Chrome and MS Edge do not share the same session cookie for the same domain across separate browser instances - session

I am testing my ASP.NET Core 3.1 web app for session cookie behaviour.
I created a very simple app with login functionality, which works perfectly. After I log in, I can access a protected page (one with the [Authorize] attribute).
Then I tested the following scenarios.
After logging in:
Chrome/Edge: Open a new tab to access the protected page - it works (no login screen appears)
Chrome/Edge: Open a new window (same instance) to access the protected page - it works (no login screen appears)
Chrome/Edge: Open a new instance to access the protected page - it shows the login screen, not authenticated
However, when I run it in IE, all of the above cases are accepted as authenticated (no login screen appears).
What should I do to share the same session cookie across separate browser instances in Chrome and Edge?
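As an added example (not part of the original question), the following Python script classifies Set-Cookie headers the way a browser does: a cookie without Expires or Max-Age is a session cookie that lives only in the browser process that received it, which is the usual reason a separately launched browser instance starts out unauthenticated. The sample headers are constructed; the cookie name is ASP.NET Core Identity's default, and the values are made up.

```python
from http.cookies import SimpleCookie
from typing import Dict, List

# Constructed sample Set-Cookie headers. The first two use ASP.NET Core Identity's
# default cookie name; the values are made up. Identity issues the second form
# (with Expires) when the sign-in is made with isPersistent: true.
SAMPLE_HEADERS = [
    ".AspNetCore.Identity.Application=CfDJ8EXAMPLE; path=/; samesite=lax; httponly",
    ".AspNetCore.Identity.Application=CfDJ8EXAMPLE; expires=Fri, 01 Jan 2100 00:00:00 GMT; "
    "path=/; secure; samesite=lax; httponly",
    "JSESSIONID=ABC123; Path=/; HttpOnly",
]

def describe_cookie(header: str) -> Dict[str, object]:
    """Lifetime and the attributes a reviewer checks on an authentication cookie."""
    parsed = SimpleCookie()
    parsed.load(header)
    (name, morsel), = parsed.items()  # one cookie per Set-Cookie header
    # A browser keeps a cookie across a restart (and makes it visible to a
    # separately launched instance that shares the profile) only when the
    # server gave it an Expires or Max-Age; otherwise it is a session cookie.
    persistent = bool(morsel["expires"] or morsel["max-age"])
    return {
        "name": name,
        "persistent": persistent,
        "survives_browser_restart": persistent,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
        "samesite": (morsel["samesite"] or "(absent)").lower(),
    }

def audit(headers: List[str]) -> List[Dict[str, object]]:
    """Describe every header; flag auth cookies that lack Secure or HttpOnly."""
    results = []
    for header in headers:
        info = describe_cookie(header)
        info["warnings"] = [flag for flag in ("secure", "httponly") if not info[flag]]
        results.append(info)
    return results

if __name__ == "__main__":
    for entry in audit(SAMPLE_HEADERS):
        print(entry)
```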

Related

Cypress - Microsoft authentication in Newly opened window

We have witnessed a scenario where it is required to get the user authenticated by Microsoft and then request a callback URL.
Login URL
We have successfully mitigated the new login prompt window and are trying to open the authentication URL (obtained via the new window object).
But it is now being visited as the URL is continuously redirecting through multiple domains.
We have tried to set the origin manually via this process, but when it redirects to another (unknown) URL, the test leads to a blank page.
Is it possible to visit an unknown URL and complete the authentication?
cy.origin('https://login.microsoftonline.com/', () => {
  // get the email field and try to type into it
})

asp.net core 3.1 Identity - redirecting to login after SignInAsync() when referrer is Stripe

We have an issue with an ASP.NET Core 3.1 MVC application. The application is using the built-in ASP.NET Identity feature. The application is working well for existing users. If you hit any [Authorized] route, you are redirected to the login page as expected.
However, rather than having a registration process in our app, we onboard new users via Stripe Checkout. Upon successful payment, Stripe redirects to a specific route in our application, /conversion/success/{sessionid}, where sessionid is the Stripe session. This action is marked [AllowAnonymous].
We then pull the necessary customer details from Stripe and create a user in our repository via UserManager<T>. We then call SignInManager<T>.SignInAsync() to sign in the new user before redirecting them to the [Authorized] home page.
This process works perfectly when running locally on our test machines. It also works perfectly on our production server (Azure App Service) when we hit the route manually through the browser.
However, when we actually run the process through Stripe, complete a payment and let Stripe redirect the customer, we get a strange behaviour.
The conversion route is hit, the user record is created and the sign-in process completes, but upon redirection to the home page the authentication middleware takes over, says the user is not authenticated and redirects to the login page.
To compound matters further, if you then simply type the home page route into the browser, the user is in fact logged in exactly as expected and the application works perfectly.
Using Fiddler to intercept the calls and look at the headers etc., we can't see why there would be different behaviour when coming from Stripe as opposed to typing the URL directly. We've even tried redirecting from a different website to our registration process, and that works as expected too.
Any idea why we are seeing this behaviour?
--- Update ---
If, rather than redirecting to the home page at the end of the onboarding process, we simply show a simple View with an anchor link to the home page, the user can then go to the home page as expected.
Is it possible that you're rendering the page before authentication has completed? Since UserManager uses a cookie to establish the user's session, authentication needs to complete before any response headers or body are set, so that the Set-Cookie header can be sent in the response.
Based on what you described, it sounds like the user is hitting the home page after the redirect without having the authentication cookie. Where I'd start debugging this is by using your web inspector with "Preserve log" turned on and going through the Stripe Checkout process. Then inspect the headers sent to the browser when you land on the redirect page and make sure the authentication cookie is set.
Between the requests to Stripe and SignInAsync it seems possible that there is a missing await, so the redirect happens before the authentication context is updated. Hard to say more without seeing your code!

Session being overridden in spring security application

In a Spring Security application I am navigating to the login page, entering my credentials and getting logged in. Now, if I open a new tab in the same browser and navigate to the login URL, it shows me the login page. If I enter another user's credentials and log in, my previous JSESSIONID (i.e. the one created in the previous tab) gets overridden with the new JSESSIONID. Upon refreshing the previous tab, the session is overridden.
I want to implement that if a user is already logged in to the application, navigating to the URL again in another tab of the same browser opens the application's home page.
Please advise how I can accomplish that.
Since the server uses the cookie to map to the current session, you'd have to control how the browser sends cookies. Every time a request is sent to a website from a new tab, most browsers will send all the cookies they have for that domain. Since your server received the same session cookie, it will treat this request as being in the same session. There's no way it can tell the difference.
Therefore, as far as cookie-based web sessions go at least, you probably won't be able to force the creation of a new session upon opening a new tab.

JMeter proxy is blocking the login

I am trying to record a test script with JMeter for an internal website hosted on the company intranet. I can only record up to navigating to the login page, submitting the username/password and clicking the login button. The login page reloads every time. Nothing else happens.
Steps to reproduce:
1) I started the JMeter HTTP(S) Test Script Recorder
2) I changed the browser settings to point it to the proxy.
3) Navigated to the login page, keyed in the username/password and clicked login
4) The login page reloads, nothing else happens.
I tried it in all browsers. It's the same everywhere. I recorded tests on Gmail and Facebook successfully and did not face any issue with navigation there. Please help me. Is it an issue with the server where the site is hosted?
What kind of login authentication do you use on your internal website? Is it the same kind as Gmail or Facebook (a login form whose input is compared against a database)? Or is it Active Directory user (Windows account) authentication (usually there is a browser popup to enter the username and password)?
You can try this:
Start the JMeter HTTP(S) Test Script Recorder
Change the browser settings to point to the proxy
Navigate to the login page, key in the username/password and click login. From this point you will have a sampler for the login step
Change the browser settings to stop using the JMeter proxy
Navigate to the login page, key in the username/password and click login. It should work
Change the browser settings to point to the proxy again
Do the rest of the recording normally to get the remaining scenarios.
I hope that will help you.

window.open() clears session

I have several portlets in my application. If I open a URL using the window.open() method, the session id changes and causes an error in the other portlets. If I don't open this URL, everything works fine. But once this new window is opened, the session is cleared and the rest of the portlets throw an exception since some values are missing.
In the address bar of the browser I typed javascript:alert(document.cookie); to see the JSESSIONID. It remains constant throughout the page and changes when I click the link that launches a new URL in a new window. I used IE8.
Any suggestions for maintaining the session state in IE would be greatly appreciated.
What URL are you passing to window.open()? An easy way to get IE 8 to maintain the JSESSIONID in the popup would be to use a relative URL in the call to window.open() in the portlet markup. The critical thing is that the domain name remains exactly the same. Here's an example of a button with window.open() in the onclick event:
<button onclick="javascript:window.open('/wps/portal')">Home Page</button>
I'm using WebSphere Portal, so '/wps/portal' just links to the home page.
Also, what do you intend to be the target of the popup window? A different portal page with the same session?
Update: Given that the target of window.open() is an independent web application hosted on the same domain...
The portal server and the application server hosting the web application have independent sessions, but they both use a cookie called JSESSIONID by default. The first time you access the web application, the application server overwrites the portal's cookie, causing every subsequent request to the portal to have the wrong session id. When this happened to me, my solution was to configure the portal to name its session cookie something else (e.g. PORTALSESSIONID) so the two do not conflict.
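To make the overwrite concrete, here is an added example (not from the original posts) that models a browser's cookie store keyed by (host, path, name), which every tab and window.open() popup of one browser instance shares. It also illustrates the Spring Security answer above, since any tab presents the same cookies to the server. The host name and cookie values are constructed.

```python
from http.cookies import SimpleCookie
from typing import Dict, Tuple

class CookieStore:
    """Minimal model of one browser instance's cookie store (shared by all its tabs).

    Cookies are keyed by (host, path, name) as in RFC 6265; path matching is
    simplified to a prefix check, which is enough to show the collision.
    """
    def __init__(self) -> None:
        self._jar: Dict[Tuple[str, str, str], str] = {}

    def store(self, host: str, set_cookie: str) -> None:
        """Apply one Set-Cookie header received from `host` to the store."""
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            # Same host + path + name: the new value replaces the old one.
            self._jar[(host, morsel["path"] or "/", name)] = morsel.value

    def cookies_for(self, host: str, url_path: str) -> Dict[str, str]:
        """Cookies the browser would send for a request, from any tab or popup."""
        return {name: value for (h, path, name), value in self._jar.items()
                if h == host and url_path.startswith(path)}

def simulate(portal_cookie_name: str = "JSESSIONID"):
    """Portal and a separate web app on one host, both issuing a session cookie.

    Returns the cookies the portal page sees before and after the popup
    (window.open) has visited the other application.
    """
    store = CookieStore()
    host = "portal.example.test"  # constructed host name
    store.store(host, f"{portal_cookie_name}=PORTAL-SESSION-1; Path=/; HttpOnly")
    before = store.cookies_for(host, "/wps/portal")
    # The popup hits the other application, which issues its own JSESSIONID.
    store.store(host, "JSESSIONID=APP-SESSION-9; Path=/; HttpOnly")
    after = store.cookies_for(host, "/wps/portal")
    return before, after

if __name__ == "__main__":
    print("default name  :", simulate())
    print("renamed portal:", simulate("PORTALSESSIONID"))
```

With the default name the portal's session id is gone after the popup; renaming the portal cookie (as the answer suggests) lets both cookies coexist.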
