Our ASP.NET website is very consistent internally in using the same URL structure to change pages.
For example: https://mysite.org/page1.aspx to http://mysite.org/page2.aspx.
We use Session variables to keep track of a user's logged-in state. Our specific problem is that a user set up a shortcut pointing to the login page as https://www.mysite.org/LoginPage.aspx. The Session variable is set to LoggedIn=True.
The login page then sends the user to the Homepage http://mysite.org/homepage.aspx.
The server creates a new session and the logged in session variable is no longer available to the new session. How do we fix this?
You should configure your web server to redirect all requests from www.example.com to example.com (or vice-versa).
This prevents the situation from occurring in the first place.
So I am implementing this single sign-on feature using Azure AD as the authentication provider. My question is: is it possible to register just one centralized application for potentially multiple deployments?
single sign out
I also want this single sign-out feature, i.e. if a user logs out of his/her Outlook account, my app will react to it and also perform a logout.
The doc specifies that I need to set the LogoutUrl field in AAD and do the implementation. The problem is I can only fill out one LogoutUrl for each registered application. I tried moving this logout URL to the reply URLs, but the endpoint will not fire (it only works when filled in the logout URL field).
Scenario: I have one core app for potentially multiple deployments, and they all have their unique urls.
abc.com
abc1.com
abc2.com
The list will go longer, so it is painful if I need to set up the application for each one. Can I get around by just setting one centralized app?
For the redirect url I think I can set up multiple reply urls. Or can I?
The difficult part is the logout URL: AAD only allows one value, so I need to set up a centralized endpoint (logout.com/logout) to receive the logout call and then redirect the call to the associated deployment. (A user logs out from abc.com, logout.com/logout is fired, it then needs to identify that the logout happened in abc.com and direct the call to abc.com so abc.com can receive it and perform cleanups.)
For Azure Active Directory, you can have reply urls spanning multiple domains. So that works. You can also use these reply urls as part of your logout process. The logout url setting is optional, as far as I know.
https://login.microsoftonline.com/{0}/oauth2/logout?post_logout_redirect_uri={1}
(How to signout from an Azure Application?)
Remark: Azure AD B2C only supports reply urls within a single domain.
Edit: It seems I misunderstood your question. Do you want a redirect to abc.com when the user logs out from abc.com? Use the redirect URL. Do you want to clear the session in abc.com, abc1.com, abc2.com when the user logs out from abc.com? This is more tricky, since AAD opens up your logout URL in a hidden iframe (=> "front-channel signout", a GET to the designated URL). If you want this to actually clean up all your domains, you need to get creative... not sure what the best way is. You could try returning HTML that itself has iframes to all the domains, but I don't know if it will be properly evaluated.
I am working on an application running on IBM Websphere 8.0.
Whenever I append ibm_security_logout?logoutExitPage=<any other website or domain>, the session gets terminated and the user is redirected to the other website.
I am fine with session getting destroyed, but I do not want the user to be redirected to any other website mentioned after the logoutExitPage parameter.
Could anyone help me with this?
Let me know if more information is required.
Make sure you have applied the latest fix pack. This was fixed in 8.0.0.1, which only allows pages from the same website. If you need to go to external sites you have to configure the following parameters:
By default the URL to the logout page should point to the host to which the request was made or its domain. Otherwise, a generic logout page is displayed. If you need to point this URL to a different host, then you need to set the com.ibm.websphere.security.logoutExitPageDomainList property in the security.xml file with a list of URLs that are allowed for the logout page. You can choose to allow any logout exit page to be used by setting the com.ibm.websphere.security.allowAnyLogoutExitPageHost property to a value of true. Setting this property to true might open your systems to potential URL redirect attacks.
For more details check Customizing web application login
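The check that both the Azure AD answer and the WebSphere answer above depend on is the same one: a logout (or post-logout) target is only followed when it is a local path or points at a host you have allowlisted, and anything else falls back to a safe default. The example below is added here and is not code from either thread, from IBM or from Microsoft. The allowlist, the deployment hosts (abc.com, abc1.com, abc2.com) and the tenant value are assumptions taken from the thread; the AAD sign-out URL format is the one quoted in the Azure answer. It rejects the usual open-redirect tricks (scheme-relative `//host`, backslashes, `user@host`, non-http schemes, look-alike hosts such as abc.com.evil.com).

```python
from urllib.parse import quote, urlsplit, urlunsplit

# Constructed allowlist (an assumption for this example). It stands in for
# WebSphere's com.ibm.websphere.security.logoutExitPageDomainList, or for the
# set of deployments a centralized AAD logout endpoint may send users back to.
ALLOWED_HOSTS = frozenset({"abc.com", "abc1.com", "abc2.com"})


def safe_logout_target(raw, default="/"):
    """Return `raw` if it is a same-site path or an http(s) URL on an
    allowlisted host, otherwise `default`. Exact host match only."""
    if not isinstance(raw, str):
        return default
    raw = raw.strip()
    # Backslashes are treated as slashes by browsers ("/\evil.com" becomes
    # "//evil.com"); control characters have no place in a redirect target.
    if not raw or "\\" in raw or any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw):
        return default
    parts = urlsplit(raw)
    if not parts.scheme and not parts.netloc:
        # Relative path on this site: exactly one leading slash, since "//"
        # would be a scheme-relative URL pointing at another host.
        return raw if raw.startswith("/") and not raw.startswith("//") else default
    if parts.scheme not in ("http", "https"):          # javascript:, data:, ...
        return default
    if parts.username is not None or parts.password is not None:
        return default                                   # https://abc.com@evil.com
    try:
        host, port = parts.hostname or "", parts.port    # hostname is lowercased
    except ValueError:                                   # malformed port
        return default
    if host not in ALLOWED_HOSTS:                        # abc.com.evil.com fails here
        return default
    netloc = host if port is None else f"{host}:{port}"
    # Rebuild the URL from validated parts and drop any fragment.
    return urlunsplit((parts.scheme, netloc, parts.path or "/", parts.query, ""))


# Sign-out endpoint format quoted in the Azure AD answer above.
AAD_LOGOUT = "https://login.microsoftonline.com/{tenant}/oauth2/logout"


def aad_logout_url(tenant, requested_target, default="/"):
    """Build the AAD sign-out URL with post_logout_redirect_uri validated
    first, so a user-controlled 'return to' value cannot become an open
    redirect. `tenant` is assumed to come from server-side configuration."""
    target = safe_logout_target(requested_target, default)
    return (AAD_LOGOUT.format(tenant=quote(tenant, safe=""))
            + "?post_logout_redirect_uri=" + quote(target, safe=""))


if __name__ == "__main__":
    for candidate in ("/account/loggedout", "https://abc1.com/bye?x=1",
                      "//evil.com/", "https://abc.com@evil.com/",
                      "https://abc.com.evil.com/", "/\\evil.com", "javascript:alert(1)"):
        print(f"{candidate!r:32} -> {safe_logout_target(candidate)!r}")
    print(aad_logout_url("contoso.onmicrosoft.com", "//evil.com"))
```

The allowlist is an exact-match set rather than a suffix check on purpose: a suffix check on `.abc.com` is what lets `abc.com.evil.com`-style hosts through, and the WebSphere `allowAnyLogoutExitPageHost=true` setting is the equivalent of removing the check altogether.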
In my app, when a user tries to access a route behind a firewall and gets redirected to login, they are given the opportunity to create an account. After creating the account and successfully logging in, I'd like to redirect them to the initially requested page.
However, I've not been able to work out how to get access to the route they initially requested before the security kicked in. Any help?
I'm not using FOSUserBundle, and I'd like to avoid it if possible, as I'm quite far into development.
By default the user is redirected to the requested page. This behavior is defined in DefaultAuthenticationSuccessHandler.
I'm using plone4.1 and would like to create a cookie for my whole domain (.site.com) when a user logs in on the web site. This cookie will be read by other sites/applications in my domain. Alternatively changing "__ac" to apply to the domain instead of www.site.com.
I've seen from other questions that setCookie(...) would do it. I would like to create the cookie on a successful login. Where would be a good place to do this?
Thanks for your help, I'm new to plone programming.
You can set the domain in the session plugin (controlling the __ac cookie).
1. Go to the ZMI via the Site Setup control panel.
2. Find the acl_users folder.
3. Inside this folder is a session object.
4. This in turn has a Properties tab.
5. On that tab there is a Cookie domain field. Fill in your .site.com domain there and hit Save Changes.
So it's an ASP.NET problem where two users are using the same machine and the same browser.
User 1 logs in the domain.
User 1 changes some data without saving it.
User 2 logs in the domain in a separate tab.
User 1 switches back to his tab and saves the data.
User 1 actually saved the data into User 2!!
This is caused by the following mechanism:
Different tabs in the same browser seem to share the same session id.
We are storing user auth in cookie and the cookie is shared between tabs (same domain)
Therefore, when User 1 requests to save, it is recognized as User 2 since the cookie has been updated to User 2.
So I'm wondering if there's any other methods to prevent this from happening, other than:
1. Use cookieless session so the session is embedded in uri.
2. Always include a hidden field in page to indicate which user owns the page.
Regards,
You could add some fields in the database to track that the user is logged in, and grab their IP address, and restrict access that way.
IE8 has a "New Session" command in the file menu that opens a new window, but that's pretty much like using 2 different browsers.
Hiding the login form until the current user is logged out will raise awareness that another user is logged in but won't prevent the above scenario. If the logout process could refresh each page in the browser on the domain then it might work, although User 1 would lose all modified data.
I used the trick of opening a new window with a specific name and always making sure that any page opened always uses that window.
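Option 2 from the question (a hidden field that records which user the page was rendered for) is the one that actually stops the cross-user save, provided the server verifies it rather than trusting it. The example below is added here and is not code from the thread; it is written in Python rather than ASP.NET so it can run stand-alone, and the secret key, user ids and the in-memory store are constructed for the example. The page embeds an HMAC-bound token naming its owner; on submit the server checks that the owner matches whoever the auth cookie now identifies, and refuses the write otherwise. (ASP.NET MVC's anti-forgery token performs the same user binding: `ValidateAntiForgeryToken` rejects a token issued for a different username.)

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret (an assumption for this example; a real app
# loads it from configuration, never from source).
SECRET_KEY = b"replace-me-with-a-random-32-byte-key"


def issue_form_token(user_id):
    """Called when a page containing a form is rendered for `user_id`.
    The token names the page's owner and is tied to that name by an HMAC,
    so the browser cannot re-mint it for a different user."""
    nonce = secrets.token_hex(8)
    mac = hmac.new(SECRET_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{user_id}:{nonce}:{mac}"


def form_owner(token):
    """Return the user id a token was issued for, or None if it was tampered
    with or malformed. rsplit keeps user ids containing ':' intact."""
    try:
        user_id, nonce, mac = token.rsplit(":", 2)
    except (ValueError, AttributeError):
        return None
    expected = hmac.new(SECRET_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return user_id if hmac.compare_digest(mac, expected) else None


def handle_save(session_user, form_token, data, store):
    """Simulated POST handler. `session_user` is whoever the auth cookie
    currently identifies; `form_token` is the hidden field from the page
    being submitted. The write happens only when the two agree."""
    owner = form_owner(form_token)
    if owner is None:
        return 400, "invalid form token"
    if owner != session_user:
        return 409, (f"page was opened as {owner} but the browser is now "
                     f"logged in as {session_user}; nothing saved")
    store.setdefault(session_user, {}).update(data)
    return 200, "saved"


if __name__ == "__main__":
    # Replay the scenario from the question with a constructed store.
    store = {}
    user1_page = issue_form_token("user1")      # User 1 logs in, opens the edit page
    # User 2 logs in in another tab: the shared auth cookie now says "user2".
    print(handle_save("user2", user1_page, {"email": "u1@example.org"}, store))
    # A forged token (last hex digit flipped) is rejected outright.
    forged = user1_page[:-1] + ("0" if user1_page[-1] != "0" else "1")
    print(handle_save("user1", forged, {"email": "x"}, store))
    # Only User 1's own session can submit User 1's page.
    print(handle_save("user1", user1_page, {"email": "u1@example.org"}, store))
    print(store)
```

The token protects against the wrong record being written; it does not rescue User 1's unsaved edits, which is the trade-off the answer above already notes. Bind the token to the user identity, not to the session id, since the session id is exactly what the two tabs share.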