I have issue about multiple login in asp.net.
Case this happen:
User X login as "user1" in web browser.
Then user Y also login as "user1" also in another web browser.
User Y got error message "Another user log in some account".
That is work as expected.
If X, close their web browser. Then try again to login in as "user1".
X get also get "Another user log in some account".
So i trying debug then i found session is remove when web browser is close, but cache still remaining in web browser.
Anyone have idea about this how to clear cache when user close their browser, (not tab).
Regard.
There is no reliable way to get a notification when the browser is closed.
The best you can do is get notification that it's still open and implement your own timeout. Use an ajax callback on a timer to ping the server "I'm still open". Set it to every 5 or 10 or 30 seconds or whatever you need and when you don't get one on the server for that time, you know the browser was closed.
Related
I am trying to use the Telegram Login Widget.
I have inserted the following script in my login page:
<script async="" src="https://telegram.org/js/telegram-widget.js?4" data-telegram-login="<name of bot>" data-size="large" data-auth-url="http://local.<domain>/tg" data-radius="0" data-request-access="write"></script>
This works insofar that the Login Widget gets displayed.
When I click the "Login with Telegram" button, it correctly asks me to Accept/Decline if I want to login at this website. But then nothing further happens.
By investigating the network requests I found that the telegram servers respond thus:
{"error":"NOT_AUTHORIZED","html":"<button class=\"btn tgme_widget_login_button\" onclick=\"return TWidgetLogin.auth();\"><i class=\"tgme_widget_login_button_icon\"><\/i>Log in with Telegram<\/button>","origin":"http:\/\/local.<domain>"}
Is there anything I am missing that I should have done?
I did have a chat with the #BotFather to set the domain to http://local.<domain>.
When logging in, I also get a message from Telegram in the Client telling me:
You have successfully logged in on local.furry.cafe via #.
The website received your name, username and profile picture.
Things that could be problematic:
local.<domain> is part of my /etc/hosts, but this shouldn't be a problem right?
I don't use HTTPS on my dev machine? But this is not written as a requirement anywhere.
After several hours of more debugging I've found the reason:
You need to have third-party cookies set as allowed.
Since the request seems to be made from the asking window, it didn't have any authentication cookies attached, which in turn gave the NOT_AUTHORIZED response, while at the same time 'logging' you in, in the telegram client.
Since the server has no idea that the cookies was not set, it could not say anything.
TL;DR: Don't disable third party cookies if you want to use Telegram Login as a User.
I'll have to add a small text explanation so that if a user does have them disabled, it is shown to them.
I have a small simple problem, however the following is quite lengthy to explain the issue more.
I have an MVC 4 application using forms authentication. I have it setup using browser session cookies so that they can use the site for as long as they want, but as soon as they close the browser it in essence logs them out.
Now I have added an extra layer of security in the form of an idle timer, so that if they are idle for, say, 5 minutes, an ajax request is sent to the server to delete the forms auth token, return a session expired partial view, and show this session expired view as a modal dialog.
This dialog has a label that shows the users name, and a password input field so they can re-enter their password.
What this means is that if anyone opens up another session they will just go to the login screen as no-one is logged in, and teh same happens if they just refresh teh current screen. But it also means that if the user enters their password on the timeout screen the dialog sends an ajax request to the server to login them in again, and then just removes the dialog.
This all works (mostly) perfectly and they will be on the same screen as they were before, and they will also have everything filled out as they did before for example if they were in the middle of filling out a large form etc.
The issue is, if they have 2 different tabs open in their browser, the first one times out, shows the timeout screen with their name and the password entry box as expected, but the 2nd browser tab when it makes the request for the time-out screen to the mvc method, does not find a logged in user, as no-one is logged in as the person was logged out with the first time-out request. How can I get round this problem? Is there a simple solution? Or is there a better design for how I am doing this?
I've seen this issue in live sites and it's really annoying. It forces users to only have one tab open to avoid getting logged out.
Could you solve it by not logging the user out on the server once the timeout hits, but only delete the session cookie? That way the user will still see the timeout screen on the idle tab, but can still work with the other tab. It can still be an inconvenience, but I think if you really want that timeout screen it might be the way to do it. Unless you want to do it with WebSockets or something similar.
I am using forms authentication with Asp.Net 4. At the moment when the users click on logout link, I clear the session and call FormsAuthentication.SignOut() and this prevents the users from going back to the site without a logging in again.
Now I want to kill the session when the browser or tab is closed. I tried doing this by handling onbeforeunload event, but I ended up killing the session after clicking any internal links.
