User_LoggingIn Server Event for LDAP authentication

danilo.macri · February 2, 2025, 2:38pm

in phpmaker 2025 if i use LDAP authentication as if the event function User_LoggingIn(string $userName, string &$password): bool does not work.
i have a table with all the users who can access. i want to verify before logging in that the user is actually enabled otherwise the message is returned that informs the user that he is not enabled. i tried to assign the username to a session and then print it but the session, after the login, remains null while in the previous version it is populated with what is written in the username.
You can reproduce the problem using ldap authentication, you will notice that the values are not passed to the User_LoggingIn function

function User_LoggingIn(string $userName, string &$password): bool
{
    // Enter your code here
    // To cancel, set return value to false
    $userName = trim(strtolower($userName));
    $a = $userName;
    $_SESSION["prova"] = $a;
    if ($a == "administrator") {
        return true;
    } else {
        $_SESSION["mess"] = "unauthorized user";
        $myCount2 = ExecuteScalar(
            "SELECT COUNT(*) FROM autorizzazioneutente WHERE utenza='$a' and disabilita=false"
        );
        if ($myCount2 > 0) {
            $_SESSION["user"] = $userName;
            $_SESSION["pass"] = $password;
            $_SESSION["OK"] = 0;
            $_SESSION["OKPEC"] = 0;
            $_SESSION["annorapp"] = 0;
            return true;
        } else {
            $this->setFailureMessage($_SESSION["mess"]);
            return false;
        }
    }
}

mobhar · February 3, 2025, 12:33am

Please note that according to v2025 Documentation, you should avoid the usage of $_SESSION and session_*, since v2025 uses Symfony sessions which are designed to replace the usage of the $_SESSION super global and native PHP functions related to manipulating the session like session_start() , session_regenerate_id() , session_id() , session_name() , and session_destroy() . Sessions are only started if you read or write from it.

For more info and example of usage, please read Migrating to v2025 → Working with Sessions.

arbei · February 3, 2025, 3:53am

From your other post, the LDAP authentication was not successfully. If the user is not authenticated yet, the User_LoggingIn server event will not be called (because you are not logging in).

danilo.macri · February 14, 2025, 10:32pm

In PHPMaker 2024, I used the following code (with the old session system) to check whether the username entered was present in the database. If the user was not found, an error was returned stating that the user was not authorized.

Now, in PHPMaker 2025, it seems that this event is triggered after LDAP validation.
As a result, when I enter a username that does not exist in the database, I get the error “Invalid credentials”, which is expected because the user is not present in LDAP.

However, I need to check if the user is authorized before LDAP authentication takes place—this is how it worked in PHPMaker 2024.

Additionally, even when I enter a valid LDAP user, I can successfully log in, but the session does not store the password.

The username is correctly retrieved,
but the session does not retain the password after login.

function User_LoggingIn(string $userName, string &$password): bool
    {
$session = Session(); 
$userName = trim(strtolower($userName));
if ($userName === 'administrator') {
    return true;
}

$myCount2 = ExecuteScalar("SELECT COUNT(*) FROM autorizzazioneutente WHERE utenza = '$userName' AND disabilita = false");
if ($myCount2 > 0) {
    $session->set('user', $userName);
    $session->set('pass', $password);
    $session->set('OK', 0);
    $session->set('OKPEC', 0);
    $session->set('annorapp', 0);

    return true;
} else {
    $message = "<p align=center>not enabled</p>";
    $session->set('mess', $message);
    $this->setFailureMessage($message);
    return false;
}

    }

mobhar · February 15, 2025, 6:01pm

Did you get the session after you set that session? If so, how did you get the session after logged in? You may post your code for discussion.

danilo.macri · February 15, 2025, 7:49pm

When a user logs in using LDAP authentication, I want to save both the username and password entered in the login form within the session. To do this, I use the User_LoggingIn function in PHPMaker.
Inside the function, I store the username and password in the session, so that I can use them later for other operations that require the user’s credentials again.

function User_LoggingIn(string $userName, string &$password): bool
    {
$session = Session(); 
 $session->set('user', $userName);
 $session->set('pass', $password);
  return true;
}

In version 2024 everything works, both username and password are saved in their respective sessions while in 2025 the username is saved while the password is not.

mobhar · February 16, 2025, 10:04am

How did you know the password is not saved into that session. Where is your code that get that session value? In which server event did you get the password from that session value?

danilo.macri · February 16, 2025, 1:46pm

maybe I’m not understanding. I’ll explain better what I need:
my login credentials are

username= danilo.macri
password= 12345

I use the function below to save the value of username and password in the two respective session variables

in v.2025

function User_LoggingIn(string $userName, string &$password): bool
{
$session = Session();
$session->set('user', $userName);
$session->set('pass', $password);
return true;
}

in v. 2024

function User_LoggingIn($usr, &$pwd)
{
$_SESSION["user"]=$usr;
$_SESSION["pass"]=$pwd;
}

(this is just an example). hypothetically in the default page where I am directed after the login with the event

in v.2024 both with table authentication and with ldap with the

function Page_DataRendering(&$header)
{
$header = ' My username is: '.$_SESSION["user"].' - My password is: '.$_SESSION["pass"].
}

I get
My username is: danilo.macri - My password is: 123456

in v.2025

function Page_DataRendering(string &$header): void
{
$session = Session();
$header = " My username is: ".$session->get('user')." - My username is: ".$session->get('pass');
}

With table authentication everything is ok, I get
My username is: danilo.macri - My password is: 123456

With LDAP authentication the password is empty
My username is: danilo.macri - My password is:

as you can see in v.2025, LDAP authentication, in the User_LoggingIn event the password is not passed with $password.

this only happens with ldap authentication v.2025, as if User_LoggingIn did not pass the $password variable.5

arbei · February 17, 2025, 2:05am

You should never store plain password in session variable or anywhere. This will defeat the hashed passwords and compromise security of your site.

If you must use the plain password (e.g. to login other system with the same username and password), there are quite a few ways, the security system is highly flexible. For example, you may add a Custom Authenticator to get the username and password from the request but always returns false from the supports() method to let the request continue as normal.

e.g.

class CustomAuthenticator extends AbstractAuthenticator
{
    public function supports(Request $request): ?bool
    {
        $username = $request->get("username");
        $password = $request->get("password");

        if ($username && $password) {
            // Do your own stuff
        }

        return false; // Return false so it will not affect the original authentication
    }

    // Other blank methods to fulfil AuthenticatorInterface
    // ...
}

However, make sure you remove the password as soon as you have done using it, you should not persist it in any way.

Also remember to register your custom authenticator as a service by Services_Config server event, e.g.

// Services Config event
function Services_Config(ServicesConfigurator $services): void
{
    $services->set(CustomAuthenticator::class);
}

danilo.macri · February 17, 2025, 7:34pm

thank you very much