" value="" id="login_username" /><br />
    Password: <input type="password" name="password" value="" id="login_password" /><br />
    <input type="submit" name="login" value="Login" class="btn" />
    </form>

You can use class="btn" if you are using the Bootstrap framework on your website. So the final code should look something like:

    <form method="post" action="http://billing.licensecart.com/customers/login/">
    Username: <input type="text" name="username" value="" id="login_username" /><br />
    Password: <input type="password" name="password" value="" id="login_password" /><br />
    <input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
    </form>

That will now allow users to log straight into your billing system. You can use target="_blank" on the form to open it in a new tab.
Using Bootstrap and wish to use the posh modal? Just edit the code below:

    <!-- Button to trigger modal -->
    <li><a href="#login" role="button" data-toggle="modal">Login</a></li>

    <!-- Modal -->
    <div id="login" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal" aria-hidden="true"><i class="icon-remove text-error"></i></button>
        <h3 id="myModalLabel">Billing Area Login</h3>
      </div>
      <div class="modal-body">
        <form method="post" action="http://billing.licensecart.com/customers/login/" target="_blank" style="width: 200px;margin: 0 auto 0 auto;">
          Username: <input type="text" name="username" value="" id="login_username" /><br />
          Password: <input type="password" name="password" value="" id="login_password" /><br />
          <input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
        </form>
      </div>
      <div class="modal-footer">
        <button class="btn btn-danger" data-dismiss="modal" aria-hidden="true">Close</button>
      </div>
    </div>

Good luck with your great layout and the best billing system.
Paul Posted July 9, 2013

I'm pretty sure you will need to disable CSRF tokens for the login page in the config file.
iAlex Posted July 9, 2013

Paul said:
    I'm pretty sure you will need to disable CSRF tokens for the login page in the config file.

I thought this, as surely the point of the token is that it changes?
Michael (Author) Posted July 9, 2013

iAlex said:
    I thought this, as surely the point of the token is that it changes?

Paul said:
    I'm pretty sure you will need to disable CSRF tokens for the login page in the config file.

I'm not sure, haha. It lets me log in via that token.
Paul Posted July 9, 2013

Michael said:
    I'm not sure, haha. It lets me log in via that token.

It changes with each new session. In config/blesta.php look for this line:

    Configure::set("Blesta.csrf_bypass", array());

You can add controllers and actions to this array to bypass CSRF checks; for the client login it should be array('client_login::index'), so the following should work:

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));
Michael (Author) Posted July 9, 2013

Paul said:
    It changes with each new session. In config/blesta.php look for this line:

        Configure::set("Blesta.csrf_bypass", array());

    You can add controllers and actions to this array to bypass CSRF checks; for the client login it should be array('client_login::index'), so the following should work:

        Configure::set("Blesta.csrf_bypass", array('client_login::index'));

Thank you
Kenneth Posted July 19, 2013

Do you have code for using the modal login from an image button? I think it's a stupid question, but I am not a web designer.
Michael (Author) Posted July 19, 2013

Kenneth said:
    Do you have code for using the modal login from an image button? I think it's a stupid question, but I am not a web designer.

Try this, mate:

    <!-- Button to trigger modal -->
    <a href="#login" role="button" class="btn" data-toggle="modal">Login</a>

    <!-- Modal -->
    <div id="login" class="modal hide fade" tabindex="-1" role="dialog" aria-labelledby="myModalLabel" aria-hidden="true">
      <div class="modal-header">
        <button type="button" class="close" data-dismiss="modal" aria-hidden="true"><i class="icon-remove text-error"></i></button>
        <h3 id="myModalLabel">Billing Area Login</h3>
      </div>
      <div class="modal-body">
        <form method="post" action="http://billing.licensecart.com/customers/login/" target="_blank" style="width: 200px;margin: 0 auto 0 auto;">
          Username: <input type="text" name="username" value="" id="login_username" /><br />
          Password: <input type="password" name="password" value="" id="login_password" /><br />
          <input type="submit" name="login" value="Login" class="btn hide_submit" hidefocus="true" />
        </form>
      </div>
      <div class="modal-footer">
        <button class="btn btn-danger" data-dismiss="modal" aria-hidden="true">Close</button>
      </div>
    </div>
Bit Bayou Posted July 20, 2013

Paul said:
    It changes with each new session. In config/blesta.php look for this line:

        Configure::set("Blesta.csrf_bypass", array());

    You can add controllers and actions to this array to bypass CSRF checks; for the client login it should be array('client_login::index'), so the following should work:

        Configure::set("Blesta.csrf_bypass", array('client_login::index'));

So this turns it off altogether for client login? Not sure I'd like that idea?
MemoryX2 Posted July 21, 2013

Bit Bayou said:
    So this turns it off altogether for client login? Not sure I'd like that idea?

Personally I want to still be able to use CSRF...
Bit Bayou Posted July 21, 2013

I had made a bot once that would access the page in question to get the CSRF token for use elsewhere. pfSense.org uses it, and I made a custom version of their software so my company can manage 100s of hotel guest networks. After installing the first 10 or so, I figured there had to be a better way! While in Blesta's case this might be overkill, I had made a script that turned the original pfSense install into my flavor. The script did things like create and manage folders, transfer files over SCP, set cron tasks for special commands, and make changes in the admin interface <- that's where I had the CSRF problem, so the script first accesses the page like normal to get the token, then posts the form with the specific data and the CSRF token it received. It works great, but I'm not sure I like that for this either.
cosname Posted September 25, 2013

Hi! You can also get _csrf_token by using a plugin and the API (with the Blesta SDK), so you just fetch the CSRF record and place it anywhere you want to! I posted details as separate posts here: http://www.blesta.com/forums/index.php?/topic/1107-login-and-redirect-client-user-from-custom-website-to-billing-website/?p=9077
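The "fetch the token first" flow that Bit Bayou and cosname describe above, written out as an added example in PHP (this is not code from the thread, from Blesta, or from either poster): one curl handle with a cookie jar gets the login page, pulls the hidden _csrf_token field out of it, and posts the credentials together with that token. The cookie jar is reused across both requests because, as Paul notes earlier in the thread, the token changes with each new session, so a token obtained in one session is not valid in another. The login URL, the field names "username" and "password", and the exact markup of the hidden input are assumptions for this example.

```php
<?php
// Added example, not Blesta's code and not code from the thread.
// Assumptions: the login URL, that the hidden field is named "_csrf_token"
// (as in cosname's post), and that the form fields are "username"/"password".

declare(strict_types=1);

// Pull the hidden CSRF field out of a login page. Returns null if absent.
function extractCsrfToken(string $html): ?string
{
    // Attribute order varies between templates, so match either order.
    $patterns = [
        '/<input[^>]*name=["\']_csrf_token["\'][^>]*value=["\']([^"\']+)["\']/i',
        '/<input[^>]*value=["\']([^"\']+)["\'][^>]*name=["\']_csrf_token["\']/i',
    ];
    foreach ($patterns as $re) {
        if (preg_match($re, $html, $m) === 1) {
            return html_entity_decode($m[1], ENT_QUOTES);
        }
    }
    return null;
}

// One curl handle shared by both requests keeps the session cookie, which is
// what ties the fetched token to the session that will submit it.
function newSessionHandle(string $cookieJar)
{
    $ch = curl_init();
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_COOKIEJAR      => $cookieJar,   // write cookies here...
        CURLOPT_COOKIEFILE     => $cookieJar,   // ...and send them back
        CURLOPT_FOLLOWLOCATION => false,        // inspect redirects ourselves
        CURLOPT_SSL_VERIFYPEER => true,         // never turn this off for a login
        CURLOPT_TIMEOUT        => 15,
    ]);
    return $ch;
}

// GET the form, extract the token, POST the credentials with it. Returns the
// HTTP status of the POST (a 302 to the client area is a typical success).
function loginWithToken(string $loginUrl, string $user, string $pass): int
{
    $jar = tempnam(sys_get_temp_dir(), 'cj');
    $ch  = newSessionHandle($jar);
    try {
        curl_setopt($ch, CURLOPT_URL, $loginUrl);
        curl_setopt($ch, CURLOPT_HTTPGET, true);
        $page = curl_exec($ch);
        if ($page === false) {
            throw new RuntimeException('GET failed: ' . curl_error($ch));
        }
        $token = extractCsrfToken($page);
        if ($token === null) {
            throw new RuntimeException('no _csrf_token field on login page');
        }

        curl_setopt($ch, CURLOPT_URL, $loginUrl);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
            'username'    => $user,
            'password'    => $pass,
            '_csrf_token' => $token,
        ]));
        if (curl_exec($ch) === false) {
            throw new RuntimeException('POST failed: ' . curl_error($ch));
        }
        return (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE);
    } finally {
        curl_close($ch);
        @unlink($jar);   // do not leave session cookies lying around on disk
    }
}

// Usage (placeholder URL and credentials, not a real installation):
// $status = loginWithToken('https://billing.example.com/client/login', 'user', 'pass');
```

This is the alternative to the csrf_bypass edit for a script that drives the site itself; it keeps the CSRF check switched on because the script simply behaves like a browser would. It does not help a plain HTML form hosted elsewhere, since that form is submitted by the visitor's browser with the visitor's session, not by the script that fetched the token.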
turner2f Posted November 18, 2016

Not certain if this modification works anymore, since it was posted in 2013. Looked inside the /config/routes.php file and did not find "form method".

    <form method="post" action="http://billing.licensecart.com/customers/login/">

Is there another way for the Blesta version in 2016?
Michael (Author) Posted November 18, 2016

12 minutes ago, turner2f said:
    Not certain if this modification works anymore, since it was posted in 2013. Looked inside the /config/routes.php file and did not find "form method".

        <form method="post" action="http://billing.licensecart.com/customers/login/">

    Is there another way for the Blesta version in 2016?

The bit in routes.php is only if you changed "client" to something else like I did; I don't use the default client route, client, I use customers.
Stu Posted March 14, 2017

Thanks for this, just what I needed. I have added an HTML front page to my Blesta install that has a modal login. I have made the recommended change in blesta.php...

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

I have modified the action URL for my login form as follows...

    <form method="post" action="https://mysite.com/client/login">

Everything is now working fine. I have 2 questions.

1. Is this safe to do? Obviously CSRF tokens are there for a reason, so is disabling them like this safe?

2. When I log out from the client area I am taken back to /client/login. Am I able to change this behaviour so the client is taken to /index on logout?

Thanks everyone
Paul Posted March 14, 2017

24 minutes ago, Stu said:
    1. Is this safe to do? Obviously CSRF tokens are there for a reason, so is disabling them like this safe?

Most CSRF attacks are to perform actions as an authenticated user. For example, the form that creates a new admin in Blesta would be a good target for a CSRF attack, but you'd have to be logged in and CSRF disabled for it to work. If I had to pick a page to disable CSRF for, it'd be an unauthenticated page, like the login form.

24 minutes ago, Stu said:
    2. When I log out from the client area I am taken back to /client/login. Am I able to change this behaviour so the client is taken to /index on logout?

It might be possible by modifying the code. I don't have an example off the top of my head for you though, and I probably wouldn't recommend changing the core. Might be a good feature request though, to be able to set where the user is directed after a log out.
Stu Posted March 14, 2017

22 minutes ago, Paul said:
    If I had to pick a page to disable CSRF for, it'd be an unauthenticated page, like the login form.

So in doing this...

    Configure::set("Blesta.csrf_bypass", array('client_login::index'));

am I just disabling it for the login action? Then CSRF is still enabled for the session within the client area for all subsequent actions after?
Paul Posted March 14, 2017

53 minutes ago, Stu said:
    Am I just disabling it for the login action? Then CSRF is still enabled for the session within the client area for all subsequent actions after?

Yes, that's correct. CSRF is still enabled everywhere else.
Stu Posted March 14, 2017

18 minutes ago, Paul said:
    Yes, that's correct. CSRF is still enabled everywhere else.

Ah ok, I didn't realise that. Well, there's no problem with that at all then. Thanks for the help and advice, Paul and Michael.
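To make the scope of that setting concrete, here is an added example in PHP (not Blesta's code, and not from anyone in the thread) that reimplements the "controller::action" bypass-list semantics Paul describes for Configure::set("Blesta.csrf_bypass", ...): a request is exempt only when its exact controller::action pair appears in the array, and every other POST still has to carry a token matching the session's. The token derivation, the controller names other than client_login, and the sample requests are constructed for the example and are assumptions, not Blesta internals.

```php
<?php
// Added example, not Blesta's own code: a minimal reimplementation of the
// bypass-list semantics described in the thread, so you can see exactly which
// requests skip the token check and which still require it.

declare(strict_types=1);

// Same shape as the config line from the thread.
$csrfBypass = ['client_login::index'];

// Derive a per-session token, matching the thread's description that it
// "changes with each new session": bound to the session id and keyed with a
// server-side secret. The derivation itself is an assumption for this example.
function csrfToken(string $sessionId, string $serverSecret): string
{
    return hash_hmac('sha256', $sessionId, $serverSecret);
}

// True when the given controller/action is exempt from the CSRF check.
// The match is exact: "client_login::index" does not exempt "client_login::reset".
function csrfBypassed(string $controller, string $action, array $bypass): bool
{
    return in_array($controller . '::' . $action, $bypass, true);
}

// Decide whether a POST may proceed. Returns true to allow, false to reject.
function csrfCheck(
    string $controller,
    string $action,
    array $post,
    string $sessionId,
    string $serverSecret,
    array $bypass
): bool {
    if (csrfBypassed($controller, $action, $bypass)) {
        return true;                       // exempt: no token needed
    }
    $expected = csrfToken($sessionId, $serverSecret);
    $given    = $post['_csrf_token'] ?? '';
    // Constant-time comparison so response timing does not leak token bytes.
    return is_string($given) && hash_equals($expected, $given);
}

// --- Constructed sample requests (not real traffic) -------------------------
$secret  = 'replace-with-a-server-secret';        // placeholder secret
$session = 'sess-' . bin2hex(random_bytes(8));    // one visitor's session id

$cases = [
    // [controller, action, POST body]
    ['client_login', 'index', ['username' => 'a', 'password' => 'b']],           // external form, no token
    ['client_login', 'reset', ['email' => 'a@example.com']],                     // same controller, other action
    ['admin_users',  'add',   ['username' => 'evil']],                           // authenticated action, no token
    ['admin_users',  'add',   ['username' => 'ok',
                               '_csrf_token' => csrfToken($session, $secret)]],  // correct token
];

foreach ($cases as [$controller, $action, $post]) {
    $ok = csrfCheck($controller, $action, $post, $session, $secret, $csrfBypass);
    printf("%-14s %-6s -> %s\n", $controller, $action, $ok ? 'allowed' : 'rejected (CSRF)');
}
```

Run with the PHP CLI and the table shows that only the one listed pair is allowed without a token; the sibling action on the same controller and the admin action both reject a token-less POST, and the admin action is allowed only with the token derived for the same session. Keep the bypass array as short as the external form needs, since each entry is one more POST handler the token check no longer covers.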
Ziaur Rashid Posted September 27, 2017

How to set up external sign-up & password reset? Need documentation with code.