Provides username/password access to edit a Participants Database record.
Product Setup
To configure the plugin for use, start by making sure your “Participant Record Page” is correctly configured by visiting the “Record Form” tab in the main Participants Database settings. This tells the login form which page to go to when the login is accepted.
Configure the Login Form
On the Participant Login settings page, you can configure the form to show one or two fields that the user will need to fill in to access their editable record. The first field is called the “Username” field, and it is used as the primary identifier. This can be an email address, an ID number of some kind, or really anything that can be used to uniquely identify the user.
The second field is called the “Password” field, but it can also be anything you want. It is usually used to verify the user, especially if the Username field is something that would be generally known, such as an email address. It is also possible to set up the form to use only a single input field by unchecking the “Require Password” checkbox. When this is unchecked, only the Username field will be shown in the form. You might do this if your username field was something only the user would know, such as an ID number.
When selecting the field to use for the password field, it is important understand that “password” type fields store the password in encrypted form, which means an administrator cannot know what the password is. If you need to be able to tell people what their password is, use a text-line field for your password field, then you will be able to look up their password because it will be stored in plaintext.
Create Your Login Page
Once you have configured the login form, you should create a page that will be the login page. On that page, place the [pdb_login] shortcode to show the login form. It is possible to use a custom template for the login form if you need.
This shortcode will accept the following attributes to configure how it looks and works:
- template for using a custom template
- record_page to set the page (use the page name or ID) that the user goes to after successfully logging in; that page must have the
[pdb_record]shortcode. - login_button_text to set the text on the submit button for the login form
Persistent Login
When using the “Extended Access” preference, the user is automatically forwarded to the record edit page from the login page for 24 hours after successfully logging in. This period can be changed using a code filter.
Logout
To end the persistent login before it expires, you can use a logout link. You may need to use this if you have users that must have access to more than one record. The logout URL is simply the login URL with “?pdb-logout” appended to it. For example, if your Participants Database login page is at /pdb-login, your logout link would look like this:
/pdb-login?pdb-logout
If you are not using pretty permalinks, you need to do it slightly differently. For example, if your login page is on a page with an ID of 2034, your logout link would look like this:
/?p=2034&pdb-logout
It’s a good idea to put the logout link in a menu somewhere where the user can find it.
Product Settings
Login Form Settings
Username Field
Selects the field that holds the username. This could be an email address, a made-up username, or even a member ID number. If the password is not required, this will be the only field shown. This field should hold a value that uniquely identifies the record. If more than one record matches the value, the first record found will be used.
Username Not Found Feedback Message
Message to show if the username does not match any record.
Username Field Extra Attributes
This setting provides a way to add attributes to the username input element. This can be used to add client-side validation to the input, which can be helpful to users typing in the correct thing for the input. It can also be used to add simple javascript interactivity to the input.
This setting uses the same format as the “attributes” setting in the field definition: name::value,name::value etc. Because the comma is used to separate attributes, you must use the HTML entity , to represent the comma if it is in the value.
To set up a client-side validation, use the required and pattern attributes. The link provides the details on using the pattern attribute. Here is a simple example setting:
pattern::[a-z]{3,20},required,title::username must be all lowercase letters between 3 and 20 characters
That pattern will only accept lowercase letters and the length of the input must be at least 3 characters and no more than 20. You can use the “title” attribute to add a message to the pop-up that is seen when the validation fails.
Require Password
If this is checked, both the username and the password must match an existing record for the login to be accepted. If unchecked, no password will be required, and a correct entry into the username field will take the user to the record edit screen. Be careful with this, it could allow data to be changed by unauthorized persons.
Password Field
This is where you set the field that is used for your”password.” This field can be a “Text Line” type or a “Password” type field. If the field you want to use does not appear in the selector, you should either create it if it doesn’t exist or change its form element type to one that is valid for this setting.
If you select a text-line field for this, it will be stored in the database as plaintext. This will often be the case if you are using something like a customer ID for this field. If you use a “password” type field, the password will be encrypted in the database when the user saves their password.
It is important to understand that you cannot switch from or to a password field after the record data has been entered. Changing the field type cannot encrypt or decrypt passwords, so if there is data in this field, it will become incompatible with the field type. If the password field is empty, that is OK, the password will be saved in the correct format when the user enters it.
Login Button Text
This is where you can set the text that is shown on the login form submit button.
Bad Password Feedback Message
Message shown if the password doesn’t match the value in the database.
