ASP.NET ajax authentication service problem - asp.net

Although I've set isPersistent to false, the authorization cookie is persisted between sessions. This only happens with IE8. With other browsers it works as expected.
// third argument is isPersistent
Sys.Services.AuthenticationService.login(username, pw, false, null, null, null, null, "User Context");

This is because IE8 treats sessions differently.
For instance, if you open 2 IE8 windows at the same time and go to a web site, log in as user A, then visit the same site in the other window, it will have shared your session. Then if you log out and log in as user B in the other window, then go back to the first window and refresh, you will be logged in as user B there too.
You can't force the browser (IE8) to behave differently by code; you can, however, force IE8 to open with a new session by opening a new window and then going to File - New Session. Alternatively, you could start IE8 from the command line using:
iexplore.exe -nomerge
For more information on the new process model of IE8, see this article.

Related

Oracle's WDB_GATEWAY_LOGOUT does not work in mozilla browser

I have a PL/SQL application which has a log out button with following code being executed when log out button is clicked:
-- Open the HTTP header
owa_util.mime_header('text/html', FALSE, NULL);
-- Send a cookie to logout
owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
-- Close the HTTP header
owa_util.http_header_close;
-- Generate the page
htp.p('You have been logged off from the WEBSITE');
htp.p('click here to log in');
htp.p('<BR>bye');
It works perfectly when using Internet Explorer; however, when I use Mozilla, when I log back in I am still logged in as the previous user. Has anyone else been in this situation? How can I make this work for Mozilla as well?
I got this code from oracle documentation page:
https://docs.oracle.com/cd/B13789_01/server.101/b12303/secure.htm
Thanks in advance!
I've found it best to set and unset your own session cookie. Then use owa_custom to verify the cookie.
In the dad.config file add:
PlsqlAuthenticationMode CustomOwa
Then create a package in your schema called owa_custom and add one function inside it: owa_custom.authorize.
owa_custom.authorize will be called before each web invocation. You can check your session cookie and, if you want to allow the web call, return true. To block it, return false and the user will get a 403 Forbidden.
Then if you like you can write a custom 403 forbidden page and redirect to your login page.
Just know that in 12C, mod_plsql is going away and you'll need to use the Oracle Rest Listener. The same functionality exists there. Things just have different names.

Single sign out with WSO2 Identity Server - WS-Federation

I got single sign in working but I don't know how to configure single sign out.
Here is what I've tried so far (without any success):
[My Service provider] -> Inbound Authentication Configuration -> [my issuer] -> Enable Single Logout is Checked (custom URL is not given)
What I try is to simply redirect the browser to the URL where login is configured with the following parameter:
https://localhost:9443/passivests?wa=wsignout1.0
So the login works perfectly with this URL: https://localhost:9443/passivests
As I understand it, there is nothing else I should do, but WSO2 IS does not remove the cookie, and when I try with my other webapp it logs me in as if nothing happened.
I omitted wreply (as it is optional), so I expect that the browser is not redirected back to my application or login screen. This is the reason I try it with a different application. Also, the other app is opened FIRST after logout and it still gets the claims. (I always test with a new incognito-mode Chrome window to avoid false negatives because of leftover cookies.)
So is there anything else I should do or is it perhaps a known bug?
This is a known bug. I can't find the particular class right now but the logout function called when using WS-Fed is an auto-generated //TODO stub.
https://svn.wso2.org/repos/wso2/carbon/platform/branches/turing/components/identity/org.wso2.carbon.identity.sts.passive/4.2.0/src/main/java/org/wso2/carbon/identity/sts/passive/processors/SignoutRequestProcessor.java

How to implement Remember me automation in Firefox with web driver?

How to implement "Remember me" automation in Firefox with web driver? I am using WebDriver 2.20, Eclipse IDE, Firefox 9.0
The reason you are experiencing that is that every time you start Firefox, WebDriver creates a new anonymous profile with no cookies. You can make it use a particular profile, which should retain cookies.
File profileDir = new File("path/to/profile");
FirefoxProfile profile = new FirefoxProfile(profileDir);
WebDriver driver = new FirefoxDriver(profile);
FirefoxProfile has many other options, like adding extensions and all.
I understand you need a solution for Firefox, but I have the below working version for Chrome. You can refer to this link for a Firefox solution: How to start Selenium RemoteWebDriver or WebDriver without clearing cookies or cache?
For Chrome (config): You have to set the path to user-dir which will save all the login info after you login for the first time. The next time you login again, login info from the user-dir will be taken.
System.setProperty("webdriver.chrome.driver", "res/chromedriver.exe");
DesiredCapabilities capabilities = DesiredCapabilities.chrome();
ChromeOptions options = new ChromeOptions();
options.addArguments("test-type");
options.addArguments("start-maximized");
options.addArguments("user-data-dir=D:/temp/");
capabilities.setCapability("chrome.binary","res/chromedriver.exe");
capabilities.setCapability(ChromeOptions.CAPABILITY,options);
WebDriver driver = new ChromeDriver(capabilities);
Login for the first time:
driver.get("https://gmail.com");
//Your login script typing username password, check 'keep me signed in' and so on
Close the driver (do NOT quit):
driver.close();
Re-initialize the driver and navigate to the site. You should not be asked for username and password again:
driver = new ChromeDriver(capabilities);
driver.get("http://gmail.com");
The above can be implemented for Firefox using a Firefox profile.

Strange behavior on cookie domain

Background:
AspNet web app / C# 3.5
IIS7
VS 2010
Windows 7
When user is authenticated, we create a cookie, this way:
var cookieASP = FormsAuthentication.GetAuthCookie(user.Id, true);
cookieASP.Domain = "x.y.local";
Yes, domain is hard coded for this example.
Using a cookie viewer extension in Firefox 11, I can see that the domain of the cookie is .x.y.local, with a leading dot. I know that it allows the cookie to be shared between w.x.y.local and q.x.y.local. Ok.
But, when user clicks on disconnect, he is not kicked out...
var cookieAsp = System.Web.Security.FormsAuthentication.GetAuthCookie(u.Identifiant, true);
cookieAsp.Expires = DateTime.Now.AddDays(-10);
Response.Cookies.Set(cookieAsp);
FormsAuthentication.SignOut();
And with debugger we can see that cookieAsp.Domain is null. And cookie is not removed from browser's cookies.
If I edit cookie domain (directly from browser), and set its domain to x.y.local without the leading ., cookie is deleted and user disconnected.
I don't understand why this dot is added, and why it is not well understood by the browser.
EDIT (major importance I guess): we are doing such way because if we don't set domain, then IE8 (only 8) can't understand our cookie...
When you want to remove a cookie, you have to specify the cookie with the exact domain of the cookie you want to remove. The cookie's domain is not sent by the browser on a request, so you will always get a null value when you try to inspect it within a debugger session.
So before Response.Cookies.Set(cookieAsp); add cookieAsp.Domain = "x.y.local";.
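The following is an added example, not code from the question or answer: a minimal model of a browser cookie store following RFC 6265, where a cookie is identified by name, domain and path. It reproduces the scenario above: the login cookie is set with Domain=x.y.local, and a deletion cookie without a Domain attribute becomes a separate host-only cookie instead of replacing it. The cookie name .ASPXAUTH (the ASP.NET forms-auth default) and the host w.x.y.local are assumptions taken from the question.

```javascript
// Model of a browser cookie store (RFC 6265 section 5.3): a Set-Cookie
// replaces a stored cookie only when name, domain and path all match.
// Constructed example, not the question's code.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: null, path: '/', expires: null };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    const key = k.toLowerCase();
    // Browsers ignore a leading dot on the Domain attribute (hence ".x.y.local" in the viewer)
    if (key === 'domain') cookie.domain = v.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = v;
    else if (key === 'expires') cookie.expires = new Date(v);
  }
  return cookie;
}

function storeCookie(jar, requestHost, header, now = new Date()) {
  const c = parseSetCookie(header);
  // No Domain attribute: host-only cookie bound to the exact request host
  const domain = c.domain ?? requestHost.toLowerCase();
  const hostOnly = c.domain === null;
  // Same name + domain + path: this Set-Cookie replaces the stored cookie
  const idx = jar.findIndex(x => x.name === c.name && x.domain === domain && x.path === c.path);
  if (idx !== -1) jar.splice(idx, 1);
  // An already-expired cookie is a deletion: nothing is stored
  if (c.expires && c.expires <= now) return jar;
  jar.push({ name: c.name, value: c.value, domain, hostOnly, path: c.path });
  return jar;
}

// Login cookie carries Domain=x.y.local; returns whether it survives the logout header
function logoutLeavesCookie(logoutHeader) {
  const jar = [];
  storeCookie(jar, 'w.x.y.local', '.ASPXAUTH=token; Domain=x.y.local; Path=/');
  storeCookie(jar, 'w.x.y.local', logoutHeader);
  return jar.some(c => c.name === '.ASPXAUTH');
}

const past = 'Expires=Thu, 01 Jan 2009 00:00:00 GMT';
// true: a domain-less deletion targets a different (host-only) cookie
const brokenLogout = logoutLeavesCookie(`.ASPXAUTH=; Path=/; ${past}`);
// false: the matching Domain attribute removes the login cookie
const fixedLogout = logoutLeavesCookie(`.ASPXAUTH=; Domain=x.y.local; Path=/; ${past}`);
```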

Active Directory Query ASP VB .Net only works in Trusted Sites

I have an ASP .Net web application written in Visual Basic .Net running on Windows Server 2003 (IIS 6) that works like the one described in How to grab AD credentials from client machine in a web application?
A user access our Intranet page and it uses Windows Authentication to identify the user. The application then looks up that user in Active Directory and grabs the attribute value for that user's IpPhone. This number is what we use for Employee ID's.
In IE8 I can access the site and Windows Auth prompts me and it appears to work, but the application is unable to get my Active Directory user "IP Phone" value (AKA my Employee Number). If I add the URL to Trusted Sites, the application works and grabs my Employee ID successfully.
That wouldn't be a big deal except it does this in every browser (Firefox, Safari, and Chrome). I found a workaround for Firefox (ntlm-authenticate, google 'about config' for Firefox). However, this app shouldn't need to be in Trusted Sites, and I believe if I can get this to work without being in Trusted Sites it will work in all browsers.
Does anyone have any idea what's going on? Thanks in advance.
Take a look at the setting in the screenshot below. The automatic logon refers to using your Windows authentication as you access resources via Internet Explorer. In other words, if you access a web page on a server in your directory, the credentials that you logged in on your machine with are automatically passed to the server you're accessing.
The credentials are generally, for some reason unknown to me, passed along to trusted sites as well. I don't know why this is, but I've seen this behavior enough to be confident stating it.
This feature is only available in IE, except for the workaround you found for Firefox, and will not work in other browsers, unless you find similar workarounds.
A better solution would be to specify the username and password in code as shown here:
http://msdn.microsoft.com/en-us/library/wh2h7eed.aspx
This performs a search and passes along a username and password, rather than relying on the Windows Integrated security.
I have a working snippet of code here for getting an email based on username in our domain, that you can modify for your needs:
' Returns the mail attribute of the AD account matching UserID, or "" if none is found.
Public Function GetEmailFromUserName(ByVal UserID As String) As String
    Dim ReturnValue As String = ""
    ' Bind with an explicit service account instead of the caller's Windows token
    Dim myAD As New System.DirectoryServices.DirectoryEntry("LDAP://mydomain", _
        System.Configuration.ConfigurationManager.AppSettings("adsearchname"), _
        System.Configuration.ConfigurationManager.AppSettings("adsearchpwd"))
    Dim searcher As New System.DirectoryServices.DirectorySearcher(myAD)
    ' Escape LDAP filter metacharacters (RFC 4515) so UserID cannot change the query
    Dim safeId As String = UserID.Replace("\", "\5c").Replace("*", "\2a") _
        .Replace("(", "\28").Replace(")", "\29").Replace(vbNullChar, "\00")
    searcher.Filter = "(anr=" & safeId & ")"
    searcher.PropertiesToLoad.Add("mail")
    For Each myResult As System.DirectoryServices.SearchResult In searcher.FindAll()
        ' Read the mail attribute directly rather than scanning every returned property
        If myResult.Properties.Contains("mail") AndAlso myResult.Properties("mail").Count > 0 Then
            ReturnValue = CStr(myResult.Properties("mail")(0))
        End If
    Next
    Return ReturnValue
End Function
