Matrix and curl?

I am trying to set up Matrix to auto-login a user after they complete a form. This form is submitted via an external php form using curl. However, I can't do the same thing for auto-login as the login page generates a random key on load (I guess to prevent bots from doing this).


So my question is, what other method can I use to have a user automatically logged in? I couldn't find a trigger to make it work either… so I'm open to suggestions.

[quote]I am trying to set up Matrix to auto-login a user after they complete a form. This form is submitted via an external php form using curl. However, I can't do the same thing for auto-login as the login page generates a random key on load (I guess to prevent bots from doing this).


So my question is, what other method can I use to have a user automatically logged in? I couldn't find a trigger to make it work either… so I'm open to suggestions.[/quote]



Are they already Matrix users?

Yes I have a generic Matrix user set up and I just need it to be automatically logged in via a form submission or maybe a post keyword.


I kind of have a feeling that Matrix security was built so that something like this couldn't be done, for security reasons. But, I could be totally wrong. I am sure Greg can give us a good answer.

I've done this before, but I no longer own the code so I can't post it here.


Basically in php, you'll need to set CURLOPT_COOKIEJAR, CURLOPT_COOKIEFILE, and obviously CURLOPT_URL. You'll also need to set post variables for SQ_LOGIN_REFERER, SQ_LOGIN_USERNAME, SQ_LOGIN_PASSWORD.



The trickiest part is you need to first curl the page and grep for the "SQ_LOGIN_KEY", then use this when submitting the form to "url?SQ_ACTION=login&".



Good luck!

Thanks Daniel, that hits the spot and I will give it a try tomorrow.

Hint: I give you the regex to grab the sq_login_key, but I probably should not post the curl login code to avoid exploits.

    $pattern = '/name="SQ_LOGIN_KEY"\s+value=("[^"]*")?/';

You can log in users with http auth instead. It is difficult to mix auth methods in apache though. Depends on exactly what you are trying to achieve.

Here is exactly what I am trying to do. We are going to stream videos from our site, but they are restricted to only be viewable by our local residents. So what they want to do is have them fill out a form asking for some generic information and where they live. I have a custom php script that takes the form submission and checks it against our zipcode db to see if they are a valid local resident. If they are, it uses cURL (successfully) to post the submission back to the matrix custom form.


Now in order to prevent the user from having to submit this little survey every time they want to watch a video, I figure my custom php script can also auto-log them in as a generic user account that has read access to the videos. I could not think of any other way to avoid the same person submitting this survey form every time they want to watch a video.



The problem I am still having though is that the login form for Matrix is being evil and preventing me from auto-submitting a form to it that would log a user in. I have used Daniel's suggestion and can get it to successfully log me in when I hit the page, but now I can't get the log in to carry over to any other page. This seems like it's a cookie issue now as the login page generates a random (seeming) id and cookie onload, which I can't get to pass through to any other page after the initial page result. Since I can't get them to stay logged in, I can't think of any other way to verify that the user has already submitted the form (unless someone else here can?) and therefore bypass the survey.



Help me… you are my only hope! :blink:

You can declare a cookie file name as such

    $cookie_filename =  SQ_TEMP_PATH.'/cookie_curl.txt';


and then initialize curl with a number of options

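    // Build a curl handle that keeps its cookies in $cookie_filename, so every
    // request made with the same file name shares one session.
    function &initializeCURLInfo($cookie_filename, $url, $post=TRUE, $post_data=Array())
    {
        $curl = curl_init();
        curl_setopt($curl, CURLOPT_URL, $url);
        curl_setopt($curl, CURLOPT_COOKIEFILE, $cookie_filename); // read cookies from this file (/tmp/)
        curl_setopt($curl, CURLOPT_COOKIEJAR, $cookie_filename);  // write cookies back to it when the handle is closed
        curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);            // follow redirects
        curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);            // return the response body instead of printing it
        curl_setopt($curl, CURLOPT_POST, $post ? 1 : 0);
        if (!empty($post_data)) {
            curl_setopt($curl, CURLOPT_POSTFIELDS, $post_data);
        }//end if
        return $curl;
    }//end initializeCURLInfo()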

then you can use this function to login as well as to post data after you already logged in, using the same cookie file name.

[quote]Here is exactly what I am trying to do. We are going to stream videos from our site, but they are restricted to only be viewable by our local residents. So what they want to do is have them fill out a form asking for some generic information and where they live. I have a custom php script that takes the form submission and checks it against our zipcode db to see if they are a valid local resident. If they are, it uses cURL (successfully) to post the submission back to the matrix custom form.


Now in order to prevent the user from having to submit this little survey every time they want to watch a video, I figure my custom php script can also auto-log them in as a generic user account that has read access to the videos. I could not think of any other way to avoid the same person submitting this survey form every time they want to watch a video.



The problem I am still having though is that the login form for Matrix is being evil and preventing me from auto-submitting a form to it that would log a user in. I have used Daniel's suggestion and can get it to successfully log me in when I hit the page, but now I can't get the log in to carry over to any other page. This seems like it's a cookie issue now as the login page generates a random (seeming) id and cookie onload, which I can't get to pass through to any other page after the initial page result. Since I can't get them to stay logged in, I can't think of any other way to verify that the user has already submitted the form (unless someone else here can?) and therefore bypass the survey.



Help me… you are my only hope! :blink:[/quote]



Yes I see.



Other than fixing the auto login (which is made as difficult as possible)…



We did do something rather like this for a client recently. It is not in core yet as the method was a bit specific to their requirements, but the general method is robust and useful, allowing per-session groups to be set by a trigger. Drop me a mail if you want to talk about this.

Right that is pretty much exactly what I was doing before. On the first load, the user is logged in and everything looks fine and dandy. However, once they navigate to another page, the user is no longer logged in. :frowning:

I've seen two hacks which achieve something similar, but they are very much hacks. The first uses the submitted bodycopy of a Custom Form or Online Poll to show the restricted content. The second used a Search Page to "search" for a result, only showing the restricted content on the results page (i.e. if the search term was correct).


If you still want to go down the curl path, you could look at passing the session of the user as a get variable. PHP should recognise this, and maintain the session (assuming the session is the problem).



Another alternative would be to set a Paint Layout or Design once the user successfully acknowledges their location. Only this particular Design/Paint Layout would have access to the restricted content.


I sent you an email about this Justin as I am interested in this solution.

[quote]If you still want to go down the curl path, you could look at passing the session of the user as a get variable. PHP should recognise this, and maintain the session (assuming the session is the problem).[/quote]

I haven't been able to maintain the session for this to work for me.


[quote]Another alternative would be to set a Paint Layout or Design once the user successfully acknowledges their location. Only this particular Design/Paint Layout would have access to the restricted content.[/quote]

This works to an extent. Sure they are able to see the page, but I am aiming to prevent them from having to submit the form again, which is why I really need them to be logged in after submission is my thought.

If you use ?SQ_DESIGN_NAME=secret_design&SQ_ACTION=set_design_name, the design should be maintained through that session. It's certainly not a perfect solution, just a potential option for you.

Yes, I have had a quick look through the code again, it is a bit tied into the kind of authentication method the client used, trying to work out the best way of disentangling it...
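
Added example (not part of the original thread and not Matrix code): a constructed PHP model of a login form whose key is bound to the session cookie issued with it. It shows why the key has to be fetched and posted with the same cookie jar, and why a login performed by a server-side script does not show up in the visitor's browser. The class `LoginKeyGuard` and its methods are hypothetical, and how Matrix implements the key internally is an assumption.

```php
<?php
// Constructed model of a session-bound login key; all names are hypothetical.
final class LoginKeyGuard
{
    private array $sessions = []; // session id => ['key' => ..., 'user' => ...]

    // Loading the login page issues a session cookie and a random key bound to it.
    public function loadLoginPage(): array
    {
        $sid = bin2hex(random_bytes(16));
        $key = bin2hex(random_bytes(16));
        $this->sessions[$sid] = ['key' => $key, 'user' => null];
        return ['cookie' => $sid, 'login_key' => $key];
    }

    // Submitting the form: the key must match the one issued to this cookie.
    public function submitLogin(?string $cookie, string $key, string $user): bool
    {
        if ($cookie === null || !isset($this->sessions[$cookie])) {
            return false;
        }
        if (!hash_equals($this->sessions[$cookie]['key'], $key)) {
            return false;
        }
        $this->sessions[$cookie]['user'] = $user;
        return true;
    }

    // Who the site thinks is logged in for a given cookie.
    public function currentUser(?string $cookie): ?string
    {
        return $cookie !== null ? ($this->sessions[$cookie]['user'] ?? null) : null;
    }
}

$site = new LoginKeyGuard();

// 1. A server-side script (curl with its own cookie jar) loads the page and logs in.
$script = $site->loadLoginPage();
var_dump($site->submitLogin($script['cookie'], $script['login_key'], 'generic_user'));

// 2. The same key sent without its cookie, or with another session's cookie, is rejected.
$browser = $site->loadLoginPage();
var_dump($site->submitLogin(null, $script['login_key'], 'generic_user'));
var_dump($site->submitLogin($browser['cookie'], $script['login_key'], 'generic_user'));

// 3. The login lives in the script's session; the browser's session is still anonymous.
var_dump($site->currentUser($script['cookie']));
var_dump($site->currentUser($browser['cookie']));
```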