Use Cookie
If checked, a cookie is stored on the user’s browser when they successfully log in, so tha when they are directed to the record edit page, the URL does not show the private ID of the record. This can also be used to allow the user to bypass the login for a while if the setting below is set.
Extended Access
This sets the cookie to stay valid for 24 hours, allowing them to bypass the login for that period of time. This requires the the “Use Cookie” setting be selected as well. When a user with such a cookie visits the Participant Login page, they will be immediately redirected to their record edit screen. The 24-hour period can be changed to another value by using a code filter.
Password Recovery Settings
Show Lost Password Link
Provides a way to send the direct link to the user’s record so their password can be changed or recovered. This requires the the “Resend Private Link” functionality in Participants Database be correctly configured. This does not send the password or set a new password, it functions in the normal way for Participants Database: it provides the recipient with a private link to edit their record. They may use that link to change their password if they wish.
Lost Password Form Shortcode
This shortcode is used to generate the lost password form. This setting allows you to customize the shortcode, primarily so that a custom template may be used. the default value here is [pdb_request_link].
One-Time-Use Private Link
Password recovery works by emailing the user a “private link” which can be used to access their record edit page, bypassing the login form. When checked, this setting will change the private ID every time it is used to access the record edit page. This keeps the private link secure because it can only be used once. Don’t use this if your users need to be able to use a static URL to access their record edit page. This setting has the effect of changing the private ID code every time the record is saved.
F.A.Q.
Is it possible to use the login form to show a list of records?
If you want to only show the list of records to people who are registered, you can set the destination of the login form to the page with the list shortcode. You can use the “record_page” attribute in the shortcode to direct the user to any page, for example:
[pdb_login record_page="show-list"]
How does the "brute-force" protection work?
Every time the form is tried, the attempt is recorded with a timestamp and and the user’s IP. If there are over 10 attempts in a hour from a single IP, that IP is not allowed any more attempts for an hour.
Can I change the number of login attempts are allowed before the IP is shut out?
Yes, it quires the use of a filter callback. The number of attempts allowed is filtered by pdb-login_max_attempts and defaults to 10. The time within which this number of attempts is allowed is filtered by pdb-login_attempt_timeframe and defaults to 1 hour in seconds, or 3600.
What if someone loses or forgets their password?
The plugin uses the “Resend Private Link” function that Participants Database uses. There is a setting to include the link in the login form. If someone doesn’t know their password, when they click the link and enter their identifying information (usually an email) a “private link” is sent to them that they can use to access their record. They can change their password at that time if they wish.
How secure is the login form?
The login form provides a reasonable amount of security for non-critical applications. While security is very important to the design and operation of Participants Database, the plugin is not recommended for storing high-value information such as credit card numbers, social security numbers, passwords, etc.
The level of security when using this plugin is largely determined by it’s configuration by the administrator. Security is always a trade-off between convenience and how hard it is to break in. If you opt for convenience, it will be at the expense of security, that’s just how it works.
This plugin is designed to be useful in low-security situations where things link single-field logins and plaintext passwords are desirable. The security can be enhanced by using encrypted strong passwords, and hard-to-guess usernames that are not publicly viewable.
How do I use encrypted passwords?
The first thing to do is to use a “Password” type field for your designated password field in the Participant Login settings.
If you want to use encrypted passwords, you will need to give the user the opportunity to create one. The way this usually works is when the record is created, either by a signup submission or in the backend, the user will receive an email (given that this is properly configured) with their “private link” that takes them to their editable record. They can enter a password at that time, then after that, they can use the PDB login form to access their record.
It is also possible to include the password field in the signup form so that the user can set their password when they sign up.
The use of encrypted passwords is not compatible with the use of plaintext passwords, so if there are records in the database that already have a value for the designated password field, changing the field type to or from a password type field can cause problems. If you do that, the data will become invalid, and cannot be used to validate a login.
If you were using plaintext passwords and decide you need to change to using encrypted passwords, you must have your users go to their record using the private link, then enter a password. After that, they can use the password in the login form.
Is there any way to find out what someone's password is?
If you are using encrypted passwords, there is no way to know what the password is. In that case, the user must set a new password. If you are using plaintext passwords, then yes, no problem, the password will be visible to an administrator. The password will also be visible to the user when they edit their record.
How can I prevent the private ID from being seen in the URL after they log in?
In the Participant Login settings enable the “Use Cookie” setting. Now, when someone uses the login form, they will be directed to the record edit form without any indication of the record ID or private ID in the URL.
Is it possible to direct the user to a different page depending on a value in their record?
Yes, there is a filter that is used to get the URL of the page the user goes to after they successfully log in. The filter is ‘pdb-login_after_validate_submission’ and it passes in the user’s record and whether it was validated or not. (This means this can also be used to change where they go if the login wasn’t valid.)
I have created a simple plugin that demonstrates how this can be done:
You can download this demo plugin and make the changes needed to work for your situation.
How can I add a CAPTCHA to the login form?
It is possible to add reCAPTCHA protection to the login form if you have the PDb reCAPTCHA add-on installed and working. You need to use a custom template, I have provided an example of the template you can use for this.
You will need to understand a bit about how custom templates are set up, ready this article for the details:
Using Participants Database Custom Templates
Once you have the template in the correct location, you can use that template in the login form with this shortcode:
[pdb_login template=recaptcha]
Wish list for this plug-in:
Configure to work with Square or Stripe or PayPal for membership payments.
Thanks!
Vena, I have an add-on for this in development, it will be available soon!
This will be awesome Roland! I’m currently having to work in conjunction with other membership plugins to set up payments.
Hi Roland, I bought the login plugin and I’m having issues with it. I put the short code on a blank page as suggested and it’s not working. When a user tries to login after clicking login it takes the user to a blank page. What are we doing wrong? Thanks.
You must have the “Participant Record Page” configured in the Participants Database plugin settings under the Record Form tab.
Hi Roland, on the login page the shortcode is installed correctly however it still hangs after data is entered any idea how I can fix this? Many thanks
So, you fill in the form, hit “submit” and then the page tries to load but it never loads, right?
Of course make sure the “participant record page” setting in the Participants Database settings under the Record Form tab is correct.
If not that, this will need to be debugged. This is not a matter of setting or configuration, probably more like a plugin conflict. Try deactivating other plugins to see if it still has trouble.
Hello
Is it possible to have the field groups tabs displayed once the user has logged in? I am not sure how to do this. At the moment, when my user logs in they get everything in one column.
Thank you
Marc
Hi Marc,
Assuming you have the Field Group Tabs plugin, you just need to enable tabs in the [pdb_record] shortcode that people go to once logged in.
Hi there!
I’d like to implement the next functionality:
The registered participants can only check the participants list if they are logged in. I know that it’s easy to achieve that with WP, but the problem is that a registered participant is not a WP registered user.
Is it possible to achieve that?
Participants Database doesn’t provide any privileges to people who have filled out a signup form, so you do need to have people register as WordPress users in order to control access like that. If you’ve got some coding skills, it is possible to have the signup form create a WP account for people who sign up, but it can be tricky to manage everyone having two accounts.
If you just need controlled access for the one page, it’s possible to use the Participant Login plugin to set up an access portal for the list display. You would use a custom template for the [pdb_record] shortcode that instead of showing the editable record, it shows the list.
Hello. Can I first say what an excellent plugin!
“start by making sure your “Participant Record Page” is correctly configured by visiting the “Record Form” tab in the main Participants Database settings”
I cannot find the Record Form in my field settings. I may have deleted it. Can you tell me please how to get it back?
Thank you
Marc Hawes
Hi Marc,
This instruction refers to the main plugin settings page, where the settings are organized with tabs. When you go to the main plugin (Participants Database/Settings) settings page, do you see a row of tabs at the top?
Sorry – found it!
Thank you
Marc
For some reason the email function suddenly stopped working. This means, that it will not send a welcome email when someone has signed up, nor will it send the lost password link. When I submit the lost password form it does not even display the default message. I have checked the settings, wondering what can be wrong.
Take a look at the “primary email address field” setting under the advanced tab, make sure it’s set to the right field for the person’s contact address.
I have checked that. I re-installed it the whole plugin, and it worked. Now it suddenly does not work again.
I am so grateful for your plugins. I am currently creating my page, and I just purchased the Participant login plugin. I have a problem with the login. I don’t get an error, or manage to login after the user has been created. It just refreshes the page. I can type in anything in the fields, and no unknown user nor password is prompted.
This could be something your theme is doing. Can you share a link to the login page?
Hi, tried to send the link, but since I’m still only on an IP address the message system here does not allow me to send the address for some reason. Do you think it can have to do with the max login attempts, since I have been fiddling with the login a number of times with the wrong password just to test different things. Where can I change the pdb-login_max_attempts, or just reset it for my ip? Also, it seems that the password field does not support certain characters like ” …do you have a list of the characters that it does not support?
Yes, it could definitely be too many attempts. The attempt count will reset in an hour.
Yes it was that, thank you. I just added a higher value, and then it worked. I’ll just set it back when I am done testing. Would you be able to tell me what type of characters that the password field does not support?
The password doesn’t have any special character restrictions. How do you see that the characters are not supported?
I tried to make a password including a quotation mark, but when I was going to put in the password it just said that it was the incorrect password. I tried multiple times so I am sure that it would not accept it. When I changed the password and took away the quotation mark, then it worked.
Interesting, I didn’t realize there was any restriction. I’ll have to take a look at that…it’s not anything the plugin is doing.
http://
50.116.64.34
/~bokkunst/min-side/
just had to break up the link in order to make it bypass the spam filter.
I fetched another computer and tried it, and it works. Do you think the security function affects the amount of times the password retrieval is used?
Yes, the password recovery will only allow 3 failed attempts per day per IP, although those limits don’t apply if you’re logged in.
Hi Roland,
You wrote: “Yes, the password recovery will only allow 3 failed attempts per day per IP, although those limits don’t apply if you’re logged in.”
I use your great plugin for an internal website, where all participants have the same IP. Quite unhandy, I can not even test more than 3 times myself. Is there a way to completely remove the limit of 3 failed attempts per IP? There is no safety risk, the site is only available within our internal network.
Thanks,
Walter
Are you asking about failed login attempts or password recovery attempts? If it’s password recovery attempts, it’s not possible to change how this works, other than to change the user role that is exempt from the limit. That can be changed with a filter.
Why would people need more than 3 attempts at this? The recovery info should be something each user knows easily such as their email address. If it’s an internal website, you can give them more information about what they need to know in order to log in.
Hi Roland, thanks and sorry. Actually I ment the request form for a forgotten private ID / link (not a password, it just feels like that). While I am testing this form (to see and finetune the exact mails that are sent), the form already gets blocked after 3 attempts, which is not very handy for my tests. And as I wrote: all users of our site are internal users within our company, probably all with the same IP address (I think), so I am a bit worried that when the site goes live, this form will not work after only three people try the form. I understand that nothing can be done about it, so we will see if it will lead to practical problems.
I do love your Participant plugin, by the way, thanks!!!
Ok, well I did not anticipate this need, so there’s no proper way to do this. You can alter the plugin to skip the check, but this means your alterations will be lost when the plugin is updated.
Here is one way to alter the plugin so it skips the brute force check on the private link recovery:
In the file participant-database.php, on line 2973, you’ll find:
if ( $count > $max_tries ) {change that to:
if ( false ) {and it will never check the number of attempts.
Hey Ronald
I just downloaded (thanks to you) and set up login plugin but when I try to login with it I get no records found error. how can I fix it?
Thanks
In fact even when I click on private ID link in dashboard I get the same error
Make sure the page you are using to show your record edit is using the [pdb_record] shortcode.
It is, and I believe record not found error occurs when you try to use [pdb_record] without proper private ID. I guess something is wrong with private ID itself (because clicking it in dashboard->list participants leads to the same record not found error) but I cant figure it out.
can you share one of those links so I can see it? you can email if you want it private: support@xnau.com
Heres the link: https://out-misalinement.000webhostapp.com/add-info/?pid=GZN0N
I can give you my WP admin credentials if necessary, its just a test version
Nevermind bro my problem is solved. looks like it was because of xampp and first host I uploaded it on. now that I changed the host it works fine
thanks a lot for your patience and commitment :))
happy to help
Hi Roland,
Having two issues with pdb_login
1) how do we configure the login page such that the words “Email” ( this is what we have set as the username field) and “password” appear next to the physical boxes on the login page. I read the answer above about unchecking “Encrypt passwords” to allow for a plain text pass code ( record ID etc.) but we’d like to use an encrypted password and just have the box labelled “password”
2) where would the encrypted passwords be stored in the database?
Hi Marc,
It’s difficult to give advice on how to do formatting like positioning labels, so much of it depends on your WP theme. It is usually necessary to do some CSS tweaking to get things looking the way you want. If you take a look at the HTML generated by the form, you’ll see the labels are in a label tag, and so changing the display mode of those labels (such as to “inline”) will often move them to the desired position. You’ll need to figure out the exact code, however.
The label (or title) for the password field is determined in the Manage Database Fields page. If you want to use encrypted passwords, you’ll need to make sure you have a “password” type field defined for that purpose, and then select that field as your password field in the Participant Login settings.
Passwords are stored in the regular Participants Database table with all other plugin field data.