How can I implement this behavior in my website
I need to be logged inside my website to navigate through the website and if I open a new tab, I want to display the login page, also the user logged on the previous tab doesn't have to be logged on the new one.(treat all new tabs like independent session)
when the user is logged a security token is stored on my Session[token], if I open another tab, another user can be logged into the website with another token session.(this has to be don't in the same browser)
There are many ways to do that but each has some limitation. All ways required some short of custom development on client side and server side to manage the data.
Don't use cookie or traditional authentication mechanism as all has cookie per domain so it wan't help.
If you are using HTML5 then you can take advantage of sessionStorage and store different Id ( generate guid) and pass along with each request to identify. ( More secure you have to generate your own encrypted value)
For simple use you can use HiddenField on each tab and get value from Url.
If you are aware of ASP.net cookieless session then you can see that url has sessionid and you have to do something similar.
In MVC you can do such thing by creating custom route.
http://blog.gauffin.org/2012/02/get-a-unique-session-in-each-browser-tab/
Related
After Parse.com have introduced new revocable session that gets destroyed when a user logs out, is it possible to build a reliable login process using "magic links", ie. a user receives an email including a link, and gets logged in in a web browser after clicking that link?
Previously, sessions in Parse were long lived and implementing a magic link login process was a matter of providing the user with his/her session token and having the client call Parse.User.become(<sessionToken>).
This approach will fail with new revocable session if a user is not already signed in to the Parse server when generating and clicking a magic link, since there will not be any session to give the user that he/she can use in the call to Parse.User.become().
Any clarification if this is possible to accomplish this with the new more secure type of revocable sessions in Parse, or suggestions on how to achieve this, are welcome.
I have a website that authenticates users with the active directory. This website is made for internal company use and does not hold any sensitive information. The website is secured with SSL. When a user logs in, his/her username and password will be transmitted to the server through POST. I then store his/her username in a session cookie with a TTL of 1 day, refreshed by every single web action. From this point on, every webpage will check to see if this cookie with the username exists. If it does, it will allow users to access that certain page. Login out will just remove this cookie.
Would this way of authentication be acceptable? Is there a better way to handle user authentication? Is it necessary to use sessions instead and store session id's in cookies?
It does work out nicely to use Sessions, yes. I don't know what language you'd be using, but storing information in general locally is a good idea (this does not include sensitive and private information, ie. passwords).
Pages usually check your authentication (and its type) upon loading.
I've lost my touch with PHP, but for instance ASP.NET has a pretty neat (but complicated) Identity system where your login information would be stored in a separate Session, and destroyed upon logging off, but also stores information regarding its Type. This would later allow the developer to mark pages that would require a specific type of an Identity. For example:
[Authorize(Roles="admin")]
public ActionResult Index() {
// Your action information
}
Again, I'm rusty with PHP, but I imagine it's similar where you'd simply check the Sessions before the <html> tag, ie.
<?php
if(is_null($_SESSION["user-info"]["type"])
header("Location: index.php");
?>
<html>
...
Overall, the way you use sessions in each of the back-end web development languages could defer, but the overall usability is the same. You'd use Sessions to store User information, Store "basket" items, etc.
I am wanting to build an admin tool where I can "impersonate" users of my site, without having to lose my session as an admin.
I would like to be able to open an iframe that will view the website "as the user", without changing the state of the page that opened the iframe.
Is that possible? Is there a better way to do this?
It's possible, but there's a bit "but" :)
Just a couple options to start with:
Use URL-based session tokens (as Java Servlets do when you have cookies disabled)
Use different domains for "normal" site and admin interface
iframe itself won't help you much: it will always share its cookies with the browser. So in order to avoid that, you can use either of the above options—but that does not depend on the iframe.
What language? My answer is based on the assumption that PHP is your chosen language.
Firstly, I would say you have planned your application wrong if session impersonation is the only way you can view your site as another user while still keeping your admin login intact.
One way you could do it, and again this is assuming that you are using PHP as well as the default session management functions within and you do not have a custom session handler would be to load the iframe url with the ?PHPSESSID=sessionidhere parameter.
A better way to do this is to create your site and authenticate users via a user object of sorts and then add some sort of url parameter such as ?userbrowseid=123
Then when you load the page, your code will only check if the parameter exists if you are already logged in as an admin. The page would then overwrite your current user object with the user object of the user with the id 123. Steps should be taken to make sure your session cookies are not overwridden with the impersonated user object. As this would be in an iframe, your site will work as an admin and the iframe will be loaded as the user object.
I am building an ASP.NET MVC3 app using Forms Authentication and I'd like to log out all existing sessions for a user when that user logs in. I'm trying to prevent multiple people at different workstations from logging in and working under the same account.
Is there a standard way of handling this? Logging out the existing session is easy, but I haven't come across a way to check for other sessions by the same account and log them out.
I have a few ideas on how to hack this, but I'm curious if there's an established method for this using IIS or the FormsAuthentication API.
Because of the statelessness of the web, you can't "log out" a session until they make their next request (for instance, session might be maintained in a cookie, which can't be written on the client outside of the context of a request-response interaction).
There is still a solution, which assumes you are using session state, and preferably you have a common base controller for all of your controllers requiring "Authentication".
Upon successful login, generate a token (a guid perhaps) and store that with the session. Also write this to a application-wide store (database or application context for instance) keyed by the userid.
In the Base Controller (or otherwise you'd have to create an action filter) check the token in session against the token registered for the userid in the application-wide store. If they don't match, log out the user using the standard SignOut() call.
You could use the Membership.IsOnline property which is based on LastActivityDate:
A user is considered online if the
current date and time minus the
UserIsOnlineTimeWindow property value
is earlier than the LastActivityDate
for the user.
I'm trying to integrate a public message board service into an existing web site.
The handshaking between the apps goes like this:
1) File on my web site loads a flash file. The Flash reads a local variable that is the Session ID, or some other GUID unique to the user session.
2) Flash app connects with the remote service, passing the SessionID to the service.
3) The service issues a GET request back to the originating web site, asking for additional information about the user.
4) The originating web site (my site) validates that the session ID is for a valid session, and if yes, passes back the other requested information.
I'd like to be able to use the intrinsic ASP SessionID but I'm not sure how in Classic ASP to retrieve session variables for a specific ASP Session, ie, I want the value of Session("FirstName") where SessionID=1234 and not Session("FirstName") for any other session ID. I haven't been able to find any syntax that would allow me to do this.
The alternative is to create a new GUID for every session, but that's adding a lot of overhead.
Any ideas?
I'm not aware of any way to retrieve Session details for a particular instance or ID.
However, you could utilise the Application object to store the information you need using the Session.SessionID value:
Application(Session.SessionID & tag) = myTagValue
This way you are not creating a new GUID, but utilising the already existing one for session that both client and server are using in your example.