
New login system


As announced, more than a year ago, there is a new login system.
Currently I've added the new login module and it should support:
  • Database password login
  • OpenID / XRI login (i-name, Google, Yahoo, etc.)
  • Facebook Connect

In the future it can be made possible to mount multiple logins to 1 user account.
For now you can "hack" the auth_identities table and modify the identity_id to another user to have several logins to 1 account.

Please report anything related to login in this thread.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


DJ Maze wrote
As announced, more than a year ago, there is a new login system.
Currently I've added the new login module and it should support:
  • Database password login
  • OpenID / XRI login (i-name, Google, Yahoo, etc.)
  • Facebook Connect

In the future it can be made possible to mount multiple logins to 1 user account.
For now you can "hack" the auth_identities table and modify the identity_id to another user to have several logins to 1 account.

Please report anything related to login in this thread.


Very good.

I don't know if this is the OK thread.
One question: refusing cookies when you change IP, I think that it's not a good idea. Many people use mobile devices at the same time as desktops. They must log in each time that they change device or IP....

This is not nice, especially for mobile.

At least, we must have an admin option to activate this feature or not. It's my opinion.

Aforo - Google Earth - WebNaranja - DFcms.es

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Centos 5/Apache 2.2.3/MySQL:5.0.45/PHP:5.2.10 /9.2


Yes, Aforo.
Nanocaiordo is already having this same issue on this website and we are seeking a solution to this problem.

It's not that simple though as we want to prevent cookie hijacking.
Say, you use an external JavaScript.
That script has access to document.cookie and sends your cookies to his server. Now he can "take over" your login remotely and change your password.

With IPv6 this can be partially solved by checking the MAC address unless you use RFC 3041
blog.superuser.com/201...o-stop-it/

If someone knows the right solution we will implement it immediately!

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


If the session is still alive, it seems that changing IP doesn't invalidate the cookie, so it's not that bad for mobile users.

Initially annoying but eventually you get used to it.

It should be a must for admins, but not that trivial for users.
Instead of a main option, the option should be moved to the user account so each user can decide the security level he needs (normal user vs. moderators).

How does it sound?

.:: I met php the 03 December 2003 :: Unforgettable day! ::.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
CloudLinux / Apache 2.4 LSAPI / MySQLi 5.6 / PHP 5.6 / DCVS


I was thinking of myself, always connected. 🙄 In a day I'm travelling from home (desktop) - train (phone and tablet) - office (desktop, again) and vice versa. Some of the most active users in a forum can have the same behaviour.

I think that it's more important for admins (and it must be a choice controlled by the admin for all the users in a site) than for a normal user. 95% of users have no idea what that option means...

It's not very profitable hijacking an account of a normal user with less than 10 messages... and in the forum most of the users have few messages (but if you use this option you are putting them in a problem).

I think that in most cases, the only interesting account is the "admin" account. 😀

Perhaps it can be good if the admin can choose the policy about cookies by level (normal users, mod, admin). This way we have all options.

By the way, congratulations on your job. 👍

Aforo - Google Earth - WebNaranja - DFcms.es

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Centos 5/Apache 2.2.3/MySQL:5.0.45/PHP:5.2.10 /9.2
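
One way to combine the two positions in the posts above, shown as an added example that is not Dragonfly CMS code: IP binding is applied per user level, and the session cookie is marked HttpOnly so that a third-party script cannot read it through document.cookie. The group names, binding levels and session-record layout are assumptions.

```php
<?php
// Added illustration, not Dragonfly CMS code. Group names, binding levels
// and the session-record layout are assumptions.
const BIND_NONE = 0;    // cookie accepted from any address
const BIND_NETWORK = 1; // same IPv4 /24 or IPv6 /64 required
const BIND_EXACT = 2;   // same address required

function binding_for(string $group): int
{
    $policy = ['user' => BIND_NONE, 'moderator' => BIND_NETWORK, 'admin' => BIND_EXACT];
    return $policy[$group] ?? BIND_EXACT; // unknown group gets the strictest level
}

// Reduce an address to the part that must stay constant at this level.
function ip_key(string $ip, int $level): ?string
{
    $bin = @inet_pton($ip);
    if ($bin === false) {
        return null; // an unparsable address never matches
    }
    if ($level === BIND_EXACT) {
        return $bin;
    }
    return substr($bin, 0, strlen($bin) === 4 ? 3 : 8);
}

function session_ok(array $session, string $ip): bool
{
    $level = binding_for($session['group']);
    if ($level === BIND_NONE) {
        return true;
    }
    $then = ip_key($session['ip'], $level);
    $now = ip_key($ip, $level);
    return $then !== null && $now !== null && hash_equals($then, $now);
}

// HttpOnly hides the cookie from scripts; Secure restricts it to HTTPS.
function session_cookie_header(string $name, string $id): string
{
    return 'Set-Cookie: ' . $name . '=' . rawurlencode($id)
        . '; Path=/; Secure; HttpOnly; SameSite=Lax';
}

// Constructed sessions: a member and an admin, both arriving from a new address.
$member = ['group' => 'user', 'ip' => '198.51.100.7'];
$admin = ['group' => 'admin', 'ip' => '198.51.100.7'];
var_dump(session_ok($member, '203.0.113.9'));
var_dump(session_ok($admin, '203.0.113.9'));
```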


I don't know if it is too complicated to detect/set/inscribe/track a device, à la Google/Facebook/Steam: they detect logins from new devices and let you add it to the trusted devices list.

www.greenday2k.net

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):


Good idea greenday2k, have a log in your account to show all logins from IPs and user agents

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


DJ Maze wrote
Good idea greenday2k, have a log in your account to show all logins from IPs and user agents


Great. 🙏

Aforo - Google Earth - WebNaranja - DFcms.es

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Centos 5/Apache 2.2.3/MySQL:5.0.45/PHP:5.2.10 /9.2


I'm trying the OpenID login system and I found that Google has deprecated OpenID 2.0 and will shut it down on April 20, 2015, and recommends migrating to OpenID Connect.

Are you working on it, to migrate or add OpenID Connect?

until the next (Bye),

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Dragonfly 9.2 (PHP5.2)


Not yet, but thanks for the update!
It needs to be written then.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


The first OpenID Connect bug already found 😡
'id_token_signing_alg_values_supported' is missing in accounts.google.com/.well-known/openid-configuration
But it is required according to openid.net/specs/openi....section.3

I will keep going on for an implementation 😉

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial
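
The metadata check behind the report above, as an added example that is not Dragonfly CMS code: it lists what a client should refuse in an OpenID Connect discovery document before trusting it. The function name and the sample document are constructed; the required members are those of OpenID Connect Discovery 1.0, section 3.

```php
<?php
// Added illustration, not Dragonfly CMS code. check_discovery() and the
// sample document are constructed for this example.

// Members marked REQUIRED in OpenID Connect Discovery 1.0, section 3.
const REQUIRED_METADATA = [
    'issuer', 'authorization_endpoint', 'jwks_uri', 'response_types_supported',
    'subject_types_supported', 'id_token_signing_alg_values_supported',
];

function check_discovery(string $json, string $expectedIssuer): array
{
    $doc = json_decode($json, true);
    if (!is_array($doc)) {
        return ['not a JSON object'];
    }
    $problems = [];
    foreach (REQUIRED_METADATA as $key) {
        if (!array_key_exists($key, $doc)) {
            $problems[] = "missing required member: $key";
        }
    }
    // The issuer must equal, exactly, the one the document was requested for.
    if (($doc['issuer'] ?? null) !== $expectedIssuer) {
        $problems[] = 'issuer mismatch';
    }
    // Endpoints used for login and key retrieval must be HTTPS URLs.
    foreach (['authorization_endpoint', 'token_endpoint', 'jwks_uri'] as $key) {
        if (isset($doc[$key]) && (!is_string($doc[$key]) || stripos($doc[$key], 'https://') !== 0)) {
            $problems[] = "$key is not an https URL";
        }
    }
    // The specification requires RS256 to be among the ID token algorithms.
    $algs = $doc['id_token_signing_alg_values_supported'] ?? [];
    if (is_array($algs) && $algs && !in_array('RS256', $algs, true)) {
        $problems[] = 'RS256 not offered for ID tokens';
    }
    return $problems;
}

// Constructed sample: the algorithm list is absent, as in the report above.
$sample = json_encode([
    'issuer' => 'https://op.example',
    'authorization_endpoint' => 'https://op.example/auth',
    'token_endpoint' => 'https://op.example/token',
    'jwks_uri' => 'https://op.example/keys',
    'response_types_supported' => ['code'],
    'subject_types_supported' => ['public'],
]);
print_r(check_discovery($sample, 'https://op.example'));
```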


Added Google OpenID Connect to SCM.
It's a bit tricky to set up but it should work.
Access to Google+ API is required.
  1. https://console.developers.google.com/
    1. create project
    2. APIs & auth => APIs => Set 'Google+ API' on
    3. APIs & auth => Credentials => Create Client ID
  2. Dragonfly Admin => Members => Authentication => Google > Fill in Client ID and Secret
Note: "redirect" and "remember me" don't work yet.
This is a design flaw of mine and must be fixed in the Authentication core.

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial

Last edited by DJ Maze on Sun Mar 01, 2015 11:33 pm; edited 5 times in total


Redirect should be fixed now

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Fedora 25 / Apache 2.4.27 / MariaDB 10.1.26 / PHP 7.1.10 / Mercurial


Login on the right column panel when on the Forums page still drops me at the Home page, not on the Forums page as it used to.

Pro_News CM™ - Content Management for Dragonfly CMS™

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):
Linux / 1.3.39 - 2.4.9 / 5.5.42 - 5.6.16 / 5.4.37 - 5.5.11 / 9.4


If the user's IP address changes, does this still invalidate their cookie, or has this been fixed?

Server specs (Server OS / Apache / MySQL / PHP / DragonflyCMS):

All times are UTC

