I know I can't logout an HTTP authentication.
Overwriting through the Location: http://logout:byebye#yourserver.example.com/ way seems to work on most browsers, except IE.
I was wondering however if I could let the users overwrite the Authentication data.
So say the user has some auth data in its browser, now they go to my /logout page, and it sends back the 401 headers so that the authentication window pops up and they can overwrite it.
However, when they click OK (auth data is now overwritten in the browser) the /logout page reloads, and there's no way for me to validate the new data because the page will reload after I clicked OK and it will run the Auth headers again and it will show the popup again.
So basically, how do I validate HTTP auth data if there's already some data set in the browser?
when they click OK (auth data is now overwritten in the browser) the /logout page reloads, and there's no way for me to validate the new data
You just have to reverse-validate the submitted data: if the user supplies proper auth, return the 401 response; if the user supplies bad auth or no auth, return a 200 or 302 to signal that the new bad/no auth has been accepted. The browser will then continue to use the bad/no auth for future requests.
Add directions something like “Click here and then enter no username or password and click OK” and you've got yourself a workable, if slightly shonky logout feature for HTTP Basic Auth.
(This is easy assuming you're spitting out the auth headers yourself from a script; it's not generally possible to pull off if you're using your web server's Authentication handling features.)
Related
I've recently started developing e-commerce app with multiple types of users, and currently I am experiencing some issues with browsers Page Cache. Here is one example for user authentication
Authentication Token is generated
Authentication Token is written into the database
Authentication Token and its expiry is saved into the user session
I wrote middleware that checks if user is authenticated and if its authorized (checks the token and access level) as well as expiry - tested it, it works. On "Log Out" I am destroying a session and renewing the token with Session.Destroy(r.Context()) and Session.RenewToken(r.Context())
Here is the problem:
I log in as "Admin" and go to DASHBOARD page for which only admin users are authorized to access.
I logout
I login as regular user and click "BACK' on browser it takes me to Dashboard page when it should not. But, when I refresh the page it does say "UNAUTHORIZED" which is what I was expecting when clicking "back" or something.
I was searching through the internet and found a "solution" where I set the headers in the following manner:
w.Header().Set("Cache-Control", "no-cache, private, max-age=0")
w.Header().Set("Expires", time.Unix(0, 0).Format(http.TimeFormat))
w.Header().Set("Pragma", "no-cache")
w.Header().Set("X-Accel-Expires", "0")
This however, does not work for me. I do see these headers in the NETWORK card when I open my Web Developer Tools, but problem remains.
What am I doing wrong?
I have a web app and I am using firebase authentication to login/signup our users.
In the past I have used Passport for login in my app which works but you have to maintain your own database and security blah blah... but I can control when my user can visit a page after logging via Passport using middleware like this -
// isAuthentcated is my middleware on server side.
app.get('/home', isAuthenticated,(req,res)=>{
res.render('home');
});
How can I do the same using firebase because there isn't any mechanism to do that. I have read different answers on stackoverflow and most of the pople are suggesting something like below which obviously isn't secure. Anybody can just type home.html and get to the page.
firebase.auth().onAuthStateChanged(user => {
if(user) {
window.location = 'home.html'; //After successful login, user will be redirected to home.html
}
});
Although, I have thought of using firebase-admin sdk token verification and try to follow the suggestion here but I don't know how it can be useful to do that on server side. Do you guys have any suggestions? How do you redirect user to a new page. An ajax post/get request from a client to a route '/home' with a header containing 'Bearer token' just validate the token but doesn't redirect user because it is a ajax call which is meant for updating a portion of a page.
Now, the question really is, Is it even possible to do that with firebase authentication?
If you host your site on App Engine you can send the ID token of the client with the request for the HTML. This could take the form of a cookie, a parameter, or whatever you choose to securely transfer the token from client to server.
Then the server can use the Firebase Admin SDK to verify the ID token, and use whatever logic you need to determine whether the request is authorized.
I successfully authenticated my user with my firebase app in the browser. Now I want my custom backend to know that the user is authenticated.
How do I go about this? Can I tell the client to include the firebase JWT in every request to my backend, so that the backend knows the user is logged in? (This is necessary so that the backend will not redirect a logged-in user to the login page, for example.)
Background Research:
The firebase authentication docs explain how to get the firebase token, send it to your custom backend, and then do something on the backend with the user data. That's fine for an XHR request, where you can tell the browser to include the token as a header. I don't understand how to get the browser to include the token in a normal HTTP request to the server, like when the user opens a new tab and navigates to the admin panel at https://example.com/admin.
This is a related question, but I didn't understand the answer (or at least how I could apply it to my use case).
Here's how the good guys at jwt.io explain it:
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:
Authorization: Bearer <token>
This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.
How can I force basic http authentication instead of cookie authentication for one url / browser view and not to switch complete site away from cookie thing.
We do not want to allow login parameters in url anymore.:
/foren/RSS?__ac_name=meinloginname&__ac_password=meinpassword
So feed readers need basic http authentication to access the feed.
Basic authentication is always supported; if a basic auth header is present the cookie-based login form redirect will not be shown.
Presumably you want to disable the redirect for the RSS feed instead, so when basic auth headers are not present a 401 auth-required response is sent instead of a redirect?
If so, then you'll need to provide PluggableAuthService plugin, implementing the IChallengePlugin interface to intercept the challenge() call and make sure unathorized is raised before the CookieAuthHelper plugin can redirect.
I have this scenario.
RP with passive federation to 2.
Custom STS for user/password authentication
Everything is working fine. So far the user would press login link, which would go to a restricted area, thus the federation security was triggered, and login screen appeared. It would prompt him to write the credentials, the request was then processed, etc.
Now I'm required to create login (user/password) text-boxes on the same page (default page). How can I achieve federation sign-in operation without redirecting to a login page? Should (or can) I use FederatedPassiveSignIn control? If so, how?
You could show the login boxes on the unprotected landing page if IsAutheticated is false and then send a message to the custom STS login page with the credentials encrypted or whatever which then logs in behind the scenes and redirects back to your app. with the token in the normal manner.
However, if the user is not authenticated and bookmarks a page behind the landing page, they'll be redirected to the STS.
For anyone interested (I doubt someone actually is), I've solved it through - basically - simulating what login page does.
// makes credentials validation, and creates IClaimsPrincipal with the acquired claims
IClaimsPrincipal principal = LoginHelper.SignIn(editEmail.Value, editPassword.Value);
// retrieves the instance of the STS (in this case my custom STS)
TrustedSecurityTokenService service = (TrustedSecurityTokenService) TrustedSecurityTokenServiceConfiguration.Current.CreateSecurityTokenService();
// creates the request manually to point to my original page (or whatever page you desire)
SignInRequestMessage request = FederatedAuthentication.WSFederationAuthenticationModule.CreateSignInRequest(Guid.NewGuid().ToString(), "http://page/i/want/to/go/after/the/validation.aspx", true);
// processes first the request...
SignInResponseMessage response = FederatedPassiveSecurityTokenServiceOperations.ProcessSignInRequest(request, principal, service);
// ...then the response is processed, and redirected to URL above
FederatedPassiveSecurityTokenServiceOperations.ProcessSignInResponse(response, Response);
This created cookies, and principal is not IsAuthenticated. As if it were process by login page (at least it seems to work so far as expected).