Facebook connect database transaction help - mysql

I am trying to implement a simple login system with facebook, but I need users to pick a username. What I was thinking was to get all the information I need from facebook, request permissions, then add the information to the database, redirect to a form asking for a username and then add that to the database, to the same entry.
I think a transaction is needed so I don't end up with any half completed database entries. But I've only ever used them on the same page, so I'm wondering if this is safe? If it fails then there is no point where I would be telling the database to roll back the changes and it would be with a transaction open.
Is this right or will it be ok?

I think you made it more complicated than it should be :)
No need to enter facebook id into database before username as you can always grab it later.
Forward user to login screen (or better just open login popup using javascript FB API)
Once user is logged in forward them to username picking page (or better do javascript popup without page redirect)
When user is entered username request the current user id from facebook on server side (by either using graph api or fql) and then if everything is ok enter this record to database.

Related

Generate an email button to log a user into a web page without API

TLDR: Is it possible to email a login button which will open a web page and enter the appropriate user information into the username/password fields? Is it possible to embed this within an HTML button, or possibly in SQL injection? If so, where should I start my research to make this happen?
OK, so what I am tasked with is generating the billing lists for about 2000 non-technical users. Currently we use a third party billing site which does not have an API or any way to authenticate users from the URL heading. What we have been doing is using mail-merge to email users their username and password along with a link to the billing site. This is great, except that our users are... special. We get dozens of phone calls a day from elderly users who can't copy/paste the given information into the website.
What I am looking for is someone to point me in the right direction for making an email click here button that will open the web page, enter the username and password (from a CSV/XML of usernames/passwords) and click enter.
I'd even settle for opening the webpage with their credentials filled into the appropriate fields. Is there a way to do this? What is the best way to go about this?
Before we get into best practices/security, CC information isn't stored on the site, and the only user info view-able is the invoice, so security isn't a huge concern here since the users can't set their own passwords (username / password generated from static fields in another database silo).
Not looking for someone to do this project for me, but perhaps a few friendly pointers in the right direction for how to do this.
Is it possible to email a login button which will open a web page and enter the appropriate user information into the username/password fields?
Not unless either:
The website is specifically designed to allow that. Since you said it was a third party side, then you would have to ask the people who wrote it.
The site suffered from an XSS security vulerability. (Explaining how to search for one would be too broad for a SO answer, searching for one would be illegal pretty much everywhere).

Integrating multiple user account tables

I have three websites: a.example.com, b.example.com, and c.net. Each was built a couple years after the other and all have their own users table.
I want to integrate these sites together so that I can login with a single username/password combo and have access to all three sites just by clicking links without having to login again.
I've never done an integration like this before, so looking at two angles:
1) Create another website, 'd.net' where new accounts can be created. If you login to one of the original three sites, it asks you for your d.net account. If you dont have one it asks you to make one. In your 'account settings' on d.net, you can 'add sites' to your account by entering your old username and password for them. Sound reasonable?
2) Solving the technical problem of being able to one-click login to another of the three sites if i'm already logged into d.net. Afaik, cookies with a session ID can't be shared across domains. So... maybe generate a token and save it to the database. Send token over GET to another website, which can check the token, log the user in, and then delete the token. Sound about right?
Have you looked at OpenID?
http://en.wikipedia.org/wiki/OpenID
Don't have to re-invent the wheel.

Confirmation email sent to user in vb.net to mysql database

Just want to ask if there is some way to add automatic email confirmation to vb.net website.
I want that user create new account in the website and the website sent the confirmation link to them. Only if the confirmation email is clicked the user will be able to fully register.
I know that there are ways with build in login page from vb. But I'm using my own login. Mainly becouse the database where user connect is MySql.
something like this: http://www.asp.net/web-forms/videos/authentication/implement-the-registration-verification-pattern
Any idea where to look? most of the google search links are with php or to Microsoft Sql.
Thanks in advance for any good link or solution.
Petr
basically, when an user registers the account, you generate a confirmation # (I will use GUID), then send the user an email with the confirmation link. the confirmation link is the url of the confirmation page with the confirmation # as parameter, i.e. www.mysite.com/confirmation.aspx?code={guid} . you save the confirmation code in the database with the user account table (it could be in the same table or a separated table). the user has to click the confirmation url to confirm. when confirm, you just need to check whether the code is the same as the Guid in the database.
Basically, the process is the same and it has no much relation with mySQL or SQL Server.
here is an example, although it is C#, the same process, just a little bit different syntax in code:
http://www.webreference.com/programming/asp_net/registration-confirmation-system/index.html
also
asp.net confirmation mail send link that contains a unique identifier

How should I managed a database for register/log in with Facebook & Twitter

I am creating an iOS App which the user will be able to login to via his account with our website (internal), or via Facebook or Twitter.
What I would like to know is how should I manage the database in order to verify his Facebook / Twitter account with his internal account on my website?
I.e When the user logs in via his internal account, I just run a simple authentication check to see if his username and password are valid. However with Facebook and Twitter, I obviously can't do this as I don't have access to the user's password.
Thanks in advanced.
my suggestion is that you would create a new table for each of the login types and connect it to your users/members table.
for example - for facebook login you would have a facebook_users table to hold the user's data (such as name, pic and most important - fbid)
than add a column named facebook_user_id to your existing members table.
in order to get the logged user from facebook you don't need to access his password... you should use the Facebook JS SDK and specifically the FB.getLoginStatus and FB.login function...
offcourse my suggestion is only one of many applicable ways to accomplish the task
Save fbid instead of fb-login user_name (you can keep both) of the user in your internal login table - A unique mapping exists (I'm sure something similar exists for twitter as well). Why do you need fb password for it?
Moreover, you run the check on internal table to authenticate user account, but when using login from fb or twitter, isn't the user already authenticated?

How to update DB records using a dynamically generated link

I have a requirement to generate an email to administrator whenever a user sign up. Administrator will approve the registration by clicking on a link provided in email and database should get updated, without admin to login to administrator console.
I am looking for best practice to code this scenario with keeping application security intact. I can generate email with dynamic rendom value attached to the link(provided in email) URL, but i am not sure how to keep a track of this on application side?
Any thoughts?
You could generate a random validation number when the user signs up, and store it in the database with the user record. Then generate an email with a link such as
http://foo.bar.com/approveUser.action?userId=<theUserId>&validationToken=<theRandomNumber>
When the approveUser action is invoked, check if the validation token stored in the database for the given user ID matches with the token sent as parameter, and if so, approve the user.