Signal R for notifying the single authenticated user - asp.net

Following is the scenario I want to achieve using signal R.
If sending of email is going on then message will get display
Example: "Sending Email.."
Once email sending is done will show the another message to the same user stating
Example: "Email Sent successfully."
How I will achieve this with Signal R and sending the notification to the one user only.
Read the post which are saying use Connection Id but that will be changing not a fix
I want to do this for the Authorized user only or we can say with static userid.

I see two different approaches to the problem, with two different solutions. Either the server keeps track on which connectionId(s) that belong to a particular user. Or the client lets the server know which connectionId to use.
Option 1: Server knows how to map user to connectionId(s)
Firstly you need to map each user to the connectionId(s) they have. Bear in mind that the user could have several connectionIds as he/she could be logged on in multiple tabs or browsers. On the server it is difficult to distinguish between connections so when the user sends an email, it is easiest to notify on all connections that belong to that user.
There are several ways to keep track of users connectionIds. Here is a good walk through. In your case I think the UserID provider option would be a good fit, as it's easy to implement and sufficient if you only want to send updates to the current user.
Option 2: Client notifies server on connectionId to use
Another approach could be to include the connectionId in the call to the server. That way the server knows which connection to report back to. You can get the connectionId in Javascript (as described in this answer) using:
var c_id = $.connection.hub.id
Hope this helps!

Related

Sharing user ID's as a way to find people

Is it safe to share a user's ID that Firebase creates when a new user is created? I'd like to use it as an easy way to find other people on my platform.
I don't see why it should not be safe, so if it is. Please enlighten me :)
I am not too familiar with your system or how Nintendo does this (not really a gamer) but you can build something like this:
You can display the list of users (using uid, displayName and photoURL which can be obtained using the Admin SDK or by a list you maintain in the Firebase Database, Firestore, etc) to an authenticated user.
Let's say that user wants to add a connection or friend, you can get that user's ID token, the friend's uid and then add that user's uid to that authenticated user's pending connection list after you verify their ID token.
On the other end, you want the other user to accept the connection request (assuming this how your people finder feature works in your app). You would show the list of pending requests. When the user accepts the request, they would send their ID token and once that's verified, you can consider the connection completed.
To summarize, you still need an ID token to confirm the user sending the request and the one confirming it. Otherwise, if you just solely rely on uids, any user can get the uid of other users and try to add them to each other's friends list, etc.
Hopefully this points you in the right direction.

Symfony 2 track anonymous user actions in database

I would like to track anonymous user actions as if the user would be authenticated. The goal is to let users perform actions(normally reserved to authenticated users), save it in Database with a special status (not visible until user will log into the application).
For example,
an anonymous user reply to a comment.
The system detect that the user is not logged in, save the comment with special status 'waiting for authentication'.
The system ask user to log in, in order to complete the registration of the comment.
User log into the application.
The system check for 'waiting for authentication' status and update/associate entries to the user authenticated.
Have you any suggestions / experiences to implement this type of functionality? Maybe Symfony has already in feature/bundle for that?
What you are trying to do is simillar to Lazy Registration, which is a proven concept. It is well implemented here at stackoverflow. It allows you to post messages after providing an email address. It works similar to this one:
http://www.90percentofeverything.com/2009/03/16/signup-forms-must-die-heres-how-we-killed-ours/
However, if you really want to go your way, without asking user for an email address, I would recommend storing data at browser local storage. It would save you a lot of work on backend side. Data would be transferred to the backend only when user registers. This way you will also prevent database pollution with users who never registered. http://blog.teamtreehouse.com/storing-data-on-the-client-with-localstorage
You could use ip address but it won't be very effective because one user can access your website from many ip addresses (wifi, 3g/4g connection ...).
You can rely on cookies but once he logs in from another device you can't do anything about it.
IMO, you should save actions and link them to a uniq token that you send to the anonymous user, once he's authenticated he can provide the generated token and then you save actions for that user. Becareful to not forget removing saved anonymous-actions once they are "identified".

