Is currentUser on Parse specific to the device? When the user is logged in and cached as the currentUser, is it only on the device he is using that he will be automatically logged in? Is that correct?
My app sets currentUser in the AppDelegate, so if user A logged in on Device A and is still cached on the Parse server, would user B, who launched my app on Device B, be logged in as user A?
1. Yes, it's specific to the device. It is only on that device that the user is logged in, so if User A opens the app on another device, they will have to log in again.
2. If User A logs in on Device A, it will not affect User B on Device B. Ever.
When one of your users logs in, that session is only cached on that device, so yes, your first statement is correct. I am unsure about the second part because I don't know what you mean by "My app sets currentUser in app delegate". Can you post your code?
Your code to log in a user should take their specific username and password combination from user input. When you log in a user, you shouldn't use constants, or the same user will be logged in on every device.
On every device that a user has logged in on, he will automatically be logged in when launching the application.
I am using
WTSEnumerateSessionsEx(WTS_CURRENT_SERVER_HANDLE, &level, 0, &pSessionInfo, &count);
to get session information. It will tell me all logged in users. If I use it on Windows 11 with another user logged in,
WTS User: DESKTOP-VVVVVVV\joew, session id: 1, state: 0, session name: Console
WTS User: AzureAD\JoeWillcoxso_garbage, session id: 17, state: 4
From the state, joew is the active user and JoeWillcoxso_garbage. It's not exactly that, but I'm protecting it... you get the idea.
The session info will give me the domain and username. When I log in to Windows for an AzureAD account with a non-standard credential provider, I use my AzureAD email address and the CP is smart enough to use AzureAD as the domain name. But when the machine was joined to AzureAD, it created a local account for the email address as JoeWillcoxso_garbage. (I write "created a local account", but in PowerShell if I do get-localuser *, that user does not show up in the list.)
I can use LsaEnumerateLogonSessions() and LsaGetLogonSessionData() to get session data from the local security authority. I can match things between the two calls (LsaGetLogonSessionData and WTSEnumerateSessionsEx) using session id and username. However, there is no way to get an email address. I can get a PSID in the session data, not sure if there is a way to turn that into an email address. On my local machine, I'm not attached to an AD. Just running as WORKGROUP.
For an AzureAD user, calling NetUserGetInfo() always fails for the AAD user even when running elevated. I haven't yet tried as NT_AUTHORITY account...
I'm looking for an API, or maybe some way to query WMI, to turn the AzureAD\JoeWillcoxso_garbage user name into the joe@someaad.onmicrosoft.com email address. Or maybe I need a web API to hit login.windows.net. There are places in the registry where I can find the email address, but I don't think they are guaranteed to always be there.
Since a user may be logged in already (and on Windows 10/11 with fast switching), sometimes an unlock is not CPUS_UNLOCK_WORKSTATION but CPUS_LOGON. With fast switching, if I lock, come back 10 minutes later, and do an unlock, it's not an unlock but a logon (CPUS_LOGON), although it acts just like an unlock used to.
For instance, at HKEY_USERS\THE_SID_OF_THE USER\Software\Microsoft\Office\Teams, HomeUserUpn has the email address. I can get the SID of the logged-on users... so I could possibly get the email to match up... but that's assuming that key is there. I want something more bulletproof.
• You can surely get the email address from the UPN for the signed-in user through the PowerShell commands below very easily, as you must have remote script execution rights over the systems in your network.
a) whoami /upn --> Displays the full email address of the logged-in user
b) "$env:USERNAME@$env:USERDNSDOMAIN" --> Displays the full email address along with the DNS zone in which its entry is mapped
c) $msAccountName = ([adsisearcher]"(samaccountname=$env:USERNAME)").FindOne().Properties.mail
$msAccountName --> Displays the email address from the online O365/Azure AD account
Thus, as per the above PowerShell commands, you can get the email address of the logged-in session user for Azure AD. Also, if you want to use the WTS query function for this purpose, kindly refer to the link below for more details, as it aptly describes the usage of WTS query commands for the said purpose:
https://www.idrix.fr/Root/Samples/upn.cpp
I wanted something to use from Win32, hence the tag. What I did find is that from a process running as NT_System account, I could iterate all the LSA sessions.
I could use LsaEnumerateLogonSessions() to get a list of all the sessions.
