Session object Not getting clear after log out when calling through postman - session

I have a page when i login and then do f12 , i copy the request header , cookies and the request url and using post in postman i get the data.
After i logout and refersh the page again i use the same cookie in the postman and post the url data but i still get the data, even if i have done log out i still get the data.
I dont want to get any data after i logged out.i want the cookie to get expire or change when i logout.
If useing postman after logout should not return any data in the response.
Please help me.
Here is my logout code
Dim authCookie As HttpCookie = Request.Cookies(FormsAuthentication.FormsCookieName)
Dim authTicket As FormsAuthenticationTicket = FormsAuthentication.Decrypt(authCookie.Value)
Session.Abandon()
Session.Clear()
FormsAuthentication.SignOut()
End If
Session.Contents.Clear()
Session.Clear()
Session.RemoveAll()
Session.Abandon()
HttpContext.Session.Clear()
FormsAuthentication.SignOut()
Response.Cache.SetCacheability(HttpCacheability.NoCache)
Response.Cache.SetNoStore()
Response.Cache.SetExpires(DateTime.UtcNow.AddMinutes(-1))
Response.Cache.SetNoStore()
Response.Expires = 60
Response.ExpiresAbsolute = Now
Response.CacheControl = "no-cache"
HttpContext.User = New GenericPrincipal(New GenericIdentity(String.Empty), Nothing)
Response.Redirect(System.Configuration.ConfigurationManager.AppSettings("root").ToString() + "logon.aspx")

Related

Spring boot: Requests with an expired Cookie is still available after logging out

In the spring boot project, when the user logouts, we invalidate the cookie with this block of code:
//name = "Token"
//value = "expired"
//age = 0
private void setExpiredCookie(HttpServletResponse response, String name, String value, int age) {
Cookie cookie = new Cookie(name, value);
cookie.setSecure(true); //Send cookie to the server only over an encrypted HTTPS connection
cookie.setHttpOnly(true); //Preventing cross-site scripting attacks
cookie.setPath("/"); //Global cookie accessible every where
cookie.setMaxAge(age); //Deleting a cookie. I Passed the same other cookie properties when you used to set it
response.addCookie(cookie);
}
However, after logout, I tested my website with an application for catching the request and resending it through the repeater, with exact values, such as token and payload.
I resent a request, for example, to change the email address, and this request, despite logging out, is valid for 15 minutes (for the life of the original cookie).
What am I missing? Because I am properly deleting and protecting cookies.
You are just creating new cookie.
You should invalidate cookie with session id, which was given to you when you authenticated. Simply use this:
HttpSession session = httpServletRequest.getSession(false);
session.invalidate();

Is there spring boot jwt logout solution in using Cookie storage?

I stored jwt token in Cookie Storage .
I want to remove or expire this token in logout action . how should I do ? Can somebody give me advice?Thank you. I use this following code :
final String token=jwtTokenUtil.generateToken(userDetials);
Cookie cookie = new Cookie("token",token);
cookie.setHttpOnly(true);`enter code here`
response.addCookie(cookie);
based on Delete cookie from a servlet response
Create a new cookie with a value of null and add it to the response. So you would replace
Cookie cookie = new Cookie("token",token);
with
Cookie cookie = new Cookie("token",null);

How to get session token after successful authentication?

After successful authentication via a form post sign-in, I need to be able to use the same session token within the response to do another post to a protected route, but this time using XMLHttpRequest.
How would I get the session token, considering that the successful authentication response has already passed.
The session token is stored in a laravel_session cookie, assuming default Laravel settings (see config/session.php).
You can read the cookie in javascript using document.cookie. For example:
function readCookie(name)
{
var matches = document.cookie.match('(^|; )'+name+'=([^;]*)');
if (matches) {
return decodeURIComponent(matches[2]);
}
return null;
}
var token = readCookie('laravel_session');

laravel5 set cookie on ajax call

When the user clicks add to cart I create an new cart and add the product to the cookie of the user. But how do I set the cookie on an ajax response. Im trying:
//set the values for the view make
$cartId = 'someval i set earlyer'
$cookie = Cookie::forever('cartid', $cartId);
$currentCart = Cart::findOrFail($cartId);
$items = CartItem::where('cart_id','=',$currentCart->id)->get();
//this function also check the $request on a valid cookie
$total = $this->calculateCartTotal($request);
return Response::json(View::make('front.cart.render',compact('items', 'total'))->withCookie($cookie)->render());
But the value is never set, I tryd refreshing the page but there is still no cookie for cartid. How can I set a cookie for an ajax reponse
Try this:
return Response::json(
View::make('front.cart.render',compact('items', 'total'))->render()
)->withCookie($cookie);
rendor belongs to View
withCookie belongs to Response
Check Response headers.
Set-Cookie:cartid=...

Why can't I just send rest calls to MVC3?

I'm trying to send requests to my MVC3 app, I've tried regular WebRequest, I'm trying it with RestSharp applying correct Authenticator, but it still returns the redirect result of login page?
What am i doing wrong?
upd: How should I do forms authentication with RestSharp? I guess it's possible somehow - just need to play around that cookie...
If you are getting redirected to a login page your mvc 3 app must be setup for forms authentication. Forms authentication will want a cookie sent with the request. If you are using the basic authenticator in RestSharp this will not work. I assume that you are using the MVC controller to provide a REST API that you are trying to call.
One option is to upgrade to MVC 4 and use the ASP.NET Web API to develop your REST API's. The authorization behavior is a little different in an ASP.NET Web API in that it will return an HTTP 401 error instead of doing a redirect. And you can customize the AuthorizationAttribute to pull the information out of the HTTP header for basic authentication and authorization.
Another option is if the action on the controller does not require authentication/authorization you can put the AllowAnonymousAttribute on the method.
To pass the Forms authentication you gotta get the cookie and stick it to RestSharp's cookie container. To get the cookie you can use just regular WebRequest.
private Cookie GetAuthCookie(string user, string pass)
{
var http = WebRequest.Create(_baseUrl+"Users/Login") as HttpWebRequest;
http.AllowAutoRedirect = false;
http.Method = "POST";
http.ContentType = "application/x-www-form-urlencoded";
http.CookieContainer = new CookieContainer();
var postData = "UserName=" + user + "&Password=" + pass + "&RememberMe=true&RememberMe=false&ReturnUrl=www.google.com";
byte[] dataBytes = System.Text.Encoding.UTF8.GetBytes(postData);
http.ContentLength = dataBytes.Length;
using (var postStream = http.GetRequestStream())
{
postStream.Write(dataBytes, 0, dataBytes.Length);
}
var httpResponse = http.GetResponse() as HttpWebResponse;
return httpResponse.Cookies[FormsAuthentication.FormsCookieName];
}

Resources