I am programming a Symfony2 web application and I have a backend bundle, in which the user is authenticated using an emergent window. What I need is that the session expires using a timeout or when I close de browser. Now it doesn't...
Any idea?
Related
I have developed a web application in Java Spring Boot. After login to the web application JSESSIONID is stored in browser cookies, now when I copy this cookie details from my current browser and create same cookie in some other browser then I'm able to login to the system without asking me for login.
Please let me know how can we prevent this Session hijacking threat. Is there anything I need to do at application level or anything on server level.
I was creating my own oauth2 server with SSO enabled for Google and Facebook. I found this example https://github.com/spring-guides/tut-spring-boot-oauth2 to be very useful and I was able to make my oauth2 server expandable after several tweaks.
For session storage, I used redis and everything seems to be working with the spring magics.
However I encountered a session problem when implementing logout. According to single sign on best practice, when a user logout from one client, all other clients with the same session from the auth server should also be logged out. So I added an endpoint for each client to invoke upon successful login to register it's name based on the user session from the auth server. However I noticed that each time I refresh the page on my client web app, I get a new session from the auth server. As a result, each time when I try to logout, the session associated with all registered clients will always become the old one.
I've been searching for solutions online but no luck yet. It would be greatly appreciated if someone could help me with this issue.
TL;DR version:
I implemented an oauth2 server with SSO enabled for Facebook with Spring Boot. After I successfully logged in with my Facebook account, I can see my client web app resources. Every time I refresh the page, I see a new session gets created from the oauth2 server and it gets stored in the redis storage and all the old sessions are kept in the storage as well.
UPDATE
It seems that all the new sessions are generated by anonymous users each time I refresh the page.
Ok after some digging, it turns out that anonymous user by Spring Boot is not much different from unauthenticated users, according to this doc https://docs.spring.io/spring-security/site/docs/current/reference/html/anonymous.html.
It makes sense that every time I refresh page a new session would generate. My problem was that I wasn't using the correct session ID when registering client app upon successful user authentication. Therefore I override "SavedRequestAwareAuthenticationSuccessHandler.java" file so that I can obtain client_id from the request parameter and then register the correct session ID obtained from the Authentication object to this client ID.
I have an enterprise application deployed on websphere 8.5.5.8, the application web side is composed of a single main page with multiple functionality tabs and every thing inside them uses ajax and iframes. Now, the issue is that I need to redirect the user to the login page immediately when the session expires. I tried to send ajax requests every second from my main page to the server to check for the session validity but the server treats that ajax requests url as secured resource causing the session to be refreshed and never expires. What are the possible work arounds for such scenario?
Yes, call to server will extend the session. As one of the solution, you could use javascript setTimeout method, initialize it to the session expiration time, and reset on your ajax business calls. If user will not do anything, then this timeout will invoke call to the logout page, which will invalidate the session and logout user.
Is it possible to synchronise liferay session with siteminder session ?
Scenario :
There are 2 applications say A & B which uses siteminder authentication.Both of the application shares same siteminder session. Application A is running liferay portlet and the application B is a servlet application.
User logs in to the Application A and navigate to Application B using SSO.
User works in Application B for some amount of time which keeps siteminder session from getting expired.But liferay session in application A is getting expired due to inactivity.
Is there any way to keep the session in liferay synch with the siteminder session? Any suggestions would be really helpful?
Set the below properties in portal-ext.properties file
Set the auto-extend mode to true to avoid having to ask the user whether to extend the session or not. Instead, it will be automatically extended. The purpose of this mode is to keep the session open as long as the user's browser is open with a portal page loaded.
session.timeout=30
session.timeout.auto.extend=true
This would not expire liferay session and if siteminder session expires and you access a resources which is protected by siteminder, you will be asked to login again.
i'm trying to login and logout users within the tomcat/blazeDS environment. I wrote a custom Java Login Proxy to handle the login which works. As i tried to logout user i.e. invalidate Sessions i realized that the Flash Application gets a new Session Id (new Session) for every call of the AMF channel. What happens is that if i try to invalidate a session its useless because the next call will be new and valid with the same user credentials again.
How can i logout a user from a Flex Application / Tomcat context then? I cant't find good examples without custom Authentication.
Thanks
Andreas
You would have to pass the session id from Flex to the Java backend and have the backend invalidate the session to log out the user.