i need to sign out an authenticated user in ASP.NET reliably when a browser tab gets closed. What is the recommended solution?
Thanks
Typically you would do your sign-out logic when the session has ended. But if you had to detect when page is closed, use this:
<body onunload="performMyLogoutLogic();">
...
...
</body>
You could use a generic handler to kill session and call this beforeunload like this:
function CloseSession( )
{
location.href = 'KillSession.ashx?task=1';
}
window.onbeforeunload = CloseSession;
And in your KillSession.ashx do this
public void ProcessRequest(HttpContext context)
{
if(!String.IsNullOrWhiteSpace(Request.QueryString["task"].toString()))
{
if(Request.QueryString["task"].toString()=="1")
{
Session["User"]==null;
context.Response.ContentType = "text/plain";
context.Response.Write("Good Bye!");
}
}
}
Related
I'm trying to check which page should load my app at the beginning, first of all I check a database table if I find the login information stored I want to push the once named StartPage(), as I'm working with the database the method includes an await if there isn't any data stored I want to push the LoginPage(). I have tried following this example Xamarin.Forms Async Task On Startup . My code is :
public App()
{
int result;
InitializeComponent();
ThreadHelper.Init(SynchronizationContext.Current);
ThreadHelper.RunOnUIThread(async () => {
MainPage = new ActivityIndicatorPage();
result = await InitializeAppAsync();
if (result == 0)
{
PushLoginPage();
}
else
{
PushStartPage();
}
});
}
public void PushStartPage()
{
NavigationPage nav = new NavigationPage(new StartPage());
nav.SetValue(NavigationPage.BarBackgroundColorProperty, Color.FromHex("#D60000"));
MainPage = nav;
}
public void PushLoginPage()
{
MainPage = new Login();
}
public void PushLoginPage(string email, string password)
{
MainPage = new Login(email, password);
}
private async Task<int> InitializeAppAsync()
{
if (ViewModel == null)
ViewModel = new MainViewModel(this);
return await ViewModel.LoginViewModel.PushInitialPage();
}
But throws the following exception and as the author of the article says, is not recommended to do it.
Exception
Another option tried was overriding the OnStart() method but didn't work either.
protected override async void OnStart()
{
Task.Run(async ()=> { await InitializeAppAsync(); });
}
The PushInitialPage method:
public async Task PushInitialPage()
{
if (_app.Properties.ContainsKey("isLogged"))
{
var user = await UserDataBase.GetUserDataAsync();
var result = await Login(user.Email, user.Password);
if (result.StatusCode != 200)
{
return 0;
///PushLoginPage();
}
else
{
return 1;
//PushStartPage();
}
}
else
{
return 0;
}
}
When the OS asks your app to show a page, it must show a page. It can't say "hold on a minute or two while I talk to this remote server over an iffy network connection." It has to show a page Right Now.
So, I recommend bringing up a splash page - your company or app logo, for example. When the splash page shows, then call InitializeAppAsync, and based on the result, switch to the login or start page or nice user-friendly offline error page.
In Xamarin.Forms we have properties called 'Application.Current.Properties'. By using this we can able to save the any data type. So once user login in to the application you can set one flag and set it is true. Then after every time when user login in to the application you can check this flag and navigate your respective page.
Sample Code :
App.cs :
public App()
{
if (Current.Properties.ContainsKey("isLogged"))
{
if((bool)Application.Current.Properties["isLogged"])
{
// navigate to your required page.
}
else
{
// naviate to login page.
}
}
else
{
// naviate to login page.
}
}
At first time application open it checks the 'isLogged' property is presented or not, if not it will move to the login page. When user login into the application by using his credentials, we need to create 'isLoggin' property and set as true. Then after if user try to login it checks the condition and navigates to the respective page.
Saving Property SampleCode :
Application.Current.Properties["isLogged"] = true;
await Application.Current.SavePropertiesAsync();
write above code for after login into the application. If a user log out from the app you need to set 'isLogged' flag is false.
I have a button click event which on successful login calls a private method, which in turn redirects the user to a page depending on the user's role. I am testing if a user of a particular role is redirected properly to the page. Please help me test this.
public void LogonUser(object sender, EventArgs e)
{
bool expired;
String userName;
UserAuthentication userAuth = new UserAuthentication();
userAuth.GetUserLoginInfo(UserID.Value, out userName, out expired);
string returnUrl = Request.QueryString[PhysicianProfileAppConstants.QueryStringKeys.ReturnUrl];
if (SuperUserControllerAttribute.IsSuperUserController(returnUrl)
&& !this.currentUserService.GetCurrentUser().IsSuperUser)
{
this.MissingSuperUserDiv.Visible = true;
return;
}
if (!CheckForceChangeFormVisibility(expired))
{
OnSuccessfullLogin();
}
}
private void OnSuccessfullLogin()
{
var userInfo = this.userEntityService.GetUserByLoginId(userId);
if (userInfo.IsSelfService == true)
{
if (userInfo.Physicians.Count() == 1)
{
var url = "/" + userInfo.Physicians.First().Id;
Response.Redirect(url);
}
}
Response.Redirect(Request.QueryString["ReturnUrl"] ?? FormsAuthentication.DefaultUrl);
}
Separate your domain logic from your UI - see e.g. http://martinfowler.com/eaaDev/uiArchs.html and http://msdn.microsoft.com/en-us/magazine/cc188690.aspx for a detailed discussion. With this approach, your button click will just call a method in another class, a "presenter", that's isolated from the UI details, that you can then easily unit test. To make sure your UI is wired up correctly to your presenter, you can use an automated integration test using something like Selenium, or use a manual smoke test, since this approach makes the UI code so simple it's unlikely to be broken once you have it working.
