Since my 2 post about the LDAP Authentication (first post, second post), we created our own custom authentication scheme and function to connect to the application using our Active Directory credentials.
We can successfully log in the application. However, we have a second function which retrieves the group of the user in the AD. Here's the code when I'm trying to retrieve the group into a Text Field (P1_GROUP) :
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => 'thepassword')
As you can see, this is working, because the password is in static text. This leads me to my main question :
How to retrieve the user's password in Oracle Apex, and what is the most secure way ?
I tried to set a Branch or a Process in the Log-In page while redirecting the user's the the home page, and Set Value of the :P9999_PASSWORD field to the home page text field P1_PWD.
So, I tried to adapt my code with the text field
ourschema.ldap_get_group_apex_from_user(
p_username => v('APP_USER'),
p_password => :P1_PWD)
Unfortunately, this doesn't seems secure because the password would be visible in the HTML code of the page (right click + inspect and there it is. Moreover, sometimes it gives me an error
Error computing item source value for page item P1_GROUP
It seems like the application cannot execute the function because the password is still not initialized.
Is there a way to retrieve :P9999_PASSWORD or to transfer it from the login page to a global variable/global page or a text field ? Or is there a function to retrieve the current user's password ?
Thank you again for your time, do not hesitate to ask for more details as this is a very specific case,
Thomas
I don't think your approach is correct. Ideally, even an administrator of your system should not be able to decrypt a user's passwords; they should be stored as hashes.
You're trying to look up the user's group memberships? You don't need the user's own credentials to do that. Use a dedicated account that has access to your Active Directory system and store that password encrypted in your database. Use that account to search for and look up the user's group memberships. That way, even if your system is compromised, only that account is exposed.
Thank you all for your answers and your advices on my case, and for taking the time to help.
We found a solution that we think is reliable, here's what we did if that could help other people.
We created a global variable G_GROUP, which will receive the group of the user
On the login page, we created a process before the login process.
Set the Source of the Process to PL/SQL Code :
:G_GROUP := pdbadmin.ldap_get_group_apex_from_user( --our custom function to retrieve groups
p_username => :P9999_USERNAME,
p_password => :P9999_PASSWORD); -- the function get the username and password in the fields
If i want to display the group of the user in the main page, let's create a Text Field P1_GROUP which as for Source the PL/SQL Expression :G_GROUP
Our group is initialized, and the password is not shown in any field.
Let me know what you think about it, and if you guys think this could be improved.
Related
I would like to make an auth page to my website with only a Key field.
Example : I give an Key like 'A5DP7123OAC' to my customer for the login.
And if the code is correct he can access to his panel. Actually I just create a Cookie :
withCookie(cookie()->forever('access', 'true'));
But it's not a good way I think.
Do you have solution to Auth an user only with a Key ?
Thank's
You could pass your key to the session and then check to see if the key the user provides matches the key in the session. If so you can log the user in manually using one of the methods found here: https://laravel.com/docs/5.2/authentication#other-authentication-methods
If you don't want to use the session, you could also create a DB table and store your keys there optionally giving them expirations so that the keys are only valid for a period of time. You could also make it so that keys are only valid for one IP address. Plenty of options.
I am using Oracle apex 5,oracle database 12c
I have successfully configured oracle apex 5 with oracle DB 12c.
My requirement is to accessing username and password from url and use it as login credentials.
But I am not able to get username and password from url in apex processes.
I am tried below stuff:
URL : f?p=136:1:::::PX_USER,PX_PWD:shree,itdev
I accessing like :PX_USER and :PX_PWD
but that's not working for me.If any other method is there for accessing parameters in prcessing then please suggest me
Let's hope this is just for educational purposes only. Showing username and password in a URL is not very safe...
If you call an Apex page like this:
URL : f?p=136:1:::::PX_USER,PX_PWD:shree,itdev
This means that the value "shree" is assigned to page item PX_USER and the value "itdev" is assigned to PX_PWD.
The standard way to name items in Apex is to use the page number. So, create hidden page items P136_USER and P136_PWD and call the page like this:
URL : f?p=136:1:::::P136_USER,P136_PWD:shree,itdev
The values should be accessible now.
Are you using them in SQL/PL/SQL? If you are trying to just set values with them on the page (such as giving another value it as the default value or output them in an html-region), then you have to reference the values such as &PX_USER.
The ending dot is sometimes very important.
And as Rene wrote, make sure they are decalred page-items. If they are, your naming convention is unorthodox. Do adopt the P_name style.
What is the best way to securely login in a user and keep the user signed in with cookies and sessions?
For example:
Check if password and email are valid for a specific user
Set a cookie with arbitrary string
Create a session with the same arbitrary string
Validate each request by the user by making sure the arbitrary strings of the cookie and session are the same
What is the best way to securly login in a user and keep the user signed in with cookies and sessions?
Using an established library.
It depends on how you define "create a session". For our purposes here let's define this as "create a server-side data store with an id and set a cookie with that id"; i.e. what the default session_start() does. Then:
Ensure the connection is HTTPS.
Check login credentials.
If valid, create a session (see above) with a large, (pseudo-)random id and an expiration time as short as possible but as long as necessary. Security here comes from the fact that it's infeasible to guess suitably random session ids, so the longer they are and the shorter their window of validity is the better.
Store the id of the logged in user in the session.
On each page request, see if the session with the id from the cookie exists; if so, use the user id stored in it to get your logged in user.
Optionally storing and checking the user agent is not a bad idea; you should not check the IP address though, as that may change legitimately.
Apart from storing it in sessions , you can also follow this method for keeping an user logged in , even after he closes the browser ->
1) Create a cookie storing user details and an unique hash
2) Create a sessions table (in a mysql db or any other db of your choice) where the unique hash is stored against the user-id, and the user agent of the browser,and the ip address .
3) Next time when the user logs in check that when the user logs in , is it from the same ip,same user agent .. If not , then delete the database entry , and repeat steps 1 and 2.
Apart from keeping an user logged in , it also gives you better security than just storing in sessions.
In my struts2 application, in the login action I am placing the user and role in the session.
I want to keep track of all the users who logged in so as to do stuff like following :
Avoid multiple login of same user-id.
Check wheather a user is looged in or not ! Or any body with role Admin is logged in or not !
and in some other actions !
How to do it any suggestion!
And also how to maintain the issues like
User close browser without loggin ! etc
Any material with more information of session can also realy help !
You can have a column in you user table called logged_in_time (timestamp type) and update it with the time when user logs in and make it null when user logs out.
Avoid multiple login of same user-id: : check if this columns alreadt has some value or not.
Check whether a user is looged in or not : check if that column is null or not.
User close browser without logging out : A schduler job may be, that runs at fixed interval of time to check the session(using sessionid may be) of the user and update this field accordingly.
Take a look at this discussion for further information. And another one.
I'm creating a VBS to create a user from our HR-systems.
Most of it worked; but I noticed the domain field stays blank (the field on the right of the logon name in the dsa.msc tool; the second part of the User Principal Name).
you can see it in this screenshot as "#Entcert2.com"
I can't find any information on this on the internet.
There is basically only one value possible, but it's blank after the user creation.
The NETBIOS-domain name is filled in correctly.
What's the correct fieldname for this to fill in the value using vbs?
You just forget to fill the userPrincipalName attribute.