Any ideas how I can do this?
You can't, but you can come close to.
The authentication cookies are session only, that means that delete by browser when the browser close. Maybe you do not close all browsers tabs, but if you close them all the authentication cookies are lost.
About closing a tab, you do not know if the user have other tab opens.
A possible solution maybe is a call every 10 seconds back to the server to keep this authentication active or not, and set the authentication to end up after 20 seconds. So if not any signal come back, the user have gone. This can be done using javascript. From the other hand this can not let the user logout after some minutes of inactivity, so you may need a combination of this logic with something else.
The best you can do is when your user explicitly logs out to also call Session.Abandon() to remove that user's session. But like others have said there is no way of knowing if the tab/window just closes without doing a logout in this fashion. The session will just hang around on the server until it expires.
I answered another question that had a problem with session being killed when the user edited the web.config on a live site. They were tracking users still being logged in with Session variables (dangerous). But came up with a solution (untested solution) that could help people here.
FormsAuthentication allows you to maintain a person being active and logged in indefinitely. But if they become inactive for e.g. 20 mins they will be logged out which is nice. But to have them logged out at the time the close their browser is not possible (wait for it...) as setting the timeout value to 0 would cause them to be constantly logged in then out again.
So solution : at the time you log a person in using FormsAuthentication you could also set a standard session variable cookie that will be deleted when they close their browser. This cookie would have non-identifying non-account related information. Just a simple "loggedIn:yes".
Now all your code would need to have on it's masterpage/materlayout is a high level call in the page cycle or constructor of the page cycle (or even a custom attribute) that would check both cookie and the user identity:
if(!HasLoginCookie() || !System.Web.HttpContext.Current.User.Identity.IsAuthenticated)
{
// redirect user to log in page.
}
Basically if the cookie is removed when the browser is closed, you will redirect the user to the log in page.
Hopefully that helps (and works. As I said untested).
I have an asp.net website using the SQL ASP.net membership system. When users are logged in to the website and are inactive for 20 minutes, they get sent to the login page on the next page request. I would like to show some text on the login page that says "you were logged out due to inactivity" when this happens. Is there a built-in way to do this? Or any other ways I could distinguish why the user has been sent to the login page (for inactivity or some other reason)? I have scoured SO and Google but haven't been able to come up with anything.
The reason we need to do this is because we recently migrated from a previous version of the website that was lax about security and didn't have auto logout, so we're getting lots of feedback from users thinking there's something wrong with the website when they are prompted to login again.
Thanks in advance.
It is better to use javascript for this and be proactive about it, showing the timeout remaining if possible otherwise just alerting the user with a messagebox showing that his session has timed out and then redirecting him to the login page. Have a look here for a simple example.
To redirect him to the login page add the following to the below line as in the example:
alert("Your current Session is over."); window.location = "YourLoginPage.aspx";
For purposes of closure, I'll answer my own question. I couldn't find a clean way of doing what I'd like, so I ended up setting a cookie with the login time after the user logs in. Then on the login form page, I see if the login time in the cookie is greater than 30 minutes old (my auth timeout in asp.net) and display a "logged out due to inactivity" message. Otherwise it doesn't display the message.
Not great, but it seems to work. Satisfies the requirement for the vast majority of our users.
In my Flex application, channelSet is reset on each browser refresh. If you've authenticated and refresh the page and check channelSet.authenticated, it says false, but your remoteObject calls will still work because the server session still exists.
I have a service call that checks for a session on the server and can identify that one exists when a user has already authenticated and not logged out, but how can I bypass login and still set the channelSet.authenticated to true without calling channelSet.login() when they come back to the page(before a timeout occurs, of course)?
UPDATE:
The user session isn't closed if you exit the browser. Currently it does in fact make you log in again. But there is an existing session so blazeds returns a re-authentication error if you're not the user in the session, and it also allows you to login with any password if you are the user because it sees that the session has already been authenticated.
So how can I make it so the session is invalidated upon closing the browser or refreshing? I could do it by automatically logging out when the app starts, but that doesn't seem very elegant.
alternatively I could do something like this:
<body onunload="MyFlexApp.myFlexFunction();">
and call logout automatically when they leave the page.
What's the proper way to handle this?
But they haven't authenticated... how can you be sure that the person using the app now is the same person as before? Closing the browser is supposed to be a good way of breaking a link with an application. If the next person in the internet cafe can get access simply by going to your page, that breaks security somewhat doesn't it?
That's why, even if there's a current session, you should force re-authentication.