I implemented a LogOut button which logouts user from webpage. Server is Oracle HTTP server.
When clicked on LogOut it executes below procedure
PROCEDURE log_me_off IS
BEGIN
-- Open the HTTP header
owa_util.mime_header('text/html', FALSE, NULL);
-- Send a cookie to logout
owa_cookie.send('WDB_GATEWAY_LOGOUT', 'YES', path=>'/');
-- Close the HTTP header
owa_util.http_header_close;
-- Generate the page
htp.p('
<head>
<script type = "text/javascript" >
history.pushState(null, null, ''xna_hpms_ui.log_me_off'');
window.addEventListener(''popstate'', function(event) {
history.pushState(null, null, ''xna_hpms_ui.log_me_off'');
});
</script>
</head>
You have been logged off from the WEBSITE');
htp.anchor( 'http://www.google.com', 'click here to login a');
htp.p('<BR>bye');
END;
END;
/
Document I referred: https://docs.oracle.com/cd/B13789_01/server.101/b12303/secure.htm
Problem:
In Chrome, when i click on the Log Off button it Log Outs the user and after that when user try to refresh or try to open webpage in new tab a prompt appears asking for the login credentials, if the user clicks Cancel and Refresh the tab he automatically gets logged in. While this behavior is not in IE.
When there are many tabs open and user clicks Log Off button he gets logout from the current page while when navigate to other tab if he clicks anywhere he again asked by webpage to enter credentials while if he clicks Cancel and Refreshes the page he again got logged on without entering credentials.
Kindly Help
I recommend using Custom OWA and your own cookie as a means of authenticating users. Set up the DAD to authorize the schema using custom_owa. Then create the custom_owa.authorize package/function in your schema.
The custom_owa.authorize function will be called before each page is accessed. If it returns true the request is granted. If false, the request is denied.
This give you complete control over who can access what. So what you do is set your own cookie when someone logs into your website. Then in custom_owa.authorize check the cookie and return true or false accordingly.
When someone logs off, destroy the cookie or expire it.
Related
How to prevent browser back to display login page after logged in in inertia js?
if you login to inertia demo CRM with this url :
Demo Inertia Js : https://demo.inertiajs.com/login
afetr loginning you can see login page by browser back again.
How can I solve it?
Thanks
If you have successfully logged in and you go back using history back, the only thing you are doing is previewing how the login page looked like. You aren't doing any request, just visiting your browser's history.
If you go back and refresh the page, you can see that you are now being redirected to the dashboard, which means that you did a request and the server detected you are logged in. As you are logged in, redirects you from /login (guest) to /dashboard (auth).
So in my opinion there is nothing to solve, you don't need to prevent browser back to display login page, you need a middleware to redirect you out from guest routes if you are logged in, that is it.
Docs:
History.back() - MDN docs
RedirectIfAuthenticated middleware - PingCRM
Reason login page is rendered even logged in is because login page rendering request is not sent to the server.
In the login form submission, you can put additional option to replace the page.
Browser back button will also replace the page and eventually, rendering request gets sent.
Inertia.post('/login', {
email: email,
password: password
}, {
replace: true
})
I'm facing some security issue
I have two jsp pages(login page and after login) and I'm exploring them on Chrome.
After I login, the browser moves the page.
Then, if I press the back button on browser tab, the browser moves back to login page. However, The session from my previous login is still valid.
So, I can explore entire web freely by just removing '/login' from my url
What I have to do is..
if the browser moves back to login page, I should invalidate previous session.
In your login page you can check if session is set or not always like below :
<% if(session.getAttribute("user")!=null){
response.sendRedirect("your profile page");//redirect to some page
}
%>
In above code,if user is not null ,then it will go to your profile-page ,put this code in your login.jsp to prevent user to login again ,also don't forget to set your Attribute i.e : user
The problem is after i logout, then press back button or go to user_control/login, then refresh, i wasn't redirected to the log in page but rather at the home page.
I unset and destroyed the session already.
One solution i found from the web is no cache. It works but it prompts for the resubmission of form and when i refresh i wasn't redirected to the login page but rather at the home page.
> controller: user_control
> function: login
> algorithm:
> 1. form validation set rules
> 2. get posts of username and password
> 3. check if the username is in the database and entered password is equal to the password in the database, if true go to 4. else go to signin page.
> 4. set session
> 5. load view home.php
I suspect, everytime i press the back button, the post request is still there, and when i refresh, it calls the user_control/login with the posts credentials of the form.
You need to restrict your home page or any other pages to only logged in users. Redirect others to the login page. Have a look at Ion Auth documents for an example of how this can be done.
I am having web based application in which user session has to be managed management.
In app.js I have used launch config as :
launch: function(){
Ext.create('myproject.view.LoginForm')
}
LoginForm : will show log in dialog and invoke login controller for communicating with server for authenticating the credentials provided by the user.
So when ever user refreshes the page Extjs is asking for log in that is because of I am not checking the session in here, How should be the session details stored in Extjs client and check to avoid prompting the log in unless user has log-out ? and How to manage user session ?
User identity and session information must be stored server side. Typically a cookie is set once the user authenticates successfully so as not to prompt the user again. This cookie is sent from the server and is stored in the browser automatically and sent back to the server for inspection on page refresh. Server should validate the cookie if OK allow user to proceed.
Per #existdissolve comments below
In your launch method, simply run a a session check before you create the login form. Whether this is cookie checking or a request directly to the server, the result of the session check can then trigger the creation of the login form, or whatever other logic you have for creating the rest of the application
Session Management can be done using
Inside login controller
// Storing user details in session / cookies
Ext.util.Cookies.set("key", value);
On logout button
// remove user details from cookies
Ext.util.Cookies.set("key", value);
In App.js
autoCreateViewport: false,
launch: function(){
var key= Ext.util.Cookies.get("key");
if (key=== undefined || key== 'null' || key== null || key.length <= 0){
// load login UI as user is not logged in
Ext.create('app.view.LoginForm');
}
else {
// load main UI as user is already logged in
Ext.create("app.view.Viewport");
}
}
I am using Asp.net MVC 3 in my project. I have a simple login page which takes username and password and after successful login, take me to the required page.
The problem is when I press back button from my browser and then press forward button again and again, it takes me again to the page without getting username and password from the user.
I don't know, may be it is the problem with sessions state. Because I didn't make any sessions and I don't how to make it.
Please anyone out there help me a bit to mitigate this problem.
Your session id is stored in a cookie, on successful authentication, the cookie gets stored on your machine, when you move forward in history, it doesn't get removed.
If you explicitly clear the cookie on each visit to the login page using:
Session.Abandon()
this will kill the authenticated session and create a new anonymous one, which shouldn't have access to the restricted page