signalR generating different ID for various instances

I have created web chat application using signalR. When user is logged in, user can open only 3-4 tabs and each time different connection ID is generated. I want that when we open new tab or refresh the page new connection id should not be generated. I want to use the existing connection id. For that I tried to implement the LocalStorage variable to store the hub connection.
But Problem is i am unable to parse the value of localstorage variable.
Can Anyone give me the solution to my problem or can anyone give me any other solution to the problem?
I have already tried this http://kevgriffin.com/maintaining-signalr-connectionids-across-page-instances/ but it dosen't work for me
If user is authenticated you can store different connectionIds in the HashSet. The key for the HashSet will be the user's name.
http://www.asp.net/signalr/overview/signalr-20/hubs-api/mapping-users-to-connections
You can use this method even if you are not authenticated. In this case you can use SessionId instead of username.
EDITED:
I have found another method. In this article Alex Ford advices to limit your connections to 3.

Prevent misuse of ASP.net Handler

When a customer signs up for a site, we want to let them know whether a username/email is available for use.
We have a httphandler that serves the purpose of feeding a jquery script that showsthe customer whether or not their desired username/email is available.
The question is:
The service can clearly be seen being called when you view the request in fiddler.
It shows /emlhandler.asmx?name=xxxxxxxxxxx#yyy.com
From the handler, a simple 0 or 1 is returned to indicate whether or not the name/address is available.
My concern is that this seems like a major security issue that would be very easy for an inexperienced person to exploit to discover all the users on the site.
So friends, how do you protect your site info and still allow the ajax callback to provide a great user experience?
Thanks.
Heath
You are being slightly paranoid here. Every site that allows user registration has to do something similar. One thing you can reasonably do is add a slight delay (maybe 2 or 3 seconds) to the handler's processing in order to reduce the likelihood or ease of a brute-force attack. Frankly, I don't think anyone would bother.
Another option is just to ignore repeated emails and send a verification email before a user's registration actually becomes active. If a new user attempts to use an existing email, the original email owner receives the verification and can cancel or ignore it. But I don't recommend this.
I'd say the vast majority of the sites I've used will just immediately say "this email address is already registered... did you forget your password?" Just knowing an email address is already in use on a given site does not in itself represent a security breach.
One possible solution would be to only enable POST requests for that method.
And since you cannot invoke services from JavaScript from another domain (XSS - Cross-site Scripting) without your authorization, then you would be protected.
However this technique would prevent malicious users from calling your web service to discover user names but this wouldn't prevent the user to automate a process to simulate user entering data in a text box to force a call to the service, in that case, perhaps you could allow just a number of requests per user in an X amount of time.
You could keep track of the number of attempts using the Session object from your web service
Another approac would be to add a re Captcha to your site, however this would decrease the level of responsiveness if you used to allow your users to capture a user name and as soon as they write you call your service. Implementing would require your users to write the auto-generated captcha in order to submit your data

Security design, maintain email but not linked to associated data?

my friend and I were thinking of a Web idea and ran into an issue:
We can't allow the email address to be sitting in a database with its associated data, in the case of a hacker obtaining the database. We'd like to ensure the email address and its associated data can never be linked, but then on the other hand we also need to keep them linked somehow so we can send users email notifications E.T.C
Can anyone think or know of a way around this? (.NET, Umbraco)
Thanks!
Have 2 databases, one with users + data + user id, another with user id + email. Secure them both, if one gets discovered, the other one might not be.
In any case you are asking us to prove falsity. ^^
I can't think of a way to link user data with emails without actually linking user data with emails. However, it would be possible to not have the email address stored and linked in a database if you could live with only having their email address when the user is logged in.
You could require users to log in using their email address and password as many sites do, but you could store a one way hash of the email address (such as sha1(email+password) ) rather than the address itself. When the user logs in successfully, you can store their email address in their session without ever having to get it from the database. You could then send them emails until you destroy their session. This would prevent an attacker from connecting their data to their email without brute forcing the hashes or grabbing the session information from memory or user cookies depending on how you store it.
Unfortunately, this wouldn't allow you to send notification emails.

Resources