I am creating an asp.net web application with "Remember Me" option during Login and it has an Edit Profile module where users can change their passwords. Here is the scenario.
I logged into the website from Machine A clicking "Remember Me". So I am logged in and since a persistent cookie is created I dont need to login the next time
until my forms authentication times out.
I logged into the website from Machine B using the same account details I used above and from this machine, I changed my password. In this case How can I make the user in Machine A to login again? (Since my credentials have changed). The same scenario can happen if someone gets any user's credential and uses the application.
Thanks
You have to save the last credentials modification date in your database.
When a user try to consult a page of your website, you have to check the date specified in the cookie.
You can also make an AJAX system that verify each minute if any changes are done and, in that case, verify the validity of the credentials.
If the latest date is the "last credentials modification", then delete the cookie and ask the user to log by himself.
Related
When I login to to my firebase webapp using email and password then I still remain logged in even when I open the application the next day.
It seems to me that when we login to the firebase webapp using email and password based authentication the user will remain logged in until and unless he explicitly logouts.
Is it possible to timeout the login sessions so that if someone comes to use the same workstation after some time and the previous user has not logged out then the new user needs to reenter the credentials?
I'm setting up Forms Authentication for the first time.
I am validating the username and password(hashed) against a local SQL database.
All of this is working fine in my logon.aspx file in a ValidateUser() function.
I am also allowing the logon criteria to be persistent so the user does not have to re-enter their credentials when they return to the page.
The problem is, when the previously logged in user returns to my site and the cookie/ticket is used my ValidateUser() function is not called, SO... if I have deactivated the user or changed the user's password the user still gets logged in.
I've considered doing this in Application_AuthorizeRequest or Application_PostAuthorizeRequest in Global.asax, but I would also like to set some session variables at the time I re-verify the credentials against the database and the session is not yet created when these are called for the first time when a user logs in.
Any advise would be greatly appreciated.
For first time when user authorized at that time create session for that user e.g Session["Username"] check session whenever he enters in any page if session is not present redirect him to login page, after that when he log out abandon that session.
So whenever he want to access next time he wants to login again.
Scenario: I am working on website in which user login and do some tasks and logout. When user login in website I put a true value in database so other user is not logged in with the same username and password.
Problem: Above scenario was working fine. But I a face problem when unexpectedly PC was shutdown and that true value is there which I put in database on the first time when user login in my website. And the first user is unable to again logged in from same PC.
What I want: I need a mechanism in asp.net in which When unexpectedly PC was restarted / shutdown server automatically update my column in sql.
You can't use server code to monitor client machine behavior.
I suggest you re-design the database with a expiring time session, which will handle the login event when "true" value is on but user try to login again.
Another the way could be allowing users to "unlock" themselves, by email-reset token, or by secret password.
When user login in website I put a true value in database so other
user is not logged in with the same username and password.
It is not a good design, because internet is not reliable. You are very closed; instead of Boolean value in database, you want to store a token.
Solution
You need to redesign the system based on cookie (or you can also use bearer token).
When a user login, create a new token and store it in both database and cookie.
When a user request a page, validate submitted cookie with the one in database. If they are not same, ask the user to re-login again.
I need a mechanism in asp.net in which When unexpectedly PC was restarted / shutdown server automatically update my column in sql.
SignalR can help. On your website you have a HUB, that hub can detect when users connect or disconnect. Just map when disconnect is called and set that user in the database to false.
I agree with previous comments that it's a poor design. But SignalR can work around that for you.
http://www.asp.net/signalr
When the user checks on "Log me automatically" in the login page, I have a problem that the user is logged-in on my asp.net application but the login info has not been read from database.
In the normal case (manual login) when the user attemps to login, if the login operation has been succeeded then the user info (id, privileges) is read and is saved in a session variable.
The question is: How to save the userID with the session cookie and how to login in the database when auto login.
Thanks in advance.
I suspect you're using the login control but implementing your own code to authenticate the user. To make life really easy, have a look at How To: Use Membership in ASP.NET 2.0 which will automate the "log me in automatically" feature (and many more).
If you're doing this another way, it would help to provide some sample code.
We have a FluorineFx / ASP.Net application which uses forms authentication to identify the current user. To use these credentials in FluorineFx, we use FluorineContext.Current.User.Identity. When I log in the first time, the current context neatly reflects the right identity.
When I log out, I perform a FormsAuthentication.SignOut() and a Session.Abandon to invalidate both the user credentials and the session. But when I log in again as another user, FluorineContext.Current.User.Identity contains the credentials of the previous user, while the ASP.Net application has the right user credentials. When I rebuild my application, the FluorineFx credentials are reset to reflect the right credentials again.
Does anyone have an explanation for this, and/or how to fix this?
Because the Session reset works, and the user's identity doesn't, it's not an authentication cookie problem. I still haven't found a good solution for this problem, and decided to store the current user's identity in session. The session variables are encrypted and are updated on each call to make sure the right credentials are passed along.