check session_id on custom plugin?
9 years 2 weeks ago #4867
by toninom
Hi, I'm writing my own plugin. As a security improvement, but not only for that, I want to permit only logged-in users to use it, so I need to check the session_id. Do I have to manage it myself in my own plugin, or is it done by jBackend before it calls the plugin?
In the "user" plugin there is a function "onCheckSession". Must I copy/paste this into my plugin?
9 years 2 weeks ago - 9 years 2 weeks ago #4869
by admin
Hi,
You have some options. The simplest one is to create an endpoint with "user access" and publish only this plugin on it (eventually the user plugin if you have only this endpoint, to allow authentication). In this way only logged-in users can consume the service.
If you want to implement the check in your plugin, just do it the Joomla way:
$user = JFactory::getUser();
if (!$user->guest) {
    echo 'You are logged in as:<br />';
    echo 'User name: ' . $user->username . '<br />';
    echo 'Real name: ' . $user->name . '<br />';
    echo 'User ID : ' . $user->id . '<br />';
}
jBackend works with the standard Joomla authentication, and the session id is "ready" when it executes your code.
Kind regards,
Luigi
Last edit: 9 years 2 weeks ago by admin.
9 years 2 weeks ago #4870
by toninom
Thanks a lot, but I'm a bit confused. I need it to work like the user plugin does, e.g. to use the logout action I need to pass the session_id so the plugin can understand which session has to log out. It's just a simple Android app: I log in on the app so I can request some data about my account once logged in. Is it wrong to leave the endpoint free to use, or am I right and it's better to permit access only with session_id?
Maybe for security reasons I have to check that session_id and user_id match on every request?
9 years 2 weeks ago #4871
by admin
You can leave the endpoint with free access. In this case, for each request to your custom plugin that must be restricted to authenticated users, you must check if the user is logged in, and you could also do your own checks with the session id. What I told you is that you can do this exactly as the user plugin does, using the standard Joomla functions.
jBackend is able to accept login and logout requests, and to create user sessions in the standard Joomla way. So when your plugin code is executed you can check the user status (e.g. isGuest?).
Hope it is clear now, otherwise let me know.
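The per-request check discussed in this thread, written out as an added example that is not part of the original posts and is not jBackend's own code. The function name checkRestrictedAccess() and its return array are hypothetical, and the optional comparison assumes the client sends the session_id it received at login.

```php
<?php
/**
 * Added example: decide whether a request may reach a restricted action.
 *
 * @param object      $user              Joomla user object, i.e. JFactory::getUser()
 * @param string      $activeSessionId   Id of the session Joomla loaded for this request
 * @param string|null $suppliedSessionId session_id sent by the client (assumption), or null
 * @return array      Hypothetical result shape: 'allowed' plus 'reason' or 'user_id'
 */
function checkRestrictedAccess($user, $activeSessionId, $suppliedSessionId = null)
{
    // Guests have no authenticated Joomla session and are always refused.
    if (!empty($user->guest) || empty($user->id)) {
        return array('allowed' => false, 'reason' => 'not_logged_in');
    }

    // Optional own check: the id the client sent must be the session in use.
    // hash_equals() needs PHP 5.6+ and compares in constant time.
    if ($suppliedSessionId !== null
        && !hash_equals((string) $activeSessionId, (string) $suppliedSessionId)) {
        return array('allowed' => false, 'reason' => 'session_mismatch');
    }

    // The user id comes from the session, never from a request parameter,
    // so a caller cannot ask for another account's data by changing an id.
    return array('allowed' => true, 'user_id' => (int) $user->id);
}

// Inside a Joomla plugin the call would be:
//   checkRestrictedAccess(JFactory::getUser(), JFactory::getSession()->getId(), $supplied);

// Constructed stand-ins so the file also runs with plain PHP, outside Joomla.
$guest  = (object) array('id' => 0,  'guest' => 1);
$member = (object) array('id' => 42, 'guest' => 0);
$sid    = 'constructed-session-id';

$cases = array(
    'guest caller'            => checkRestrictedAccess($guest, $sid),
    'member, no id supplied'  => checkRestrictedAccess($member, $sid),
    'member, matching id'     => checkRestrictedAccess($member, $sid, $sid),
    'member, different id'    => checkRestrictedAccess($member, $sid, 'other-id'),
);
foreach ($cases as $label => $result) {
    echo $label . ': ' . json_encode($result) . PHP_EOL;
}
```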