Custom login page with Remember me functionality

-1
Hello everyone! I'm trying to create a custom login page with a "remember me" option for a mobile app that I'm building. To that effect, I'd like to know if any of you have accomplished this in the past. Specifically, here's the info I'm looking for:

  • What do I need to do in order to customize the login page (where should I look)?
  • How can I hook into the default Mendix login behavior (for post-processing after a user successfully authenticates)?
  • What would it take to implement the "remember me" functionality on a mobile app (and not require a user to log in every time they open the app)?

I'm assuming that the lack of such rudimentary functionality in the Mendix modeler is symptomatic of other (possibly more elegant) approaches? If so, could someone please point me in the right direction? TIA!
asked
3 answers
2

I don't think anybody has developed that yet (at least I haven't seen it). The way to do this will be by generating a cookie next to the standard Mendix session cookies.

Theoretically you could establish this by setting the 'sessionTimeout' to a few days. (See custom environment settings)
  I would not recommend this approach since it will likely have some side effects.

Overriding the login behavior is possible; the LDAP module and the 'IP Range validator' both do this. They extend or replace the standard authentication method the platform uses. For the simplest example I would recommend taking a look at the IP Range validator. The module hasn't been updated to 6 or 7 yet, but the concept and code in the latest releases are mostly the same.
  This option does not give you access to the cookies though.

For remember me functionality on the client side you would have to build a custom cookie. There might be a few gaps in this design, but this is how I would start building this.

  • Add a new attribute to your user account to store the cookie value
  • Enable anonymous users and build a custom login page with a dataview
  • On your dataview have a 'remember me' boolean
  • Have a Java action override the standard login:
    • The Java action should validate the user and call the authenticate function (see the IP Range Validator module on how to)
    • Retrieve the dataview entity from the anonymous user, and check the boolean.
    • If the remember me is checked, set a (new) attribute on your user. This attribute holds the value of your cookie.
    • If the remember me is not checked, make sure the cookie attribute on your user is set to empty
  • After sign in, on your homepage or layout you should have a custom widget
    • The custom widget should read the cookie attribute from the logged in user
    • If there is a value, create the cookie; if there is no value, remove the cookie

To auto sign in a second time:

  • On the login page place a custom widget that attempts to read your cookie,
    • if a cookie is found read the value
    • call a microflow that validates the cookie; I recommend using a signature and hash to guarantee the validity of the cookie (see more info below)
    • the microflow returns an instruction token to redirect to http://myapp.com/rememberme and posts the cookie token
  • Set up a custom request handler to evaluate a rememberme request
    • The custom request handler receives the cookie info through a post
    • The custom request handler does another validation to make sure the cookie is a valid and signed hash
    • The custom request handler checks if there is a cookie record
    • If the cookie is there and valid, find a user with that cookie (xpath query on the cookie attribute)
    • If the user is present and active, create a new session with the function Core.authenticate(user)
    • If there is no user, create a guest session, Core.createGuestSession()
    • Redirect the user back to your home page, and the standard Mendix logic will either show the anon homepage or the user's homepage

 

When you do this, make sure to use a secure cookie validation. There is a semi-working concept here on GitHub; this does securely store and validate cookies. It uses JSON Web Tokens to store in the cookie and validate the response.
The cookie attribute should hold the secret and the token from JWT, that way you can guarantee that users can't mess with the token.

 

I know it sounds pretty abstract but I hope this would be helpful for some people.

answered
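
One way to implement the signed-cookie check described in the answer above, as an added example (not code from this thread, the linked GitHub project, or Mendix). It uses a plain HMAC-SHA256 signature from the Java standard library in place of a JWT library; the class name, token layout and key handling are assumptions, and the sample key and timestamps are constructed.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
// Added example, not Mendix API: every class and method name here is hypothetical.
public class RememberMeToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final byte[] serverKey; // assumption: a secret that is kept only on the server
    public RememberMeToken(byte[] serverKey) { this.serverKey = serverKey.clone(); }

    // Cookie value "nonce.expiry.signature"; the same string goes into the user's cookie attribute.
    public String issue(long nowSeconds, long lifetimeSeconds) throws Exception {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce); // unguessable and unique per login
        String payload = B64.encodeToString(nonce) + "." + (nowSeconds + lifetimeSeconds);
        return payload + "." + sign(payload);
    }

    // Accept only an intact, unexpired token that still matches the value stored on the user.
    public boolean verify(String presented, String stored, long nowSeconds) throws Exception {
        if (presented == null || stored == null || stored.isEmpty()) return false; // emptied attribute = revoked
        String[] p = presented.split("\\.");
        if (p.length != 3 || !p[1].matches("\\d{1,18}")) return false; // malformed
        if (!sameBytes(sign(p[0] + "." + p[1]), p[2])) return false;     // forged or modified
        if (nowSeconds >= Long.parseLong(p[1])) return false;            // expired
        return sameBytes(presented, stored);
    }

    private String sign(String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(serverKey, "HmacSHA256"));
        return B64.encodeToString(mac.doFinal(payload.getBytes(StandardCharsets.UTF_8)));
    }

    private static boolean sameBytes(String a, String b) { // constant-time comparison
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        RememberMeToken t = new RememberMeToken("constructed-demo-key-not-for-use".getBytes(StandardCharsets.UTF_8));
        String cookie = t.issue(1_000, 3_600); // constructed timestamps, in seconds
        System.out.println(t.verify(cookie, cookie, 2_000));       // untouched token
        System.out.println(t.verify(cookie + "x", cookie, 2_000)); // modified signature
        System.out.println(t.verify(cookie, cookie, 5_000));       // past its expiry
        System.out.println(t.verify(cookie, "", 2_000));           // attribute cleared on the user
    }
}
```

Storing a hash of the token in the user attribute rather than the token itself limits what a leaked database row is worth, and issuing a fresh token on each successful auto sign-in shortens the life of a stolen cookie.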
1

@Sid: It's probably not a good idea to attempt to do this yourself. As Jasper correctly points out, this requires some work and thorough understanding of the concepts used.

A trial and error approach in development might be fine for some types of features, but definitely not for anything as security critical as user authentication.

answered
0

If you publish your app in the app store, it will remember the signed in user by default. The user needs to explicitly sign off if necessary. You can add pin security if you want to.

answered