ASP.NET Membership Lockout for 30 minutes - asp.net

Greetings,
In ASP.NET, is there a way to lockout the members for 30 minutes (or given period) if they enter the password for 5 times?
This PasswordAnswerAttemptLockoutDuration won't work for me. I'm after actual invalid password entry.
Thanks Heaps.

This property is only valid for an ActiveDirectoryMembershipProvider.
You could set the MaxInvalidPasswordAttempts and PasswordAttemptWindow properties. Then, for example, after 5 invalid passwords the user will be locked by setting the IsLockedOut property to true and can be unlocked by the UnlockUser method.
You could compare the FailedPasswordAttemptWindowStart value with DateTime.Now to check if the user could be unlocked and logged in again.

I think you shouldn't implement this feature. Although it may look like a good security idea, it actually isn't. Because with this, I can easily lock any user I want, I just need to know his login name.

We've implemented a feature similar to this a while back, and it works pretty well. I haven't got the code on me, but it went something like this.
On the login page, have a function that determines if the user trying to login is locked out of the system and if that user has been locked out for less than x amount of minutes display an error message, else unlock them and proceed with the login.
Hope that makes sense, I'll try and dig the code out on Monday when I'm back in the office if you need it.
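
Added example (not from the original posts): the timed auto-unlock described in the answers above, written in C# against the System.Web.Security Membership API. The 30-minute duration and the TimedLockout class and its method names are assumptions made for this example.

```csharp
using System;
using System.Web.Security;

public static class TimedLockout
{
    // Assumption: 30-minute lockout, as asked in the question.
    // The lock itself is applied by the provider once maxInvalidPasswordAttempts
    // is reached within passwordAttemptWindow (both set in web.config).
    private static readonly TimeSpan LockoutDuration = TimeSpan.FromMinutes(30);

    // Pure decision helper so the rule can be tested without a provider.
    public static bool LockoutExpired(DateTime lastLockoutUtc, DateTime nowUtc)
    {
        return nowUtc - lastLockoutUtc >= LockoutDuration;
    }

    // Returns true only when the credentials are valid and the account
    // is not inside its lockout period.
    public static bool TryLogin(string userName, string password)
    {
        MembershipUser user = Membership.GetUser(userName);
        if (user == null)
        {
            return false; // same result as a bad password, so names are not revealed
        }

        if (user.IsLockedOut)
        {
            DateTime lockedAtUtc = user.LastLockoutDate.ToUniversalTime();
            if (!LockoutExpired(lockedAtUtc, DateTime.UtcNow))
            {
                return false; // still locked: do not evaluate the password at all
            }
            user.UnlockUser(); // lockout period is over, clear IsLockedOut
        }

        // ValidateUser counts failed attempts and locks the account again
        // when the configured limit is reached.
        return Membership.ValidateUser(userName, password);
    }
}
```

Call TryLogin from the login page instead of calling Membership.ValidateUser directly, and show the same generic failure message whether the account is locked or the password is wrong.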

Related

How can I get all currently logged in fe_users with Extbase

Does anybody know how I can get all logged in users in TYPO3 8.7 with extbase? Sure, I can get the fe_users sessions, but isn't there a more extbase-like way?
UPDATE:
I need to get the uids of all currently logged in users. It seems that the is_online field holds only the timestamp from the last login. If the user is logged out, this field still has the timestamp. Maybe reading the fe_sessions is really the better way?
You can evaluate two fields every fe_users record holds: is_online and lastlogin.
The field lastlogin is refreshed on each server access.
AFAIK the field is_online is evaluated in the form now - lastlogin > n.
So in general you have another problem, as you can not clearly detect which users are active. You only have the information when a user last time contacted the server.
The interval n is necessary as a user has no continuous connection to the server. He can just read some text before he clicks to another page, but he also could close the browser window every time. And even then, if the session cookie is stored, he might use the website again and can be online immediately. Was he online the whole time?
In contrast to this, a user is not even marked offline (is_online = 0) if he does an explicit logout.

Drupal 7 Content Deadline

I am using Drupal 7 and a custom CCK content in order to allow users to submit information to our website. I'd like to be able to only allow submissions between a set of user definable dates. Once the dates expire, i'd like for the user to receive a message of some sort stating that the deadline for submissions is now expired when they click the link to open the form.
I currently manually go in and turn off permissions to the content type once the deadline expires, but that is clunky and requires a little too much management (I have 15 forms I need to do this for). I've searched stack overflow and google and have not come up with anything that fit my needs, most likely because I'm not using the right keywords.
Does anyone know an easy way to do this with a module or do I need to try to write my own in order to accomplish this goal? Thanks in advance for any help.
I think you have to write some custom module to achieve this. You would use hook_node_access() to control node creation page access and put your error message and/or redirection.
https://api.drupal.org/api/drupal/modules%21node%21node.api.php/function/hook_node_access/7
Another solution is to use Webform module.
https://www.drupal.org/project/webform
Download version 7.x-4.x
Create a form and in the settings there is an option to control total submissions limit, and set time frames for limitations.
Hope this helps.
You can achieve this by:
Create a column in the user table in MySQL called "expDate", and assign the expDate values (mm-dd-yyyy) to each user.
In Drupal, on the page where users submit a message, write PHP code to grab the expDate from the database and compare it to the current date, date('m-d-Y'). Just copy and paste the PHP code into each page where you have the form.
You can also pass the expDate from php to js, then do some fancy job instead of simple alert.

How to alert a user that session will be expiring soon in ASP.NET?

I have a scenario where I would like to display a message to the users of my application alerting them that his session will expire soon and that he should save his work to avoid the loss of his work.
This would be a typical scenario where a user is typing information on a textbox and then leaves his computer unattended for a while. Then when he presses a submit button to save his work, he is redirected to login page because his session expired, thus having to type all his information again in the textbox.
How can an alert message be displayed on the screen using ASP.NET 2.0/3.5?
Thanks in advance for your guidance.
G.
Reminders are not going to be much use if the user has left their computer for any period of time over 20 mins. The session will still time out. You'd be better off keeping the session alive:
AH, Ah, ah, ah…Staying Alive…Staying Alive
To answer my own question, looks like the best way to accomplish this is to use a setTimeout javascript function to alert a reminder X mins before the session timeout.
One way to do this is by registering ClientScript.
Pass the session expiry value to the client-side JavaScript, which will execute a countdown and, at the end, display the popup.

Timing User Access in ASP.NET MVC, Beginner

In ASP.NET MVC, what is a good way (the preferred way??) to time how long a user has been on a specific page? For example, I want the user to select something and then only allow the user to do something for 30 seconds. Good links or a reference to a page of a book would be much appreciated.
Thanks in advance!
You can keep track of when a user went somewhere and how long they have been there (or had the page open while balancing their check book...you get the idea). The problem is that you need some form of client controller to let them see XYZ for 30 seconds...and then redirect them to the next page that they can see. So if you want the user to see a resource for X amount of time you need to employ a javascript client side timer to take them away from the resource when their time is expired. This can be done with the time statically coded to the client (which could be changed by the client) or it can be done by making an AJAX request to the server to see if the time has expired. Or it could be done with an embedded flash player. The key here is that your server side doesn't have as much power over the client side as what you are requiring. Most testing sites deploy some form of this client side javascript to keep track of what the user is doing, when, and for how long!
One pretty easy way is to store the last time the user was on the page in a database - the table could have, for example, the fields UserID, Page, and TimeStamp. Whenever the user tries to do whatever you only want to allow for 30 secs, you check against the database if the time has passed or not. (For such short periods of time as 30 seconds, a database might be a little too slow, though... Depends on your requirement of precision, I guess...).
You could use JavaScript's setTimeout() function:
var timeOut = function() {
    alert('Time is up!');
};
setTimeout(timeOut, 30000);
Or you could use a <meta> tag:
<meta http-equiv="refresh" content="30;url=http://www.example.com/time-is-up.html">

Using cookies to prevent access to certain non secure pages in a site

If I have a small microsite and on the first page I want to ensure that the user cannot jump to a non secure page between (e.g. 2 or 3), what would be the best way to implement this? The next page can only be seen if the user sets a certain item in a drop down box.
My first thought is cookies. If the user goes to the second page and the cookie's value is null, then there is a redirect to a failure page. If the user chooses the right value, the cookie's value is set to being a success. Would this approach work if I send a link on the 2nd page to a friend on another PC?
Is there a better way?
Cheap, down and dirty? The cookie or session value works. Neither is reliable long term.
If you are making it so a user can only see certain info after selecting a drop down, you can hide it in a panel and only show that panel when the drop down is selected. This is the most useful if you do not mind the user having to select from drop down each time. You can use this with a cookie, as well, if you want the user to be able to see the data without selecting the drop down.
Hidden in the same page (drop down in one panel, info in another), you can keep it hidden perpetually.
If this has to be a second page, you can also put the page in another directory, and then put a web.config file in there that requires log in. You can then make it like a "log in" by "logging in" every person that answers. You end up using the Membership bits, but they are not hooked up to anything.
Cookies are not a good idea for this for one specific reason. They are under the control of the user, not you.
If a user has cookies disabled (globally or just for your site), they won't be able to get to page 2 no matter how many times they've read page 1.
In addition, if they know what your cookie contains (i.e., it's not encrypted), they can easily create it themselves or forward the method to a friend to get them to create it.
Regarding your question on whether you could send the page 2 link to someone else, cookies belong to the computer. That means the "someone else" would almost certainly not have the correct cookie for properly viewing page 2: they'd get an error.
We implemented a similar scheme (many years ago so there may be better ways to do it now). It involved storing a special "one-time" key when delivering page 1 to an IP address. The links in that page 1 were modified to include this key as an argument so that, when you requested page 2, the key was sent through as well.
The keys had a 30-minute lifetime (configurable but we ended up at 30 minutes). In order for us to deliver a page 2, the request had to come from the same IP address and have the proper key.
This prevented forwarding of links to other places and ensured the links had limited lifetimes.
Whether that's a viable solution for you is a question only you can answer. I know we got a few complaints from people who brought up page 1, then went out for a coffee. When they got back, their attempt to access page 2 was unsuccessful. We fixed this by simply redirecting them to page 1 with a suitable error message that their key had timed out.
Not perfect but, since the users were educated as to why it was happening, they understood its necessity.
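
Added example (not the code of the answer's author): a C# implementation of the scheme described in the answer above, a server-side key issued with page 1, tied to the requesting IP address and valid for a limited time. The PageKeyStore class, its method names, the in-memory store and the choice to consume the key on first use are assumptions made for this example.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;

public sealed class PageKeyStore
{
    private sealed class Entry
    {
        public string Ip;
        public DateTime ExpiresUtc;
    }

    // Assumption: in-memory store. Keys that are never redeemed stay here
    // until the process recycles, so a periodic sweep is needed in production.
    private readonly ConcurrentDictionary<string, Entry> _keys =
        new ConcurrentDictionary<string, Entry>();
    private readonly TimeSpan _lifetime;

    public PageKeyStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called while rendering page 1; the result is appended to the page 2 link.
    public string Issue(string clientIp, DateTime nowUtc)
    {
        byte[] raw = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(raw); // 128 bits from the OS CSPRNG, not guessable
        }
        string key = BitConverter.ToString(raw).Replace("-", "");
        _keys[key] = new Entry { Ip = clientIp, ExpiresUtc = nowUtc + _lifetime };
        return key;
    }

    // Called when page 2 is requested. The entry is removed before it is
    // checked, so a key is single-use even if two requests race, and a
    // forwarded link opened from another address also consumes it.
    public bool Redeem(string key, string clientIp, DateTime nowUtc)
    {
        Entry entry;
        if (key == null || !_keys.TryRemove(key, out entry))
        {
            return false; // unknown or already used
        }
        return entry.Ip == clientIp && nowUtc <= entry.ExpiresUtc;
    }
}
```

A store created with TimeSpan.FromMinutes(30) matches the lifetime in the answer; when Redeem returns false, redirect to page 1 with the timeout message the answer describes. Clients behind a shared proxy or NAT present the same IP address, so the address check narrows who can reuse a link but does not identify a single user.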
If I understand your question correctly then the link you send to your friend will not work as they will not have the cookie stored in their browser memory or on their machine. This would also be true if you stored the value in Session as they will be creating their own new session when they opened the link.
To get this kind of behaviour when sharing links you will need to pass the value in a querystring, i.e. when you select the desired option on page 1 and submit the form, the postback takes the selected option and then redirects to page 2 with the option appended to the URL as a querystring value.
