Symphony.

A new Extension, “Front End Authentication” is now available for download. Comments and feedback can be left here but if you discover any issues, please post it on the issue tracker.

The idea of this extension is to add simple page protection functionality. It is not a full featured member system although it could be adapted for that use.

To obtain a copy, download or clone from the Git repository found here: http://github.com/pointybeard/frontend_authentication/tree/master

The documentation should be sufficient, but if you have any queries, post here and I'll try to help out.

Requires Latest Symphony 2 Beta code (http://github.com/symphony/symphony-2/tree)

Zip file not found and couldnt unpack the tar file.

Keep trying. Github is funky sometimes with the downloads.

You may need to clone a copy instead. I've noticed, as czheng mentioned, that the download option at github is pretty flaky.

I've noticed that once you login with one set of credentials, log out and then try to log in again with another set of credentials the first set are still there. Also logging out takes 2 page loads.

I'd like to see a registration template for sending an e-mail aswell.

Finally gave this one a go. Thank you very much, Alistair! The basic functionality seems to be good.

I realize that you gave a strong warning that this is not a full featured member system. However, I still think it may need a few things before this front end authentication extension might be really useful.

• Redirect to a specified page (other than the default redirect to the home page) on successful authentication
• Attach authentication information to a page without causing a redirect to a login form
• Use the hash field type for passwords, so the passwords are not saved as plain text in the database
• Prevent logout from affecting Symphony admin author authentication

At the moment, I'm wondering how to determine whether a user has authenticated on every page of the site so I can add logic for displaying either a login button or a logout button. However, this extension requires that a page type be set for each Front End Authentication page. These pages will redirect to the login page when not authenticated. But only these pages include the event XML data for front end authentication:

<events>
    <front-end-authentication status="authenticated" />
</events>

For the logic to display a logout button, I'm thinking that if this extension is enabled, the authentication status XML should be available on every page.

Then, to enable this to be used for a full featured member system:

• Access additional metadata from the section containing usernames and passwords
• Login Info event or data source to configure information to display for authenticated user

Any thoughts?

I've uploaded the ensemble that I was using to test the features of the Front End Authentication extension. The ensemble is a slightly modified Symphony 2.0 github install, using the default theme.

Hay,

I installed the “Front End Authentication” extension and as a result every front-end page is displayed by the browser as text (Content-type text/plain) and not as HTML. When I disable the extension the pages are displayed in HTML (Content-type text/html) again. Does someone know how I can fix this problem?

Thanks, Peter

@Peter: The extension does not work with Symphony 2.0. You will need to use the latest Symphony code from Github.

Thanks michael-e, works like a charm

Bauhouse's members ensemble is a great proof of concept for this extension. As far as I can see, there is only one thing that he missed in his comment (no wonder: he was not able to send email from his dev installation):

The password retrieval function should not simply send the password in clear text. Today I'd say it should probably use the "password reset" mechanism which is found in Symphony 2.0.1.

Developing the extension to meet Bauhouse's ideas would be a big step for Symphony, enabling the system to power community websites. I am really bad in PHP, so I hope someone (maybe ahwayakchih???) will hear the call...

Is it correct that the pagetype has effect on all url param invoked pages too, meaning that on each link to new content within a page, you have to login again? I found that this could be circumvented by not using cookies but sessions.

Also, since upon succesfull login no urlparams are added, I asume that you can safely use the cachelite extension withotu the risk of it caching and showing to all visitors 'protected' pages?

When using this with the cachelite exttension, mind to exclude the login page! (hopefully you can use $root in the list (independant of installlocation) though I doubt it, otherwise you get this;

Sometimes filling out the correct login and password has no effect. when this happens and you fill out the lost pasword email (which is my login) it does kinda work and redirects you to the root page (index) (without sending or confirming the lost pw email)

when logged in (system) and not authenticated (extension) all works fine

when logged out (system) and not authenticated (extension) the above happens

also adding '?front-end-authentication-logout=true' to an url logs me out of the system

I have been trying this out today, I have a client who needs a simple member only download area. Now the content on the page and assigning it to each member is not a problem.

What is though is that I can’t redirect the successful login back to the member only page. I only have 1 page, so can I not hardcode it?

if($bOnLoginPage) redirect(URL);

I believe that is the line of code, although it is repeated 3 times, once for Sessions and twice for Cookies.

Out of interest though, why does it redirect to the root?

Also this code in the xslt:

<input name="redirect" type="hidden" value="{$root}/login/success/" />

What does that do? If I create a page called Success - I am presuming it will go there?

Am I unable to redirect this to a specific page? I don’t really see the value of it being re-directed to the home page.

Is it an error in the code?

<input name="redirect" type="hidden" value="{$root}/login/success/" />

How does that actually work? Because from what I have seen it has no bearing on the extension whatsoever.

Also, how come when you logout of the member page, it logs you out of Symphony too?

Is there anybody interested in working with me on this?

Nobody?

Well it seems this extension is broke then because I can’t figure out a way to make it useful.

@NickToye: I’m using this extension on a site at the moment without problem. I have an administration section under /admin/ and a number of pages underneath that in the heirarchy that are protected as well—I’ve simply set the Page Type in the preference to ‘front-admin’ and added that type to any of the pages I want to protect.

You shouldn’t really need to set the redirect manually in the login form as the extension will autoload the form page if the user is logged in and then redirect them to the same page once logged in. That is, if I go to: http://blah.com/admin/hidden-page/ I’ll be shown the http://blah.com/admin/login/ page and once I successfully login I’ll be returned to http://blah.com/admin/hidden-page/.

What exactly are you trying to achieve?

Well I am trying to achieve what you have their but when I login it returns me to the index page.

Can you explain the setup (pages, etc) and post your form code?