Once the user logs in, i am displaying an alert to user based on a check on page load method. Now when the user navigates to other aspx pages and clicks on home again, I don’t want him to see the alert again. I want to achieve this with jquery and session variable. In a way I want to check first page load by jquery using a session variable.
I could do this with Session and RegisterStartupScript
User Login code
public void doLogin(string userName, string pwd)
{
// validate user
// check to see whether need to show alert
Session["ShowAlert"]=true;
Response.Redirect("Home.aspx");
}
in Home.aspx
Option 1
protected void Page_Load(object sender, EventArgs e)
{
if(Session["ShowAlert"]!=null)
{
String scriptName = "PopupScript";
if (!IsClientScriptBlockRegistered(csname1))
{
StringBuilder cstext = new StringBuilder();
cstext.Append("<script type=\"text/javascript\"> function showUserAlert() {");
cstext.Append("alert('message');} ");
cstext.Append("</script>");
RegisterStartupScript(cstext, cstext.ToString());
Session.Remove("ShowAlert");
}
}
}
Option 2:
Just define a javascript variable var in the page and use it in $(function(){...})
protected void Page_Load(object sender, EventArgs e)
{
if(Session["ShowAlert"]!=null)
{
String scriptName = "PopupScript";
if (!IsClientScriptBlockRegistered(csname1))
{
StringBuilder cstext = new StringBuilder();
cstext.Append("<script type=\"text/javascript\">");
cstext.Append("var showAlert=true;");
cstext.Append("</script>");
RegisterClientScriptBlock(cstext, cstext.ToString());
Session.Remove("ShowAlert");
}
}
}
JS
$(document).ready(function(){
if(showAlert)
{
alert('ShowMessage');
}
});
I made this exact feature a couple of weeks ago, but used a mySQL database instead of using sessions. If you are wanting to display the alert to the user only once EVER (or as close to forever as possible) or just once a week etc, then you should use cookies instead of sessions.
Otherwise, you can detect when the page has loaded simply with jQuery:
$().ready(function(){
if(!$.session.get("viewed_page")){
alert("some message");
$.session.set("viewed_page", true);
}
});
No need for session here.
You can use the session cookie itself.
$(function (){
if (document.cookie.indexOf("yourToken")>-1)
{}
else
{
// show the window , and set a cookie
}
});
I am using post like this in http://www.mywebsite.com/hello.aspx page:
$.post("handler.ashx", {}, function (x) { alert(x); });
How to check the address from which the handler is running?
public void ProcessRequest (HttpContext context)
{
// check if request is from http://mywebsite/hello.aspx
context.Response.ContentType = "text/plain";
context.Response.Write("test");
}
or... how to disable request handler from different domain?
You can use the UrlReferrer to check if the call is comming from your site. One very simple working example:
if( !context.Request.UrlReferrer.Contains("site.com/")) )
{
context.Response.End();
return;
}
In some rare cases that users overwrite the Referrer, this fails.
How do you handle ajax requests when user is not authenticated?
Someone enters the page, leaves room for an hour, returns, adds comment on the page that goes throuh ajax using jQuery ($.post). Since he is not authenticated, method return RedirectToRoute result (redirects to login page). What do you do with it? How do you handle it on client side and how do you handle it in controller?
EDIT:
I wrote above answer a long time ago and now I believe that sending 403 is not proper way to go. 403 has slightly different meaning and it just shouldn't be used. This is corrected attribute using 401. It differs only with additional context.HttpContext.Response.End() in Http401Result and different HTTP code:
public class OptionalAuthorizeAttribute : AuthorizeAttribute
{
private class Http401Result : ActionResult
{
public override void ExecuteResult(ControllerContext context)
{
// Set the response code to 401.
context.HttpContext.Response.StatusCode = 401;
context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue);
context.HttpContext.Response.End();
}
}
private readonly bool _authorize;
public OptionalAuthorizeAttribute()
{
_authorize = true;
}
//OptionalAuthorize is turned on on base controller class, so it has to be turned off on some controller.
