Specflow test on login - asp.net

I have a Specflow/Gherkin test to test an Asp.net application that involves logging in to perform an action using Selenium (and Firefox). Above my controller action I have the [Authorize] token and the site performs as I expect when testing manually. My login uses Forms Authentication.
My test goes as follows:
1) Navigate to Login page
2) Provide user and password
3) Click Login
4) Navigate to Create Product page (must be logged in)
5) Enter product detail
6) Save button
7) Check item is in database
What looks to be happening is steps 1-3 are fine. But when I execute Step 4, it is redirecting to the login page again. So Step 5 fails, as that isn't the page that is expected.
If I start at Step 3 and log in on the redirect, it works fine, e.g.:
1) Navigate to Create Product page
2) Provide user and password
3) Click Login
4) Enter product detail
5) Save button
6) Check item is in database
Is there something specific I need to add to Selenium to make it save the session/login token?

When we're writing a BDD test either with Specflow, Cucumber or any other tool, we need to center our focus on what the end user needs to do to get the scenario done, in other words: the "As a user" perspective.
So in your scenario, if the user needs to navigate to loginPage, log in, then navigate to createProductPage and log in again, so be it! If that's true, write steps that log in again.
If, on the other hand, the user needs to log in only once, you don't need to store a session or anything else; I think in this case you have a bug in your application.
PS: if that won't work, you can store a browser profile with the authentication token and use it, because when a browser gets instantiated it gets a clean browser profile.

OK, so it transpires that the transition between steps 3 and 4 is happening too quickly. So once I log in, I should verify the page title, for example (as it redirects back to the Home page), and then proceed to the Create step. Step 4 happens too quickly to save the cookie/session.
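As an added example (not the poster's code), SpecFlow step bindings in C# that realise this fix: the Login step blocks until the post-login page title and the Forms Authentication cookie are both present, and the navigation step fails with a clear message if it was bounced to the login page. The base URL, element ids, page titles and the default cookie name .ASPXAUTH are assumptions.

```csharp
using System;
using OpenQA.Selenium;
using OpenQA.Selenium.Firefox;
using OpenQA.Selenium.Support.UI;
using TechTalk.SpecFlow;

[Binding]
public class LoginSteps
{
    // Constructed values: base URL, element ids, titles and the default
    // Forms Authentication cookie name (.ASPXAUTH) are assumptions.
    private const string BaseUrl = "http://localhost:5000";
    private static readonly TimeSpan Timeout = TimeSpan.FromSeconds(10);
    private readonly IWebDriver driver = new FirefoxDriver();

    [When(@"I click Login")]
    public void WhenIClickLogin()
    {
        driver.FindElement(By.Id("LoginButton")).Click();
        // Do not leave this step until the redirect has landed AND the
        // browser holds the auth cookie; otherwise step 4 races the login.
        new WebDriverWait(driver, Timeout).Until(d =>
            d.Title.Contains("Home") &&
            d.Manage().Cookies.GetCookieNamed(".ASPXAUTH") != null);
    }

    [When(@"I navigate to the Create Product page")]
    public void WhenINavigateToCreateProduct()
    {
        driver.Navigate().GoToUrl(BaseUrl + "/Products/Create");
        // Wait for either outcome, then fail with a precise message if we
        // were bounced to the login page instead of the expected form.
        new WebDriverWait(driver, Timeout).Until(d =>
            d.Title.Contains("Create Product") || d.Url.Contains("/Account/Login"));
        if (driver.Url.Contains("/Account/Login"))
            throw new InvalidOperationException(
                "Redirected to login: the auth cookie was not carried over.");
    }

    [AfterScenario]
    public void Cleanup() { driver.Quit(); }
}
```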

Related

Ethical Hack Changing Request Headers to Access Restricted Page ASP.NET

I received results back for an ethical hack assessment for one of my asp.net webforms sites. One of the items was a multi step way the hacker changed the request to display a page he shouldn’t have had access to with his user privileges. Below are the steps he performed to execute the hack:
1) logged in using Admin level rights.
2) navigated to page ‘A’.
3) using his Burp tool, saved a copy of the page headers.
4) he then logged in using a User account which shouldn’t be able to see page ‘A’.
5) goes back to the home page to get a fresh request.
6) using his Burp tool, opens the request headers for the home page and replaces them with the contents he saved from page ‘A’.
7) he continues on with the request and is now able to see the contents of page ‘A’.
I tried to programmatically check the request.url and compare it against what pages the user has access to but the hacker said that didn’t fix it.
Is there a built in way to prevent this in ASP.NET 4.x? Is there some web.config property I can set to stop someone from changing the request headers and performing this kind of hack?
Update: This was happening because the username and usertype were being stored in session variables after authentication. Once the hacker gained access to the session, they replaced the session of the ‘User’ with the session of the ‘Admin’ account and it was just as if the Admin was logged in. The fix was to not store the username and usertype in session variables. I also created a table with the pages that each usertype was able to access and checked that each time a user comes to a page. If the usertype does not have access to the page, they get redirected back to the homepage. Both of these fixed the issue and eventually passed the ethical hack.
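An added example (not the poster's code) of the approach in the update, in C#: the usertype is carried in the signed Forms Authentication ticket and checked against a page-to-role table on every request in Global.asax, with Session never consulted. The page paths, roles and table contents are constructed.

```csharp
// Role lives in the Forms Authentication ticket's UserData, not in Session;
// the page-to-role map below is a constructed stand-in for the poster's table.
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class AuthzGlobal : HttpApplication
{
    // Constructed stand-in for the "pages each usertype can access" table.
    private static readonly Dictionary<string, string[]> PageRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/Admin/PageA.aspx",     new[] { "Admin" } },
            { "~/Products/Create.aspx", new[] { "Admin", "User" } },
        };

    // Called at login after the password has been verified elsewhere. ASP.NET
    // encrypts and MACs the ticket with the machineKey, so its UserData is
    // verified server-side on every request instead of trusted from Session.
    public static void IssueTicket(HttpResponse response, string userName, string userType)
    {
        var ticket = new FormsAuthenticationTicket(
            1, userName, DateTime.Now, DateTime.Now.AddMinutes(30), false, userType);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                    FormsAuthentication.Encrypt(ticket))
        {
            HttpOnly = true,
            Secure = FormsAuthentication.RequireSSL
        };
        response.Cookies.Add(cookie);
    }

    // Runs after AuthenticateRequest and before Session is even loaded, so the
    // decision can only depend on the verified identity, never on Session.
    protected void Application_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext ctx = HttpContext.Current;
        string[] allowed;
        if (!PageRoles.TryGetValue(ctx.Request.AppRelativeCurrentExecutionFilePath, out allowed))
            return; // page not in the table: nothing to enforce here
        var identity = ctx.User != null ? ctx.User.Identity as FormsIdentity : null;
        string userType = identity != null && identity.IsAuthenticated
            ? identity.Ticket.UserData : null;
        if (userType == null || Array.IndexOf(allowed, userType) < 0)
            ctx.Response.Redirect("~/Default.aspx", true); // back to the home page
    }
}
```

ASP.NET's built-in equivalent is `<authorization>` rules with `roles` attributes in web.config backed by a RoleProvider; the module above only replaces the poster's per-page table lookup.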

How to delete Iron Router history

I am using Iron Router for Meteor and want to create Android mobile apps. I created a login page that looks like the WhatsApp application. After the user successfully logs in, I want to make sure that when the user clicks the back button, they will never go back to that page. The home page after login is the last page the user will view if they keep clicking the back button. So if the user clicks the back button two times on the home page, the application will close.
I hope someone understands my problem.
My problem is, the first time after the user registers, the Android functionality to kill the application after two back clicks does not occur. Or can I replicate the two-times back button function so that if I am on my home page (after login) and I click the button two times, the application will close?
Iron:router has the option {replaceState: true} that you can use.
To accomplish this, all that you need to do is to change your Router.go('home') to Router.go('home', {}, {replaceState: true}) in your redirect hook after login.
With this, when your user presses the back button, home will have replaced your login route in the history, and the user will not go to the login page.
EDIT: I just realised that's not exactly what you asked for, but it could help you somehow anyway. I'll try to replicate your case and will edit this post if I find a solution for your issue with exiting the application.
You could accomplish that by setting the login page to be displayed only if the user is not logged in.
Depending on your app structure, you can use {{currentUser}} in HTML or Meteor.userId() in JS. One solution (the easy way) would be evaluating Meteor.userId() (true if the user is logged in) on the login page route. If it turns out that the user is already logged in, it redirects to the home page, for example.

how to handle form authentication in IE7&IE8

Hi, I am using the IE7 and IE8 browsers for running a web application. I log in to the web application and go on to the next page. If I copy the URL of the next page, open a new browser and paste the URL, then the next page opens directly. I mean my form authentication is not working. Please help with how to handle this issue.
I don't know enough about asp.net to give exact code, but your login page should create a new session if it isn't already created.
When the logic behind the authentication form verifies the username/password, it should set a session variable to mark the user as logged in.
Pages which require login should then check for that session variable, and redirect to the login page if not set.
Hope that helps!

How can I stop user from navigating to the previous page

I am developing a simple email portal as my college assignment, and I refer to Gmail for various features. Now, when we sign into a Gmail account and then hit the back button of the browser, we somehow still remain on the inbox page. In my case, after login, if I press the back button I come back to the login page. Please suggest how I can achieve this. Also, I am a newbie to ASP.NET, so keep it detailed.
Very simple. When loading the login page, check the user's current session state, and if they're already logged in, redirect them to their inbox.
The trick is to use javascript's "history.replace(...)" function:
http://www.hunlock.com/blogs/Mastering_The_Back_Button_With_Javascript
In essence, you remove previous history entries.

Open protected web page passing in credentials programmatically

I have code examples from some of my previous work that help me to post form values to a web page (login credentials) and retrieve the text from that page. Now I want to pass in form values (login credentials again) but actually open that web page in a browser given those credentials.
How do I do that? I'm not doing anything nefarious. In our CRM app (home-grown as it is), I want to create a link button that opens our web site's protected products page given the user's credentials (based on the user's login credentials). Normally, I'd copy the user's credentials in our login page which then takes me to the products page. I'm trying to do this now by just clicking a link button.
Any suggestions?
How are you launching the browser? Is this an internal network app? If so, I would recommend using Windows Authentication for your ASP.NET app, and then you don't have to worry about passing credentials. If you can't do that, then you'll probably have to pass the credentials on the querystring generated by your CRM app. Obviously, this is a huge security risk. But the next step would be to perform your internal authentication and then call FormsAuthentication.RedirectFromLoginPage or FormsAuthentication.SetAuthCookie().
