
qed42.com: Securing Cookie for 3rd Party Identity Management in Drupal

News from Planet Drupal - Mon, 10/30/2017 - 08:15

We are in an era where many third-party integrations are done in projects. In Drupal-based projects, cookie management is handled by Drupal itself to maintain the session, whether it is a pure Drupal project or a decoupled one.

But what about the scenario where the user's information is managed by a third-party service and no user information is saved in Drupal, and authentication is also done by some other third-party service? How can we manage the cookie in this case to run our site session and keep it secure?

One way is to set and maintain the cookie on our own. In this case, our users will be anonymous to Drupal, so we keep the session running based on the cookie. The user information is stored in the cookie itself, and it is validated whenever a request is made to Drupal.

PHP has a function for setting cookies, setcookie(), which we can use to create and destroy cookies. The flow will be that a login request made to the website is verified via the third-party service, and then we call setcookie() to set a cookie containing the user information. But securing the cookie is a must, so how do we do that?

For this, let's refer to the Bakery module to see how it does it. It contains functions for encrypting a cookie, setting it and validating it.

To achieve this in Drupal 8, we will write a helper class, say "UserCookie.php", and place it in '{modulename}/src/Helper/'. Our cookie helper class will contain static methods for setting and validating the cookie; static so that we can call them from anywhere.

We have to encrypt the cookie before setting it, so we will use the openssl_encrypt() PHP function in the following manner:

// At the top of UserCookie.php: use Drupal\Core\Site\Settings;

/**
 * Encrypts given cookie data.
 *
 * @param string $cookieData
 *   Serialized cookie data for encryption.
 *
 * @return string
 *   Encrypted cookie.
 */
private static function encryptCookie($cookieData) {
  // Create a raw 32-byte key from the configured secret string.
  $key = openssl_digest(Settings::get('SOME_COOKIE_KEY'), 'sha256', TRUE);
  // Create a random initialization vector for this encryption.
  $iv = openssl_random_pseudo_bytes(16);
  // Encrypt the cookie data, then prepend the initialization vector so that
  // it can be recovered when decrypting this cookie.
  $encryptedCookie = $iv . openssl_encrypt($cookieData, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
  // Add a signature over the initialization vector and the ciphertext.
  $signature = hash_hmac('sha256', $encryptedCookie, $key);
  // Encode the signature and the encrypted cookie together.
  return base64_encode($signature . $encryptedCookie);
}
  1. The string parameter passed to openssl_digest() can be any string you like to use as the key; a simple keyword works too, as long as it stays secret.
  2. The same key must be used when decrypting the data.
  3. The same initialization vector is needed when decrypting, so we prepend it to the encrypted cookie data to get it back later.
  4. We also add a signature generated with the same key as above; we verify this signature when validating the cookie.
  5. Finally, we encode the signature and the encrypted cookie data together.

For setting the cookie:

/**
 * Sets a cookie using user data.
 *
 * @param string $name
 *   Name of the cookie to store.
 * @param mixed $data
 *   Data to store in the cookie.
 */
public static function setCookie($name, $data) {
  $data = is_array($data) ? json_encode($data) : $data;
  $cookieData = self::encryptCookie($data);
  // The expiry is an absolute Unix timestamp, as setcookie() expects.
  setcookie($name, $cookieData, Settings::get('SOME_DEFAULT_COOKIE_EXPIRE_TIME'), '/');
}

Note: You can keep 'SOME_COOKIE_KEY' and 'SOME_DEFAULT_COOKIE_EXPIRE_TIME' in your settings.php; Settings::get() will fetch them for you.
Tip: You can also append the cookie's expiration time to the encrypted data itself so that you can verify it at decryption time. This stops anyone from extending the session by manually changing the cookie's expiry.

Congrats! We have successfully encrypted the user data and set it in a cookie.

Now let’s see how we can decrypt and validate the same cookie.

To decrypt the cookie:

/**
 * Decrypts the given cookie data.
 *
 * @param string $cookieData
 *   Encrypted cookie data.
 *
 * @return string|false
 *   Decrypted data, or FALSE if the signature does not match.
 */
public static function decryptCookie($cookieData) {
  // Create the same key that was used while encrypting.
  $key = openssl_digest(Settings::get('SOME_COOKIE_KEY'), 'sha256', TRUE);
  // Reverse the base64 encoding of $cookieData and reject malformed input.
  $cookieData = base64_decode($cookieData, TRUE);
  if ($cookieData === FALSE || strlen($cookieData) < 80) {
    return FALSE;
  }
  // Extract the hex signature (64 characters) from the cookie data.
  $signature = substr($cookieData, 0, 64);
  // Extract the data without the signature.
  $encryptedData = substr($cookieData, 64);
  // The signature must match; compare in constant time.
  if (!hash_equals(hash_hmac('sha256', $encryptedData, $key), $signature)) {
    return FALSE;
  }
  // Extract the initialization vector prepended while encrypting.
  $iv = substr($cookieData, 64, 16);
  // Extract the ciphertext, which contains the profile details.
  $encrypted = substr($cookieData, 80);
  // Decrypt the data using the key and the initialization vector extracted above.
  return openssl_decrypt($encrypted, 'aes-256-cbc', $key, OPENSSL_RAW_DATA, $iv);
}
  1. We generate the same key from the same string parameter used while encrypting.
  2. Then we reverse the base64 encoding, as we need to extract the signature to verify it.
  3. We generate the signature again with the same key that was used to create it during encryption. If the signatures do not match, validation fails!
  4. Otherwise, we extract the initialization vector from the encrypted data and use it to decrypt the data, which is returned for use.

For validating the cookie:

/**
 * Validates a cookie.
 *
 * @param string $cookie
 *   Name of the cookie.
 *
 * @return bool
 *   TRUE if the cookie is present and its signature verifies, FALSE otherwise.
 */
public static function validateCookie($cookie) {
  // Read the cookie value from the current request.
  $cookieData = \Drupal::request()->cookies->get($cookie);
  if ($cookieData !== NULL && self::decryptCookie($cookieData) !== FALSE) {
    return TRUE;
  }
  return FALSE;
}

We can verify the cookie on requests made to the website to maintain our session. You can implement a function that expires the cookie to simulate user logout. We can also use the decrypted user data from the cookie to serve user-related pages.
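As an added example (not code from the original post or from the Bakery module), here is a self-contained version of the helper that also stores the expiry inside the encrypted payload, as the tip above suggests, and rejects the cookie once that time has passed. It derives separate encryption and signing keys from the single configured secret, compares the signature in constant time and sets the Secure and HttpOnly flags; the module namespace and the settings names are assumptions.

```php
<?php

namespace Drupal\mymodule\Helper;

use Drupal\Core\Site\Settings;

// Added example (not the original post's code): signed, encrypted cookie whose
// expiry is stored inside the payload. Assumes 'SOME_COOKIE_KEY' and
// 'SOME_DEFAULT_COOKIE_EXPIRE_TIME' (a lifetime in seconds) in settings.php.
class UserCookie {

  const CIPHER = 'aes-256-cbc';
  const IV_LEN = 16;
  const SIG_LEN = 32;

  // Derives distinct raw 32-byte keys for encryption and signing from one secret.
  private static function keys() {
    $secret = Settings::get('SOME_COOKIE_KEY');
    return [
      hash_hmac('sha256', 'encryption', $secret, TRUE),
      hash_hmac('sha256', 'signature', $secret, TRUE),
    ];
  }

  // Encrypts an array of user data, embedding an absolute expiry timestamp.
  public static function encrypt(array $data, $lifetime) {
    list($encKey, $sigKey) = self::keys();
    $data['expires'] = time() + (int) $lifetime;
    $iv = random_bytes(self::IV_LEN);
    $ciphertext = openssl_encrypt(json_encode($data), self::CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    // The IV is stored in clear and signed together with the ciphertext.
    $payload = $iv . $ciphertext;
    return base64_encode(hash_hmac('sha256', $payload, $sigKey, TRUE) . $payload);
  }

  // Returns the decoded array, or FALSE if the signature or the expiry fails.
  public static function decrypt($cookie) {
    list($encKey, $sigKey) = self::keys();
    $raw = base64_decode($cookie, TRUE);
    if ($raw === FALSE || strlen($raw) < self::SIG_LEN + self::IV_LEN) {
      return FALSE;
    }
    $signature = substr($raw, 0, self::SIG_LEN);
    $payload = substr($raw, self::SIG_LEN);
    // Constant-time comparison, and verify before decrypting anything.
    if (!hash_equals(hash_hmac('sha256', $payload, $sigKey, TRUE), $signature)) {
      return FALSE;
    }
    $iv = substr($payload, 0, self::IV_LEN);
    $plain = openssl_decrypt(substr($payload, self::IV_LEN), self::CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    $data = ($plain === FALSE) ? NULL : json_decode($plain, TRUE);
    // The expiry sits inside the signed payload, so the client cannot extend it.
    if (!is_array($data) || empty($data['expires']) || $data['expires'] < time()) {
      return FALSE;
    }
    return $data;
  }

  // Sets the cookie with Secure and HttpOnly flags and a matching browser expiry.
  public static function set($name, array $data) {
    $lifetime = (int) Settings::get('SOME_DEFAULT_COOKIE_EXPIRE_TIME', 3600);
    setcookie($name, self::encrypt($data, $lifetime), time() + $lifetime, '/', '', TRUE, TRUE);
  }

}
```

A request handler can call UserCookie::decrypt() on the incoming cookie value and treat FALSE as "not logged in"; a tampered signature, a forged expiry and an expired cookie all fail the same way.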

navneet.singh Mon, 10/30/2017 - 13:45
Categories: Drupal

[FREEMIUM] Chatbot for Messenger, 85% Open Rate and 56% CTR! Give it a shot :) (self.WordpressPlugins)

Talk about plugins - 4 hours 48 min ago

We just released newsBooster plugin for Wordpress websites. It lets you deliver news to subscribed users via Messenger. We would appreciate your feedback and development ideas! :)

After a few initial installations we observed ~85% Open Rate and ~56% CTR. It's way more than old-fashioned email newsletter.

Details: https://wordpress.chatbooster.pl Download for free from Wordpress repository: https://wordpress.org/plugins/newsbooster-for-messenger/

submitted by /u/zewlak
Categories: WordPress Maintenance

[REQUEST] Wanna join a nice project? Our plugin need some help to evolve!

Talk about plugins - 10 hours 23 min ago

Hi! Some months ago, I started developing a very interesting plugin for music lovers.
The idea is to scrape data from various websites to build playlists on-the-fly (radio stations websites, Last.FM, Spotify, Radionomy, Deezer, Soundcloud, Soundsgood, Hype Machine, Reddit...); and then to search for online sources (Youtube, Soundcloud...) to play its tracks. Almost any website where a playlist is displayed can be used; and playlists do automatically refresh every X minutes!

There is a lot of potential there and it is already working quite well; but it is too much work to do it all by myself.

Are you interested in developing WordPress plugins; do you love music?

I would be glad to get some help here. The plugin is free and will remain free :)

Thanks!

submitted by /u/grosbouff
Categories: WordPress Maintenance

Acro Media: Video: Checkout in Drupal Commerce 2.x is Configurable for any Order Type

News from Planet Drupal - 13 hours 47 min ago

A checkout is a pretty fundamental part of a commerce system. So the fact that Commerce 2.x has a checkout is not really news. But it’s what you can do with the checkout that makes 2.x special.

You can now configure the checkout workflow. You can opt to ask for billing information, shipping information, certificates, registration details, etc. There’s lots of different data that can change depending on the type of product you sell. If you sell digital products, for instance, you don’t need shipping information. If you sell course registrations, you might require pre-existing certificates. Maybe you do both, so you need to configure multiple types of checkouts.

And that’s easy to do. For the most part, it’s a matter of dragging and dropping options. You can add or remove pieces pretty easily. If you need something really custom, like if you need to validate a safety certificate against a third party, you might need a developer to build that functionality. But otherwise it’s a fairly simple process.

You can also integrate into any part of the checkout. Maybe you do something when you add to cart, or when you complete the order. Maybe you even go off-site to pay through PayPal or register through Eventbrite and then come back. You can hook into any step you need in order to get those things done.

Categories: Drupal

1-page website to introduce and market a brand and product - Upwork

WordPress Work From UpWork - 15 hours 45 min ago
I have the content and most assets. I'm looking for someone with a great eye who really wants to do a project building a cool brand from a single page.


Posted On: October 18, 2017 07:49 UTC
Category: Web, Mobile & Software Dev > Web & Mobile Design
Skills: Graphic Design, Web Design, Website Development, WordPress
Country: United States
Categories: WordPress Maintenance

Drupal.org blog: What's new on Drupal.org - September 2017

News from Planet Drupal - Tue, 10/17/2017 - 22:27

Read our Roadmap to understand how this work falls into priorities set by the Drupal Association with direction and collaboration from the Board and community.

We're back from DrupalCon Vienna, with updates on what's new from the month of our European event.

Announcement: TLS 1.0 and 1.1 deprecated

Drupal.org uses the Fastly CDN service for content delivery, and Fastly has deprecated support for TLS 1.1, TLS 1.0 and 3DES on the certificate we use for Drupal.org, per the mandate by the PCI Security Standards Council. This change took place on 9 Aug 2017. This means that browsers and API clients using the older TLS 1.1 or 1.0 protocols will no longer be supported. Older versions of curl or wget may be affected as well.

Drupal.org updates: DrupalCon calendar syncing

In our last update, we teased a new feature for DrupalCon attendees - the ability to sync your personal schedule to a calendar program. We're pleased to report that this feature made it in time for the event, and was used by attendees throughout the week. If you've already synced your calendar for DrupalCon Vienna, you're already set up to use the same feed for DrupalCon Nashville next April!

Keynote simulcast to Youtube

This year at DrupalCon, in addition to live streaming on Events.Drupal.org itself, we simulcast the keynotes to YouTube. We also embedded the keynote on the Drupal.org homepage - to spread the latest news about Drupal beyond DrupalCon attendees.

In fact, if you couldn't attend DrupalCon or just missed the keynotes, you can watch Dries' update on the Drupal project here:

Industry Pages promoted in the front page Call-to-Action

We've also made some updates to how the industry pages are promoted. In addition to the dedicated block with icons linking to each industry, we now also promote the industry solutions landing page in the main CTA under the homepage header.

We hope to further encourage users evaluating Drupal to explore some of the tremendous solutions that are already out there, and take inspiration from their success.

First-in/First-out issue sorting

To make sure that issues are reviewed by maintainers in the order they are received, it is now possible to sort the issue queues by when the issue status last changed. This means RTBC issues can be reviewed on a first-in/first-out basis!

This 'status changed' date field is available on the advanced search view for any issue queue. Here's what it looks like for Drupal core:

Project creation analysis

About six months ago we opened up project creation on Drupal.org to allow any confirmed user to create a full project. We've put together a blog post outlining the impact these changes have had on the contrib landscape. In short, we've seen a tremendous increase in the rate of project creation, and the rate of applications for security advisory coverage, and a modest increase in projects receiving stable releases without yet opting in coverage. We're continuing to monitor project creation and work with the Security Working Group and others on next steps.

Displaying orphan dev releases

In last month's update we talked about a variety of changes we made to project pages, to provide better signals about project quality to evaluators. In response to feedback, we've restored the visibility of dev releases, even when they aren't associated with a tagged release.

This is particularly helpful for project maintainers trying to bring visibility to the next major development version of their modules, such as their Drupal 8 module port efforts.

———

As always, we’d like to say thanks to all the volunteers who work with us, and to the Drupal Association Supporters, who made it possible for us to work on these projects. In particular we want to thank:

If you would like to support our work as an individual or an organization, consider becoming a member of the Drupal Association.

Follow us on Twitter for regular updates: @drupal_org, @drupal_infra

Categories: Drupal

Drupal core announcements: Coding Standards Change Proposals 10/17

News from Planet Drupal - Tue, 10/17/2017 - 18:59

The TWG coding standards committee is announcing two issues for final discussion. Feedback will be reviewed on 10/31/2017.

New issues for discussion:
Pending ratification
Provisionally approved issues
Interested in helping out?

You can get started quickly by helping us to update an issue summary or two or dive in and check out the full list of open proposals and see if there's anything you'd like to champion!

Categories: Drupal

[HELP] Plugin to get text balloon to appear?

Talk about plugins - Tue, 10/17/2017 - 17:39

Is there a way I can get pop up balloons of brief descriptions in text to appear when you hover the cursor over a word? I've seen text pop up when you hover the cursor over question marks on some websites. Is there a plugin or something that does this?

submitted by /u/rkim777
Categories: WordPress Maintenance

[DISCUSSION] Do you use page builders if yes which one and why ?

Talk about plugins - Tue, 10/17/2017 - 17:26

Page builder plugins are everywhere these days. If you are using one, please share some information about it and the reason for using it. Thanks

submitted by /u/umarba
Categories: WordPress Maintenance

Elevated Third: Elevated 3 Takeaways: Drupal 8

News from Planet Drupal - Tue, 10/17/2017 - 16:35
Nelson Harris, Tue, 10/17/2017 - 10:35

In this edition of 3 Takeaways, our Business Development Strategist, Nelson Harris, reviews Drupal 8 and how the latest improvements help get more out of the box, leverage mobile, and upgrade smoothly.

 

 

Hi, I’m Nelson Harris, Business Development Strategist at Elevated Third. A question I get a lot from people is “what’s new and interesting about Drupal 8, and why might I upgrade.” There are a lot of reasons why you might want to upgrade to Drupal 8 but I’m just going to list three of them.

Takeaways #1: First, you get more out of the box.

There are a lot of useful modules in Drupal 8 core that have been built in. Things like views, multilingual, a WYSIWYG editor, and more types of fields. This means you can spend less time configuring and installing modules, and more time working on your site.

Takeaway #2: Second of all, mobile is in its DNA.

Built-in themes are all responsive and adapt well to different screen sizes. Tables will scale, and the new admin toolbar is really good on mobile devices. Chances are, you’re probably watching this video on the screen of your mobile device right now, so you can imagine why mobile might be important.

Takeaway #3: Finally, it’s built to be more future proof.

Where an upgrade from 7 to 8 or 6 to 7 requires scrapping your codebase and starting all over from scratch, Drupal 8 is designed to go from 8 to 9 and 9 to 10 more seamlessly and more like an update patch as opposed to starting over. An investment in Drupal 8 really means that you're investing in your website because it's going to be easier to upgrade in the future.

Categories: Drupal

Drupal Modules: The One Percent: Drupal Modules: The One Percent —Timelogin (video tutorial)

News from Planet Drupal - Tue, 10/17/2017 - 13:47
NonProfit, Tue, 10/17/2017 - 08:47, Episode 40

Here is where we seek to bring awareness to Drupal modules running on less than 1% of reporting sites. Today we'll look at Timelogin, a module which restricts users, based on role, from logging in during certain times of the day.

Categories: Drupal

[HELP] why my website lost "css or styling" after activating w3 total cache plugin

Talk about plugins - Tue, 10/17/2017 - 13:16

Hey redditors, today I have purchased Maxcdn to enhance my website speed.

Currently my website is on wordpress hosted under hostgator. I am using "activello" theme.

For setting up Maxcdn with the W3 Total Cache plugin, I activated the "w3 total cache plugin" on my WordPress site but unfortunately it was not loading with CSS. It was just an ugly HTML page without any styling.

Please help me out.. what could be the reason, and how can I revert back to my original website with styling?

submitted by /u/shaileshshakya
Categories: WordPress Maintenance

Skin a WordPress site - Upwork

WordPress Work From UpWork - Tue, 10/17/2017 - 12:03
I need someone to work with who's experienced at responsive design and skinning WordPress sites. I'm no artist and I need help developing original graphic assets and placing them in a simple site. Ideally, we can work together for a couple of sessions and I can tell you what does and doesn't work artistically. I have content and pages set up, but there's no unified theme and look/feel for the site.


Posted On: October 17, 2017 20:11 UTC
Category: Web, Mobile & Software Dev > Web Development
Skills: WordPress
Country: United States
Categories: WordPress Maintenance

Appnovation Technologies: Appnovator Spotlight: Paulo Gomes

News from Planet Drupal - Tue, 10/17/2017 - 10:35
Appnovator Spotlight: Paulo Gomes Who are you? What's your story? My name is Paulo Gomes, I am from Portugal and moved to the UK with my wife in 2016 to join Appnovation crew. I am an tech and web enthusiast since the 90's (so not too old and not too young), I graduated in Computers and Management in 2002, after that worked in many places and companies, as freelancer, trainer and t...
Categories: Drupal

Easy Digital Downloads Plugins - Upwork

WordPress Work From UpWork - Tue, 10/17/2017 - 08:53
You will be editing a WordPress site, primarily working on Easy Digital Downloads; you need to have EDD experience or be familiar with it. The site will need a series of edits; we'll discuss your work content during the interview.


Posted On: October 17, 2017 10:41 UTC
Category: Web, Mobile & Software Dev > Web Development
Skills: CSS, HTML5, JavaScript, WordPress, Wordpress Plugin
Country: Canada
Categories: WordPress Maintenance

QUICK TASK FOR RIGHT WEB ENGINEER/DEVELOPER WITH MORE WORK IN FUTURE - Upwork

WordPress Work From UpWork - Tue, 10/17/2017 - 07:22
We need to copy over production to staging ASAP. Staging is already created!
We are in the process of a website build out and need some extra assistance:

Any help is appreciated.

The design files were sent to XCHOP.com to convert to html and the theme is built out and done. A staging site has been created in Pagely.

I need help:
Copying over the production site to staging
Installing the theme

Additionally, help ensuring the theme matches the design specs, especially on the homepage.

Once installed and the theme is running, I have someone who can help updating/changing copy.

Here is a link for the general spec we have with XCHOP.

You can view your theme preview from our test URL.
http://wp2.upupload.com/blog63950/1avikpj97963950/

You can download the zip files from the link mentioned below.
http://wp2.upupload.com/vieworder/viewweb_new.php?orderid=8f978d1400bdc470dea508e06260fd265796d63a&typ=1

Installation Instructions:
Please extract/upload files and follow the instructions.

1. Upload Theme folder to -
blog > wp-content > themes and activate it from wp-admin

2. Upload plugins to -
blog > wp-content > plugins and activate it from wp-admin

3. Upload "upload folder" to -
blog > wp-content >

4. ‘.XML’ configuration file attached.
-> configure the wp-admin setting and the plugin you need to import xml file to your wp-admin > tools.

5. You need to manage navigation menu from
- wp-admin -> appearances

6. You need to manage the widgets from
- wp-admin -> appearances -> widgets
http://wp2.upupload.com/blog63950/1avikpj97963950/wp-admin/widgets.php
Please let me know if you need further information in order to offer a bid or perhaps a referral.


Posted On: October 17, 2017 10:41 UTC
Category: Web, Mobile & Software Dev > Web Development
Skills: HTML, Website Development, WordPress
Country: United States
Categories: WordPress Maintenance

[Premium] I am selling themes and plugins

Talk about plugins - Tue, 10/17/2017 - 03:14

I am selling an auction theme I got for $69. Selling it for $40.

I also have a premium plugin for vendors which allows people to sell products on your website! I bought it for $149

Asking $100

I also have Follow Adder (a software on Instagram that automatically likes pics and comments; it engages for you and grows followers).

Pm me!

submitted by /u/DIYCutzie101
Categories: WordPress Maintenance

Platform Developer / Engineer - NuData Security - Vancouver, BC

NodeJS jobs - Tue, 10/17/2017 - 01:02
Programming languages like PHP, Python, NodeJs, C, Perl, etc. NuData Security is looking for experienced and passionate Platform Developers / Engineers to join...
From NuData Security - Tue, 17 Oct 2017 01:02:36 GMT - View all Vancouver, BC jobs
Categories: NodeJS