//That is why parameter is introduced.
public OptionalAuthorizeAttribute(bool authorize)
{
_authorize = authorize;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
//When authorize parameter is set to false, not authorization should be performed.
if (!_authorize)
return true;
var result = base.AuthorizeCore(httpContext);
return result;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
{
//Ajax request doesn't return to login page, it just returns 401 error.
filterContext.Result = new Http401Result();
}
else
base.HandleUnauthorizedRequest(filterContext);
}
}
OLD ANSWER:
While I like the ideas posted in other answers (which I had an idea about earlier), I needed code samples. Here they are:
Modified Authorize attribute:
public class OptionalAuthorizeAttribute : AuthorizeAttribute
{
private class Http403Result : ActionResult
{
public override void ExecuteResult(ControllerContext context)
{
// Set the response code to 403.
context.HttpContext.Response.StatusCode = 403;
context.HttpContext.Response.Write(CTRes.AuthorizationLostPleaseLogOutAndLogInAgainToContinue);
}
}
private readonly bool _authorize;
public OptionalAuthorizeAttribute()
{
_authorize = true;
}
//OptionalAuthorize is turned on on base controller class, so it has to be turned off on some controller.
//That is why parameter is introduced.
public OptionalAuthorizeAttribute(bool authorize)
{
_authorize = authorize;
}
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
//When authorize parameter is set to false, not authorization should be performed.
if (!_authorize)
return true;
var result = base.AuthorizeCore(httpContext);
return result;
}
protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
{
if (filterContext.RequestContext.HttpContext.Request.IsAjaxRequest())
{
//Ajax request doesn't return to login page, it just returns 403 error.
filterContext.Result = new Http403Result();
}
else
base.HandleUnauthorizedRequest(filterContext);
}
}
HandleUnauthorizedRequest is overridden, so it returns Http403Result when using Ajax. Http403Result changes StatusCode to 403 and returns message to the user in response. There is some additional logic in attribute (authorize parameter), because I turn on [Authorize] in the base controller and disable it in some pages.
The other important part is global handling of this response on client side. This is what I placed in Site.Master:
<script type="text/javascript">
$(document).ready(
function() {
$("body").ajaxError(
function(e,request) {
if (request.status == 403) {
alert(request.responseText);
window.location = '/Logout';
}
}
);
}
);
</script>
I place a GLOBAL ajax error handler and when ever $.post fails with a 403 error, the response message is alerted and the user is redirected to logout page. Now I don't have to handle the error in every $.post request, because it is handled globally.
Why 403, and not 401? 401 is handled internally by MVC framework (that is why redirection to login page is done after failed authorization).
What do you think about it?
The idea I came up with when a coworker asked about how to handle it was this - make an AuthorizeAjax attribute. It can interrogate and verify that Request.IsAjaxRequest() and, if the request isn't authenticated, return a specific JSON error object. It's possible you could simply override the default AuthorizeAttribute and have it call the base unless it's an unauthorized AJAX request so you don't have to worry about whether to tag controller actions with [Authorize] or [AuthorizeAjax].
On the client-side, all your pages would have to be equipped to deal with the returned error, but that logic can likely be shared.
I would propose creating your own AuthorizeAttribute and if the request is an Ajax request, throw an HttpException(401/403). And also switch to use jQuery's Ajax Method instead.
Assuming you've implemented error pages and they return the correct status code, the error callback will be executed instead of the success callback. This will be happen because of the response code.
The simplest and cleanest solution I've found for this is to register a callback with the jQuery.ajaxSuccess() event and check for the "X-AspNetMvc-Version" response header.
Every jQuery Ajax request in my app is handled by Mvc so if the header is missing I know my request has been redirected to the login page, and I simply reload the page for a top-level redirect:
$(document).ajaxSuccess(function(event, XMLHttpRequest, ajaxOptions) {
// if request returns non MVC page reload because this means the user
// session has expired
var mvcHeaderName = "X-AspNetMvc-Version";
var mvcHeaderValue = XMLHttpRequest.getResponseHeader(mvcHeaderName);
if (!mvcHeaderValue) {
location.reload();
}
});
The page reload may cause some Javascript errors (depending on what you're doing with the Ajax response) but in most cases where debugging is off the user will never see these.
If you don't want to use the built-in header I'm sure you could easily add a custom one and follow the same pattern.
Here's a solution I use. It is dead simple, if a bit brute-force. I like it because I'm lazy and I don't want to think about special attributes on action methods and I don't want to write ajax error handlers if I don't have to (although there's no reason client script couldn't detect the 403 status code and do something user friendly).
Putting this in Global.axax detects any unauthenticated ajax request and simply returns 403, with no content. This prevents unauthenticated ajax calls getting redirected to the login form when forms authentication is in use.
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
// Prevent Ajax requests from being returned the login form when not authenticated
// (eg. after authentication timeout).
if ((Request.Headers["X-Requested-With"] != null && Request.Headers["X-Requested-With"] == "XMLHttpRequest")
||
(Request["X-Requested-With"] != null && Request["X-Requested-With"] == "XMLHttpRequest"))
{
if (!Request.IsAuthenticated)
{
Response.Clear();
Response.StatusCode = 403;
Response.Flush();
Response.End();
}
}
}
You can detect ajax request and send 401, and on client side you can even show an ajax dialog with login prompt, after which you can "continue" your failed ajax request and make your application work and user feel like session timeout never happened. See this answer for details.