When I login to to my firebase webapp using email and password then I still remain logged in even when I open the application the next day.
It seems to me that when we login to the firebase webapp using email and password based authentication the user will remain logged in until and unless he explicitly logouts.
Is it possible to timeout the login sessions so that if someone comes to use the same workstation after some time and the previous user has not logged out then the new user needs to reenter the credentials?
Related
As per firebase documentation changing a password—require that the user has recently signed in.
But in my case user has signed with same login credentials on multiple devices(e.g. 50) and when he reset password for his account user get logout from all devices.
I don't want them to logout from all devices, is there any way to achieve this ?
There is no way to configure what you want in Firebase's built in email+password provider. You could build your own provider that works the way you describe, but I'd recommend against it.
The main reason for changing the password of an account is to counter the risk that the account/password was compromised. If you allow the user to change the password on one device, but to continue using the account on other devices without entering the new password, a malicious user can continue to use the compromised credentials on those other devices.
The scenario is, we have a website which for some web notification we're using web push and after user login into the website we check that if he/she granted notification permission to us we don't ask it ,if not we ask to enable notification, The generated Token is per browser I mean if the user log-out and another user login to our website previous Token available for the new logged in user, So if we want to notify the previous user, the new user got our notification.
The simple solution is on Logout delete the token and after each login we should ask user to grant permission again to us but it's bothering user, I have an idea when user login to the site, we check that previous user was herself/ himself, we do nothing , but if there is another user, without asking to grant permission again(while we asked them before) we refresh the token , I mean regenerate another Token for him/her and save that Token in our backend, My question is How can we regenerate the Token without asking again to grant Notification permission in the Browser?
You can't regenerate the token without revoking permission.
However you can use the same strategy that we have used for Pushpad:
each token (i.e. browser) in your database is present only once
each token has at most one user ID associated to it
when the user logs out you remove the user ID from the token
when the user logs in you add the user ID to the current token
when you need to send notifications you target specific user IDs
I have an Android app with use Firebase authentication using email and password. Recently added Google provider now my users can sign in wih his Google account, the problem is the following
There's an existing user example#gmail.com registered on my app, later the user sign in with his Google account Firebase automatically change the provider of the account from email to Google, the problem the user sign out and try to login with his email/password and got a message
The password is invalid or the user does not have a password
I understand why happens, but users (you know they are users) get frustrated because can't login with his email/password
There's some way to tell Firebase to keep the user password or when a user login with Google and this convertion happens in order to notify to user
Note My app only allow one account per email
I found there's a method fetchProvidersForEmail I asume I can build a flow over that method that check which provider have the user and allow the user chose if want to keep if old password by asking and linking account or just continue
I want to use the Windows Live Id Authenticaiton in my Asp.Net/MVC web application, but I do not want to use the Login screen provided by Microsoft.
I want to have my custom page for login, take username and password from User and then send these credentials to the Windows Live ID, to Authenticate, and I get back the response if the user is authenticated or not.
Is this possible?
I want to have my custom page for login, take username and password from User and then send these credentials to the Windows Live ID, to Authenticate, and I get back the response if the user is authenticated or not.
You missed the point of single sign-on authentication. Using that, the user does not provide their credentials to your site, but to the SSO provider. That provider gives you a token which lets you act on behalf of the authenticated user.
The user's credentials are never received by your site.
So no, you cannot, nor should you want to, do this.
I am creating an asp.net web application with "Remember Me" option during Login and it has an Edit Profile module where users can change their passwords. Here is the scenario.
I logged into the website from Machine A clicking "Remember Me". So I am logged in and since a persistent cookie is created I dont need to login the next time
until my forms authentication times out.
I logged into the website from Machine B using the same account details I used above and from this machine, I changed my password. In this case How can I make the user in Machine A to login again? (Since my credentials have changed). The same scenario can happen if someone gets any user's credential and uses the application.
Thanks
You have to save the last credentials modification date in your database.
When a user try to consult a page of your website, you have to check the date specified in the cookie.
You can also make an AJAX system that verify each minute if any changes are done and, in that case, verify the validity of the credentials.
If the latest date is the "last credentials modification", then delete the cookie and ask the user to log by himself.