By rodrigo.pssilva on

Hi guys!

which hook I need to use when the user submit de login form?

I need the hook that runs before the user is logged in, ie when the form is submitted, and the user isn't logged yet.

I tried hook_user_login but it just works after login
and
I tried hook_user_load too but it just works with a valid username

Can somebody help?

Categories: Drupal 7.x

Comments

shadcn’s picture

shadcn commented

You can use a hook_form_alter on the login form and add your submit handler before the actual form submit handler. If this doesn't make sense I can post some codes.

rodrigo.pssilva’s picture

rodrigo.pssilva commented

Hi Arshad Chummun!
Thanks for reply!
Can you post some codes please?

Hi nevets!
I'm tying to login in another site using cURL.
First I need to login in my site, after it the user will be logged on Drupal.
I'm writing a module to do it.

Thanks!

shadcn’s picture

shadcn commented 

/**
 * Implements hook_form_alter().
 */
function MYMODULE_form_alter(&$form, $form_state, $form_id) {
  switch ($form_id) {
    case 'user_login_block':
    case 'user_login' :
      array_unshift($form['#submit'], 'custom_login_submit');
      break;
  }
}

/**
 * Custom submit handler
 */
function custom_login_submit($form, &$form_state) {
  //code here
}
rodrigo.pssilva’s picture

rodrigo.pssilva commented

Hello again Arshad!
Does hook_form_alter works on Drupal 7?

I'm trying to use mymodule_form_alter function but dont work...
This hook just work when I call it inside template.php

ie mytemplate_form_alter works!

Thanks

nevets’s picture

nevets commented

I believe you want to replace the validation function with your own.

pelach’s picture

pelach commented

hook_form_alter works in drupal 7.
make sure you wrote your module name correct.

it's always a good idea to clear cache.

aldebaran’s picture

aldebaran commented

We have a website where the admin username isn't "admin" however we do get an uncomfortable number of "admin" login attempts. We now perform a pre login validate based on arshadcn's post. If the username is "admin" we log the attempt, sleep for an annoyingly long time then return a WSOD.

function MYMODULE_form_alter(&$form, $form_state, $form_id) {
  switch ($form_id) {
    case 'user_login_block':
    case 'user_login' :
      array_unshift($form['#validate'], 'custom_login_validate');
      break;
  }
}

function custom_login_validate($form, &$form_state) {
    if (isset($form_state['values']['name'])) {
        if (in_array($form_state['values']['name'], array('admin'))) {
            watchdog('user', 'Suspect login attempt to !name', array('!name' => $form_state['values']['name']));
            sleep(60);
            die;
        }
    }
}
?>
Jaypan’s picture

Jaypan commented

Nice :)

diamondsea’s picture

diamondsea
he/him/his
Primary language English
commented

NOTE: If you are doing something that requires that the login actually be valid, you would have to manually confirm the login is correct before executing it in form_alter or form_validate functions, otherwise you could end up performing something on an account that didn't actually get logged in.

nevets’s picture

nevets commented

What are you trying to achieve (ie why before the user logs in)?

zkent’s picture

zkent commented

Here is an example of why someone would want this:

We are using a host (pantheon) where all incoming traffic, for security apparently, uses the same IP. Someone is trying to brute force login on accounts that don't exist and once the IP is blocked, no one in the entire site can log in. I'd normally start blocking IP addresses but I can't. So, instead I'd like to check if the username even exists before attempting a login to avoid this continual locking issue.

Codeblind’s picture

Codeblind commented

On a side note, have you contacted Pantheon about this? That sounds more like a misconfigured load balancer. Pantheon's own documentation claims the IP address should be easy to get with $_SERVER['REMOTE_ADDR'] or Drupal's ip_address() function (see https://pantheon.io/docs/articles/drupal/getting-the-client-ip-address/). If all requests come from the same IP address on a production site, it's very likely the flood table will start blocking out all users routinely.