prerequisite to registration
56 views
Skip to first unread message
Rob Stocker
Sep 11, 2012, 1:57:11 PM9/11/12
to joomla-dev-general
Hi All,
I've got an unusual registration procedure, and I'm not sure where to begin.
The client requires that before one can register with his site , the customer should first supply a confirmation code. Once this code is accepted they are directed to a standard joomla registration.
But my thought is that anyone (or a script) could simply bypass this by inputting the registration url.
Anyone got any ideas as to how this might be done. I'm thinking something along the lines of using $_session , but I'm still not sure what to do.
--
Rob & Lisa - EMC23
083 416 0618
in...@emc23.com
www.emc23.com
I've got an unusual registration procedure, and I'm not sure where to begin.
The client requires that before one can register with his site , the customer should first supply a confirmation code. Once this code is accepted they are directed to a standard joomla registration.
But my thought is that anyone (or a script) could simply bypass this by inputting the registration url.
Anyone got any ideas as to how this might be done. I'm thinking something along the lines of using $_session , but I'm still not sure what to do.
--
Rob & Lisa - EMC23
083 416 0618
in...@emc23.com
www.emc23.com
Nick Savov
Sep 11, 2012, 2:24:45 PM9/11/12
to joomla-de...@googlegroups.com
Hi Rob,
How is the person getting that confirmation code? Is the confirmation
code the same for everyone?
Kind regards,
Nick
> <http://goog_1827821969>in...@emc23.com
> www.emc23.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "Joomla! General Development" group.
> To post to this group, send an email to
> joomla-de...@googlegroups.com.
> To unsubscribe from this group, send email to
> joomla-dev-gene...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/joomla-dev-general?hl=en-GB.
>
>
How is the person getting that confirmation code? Is the confirmation
code the same for everyone?
Kind regards,
Nick
> www.emc23.com
>
> --
> You received this message because you are subscribed to the Google Groups
> "Joomla! General Development" group.
> To post to this group, send an email to
> joomla-de...@googlegroups.com.
> To unsubscribe from this group, send email to
> joomla-dev-gene...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/joomla-dev-general?hl=en-GB.
>
>
Rob Stocker
Sep 11, 2012, 2:40:18 PM9/11/12
to joomla-de...@googlegroups.com
Hi Nick,
Each person will already have been issued their own code. I will then be supplied with the list of codes that I import into joomla (the table will contain the codes only- not the owner of each code). So the system is meant to check merely for the existence of the code and if correct move to the registration process.
my issue with this two step process
(step1) code validation --> ( step2 )joomla registration
is that anybody can simply bypass step one unless there is some kind of lockdown. This would then mean hacking the joomla registration process to not be visible unless step one is complete.
I'm inclined to push to the client, that instead of a two step process, the code is input during registration as an extra field , allowing for a plugin to validate the code during the add new user event, but at present the client is not amenable to change so I'll only push for this, if I am certain his preferred way is not feasible.
Robin...@emc23.com
www.emc23.com
Each person will already have been issued their own code. I will then be supplied with the list of codes that I import into joomla (the table will contain the codes only- not the owner of each code). So the system is meant to check merely for the existence of the code and if correct move to the registration process.
my issue with this two step process
(step1) code validation --> ( step2 )joomla registration
is that anybody can simply bypass step one unless there is some kind of lockdown. This would then mean hacking the joomla registration process to not be visible unless step one is complete.
I'm inclined to push to the client, that instead of a two step process, the code is input during registration as an extra field , allowing for a plugin to validate the code during the add new user event, but at present the client is not amenable to change so I'll only push for this, if I am certain his preferred way is not feasible.
Rob
www.emc23.com
Nick Savov
Sep 11, 2012, 2:42:32 PM9/11/12
to joomla-de...@googlegroups.com
Do you need to keep track of which codes have been used? If not, just
password protect the registration page with those "passwords" (i.e.
codes).
Kind regards,
Nick
> Hi Nick,
>
> Each person will already have been issued their own code. I will then be
> supplied with the list of codes that I import into joomla (the table will
> contain the codes only- not the owner of each code). So the system is
> meant
> to check merely for the existence of the code and if correct move to the
> registration process.
>
> my issue with this two step process
>
> (step1) code validation --> ( step2 )joomla registration
>
> is that anybody can simply bypass step one unless there is some kind of
> lockdown. This would then mean hacking the joomla registration process to
> not be visible unless step one is complete.
>
> I'm inclined to push to the client, that instead of a two step process,
> the code is input* during* registration as an extra field , allowing for a
password protect the registration page with those "passwords" (i.e.
codes).
Kind regards,
Nick
> Hi Nick,
>
> Each person will already have been issued their own code. I will then be
> supplied with the list of codes that I import into joomla (the table will
> contain the codes only- not the owner of each code). So the system is
> meant
> to check merely for the existence of the code and if correct move to the
> registration process.
