Multiple Express with express-session Applications on Single Server, Different Ports - session

I am running multiple MEAN applications using express-session on a single server under multiple ports. When I authenticate into application A, the established token for the other (application B) is modified. The authenticated user session for application B is then denied.
How do I configure all of my applications to persist and verify tokens independently? For example, on localhost, application A runs on port 80, and application B runs on port 90. I want a user to be able to authenticate and use application A without disrupting another user's Application B session.
Here is the code in my app.js file that should be relevant to my issue:
// Module imports (not shown in the original snippet; added here so the file runs)
var express = require('express');
var cors = require('cors');
var cookieParser = require('cookie-parser');
var session = require('express-session');
var mongoose = require('mongoose');
var MongoStore = require('connect-mongo')(session); // connect-mongo 1.x-3.x API
var config = require('./config'); // assumed path to the app's own config module

// Connect to database
mongoose.connect(config.mongo.uri, config.mongo.options);
var connection = mongoose.createConnection(config.mongo.uri, config.mongo.options);
var app = express();
// enable CORS
app.use(cors());
// enable cookieParser
app.use(cookieParser());
// enable session
app.use(session({
    secret: config.secrets.session,
    resave: false,
    saveUninitialized: true,
    name: 'uniqueSessionId', // name of the session cookie the browser stores for this hostname
    store: new MongoStore({
        mongooseConnection: connection
    })
}));

Cookies (which are used to store the session identifier in) are shared across all ports on a given hostname, which is why your apps are interfering with each other.
The documentation of express-session suggests the following:
if you have multiple apps running on the same hostname (this is just the name, i.e. localhost or 127.0.0.1; different schemes and ports do not name a different hostname), then you need to separate the session cookies from each other. The simplest method is to simply set different names per app.
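An added illustration (not from the question or the answer) of why the two apps collide: a minimal model of RFC 6265 cookie storage, in which the browser keys a cookie by host, name and path and ignores the port. With the same cookie name in both apps the second login overwrites the first; with a distinct `name` per app both session cookies coexist. `connect.sid` is express-session's default cookie name; `appA.sid`, `appB.sid`, the hostname and the session ids are constructed values.

```javascript
// Minimal model of browser cookie storage (RFC 6265 section 5.3): a cookie is identified
// by (host, name, path). The port is NOT part of the key, so apps on localhost:80 and
// localhost:90 share one jar entry per cookie name. Constructed example, not from the thread.
function parseSetCookie(header) {
  var parts = header.split(';').map(function (p) { return p.trim(); });
  var nv = parts[0].split('=');
  var cookie = { name: nv[0], value: nv.slice(1).join('='), path: '/' };
  parts.slice(1).forEach(function (attr) {
    var kv = attr.split('=');
    if (kv[0].toLowerCase() === 'path') cookie.path = kv[1] || '/';
  });
  return cookie;
}

// Store a Set-Cookie header received from `host`; the port never enters the key.
function storeCookie(jar, host, setCookieHeader) {
  var c = parseSetCookie(setCookieHeader);
  jar[host + '|' + c.name + '|' + c.path] = c.value;
  return jar;
}

// Build the Cookie request header the browser would send to `host`, whatever the port.
function cookieHeaderFor(jar, host) {
  return Object.keys(jar)
    .filter(function (k) { return k.split('|')[0] === host; })
    .map(function (k) { return k.split('|')[1] + '=' + jar[k]; })
    .sort()
    .join('; ');
}

// Scenario: log in to app A (localhost:80), then to app B (localhost:90).
// 'sidA'/'sidB' are constructed placeholders for express-session's signed session ids.
function simulate(cookieNameA, cookieNameB) {
  var jar = {};
  storeCookie(jar, 'localhost', cookieNameA + '=sidA; Path=/; HttpOnly'); // app A's response
  storeCookie(jar, 'localhost', cookieNameB + '=sidB; Path=/; HttpOnly'); // app B's response
  return cookieHeaderFor(jar, 'localhost'); // what app A receives on its next request
}

// Same cookie name in both apps (express-session's default is 'connect.sid'): app B's login
// overwrote app A's cookie, so app A now sees a session id it never issued.
var sameName = simulate('connect.sid', 'connect.sid');   // 'connect.sid=sidB'
// Distinct `name` per app: both cookies coexist and each app reads only its own.
var distinctNames = simulate('appA.sid', 'appB.sid');    // 'appA.sid=sidA; appB.sid=sidB'
```

A different hostname (not just a different port) does get its own jar entries, which is the same scoping rule the CodeIgniter answer below relies on.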

Related

Multiple codeigniter application on same server using same session userdata variable name

I have multiple CI applications on the same server using the same session userdata variable name.
In some controller in the first CI app:
$sess_data['username'] = $username;
$this->session->set_userdata('logged_app', $sess_data);
In some controller in another CI app, but on the same host server:
if (!isset($this->session->userdata['logged_app'])) { echo "success"; }
Isn't this a security hole? What happens if the applications are on different hosts?
If they all use different domains, even on the same host, that shouldn't be a problem. If they share the same domain, then that's a problem because users will be logged in to all your apps on that server.

Are sticky sessions different from cookie-based sessions?

I was wondering about session management in cloud environments, where many options are available for Microsoft Azure / Amazon Web Services / any private cloud. What I am looking for is the session management technique that best fits all cloud environments.
I have gone through many sites but could not decide which is the most suitable in all cases. I read somewhere that sticky sessions are also one of the options for session management. So I am looking for an answer that states whether sticky sessions are different from cookie-based session management.
If yes, then how do I use them?
Thanks
Ravi
Sticky sessions are likely to stay on the same server that received the first request, with each subsequent request served from that same server. Whereas cookie-based sessions are nothing but keeping the data on the client machine in the browser, and can be served from any server which is available.
Yes, sticky sessions are different from cookie-based sessions.
Sticky sessions are nothing but a feature handled by load balancers, which take the session from the client's request and pass it to the same server where the first request went. E.g. while loading a website the request goes to server A, then the session gets stored on server A; when the next request comes from the user it is sent to the same server, i.e. server A, irrespective of how many servers are present in the farm.
Whereas cookie-based sessions are stored on the client machine, and the cookie gets added to each new request. So it can be read and supported on any server in the farm irrespective of which server generated and stored the session at first login.

UCMA endpoint without config store replication

I am trying to build a solution using the UCMA sdk but do not have access to the config store. Is it possible to use UCMA without it? I have a username/password I can use to log into the lync network and thought perhaps I could access things like that.
Yep, you can do this with a UserEndpoint. It doesn't require any replication with the config store (as long as you have a username and password which you've said you have).
I have a comparison between application & user endpoints here: http://blog.thoughtstuff.co.uk/2014/01/ucma-endpoints-choosing-between-application-and-user-endpoints/
and a worked example of using User Endpoints to send an IM here: http://blog.thoughtstuff.co.uk/2013/03/creating-ucma-applications-with-a-userapplication-instance-example-sending-ims/
UCMA applications can run in two different modes:
1. Untrusted (Client) Application.
In this mode you can't create "ApplicationEndpoint"s, but you can create "UserEndpoint"s if you have the SIP address and password for the user.
2. Trusted (Server) Application.
In this mode you can create "ApplicationEndpoint"s, and you can impersonate any user with a "UserEndpoint" without needing the user's password.
There are two types of setups for Trusted Applications.
2.1. Auto Provisioned Trusted Application
This one is very easy to set up in code but very hard to set up to run on the machine. I don't really recommend this setup as the machine setup requirements are very high.
2.2. Manual Provisioned Trusted Application
This one has a lot more "setup" code but it is easier to set up a machine to run it on. I would recommend this setup as I find it far easier to set up overall.
Both types of Trusted Applications require you to set up the Trusted Application details within Lync before you can run them.
Which UCMA application setup you use is based on how you configure the CollaborationPlatform instance.
Basic Untrusted (Client) Application:
var clientPlatformSettings = new ClientPlatformSettings("lync.front.end.server.address", SipTransportType.Tls);
var collaborationPlatform = new CollaborationPlatform(clientPlatformSettings);
...
await Task.Factory.FromAsync(collaborationPlatform.BeginStartup, collaborationPlatform.EndStartup, null);
Auto Provisioned Trusted Application:
var serverPlatformSettings = new ProvisionedApplicationPlatformSettings("lync.front.end.server.address", "trusted application id");
var collaborationPlatform = new CollaborationPlatform(serverPlatformSettings);
...
await Task.Factory.FromAsync(collaborationPlatform.BeginStartup, collaborationPlatform.EndStartup, null);
Manual Provisioned Trusted Application:
var certificate = CertificateHelper.GetLocalCertificate("trusted application pool fqdn");
var settings = new ServerPlatformSettings("lync.front.end.server.address", Dns.GetHostEntry("localhost").HostName, trusted_application_port, trusted_application_gruu, certificate);
var collaborationPlatform = new CollaborationPlatform(settings);
...
await Task.Factory.FromAsync(collaborationPlatform.BeginStartup, collaborationPlatform.EndStartup, null);
There are a lot of missing details. Once you know what type of UCMA application you want to develop, you can search on the internet for specific examples of that type.

Sharing session between two apps - Dilemmas and Approaches

This is what I want to happen.
Current Setup: Two WARs deployed in WebSphere v8 (App1 and App2). Both have a login feature where users enter a username and password to get into the app. This is not using LDAP or JAAS, it's just a plain query to the DB to check whether the username and password are correct.
Problem: There has been a move to "combine" the two apps so that authenticated users in App1 can now access App2 directly without logging in, sharing the same session. If a user accesses a module in App2 without logging in, the user will be directed to the login page of App1 to log in.
Other factors:
App1 and App2 are in the same websphere instance in the same box and in the same cell.
Question:
Is it possible to implement SSO and a shared session between App1 and App2 in WebSphere?
From what I read you are either performing the authentication on your own with App1 and App2, meaning without using WebSphere Security or you have both applications inside two different WebSphere Cells where no SSO is setup.
If it is option 1, I strongly recommend you take a look at WebSphere Security and what the container provides you there.
Which brings me to option two: two cells without SSO.
WebSphere Application Server builds out by default a cell-wide SSO model. A cell means a collection of servers which are controlled together. By default WebSphere uses a token named LTPA_Token or, since 6.1, LTPA_Token2. At the cell level the security is configured, which includes the SSO domain, which is in fact "just" the cookie domain. WebSphere persists the authentication state inside of the token as a cookie, and the browser will submit this to any server matching the cookie domain.
Having said that, if you have two cells you can exchange the security keys between these two so they can both understand the security token created by either of them. You need to ensure some additional information matches, like realm, security domain and attached user repository.
As you mentioned App2 should send all users to App1, you probably need to define the endpoint to handle the authentication within your web.xml and have it point directly to App2, or write a TAI (Trust Association Interceptor) on App2 to send all unauthenticated requests to App1.
In addition you could as well put an authentication proxy in front of the two applications which will only ensure the authentication state and establish the security state as the request is passed to the backend.
For reference
WebSphere Application Server Infocenter Topic

Glassfish Cluster Session Problems On Amazon EC2 Using Elastic Load Balancer

First this app works perfectly fine in a non-clustered environment.
The problem we have is when the ELB routes first to one server in a cluster during a session, then to a second server. The second server can't find the session. e.g.
An iOS app passes a login call to a GlassFish 4 server cluster (we're using OAuth/Facebook tokens, so no GlassFish security realms).
The Amazon Elastic Load Balancer (ELB) sends to server 1.
Session is authenticated and user logged in and a session cookie passed back to the app.
Immediately the app sends another request which needs authentication (is this a valid session).
The ELB decides to send the request to server 2.
In our authentication servlet filter, server 2 can't find a session with the id passed in with the cookie.
The servlet says the user is not authenticated and the call fails.
Our code is pretty typical for finding the session (if no session immediately return fail):
HttpSession session = req.getSession(false); // look up an existing session; never create one
if (session == null) {
    // no session on this node: not authenticated, log and return failure
    return false;
} else {
    // session found: authenticated, log and return success
    return true;
}
If the second call gets routed to the same server as the login, the second call works fine. Whenever a call (be it the second, third, fourth, whatever) goes to the second server, authentication fails because it can't find the session on the second server.
I'm looking to see if anyone has encountered something like this and how you have resolved the issue. Is it better to use sticky sessions on the ELB, or is Apache web server using JK or AJP a better choice?
Two potential issues off the top of my head:
Have you specified <distributable/> in your web.xml?
Could be a multicast issue. EC2 does not support multicast, which is what GlassFish uses by default. Check out this stackoverflow thread that discusses the topic, including non-multicast clustering.
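An added model (not from either thread) of the failure described in this question and of the sticky-versus-cookie distinction in the earlier related question: two backends with node-local session stores behind a round-robin balancer lose the session on the second request, while a balancer stickiness cookie (as an ELB provides) or a shared session store keeps it. The backend names, session ids and the `lb_sticky` cookie name are constructed; `JSESSIONID` is the servlet session cookie the question refers to.

```javascript
// Constructed model of a two-node cluster behind a load balancer.
// Each backend holds a node-local session store (GlassFish without session replication);
// passing a shared object stands in for a replicated or external session store.
function makeCluster(sharedStore) {
  var nodes = ['server1', 'server2'].map(function (name) {
    return { name: name, sessions: sharedStore || {} };
  });
  var nextSessionId = 1;
  var rr = 0;

  // Pick a backend: sticky routing honours the balancer's own cookie when present,
  // otherwise (and always for plain round-robin) alternate between the nodes.
  function pick(request, sticky) {
    if (sticky && request.cookies.lb_sticky) {
      return nodes.filter(function (n) { return n.name === request.cookies.lb_sticky; })[0];
    }
    return nodes[rr++ % nodes.length];
  }

  // Serve one request: a login creates a session on the chosen node and returns cookies;
  // any other request is checked like req.getSession(false): look up, never create.
  function handle(request, sticky) {
    var node = pick(request, sticky);
    var response = { node: node.name, authenticated: false, setCookies: {} };
    if (request.login) {
      var sid = 'sid' + nextSessionId++;
      node.sessions[sid] = { user: request.login };
      response.setCookies.JSESSIONID = sid;
      if (sticky) response.setCookies.lb_sticky = node.name; // ELB-style stickiness cookie
      response.authenticated = true;
    } else {
      response.authenticated = !!node.sessions[request.cookies.JSESSIONID];
    }
    return response;
  }
  return { handle: handle };
}

// Login, then one authenticated call; the client sends back every cookie it received.
function loginThenCall(sticky, sharedStore) {
  var cluster = makeCluster(sharedStore);
  var cookies = {};
  var r1 = cluster.handle({ login: 'alice', cookies: cookies }, sticky);
  Object.assign(cookies, r1.setCookies);
  var r2 = cluster.handle({ cookies: cookies }, sticky);
  return { firstNode: r1.node, secondNode: r2.node, secondAuthenticated: r2.authenticated };
}
var roundRobin = loginThenCall(false);         // server1 then server2: second call fails
var stickyLb = loginThenCall(true);            // both calls on server1: second call succeeds
var sharedSessions = loginThenCall(false, {}); // different nodes, shared store: succeeds
```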
