Which one is the best practice to use social auth: opening a modal window to take data or same page loading?
Thanks.
A model window is better than the page redirect.
Also when the user is already logged in on social network, you just need to
show a simple ajax loader. See freelancer.com facebook login for reference.
It terms of implementation. It takes the same amount of efforts. But it has
visual benefits for the user.
The url doesn't change in the address bar.
Automatic login with just a simple ajax loader, when the user is already logged in
Symbolizes a third party login for the user.
In case of an error you are still on your site.
Related
In my project, pop-ups are a core part of the system. Is there any way to ask the user to allow pop-ups on the site at first login, as it happens for HTML 5 Notifications?
EDIT: I know pop-ups are a usually a bad practice, but our customer asked us to implement them for a good reason
You could use a url fragment appended to the end of the login redirect url (if when you login it redirects to /home you could make your login route redirect to /home#something_here instead), and have some javascript in your front end to detect when a page is loaded with that fragment and display the popup.
Also, if your popup is just HTML, you could conditionally render it only when rendering the login success page.
I am working on internal website, which is used only within the company. The requirement for one of its pages is to log-in to our vendor sites (which are all on different domains).
For this I open these vendor sites within an iframe of the internal website.
Say,
Internal site: us.com
Vendor sites: foo.com, bar.com
On us.com/openvendor , there are two options: foo and bar. When a user clicks on foo, the iframe within the page opens foo.com in signed in state.
To achieve this, I replicate the login form of foo.com and post all the required parameters like username, password etc. to foo.com's page. I have all the usernames and passwords of different vendors stored in database.
Why do I do this? Because we don't want the users of this site(mostly our CRM team) to know the passwords (lest they use it to do unwanted and untracked transactions) and the activities done through us.com is recorded and saved.
So essentially, we enable users to login to any vendor site, just by clicking on a link.
This was working perfectly fine until one day, when I had to add a new vendor site which doesn't post an html form for authentication. This site (say whattodo.com) makes an ajax call to a url with login credentials, which returns back an authentication cookie. This cookie is then set by the site to make the user logged in.
Now how can I make my end users login to whattodo.com on a click?
I cannot make the ajax call to whattodo.com
Even if I overcome the above problem by storing the auth cookie value in my database and updating it monthly(ya that's when the cookie expires), I cannot set this cookie under whattodo.com domain in the user's browsers.
Please suggest a possible solution.
And please feel free to edit the title. I'm sure there's a better one to summarize the question.
I am successful in implementing Facebook API and Google+ API. I don't haven any issues with login or logout. Even when page is refreshed information is working fine.
But when user logs into Google+ and Facebook in different tabs and he provided access to the app by login with both accounts then I am seeing both images.
How can I avoid this. On page load, I would like to see only either Facebook or Google+ but not both.
If Facebook login then show only Facebook
If Google+ Login then show only Google
If he is logged in to both then show only one of them.
This just out, how to do both:
One of the key parts is the concept of identities vs users. A user represents a human, an identity represents a human logging in with a particular social network. Data security is done on users, showing photos and whatnot is done on identities.
The first code snippet shows some pretty simple logic for deciding which login provider to use if a user is logged in with both.
https://developers.google.com/+/best-practices/facebook#separating_social_and_business_logic
Only allow them to associate their Google+ or Facebook accounts, not both. If one is associated, then do not allow the other.
In my work with a Javascript single page application, i have recently run into a problem.
The whole idea behind this project, is to avoid page reload. When the user comes to my application they won't need to make any reloads. This is done with jQuery and Backbone.js and PHP as service.
I have this static index.html file, where i hide my login container and application container. Then i show the login container, if the user is not recognize by my application, and if they have auth i show the application.
if auth:
application.show()
elif not auth:
login.show() // like Gmail or Facebook etc.: Information + login-form
I wan't to show users who aren't authenticated, both login-form and general info. Very important is also that the site can be found by robots as Google etc.
Can this only be done with 2 different files, giving me reload? A site.com and login.site.com. That solution irritates me, because my login, as it is by now, is quite instant.
Not sure I get the question completely but if you want to check if a user in authenticated, try to do an ajax call. If it fails with "401 unauthorized" the user needs to login...
You can achieve what you want by using ajax calls to authenticate (Although this is not a recommended approach, and people usually prefer the two page solution you have outlined).
What you can do, is have very skinny controllers that just exist to provide data to rich client UI.
Your gateway controller(A separate controller, with no model that acts as an entry point in the application) will just render the basic application structure to the client (without any user specific data, you dont know if the user is logged in, you dont need to know at this point). Then the client will query the UserController for identity of currently logged in user, if user is logged in server returns a json response containing information related to user and if not, server returns a response saying that user is not logged in. Then you can fetch a partial for the login form and then submit it again through ajax. As you see, creating the UI once and communicating with the server with lightweight ajax calls can solve your issue easily.
I'm implementing a plug-in that's embeddable in different sites (a la Meebo, Wibiya), and I want to use Facebook Connect. The plug-in is supposed to be embeddable in sites with different domain names. Problem is, Facebook connect allows only one domain per application you register.
The question is, how can I have multiple domains for a single Facebook application, assuming:
When users "Allow" the application on one site, they won't have to "Allow" it on other sites as well.
Preferably, after the initial log-in, users won't see a pop-up opening on every site they log-in to (i.e. - I'd rather not open a link to my domain and do the log-in process from there).
Is there anyway of doing that?
If not, is my only option is to manage all the log-ins from a single domain and pass the cookies back to the original domains?
And if I pass the cookies between domains, how can I be sure that Facebook won't block this kind of behavior in the future?
I'd appreciate any suggestions, though I'd prefer an official solution over hacks, if at all possible.
Im assuming you are using facebook.php by Naitik Shah? Your widget would need to be on every page of course and include the async script connect-js.
I am currently developing a facebook login based application myself.
I would say the best solution is too login through your own domain and pass the cookie. Your app/widget will be the only one they allow to share information with. Nothing should be different in operation from a single page solution. I envisage a PHP plugin which executes a login from an outside domain and passes through the cookie to the site via the widget. return the cookie securely how you wish (except for something dodgy like storing it in a div and retrieving it..or something a hacker could try to spoof). the site will then use the cookie for account and user id purposes and the widget will control all login actions and session finding using the async script (but routed through a different domain).
Sorry I can't be more help but this is the only solution I can think of, and it seems you have already anyway.
In terms of keeping session control across different domains you only need the 3rd party cookie to be active. Once your page is activated for your domain you will already have the cookie for that domain if you haven't logged out or it hasn't expired. A benefit of using an outside management domain.
It would seem this is also the most reliable way compared to any successful hack for multiple domains, because I would see fb and Oauth2.0 as being ok with an approved party sharing info (cookies) to another party approved by the approved party. But.. It could be problematic if they think the user will have privacy issues, because you could potentially share the cookie on any site without the users permission. So you have to be careful about notifying the user about all the sites they will be auto logged into and treating them with respect.
Good luck with it, hope you let us know how it goes.
There is easy and clean technique -> Single Sign On (SSO). You can search on about it.