Creating a complete login workflow
Last updated
Was this helpful?
Last updated
Was this helpful?
The module provides the logic for a user authentication mechanism, but it's up to you to build a form to ask the user for his credentials, or to implement any kind of interface for a user to authenticate in your web app.
We'll analyze step by step the example provided in the Cherrycake documentation examples , in the module called LoginGuide.
See this complete login workflow working in the site.
First we'll create our module in /src/LoginGuide/LoginGuide.class.php:
See how we've already added the and dependencies.
Now we'll that will show a welcome page when the user visits the /login-guide URL:
Now we'll add another action that will show a login form in the /login-guide/login-page URL:
And we'll add a button right next to the You are not logged in message, that will link to this login page:
So now, when we access the /login-guide page, this appears:
And when we click the Login button, the /login-guide/login-page appears:
Clicking the
Loginbutton does nothing because we haven't yet set theactionproperty of the form HTML element.
Now let's create an action that will be triggered when the Login button is clicked. This action will use the Login module to check the received email and password, and act accordingly afterwards.
We'll call this action loginGuideDoLogin:
Now we need to modify the login form in the loginPage method to make it request this loginGuideDoLogin action URL whenever its posted. We've already seen how to retrieve the URL of an action above. In this case, we'll do it like this: $e->Actions->getAction("loginGuideDoLogin")->request->buildUrl();
And this is how it looks when implemented in the form:
And here's how the doLogin method looks:
Now, when you login with a correct email and password, you'll get redirected to the Login guide home, and the message You are logged in will be shown.
Let's add a logout button now. First, we'll create a new action to perform the logout operation, we'll call it loginGuideLogout, and it will be triggered with the /login-guide/logout URL:
Now, just like we did before, we add a logout button in the home method that will appear along the Your are logged in as ... message. This time, to get the logout URL we use $e->Actions->getAction("loginGuideLogout")->request->buildUrl();
And now we implement the logout method like this:
Notice that the page shows the message You are logged in or You are not logged in. To determine whether the current user is logged in, we use the method.
See how, instead of linking directly to /login-guide/login-page, we've used the and the methods in chain to obtain the URL for the action that triggers the login page, as you've learned in the .
We've set the parameter to true when creating the to improve the resistance of this request to brute force attacks. We've also set the parameter to true when creating the , which adds protection against Cross-Site Request Forgery-type attacks to this request.
Note we've used the method to check the passed email and password. If the login failed, we show a simple error page. If it was successful, we redirect the user to the login home using with a code.
What if we wanted to show the user name there? Something like You are logged in as <user name>. Well, since the module does all the work of retrieving the logged user for you, as long as you have the module as a dependency in your modules, you'll be able to access the logged User object at any time via $e->Login->user. This is how we would modify the home method in our example to include the user name:
This calls the method and then redirects them to the login home page.
You're in charge of adding new users to your database and storing their credentials in the fields you've specified when .
The module uses by default a very secure salted password hashing mechanism which implements a method, a algorithm. This method is compliant with the PBKDF2 test vectors specified in the , and is based on the by from .
To generate a password hash to be stored in the database, use the method, like this:
