Product Support

Participant Login

Provides username/password access to edit a Participants Database record.

Product Setup

To configure the plugin for use, start by making sure your “Participant Record Page” is correctly configured by visiting the “Record Form” tab in the main Participants Database settings. This tells the login form which page to go to when the login is accepted.

Setting up the Participant Record Page

Configure the Login Form

On the Participant Login settings page, you can configure the form to show one or two fields that the user will need to fill in to access their editable record. The first field is called the “Username” field, and it is used as the primary identifier. This can be an email address, an ID number of some kind, or really anything that can be used to uniquely identify the user.

The second field is called the “Password” field, but it can also be anything you want. It is usually used to verify the user, especially if the Username field is something that would be generally known, such as an email address. It is also possible to set up the form to use only a single input field by unchecking the “Require Password” checkbox. When this is unchecked, only the Username field will be shown in the form. You might do this if your username field was something only the user would know, such as an ID number.

When selecting the field to use for the password field, it is important understand that “password” type fields store the password in encrypted form, which means an administrator cannot know what the password is. If you need to be able to tell people what their password is, use a text-line field for your password field, then you will be able to look up their password because it will be stored in plaintext.

Create Your Login Page

Once you have configured the login form, you should create a page that will be the login page. On that page, place the


shortcode to show the login form. It is possible to use a custom template for the login form if you need.

Persistent Login

When using the “Extended Access” preference, the user is automatically forwarded to the record edit page from the login page for 24 hours after successfully logging in. This period can be changed using a code filter.

Logout

To end the persistent login before it expires, you can use a logout link. You may need to use this if you have users that must have access to more than one record. The logout URL is simply the login URL with “?pdb-logout” appended to it. For example, if your Participants Database login page is at /pdb-login, your logout link would look like this:

/pdb-login?pdb-logout

If you are not using pretty permalinks, you need to do it slightly differently. For example, if your login page is on a page with an ID of 2034, your logout link would look like this:

/?p=2034&pdb-logout

Product Settings

Login Form Settings

Username Field

SelectsĀ the field that holds the username. This could be an email address, a made-up username, or even a member ID number.Ā If the password is not required, this will be the only field shown. This field should hold a value that uniquely identifies the record. If more than one record matches the value, the first record found will be used.

Username Not Found Feedback Message

Message to show if the username does not match any record.

Require Password

If this is checked, both the username and the password must match an existing record for the login to be accepted. If unchecked, no password will be required, and a correct entry into the username field will take the user to the record edit screen. Be careful with this, it could allow data to be changed by unauthorized persons.

Password Field

This is where you set the field that is used for your”password.” If “Encrypt Passwords” is set (this is the default) only “password” type fields can be selected here. If you deselect the encryption preference, you can use any text field here, but not password fields. If you set this field to “required” (on the Manage Database Fields page) the user will be forced to type in their password when they edit their record. If the field is set to “not required” it will still be required in the login form.

Use Encrypted Password

You have the option to save the passwords as encrypted or unencrypted. If the passwords are encrypted, nobody will be able to know what the actual password is. This is to keep them secure in case of a breach. If you are using encrypted passwords, only a “password” type field may be used as the password field. If this is deselected, you may us any “text” type field for your password field. This may be preferable in situations where keeping the password encrypted is not needed, or if you want to use a regular text field for your password field, such as a member ID or other identifying field value. When deselected, the passwords are stored in plaintext and so will be visible. This would allow an admin to tell a user what their password is, for instance. Important: when changing this setting, you must save the settings twice: once to change this setting, then again to save theĀ “password field” selection.

Login Button Text

This is where you can set the text that is shown on the login form submit button.

Bad Password Feedback Message

Message shown if the password doesn’t match the value in the database.

If checked, a cookie is stored on the user’s browser when they successfully log in, so tha when they are directed to the record edit page, the URL does not show the private ID of the record. This can also be used to allow the user to bypass the login for a while if the setting below is set.

Extended Access

This sets the cookie to stay valid for 24 hours, allowing them to bypass the login for that period of time. This requires the the “Use Cookie” setting be selected as well. When a user with such a cookie visits the Participant Login page, they will be immediately redirected to their record edit screen. The 24-hour period can be changed to another value by using a code filter.

Password Recovery Settings

Provides a way to send the direct link to the user’s record so their password can be changed or recovered. This requires the the “Resend Private Link” functionality in Participants Database be correctly configured. This does not send the password or set a new password, it functions in the normal way for Participants Database: it provides the recipient with a private link to edit their record. They may use that link to change their password if they wish.

Lost Password Form Shortcode

This shortcode is used to generate the lost password form. This setting allows you to customize the shortcode, primarily so that a custom template may be used. the default value here isĀ 

Request your Private Link

.

Password recovery works by emailingĀ the user a “private link” which can be used to access their record edit page, bypassing the login form. When checked, this setting will change the private ID every time it is used to access the record edit page. This keeps the private link secure because it can only be used once. Don’t use this if your users need to be able to use a static URL to access their record edit page.Ā This setting has the effect of changing the private ID code every time the record is saved.

F.A.Q.

How does the "brute-force" protection work?

Every time the form is tried, the attempt is recorded with a timestamp and and the user’s IP. If there are over 10 attempts in a hour from a single IP, that IP is not allowed any more attempts for an hour.

Can I change the number of login attempts are allowed before the IP is shut out?

Yes, it quires the use of a filter callback. The number of attempts allowed is filtered by ‘pdb-login_max_attempts’ and defaults to 10. The time within which this number of attempts is allowed is filtered by ‘pdb-login_attempt_timeframe’ and defaults to 1 hour in seconds, or 3600.

What if someone loses or forgets their password?

The plugin uses the “Resend Private Link” function that Participants Database uses. There is a setting to include the link in the login form. If someone doesn’t know their password, when they click the link and enter their identifying information (usually an email) a “private link” is sent to them that they can use to access their record. They can change their password at that time if they wish.

Is there any way to find out what someone's password is?

If you are using encrypted passwords, there is no way to know what the password is. In that case, the user must set a new password. If you are using plaintext passwords, then yes, no problem, the password will be visible to an administrator. The password will also be visible to the user when they edit their record.

How secure is the login form?

The login form provides a reasonable amount of security for non-critical applications. While security is very important to the design and operation of Participants Database, the plugin is not recommended for storing high-value information such as credit card numbers, social security numbers, passwords, etc.

The level of security when using this plugin is largely determined by it’s configuration by the administrator. Security is always a trade-off between convenience and how hard it is to break in. If you opt for convenience, it will be at the expense of security, that’s just how it works.

This plugin is designed to be useful in low-security situations where things link single-field logins and plaintext passwords are desirable. The security can be enhanced by using encrypted strong passwords, and hard-to-guess usernames that are not publicly viewable.

How can I prevent the private ID from being seen in the URL after they log in?

In the Participant Login settings enable theĀ “Use Cookie” setting. Now, when someone uses the login form, they will be directed to the record edit form without any indication of the record ID or private ID in the URL.

Is it possible to direct the user to a different page depending on a value in their record?

Yes, there is a filter that is used to get the URL of the page the user goes to after they successfully log in. The filter is ‘pdb-login_after_validate_submission’ and it passes in the user’s record and whether it was validated or not. (This means this can also be used to change where they go if the login wasn’t valid.)

I have created a simple plugin that demonstrates how this can be done:

Redirect PDB Login

You can download this demo plugin and make the changes needed to work for your situation.

How can I add a CAPTCHA to the login form?

It is possible to add reCAPTCHA protection to the login form if you have the PDb reCAPTCHA add-on installed and working. You need to use a custom template, I have provided an example of the template you can use for this.

pdb-login-recaptcha.php

You will need to understand a bit about how custom templates are set up, ready this article for the details:

Using Participants Database Custom Templates

Once you have the template in the correct location, you can use that template in the login form with this shortcode:


Support Discussions for Participant Login

  • Hi!

    My team got your pdb login but when we try to log in with the created password, we get the password incorrect message. Could you tell us what we are doing wrong?

    • Hard to say with the little info you’ve provided. If you are using encrypted passwords, make sure that the record has a password defined and that you know what it is. If you are using other types of fields in your login form, make sure that the information provided uniquely identifies a single record. If the login info matches multiple records, it will fail.

      If this doesn’t help, post your question describing the way you have it configured in more detail, also whether it fails in all cases, or only in some cases, etc.

  • Hi Roland,

    Is it possible to deactivate the private link? We want to give a members only 1 month every year to edit.

    Cheers,

    AJ

    • Not as such, however, it may be better to do something to the page where the [pdb_record] shortcode is: delete the shortcode and you can explain to your users why they can’t edit their record.

    • This isn’t possible as such, however, you may find it’s a better user experience to edit the page with the pdb_record shortcode on it with a message as to why they can’t edit their record. When you want to open it up for editing, just put the shortcode back in.

  • I found what was causing the problem. A cache plugin that installed my server. Sorry!

    Now another problem arose, which when I created the page was working correctly:
    On a page I have several groups with the code [pdb_record groups = "name of each group"], when in frontend I change some data in one of the groups and save it, the contents of all the groups disappear except the first one. If I refresh the page they reappear. Why?

    • You will need to look at the HTML source when you see the problem to find out if the HTML for the not-visible group fields is missing or if it is being hidden with CSS.

      Make sure you are not using page caching on any page that has a Participants Database shortcode.

      • Thanks for answering me Roland!
        It is not that all the contents of the group disappear, but it shows the text that appears when there are no records.

        • I’m sorry, I really don’t understand…can you be more specific? What exactly do you see?

        • When I save, it shows a message that there are no records. But if I refresh the page, it shows all the records again.
          If you can try it yourself, enter: https://bit.ly/2UrGmiu
          It is in Spanish language but if you open it in Chrome it will translate it for you.

        • I don’t understand what you are trying to do, can you describe how you want it to work?

        • Ok I’ll explain you:

          Each user, after logging in, go to a page with their data (name, email, etc.). This data is made in several groups, and each group has its button to save. If the user changes any data in any of the groups and clicks the save button, the page refreshes and the contents of all the groups except the first disappear. In the groups that disappear, it shows the message that there is no record there, but if I refresh the page manually, the contents of all the groups will reappear.
          When I created the page about six months ago, it was working fine, and when I saved changes, I could see all the fields in all groups.
          What could have happened?

        • OK, there is no login, what you have there is a signup form, so every time someone uses it they may be creating a new record (depending on how you have it configured). This is to help you understand what’s going on.

          What is the exact shortcode you have on the page they go to after submitting the signup form?

        • As you are not logged in, a registration form appears but if you are already registered, there is a link below to log in. You can also log into the menu
          Once registered or logged in, it sends you to the page with the data of each user where what I explained above occurs.

        • I’m beginning to understand now…what is the exact shortcode you are using on the page that shows the person their record?

          Also, if you can, send me a login I can use to test it. support@xnau.com

  • Sorry Roland but this plugin does weird things. Now I added a link to log out. Apparently it closes it and sends you to the login page, but if I go to the profile in the menu (without having logged in again), the data appears as if I were logged in. I don’t understand how it works.

  • Hi Roland

    Long ago I configured this plugin and everything was working correctly. The website has been unused for some time and now, when I log in, it does not take me to the corresponding page. It doesn’t really do anything.
    I leave you a link to the site for you to try it, to see what happens.

    https://voluntariado.asdegal.org/iniciar-sesion/

    Thank you

  • Hi Roland

    Will this redirect user after login to his own private page on the website?

    Best regards
    Jan

    • No, you don’t need any special code for that, this is what the Participant Login does normally. The code example I gave you was for redirecting after a signup…I thought that’s what you were asking about.

      • Hi Roland

        I am a bit confused how do I use the redirect PDB login?

        Do you have a step by step instruction?

        I have downloaded the plugin, installed it, but I can not figure out how it works.

        Best regards
        Jan

        • I don’t know what to add to the instructions I have provided, but there is really very little to it. It’s important to have set up your Participant Record Page. This happens in the PDB settings under the Record Form tab. This tells the PDB Login plugin where to send the user after they successfully fill in the login form. All users go to the same page, and then the shortcode on that page will show the user their record.

  • Is it possible to send each participant to different site instead of edit record page?
    Something like this: User 1234 login and after login redirected to site 1234
    user 345 is send to site 345

    • No, this is not possible due to security restrictions on sending users to other websites. You need to present the user with a link to the other site so they can click it.

      • Hi Roland
        Thank you for your reply, but what i ment was redirect to a private page om the same website.
        Best regards
        Jan

        • OK, this is possible, you need to set up a filter that changes the thanks page according to a value in the submitted data. Here is an example of a filter that works like that:

          <?php 
          /**
           * redirect after signup depending on a submitted value
           * 
           * @param array $post the submission data
           * @return  array the altered post array
           */
          add_filter( 'pdb-before_submit_signup', 'xnau_alter_redirect');
          function xnau_alter_redirect( $post )
          {
            if ( $post['zip'] == '98133' ) {
              // set this value to the slug name of the page you want the user to go to
              $post['thanks_page'] = 'seattle-thanks';
            }
          
            return $post;
          }

          That will probably need to go into a custom plugin, although it might work in your theme functions.php file, but that might be too late.

  • Thank you for the help….after I went through the two-save cycle on the login setup page, as you recommended, it worked correctly. On a slightly different topic……

    We have setup the database and preloaded it with about 1000 participants. I would like to send a mass emailing that sends everyone a private link they can use to go and update their record as necessary. Is it possible to do a mass sending of private links as a startup step in implementing/cleaning the new database?

  • I did do that and my second field is set to the password field…..yet when I open the login page of the website the second field has a heading of Last Name and I am unable to login even though I have edited the record within the dashboard and added a password.

    • Do you have page caching on that page? What is the exact shortcode you are using for the login form?

    • Also, make sure you save the Participant Login settings, don’t just check it. It actually takes two saves to set it up: one to set the encrypted PW and one to save the password field setting.

  • I have setup the login page to use email for the username and to require a password. I used the short code to create a page on our website. When I preview the page (have not yet published) the second field is titled “Last Name” shouldn’t this be Password if I have configured for it?

    • If your “password” field is a password-type field, you need to have “Use Encrypted Password” enabled, then you can change the second field to a password field.

Got a Support Question?

You have to agree to the comment policy.

Would you like to be notified of followup comments via e-mail? You can also subscribe without commenting.