Full Login Procedure

What was meant to be a quick video as usual was not, but this should give you a good idea of the entire creation of a user login system, encompassing:

Login server action - login form - unauthorised error handling - success redirection
Logout server action - logout redirection
Add new user server action - add new user form
Security Provider, Security Restrict, Password Hashing, Security Provider Enforcer, Retrieve logged in user details, Use logged in user details in a Server Connect query, Access the logged in user ID through PHP.

I have tried to cover everything I can without the video being 8 hours long, so I have not used password reset, user roles, and many other parts, but this should get you through most of the login functionality as I use it in Wappler.

Hope some find it useful

7 Likes

Hi @psweb,

Thanks for the great video, it really helped me!

However, since Argon2 Secure Hashes are now available, are the hashing methods you use in the video not necessary anymore, or is that method still more secure?

Thanks for your reply in advance!

Happy the video helped a little.

As far as I am aware the Argon2 hashing methods would be more secure than SHA hashes, however the usage is still pretty similar regardless of which hashing method you choose.

I am doing some test projects soon so I will change to Argon2 and if I find any major differences in how you work with them I will do an update.

Thanks for the quick reply. I tried the Argon2 and it works well. I was just wondering if you chose the SHA hashes for better security, but I guess Argon2 was not available yet when you shot the video.
Anyways, the video was a great help in finding my way around Wappler and its security components, thanks again!

1 Like

Hi @psweb,

This is an excellent video, thank you! You have explained the steps very well, really easy to follow along.

I have been able to add users in the database tables, however, I have hit a snag with the Login step. I am getting this error when logging in:

POST https://abc123.com.au/admin/login.html 405 (Method Not Allowed)

The Server Model is ASP.NET (IIS), so I’m setting up files with html extensions. Could this be causing this error in my case?

Any help in resolving this issue would be greatly appreciated.

I am currently doing a project in ASP.NET and it also has a user section with logins. All is working as expected, however all my extensions are .aspx, so I would honestly alter that and see if it resolves the issue, which I imagine it would.

Very happy you managed to get through the video easily enough.

Hi @psweb,

Thanks for the quick reply. This is working now after I changed the file extensions to .aspx.

I wanted to check one more thing about the file extensions: if I rename/set up index.html as index.aspx, does it still get referenced by default as the initial page to load when the website address is entered by users? Or do I need to set up a Redirection rule in the web config file?

I have set up a fully functioning user login system based on the steps in your video. I will now work on adding email, reset and update functionalities to this.

Are there any similar videos I can use as a reference to add these functionalities?

Thank you again for making Wappler videos, these are really helpful in understanding the steps when developing such functionalities 🙂

Hi @guptast

You are correct, changing the index.html to index.aspx will require you to add a web.config file to the root directory with the following:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <defaultDocument>
            <files>
                <add value="index.aspx" />
            </files>
        </defaultDocument>
    </system.webServer>
</configuration>

Unfortunately I have not done any videos on the other functions you are wanting to add.
Honestly though, it is not very difficult to do; just remember that if you are using password encryption then there is no real way to decrypt the string back into plaintext. What I normally would do with reset functionality is to email the user a temporary password, which also overwrites the password entry in the database.

As an example, the user clicks a forgot password link, which takes them to a page asking for only their email, and they click reset.
This fires a server action that has a:
Database Connection
Database Single Query (to get the user ID)
Database Update (updates the password field to a TIMESTAMP with SHA512 and the sitewide used SALT)
Mail (with the plaintext TIMESTAMP as their new password, and a query parameter set on the clickable link of https://www.example.com/login.aspx?reset=true)

On the login script, have a condition that looks for reset=true, which then opens a modal window or something on successful login that only has a new password and confirm new password field. Remove all close buttons from the modal, and in the modal options make sure clicking in the blank space also cannot force close it, so the only way to close the modal is to enter the new passwords with validation and click the Update Password button.

I hope that makes sense, good luck, let me know how it goes.
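An added example, not code from the video, the posts above or Wappler: the reset flow from the post above, together with the Argon2 versus SHA question raised earlier in the thread, sketched in Python with three substitutions. The temporary password comes from the OS CSPRNG instead of a timestamp, the hash is scrypt with a per-user salt (standing in for Argon2, which is not in the Python standard library) instead of SHA512 with a sitewide salt, and the forced change is a server-side flag with an expiry rather than the reset=true query parameter. The USERS dict, TEMP_TTL and every function name are assumptions.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stand-in for the users table (not Wappler's schema).
USERS = {"alice@example.com": {"salt": b"", "hash": b"", "must_change": False, "temp_expires": 0.0}}
TEMP_TTL = 15 * 60  # assumed lifetime of a temporary password, in seconds

def hash_password(password, salt):
    # Memory-hard KDF with a per-user salt; scrypt is a stand-in for Argon2.
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)

def set_password(user, password):
    user["salt"] = secrets.token_bytes(16)  # fresh salt on every change
    user["hash"] = hash_password(password, user["salt"])

def request_reset(email, now=None):
    """Overwrite the stored hash with a random temporary password.
    Returns the plaintext to mail, or None for an unknown address."""
    user = USERS.get(email)
    if user is None:
        return None  # the page should show the same message either way
    temp = secrets.token_urlsafe(16)  # 128 random bits, not guessable from the clock
    set_password(user, temp)
    user["must_change"] = True
    user["temp_expires"] = (time.time() if now is None else now) + TEMP_TTL
    return temp

def login(email, password, now=None):
    """Returns 'denied', 'change_required' or 'ok'."""
    user = USERS.get(email)
    if user is None or not user["hash"]:
        return "denied"
    candidate = hash_password(password, user["salt"])
    if not hmac.compare_digest(candidate, user["hash"]):
        return "denied"
    if not user["must_change"]:
        return "ok"
    # The flag lives in the database, so dropping ?reset=true from the URL
    # does not skip the forced change, and a stale temporary password expires.
    now = time.time() if now is None else now
    return "change_required" if now <= user["temp_expires"] else "denied"

def change_password(email, current, new, now=None):
    if login(email, current, now) == "denied":
        return False
    user = USERS[email]
    set_password(user, new)
    user["must_change"], user["temp_expires"] = False, 0.0
    return True
```

Until `change_password` succeeds, the server action behind every protected page would treat `change_required` as not logged in, so the modal is only the user interface for a rule the server enforces.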

Hi @psweb,

Thank you for sending the addition I need to make in the web config; the website is now opening the .aspx web page by default.

I started to add the reset / forgot password functionality, but halfway through the setup I realised that I needed the mailer server action to send an email with a temporary password and a link to reset the password. That is where I hit the roadblock.

I started with a setup of email functionality in the add user step as this is easier to troubleshoot in case there’s any issue with mailer or send mail setup. I have added mailer and send email server actions for sending the form values when a new user is created. I have added SMTP details. However, no email is being sent out and there’s no error in Chrome dev tools either.

It seems the web server is not sending out any SMTP emails. I have checked and no SMTP service is set up / running on the web server.

Is this the reason for no email being sent out through SMTP? Do I need to install any SMTP server/service on the web server to get this working?

I’m using a 3rd Party SMTP service to send out emails. I’m running IIS 10.0 on a Windows Server 2019.

Your assistance is greatly appreciated 🙂

Hi @psweb,

I have got the SMTP Mail server working correctly now.

I was missing the pickupDirectory entry in the Mailer server action. Once I set it up in the server action and created a relevant path/folder on the web server, everything started working as expected (Sending email from Server Connect on an aspx project).

Now I can begin to set up Reset/ForgotPassword functionality. Thank you again for all the help you have provided me so far 🙂

1 Like