Once I had the sessions, for each session I could call LsaGetLogonSessionData(), which would return a PSECURITY_LOGON_SESSION_DATA that importantly carries the session ID, logon domain, logon name, and SID of the user. Looking at the logon domain, I could know if it was AzureAD because it would literally be AzureAD. Knowing it was AzureAD, I could then use the SID and do a registry lookup at this key (not the entire function):
CString s;
// Per-user identity cache under HKLM; both path components are the user's SID
s.Format(L"SOFTWARE\\Microsoft\\IdentityStore\\Cache\\%s\\IdentityCache\\%s", lpwzSid, lpwzSid);
ATL::CRegKey regKey;
if (ERROR_SUCCESS == regKey.Open(HKEY_LOCAL_MACHINE, s, KEY_READ))
{
    WCHAR szUserName[MAX_PATH] = { 0 };
    ULONG ulChars = MAX_PATH;
    // The "UserName" value holds the UPN (email address) of the AzureAD account
    if (ERROR_SUCCESS == regKey.QueryStringValue(L"UserName", szUserName, &ulChars) && ulChars > 0)
    {
        return CString(szUserName);
    }
}
That almost works except for one little nit... sometimes the AzureAD user has logged out but still has an open LSA session. I have no idea how this happens, but I have observed it on Windows 11. IDK if this is for all AzureAD users, but I have noticed it can be the case for the account used to join the AzureAD domain. So, in that case, it is necessary to back-check with WTSEnumerateSessionsEx() and verify that there really is an open session.
How can I use LoadUserProfile for a user that is not logged in? This code is running within a service and needs to capture a user's profile information, but that user may not be logged in when the service executes.
We have two different applications on the Laravel framework. We want to redirect the logged-in user from one application to the other when they click a link, without having to log in again on the other application.
Can someone guide/suggest something to make it work, please?
Well, here is how we got around it.
Application A
1. We store the logged-in user's user id and (hashed) password in the session.
2. Create a link with that user id and password.
3. When the logged-in user clicks that link, post the user id and password to Application B.
On Application B
1. Create a new POST route with 2 parameters (user id and password).
2. In the controller function, match the submitted user id and hashed password with the user id and password in Application B's database.
3. If they are exactly the same, log in the user with
Auth::loginUsingId($UserID, true);
and redirect him/her to the logged-in area; otherwise redirect him/her to the login page.
Hope this helps some other person looking for the same.
There is a Windows app that requires admin rights, and this is declared in its manifest. When a restricted user starts it, she has to input admin credentials. That's OK and the application works well, but it can't obtain the original user's folders anymore (the Shell API returns the admin's).
Since the application is started under the admin from the beginning, there is no point where I can store the original user's folder paths to use them later.
Is there a way to get the initial restricted user's credentials?
Regards,
Because of your manifest, your app is running as an admin user, not the currently logged in restricted user. As David Heffernan mentioned, you should redesign your app to not require the entire app to be run elevated. Delegate your admin tasks to a separate process that runs elevated when needed.
That being said, if you must run your entire app elevated, all is not lost, but you are going to have to do some extra work.
Start by getting the Session ID that your elevated app is running in. You can do that using WTSQuerySessionInformation() with WTS_CURRENT_SESSION, or ProcessIdToSessionId() with GetCurrentProcessId(), or open the current process's token with OpenProcessToken() and then use GetTokenInformation().
Once you have the Session ID, use EnumProcesses(), GetProcessImageFileName() (or equivalent), OpenProcessToken(), and GetTokenInformation() to find the instance of explorer.exe (or whatever the PC's registered shell app is, which you can find in the Registry) that is running in the same Session ID as your app.
When found, you have the user token for that process from OpenProcessToken(). Duplicate it using DuplicateTokenEx() to get its primary token, and then you can use that token with APIs like LoadUserProfile(), SHGetFolderPath() and SHGetKnownFolderPath() as needed.
The customer wants to restrict duplicate logins for the app: once a user logs in from another phone, the session on the previous phone should be invalidated.
But I can't find an API in Worklight to do this, besides using push. Any other suggestions? Thank you very much.
Worklight indeed does not provide any API for this type of scenario.
Here is what I am thinking as an example of what can be done:
Device #1 is an Asus, device #2 is an LG
As the user logs in, you will store the device information in the Worklight database (using WL.Client.setUserPref).
When the user tries to log in again from another device, you could pull the existing pref (using WL.Client.getUserPref) and compare the device types.
If they are not the same, log out the current userId and re-login.
(Consult the user documentation for additional API methods around userpref)
This could be a way to ensure the user is logged only from one device.
You could also use the userId associated with the deviceId and update upon every login if (currentDeviceId != latestDeviceId) logout(); and so on...
Here I have posted an implementation mechanism which strikes me.
It's still a suggestion.
Whenever a user tries to log in, an entry can be made in the backend [DB/web service] which records the user/device information.
If the user info already exists, then you can prompt a dialog box to the user ("The account has been logged in already; if you continue to log in, the previous session will be logged out") and trigger a push notification to the previously logged-in user's device if the user continues.
Now a notification will reach the previously logged-in device. Here you can implement the logic to execute WL.Client.logout(realm, options).
It would be great if someone posts a better answer than mine.
And also let me know if my suggestion was helpful or not.