>
> my issue with this two step process
>
> (step1) code validation --> ( step2 )joomla registration
>
> is that anybody can simply bypass step one unless there is some kind of
> lockdown. This would then mean hacking the joomla registration process to
> not be visible unless step one is complete.
>
> I'm inclined to push to the client, that instead of a two step process,
Rouven Weßling
Sep 11, 2012, 2:46:15 PM9/11/12
to joomla-de...@googlegroups.com
I'd either of these options:
1. Trough a user plug-in extend the registration form with a field for the code and abort the registration if the code is incorrect.
2. Disable user registration and roll your own component to handle user registration.
Best regards
Rouven
Rob Stocker
Sep 11, 2012, 3:03:54 PM9/11/12
to joomla-de...@googlegroups.com
Thanks guys for the input.
1. Trough a user plug-in extend the registration form with a field for the code and abort the registration if the code is incorrect.
This was my original alternative a one step registration process and code confirmation combined. (It's my preferred option)
2. Disable user registration and roll your own component to handle user registration.
This feels like overkill,but I think I could do it, if I'm forced to. It would allow for the two step process and prevent users and scripts going directly to the user registration page. I could simply copy and paste the password encryption from the standard joomla process
*****************************
Do you need to keep track of which codes have been used? If not, just password protect the registration page with those "passwords" (i.e. codes).
Do you mean using htaccess or something similar before joomla to protect the registration page? That would work but might compromise the look and feel which is also non-negotiable at the moment.
Best regardsRouvenHi All,
I've got an unusual registration procedure, and I'm not sure where to begin.
The client requires that before one can register with his site , the customer should first supply a confirmation code. Once this code is accepted they are directed to a standard joomla registration.
But my thought is that anyone (or a script) could simply bypass this by inputting the registration url.
Anyone got any ideas as to how this might be done. I'm thinking something along the lines of using $_session , but I'm still not sure what to do.
--
Rob & Lisa - EMC23
083 416 0618
in...@emc23.com
www.emc23.com
--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To post to this group, send an email to joomla-de...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-gene...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-general?hl=en-GB.
Nick Savov
Sep 11, 2012, 3:17:29 PM9/11/12
to joomla-de...@googlegroups.com
Yes, I meant using htaccess or a system plugin.
If the look and feel is a concern, then you can create it as a system
plugin similar to:
http://extensions.joomla.org/extensions/access-a-security/site-access/content-restriction/10145
or:
http://extensions.joomla.org/extensions/access-a-security/site-access/content-restriction/3072
Or have it as a nice modal popup above the registration page.
Kind regards,
Nick
If the look and feel is a concern, then you can create it as a system
plugin similar to:
http://extensions.joomla.org/extensions/access-a-security/site-access/content-restriction/10145
or:
http://extensions.joomla.org/extensions/access-a-security/site-access/content-restriction/3072
Or have it as a nice modal popup above the registration page.
Kind regards,
Nick
Youjoomla LLC
Sep 12, 2012, 1:54:30 PM9/12/12
to joomla-de...@googlegroups.com
Use template override for the registration form , check either against your session , or DB for the codes ,
--
Best Regards
Dan Casky
Youjoomla Customer Service
+1727-388-6653
5044 17th street N
Saint Petersburg ,FL
33714
-------------------------------
Youjoomla LLC
www.youjoomla.com
Professional Joomla Web Design Services
if code is in db , display the form , or if session sends it.
All you need is to place com_users/registration/default.php
On youjoomla.com we are redirecting all com_user access to our custom reg form by using
$app->redirect($url); in template overrides.
you could pass new var in link that is sent to the user like index.php?option=com_users&view=registration&Itemid&secretcode=d21521a5454a5 ,, i would use MD5 hash there
so than if
if( JRequest::getCmd('
secretcode ') ==matchfrom db){
show form
}else{
redirect
}
On Wed, Sep 12, 2012 at 4:01 AM, Mathew Lenning <mathew....@gmail.com> wrote:
I don't know if this is relevant, but you could save the code in the session when the user enters it, then create a content plugin that checks for the presence of the code if the request is for the registration page.
This seems like the simplest and least intrusive way to acheive your goal.
--
You received this message because you are subscribed to the Google Groups "Joomla! General Development" group.
To view this discussion on the web, visit https://groups.google.com/d/msg/joomla-dev-general/-/k9SVYZ3YmoIJ.
To post to this group, send an email to joomla-de...@googlegroups.com.
To unsubscribe from this group, send email to joomla-dev-gene...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/joomla-dev-general?hl=en-GB.
Best Regards
Dan Casky
Youjoomla Customer Service
+1727-388-6653
5044 17th street N
Saint Petersburg ,FL
33714
-------------------------------
Youjoomla LLC
www.youjoomla.com
Professional Joomla Web Design Services
Youjoomla LLC
Sep 12, 2012, 1:56:08 PM9/12/12
to joomla-de...@googlegroups.com
All you need is to place com_users/registration/default.php
in your template html folder so that the folder tree looks like
templates/yourtemplate/html/ com_users/registration/default.php
Reply all
Reply to author
Forward
0 new messages