I've developed an app in Laravel with Sentry 2 as ACL. Login occurs through SAML.
Whenever a user logs in from SAML he is redirected to my app, where I check server variables, and if the credentials are correct I let him pass to the site with Sentry.
My issue occurs when I try to log in with the same account in two different browsers. It looks like when I log in in the second browser, the existing session in the other browser gets overridden.
I found this out looking into the sessions table:
http://pastebin.com/6iEnRkEs
Any ideas? Will appreciate your help on this very much.
Thanks a lot!
Pablo
EDIT:
The idea would be that the app works like Gmail/FB, which allow the user to be logged in in both browsers at the same time.
It's correct the way it is.
Different browsers, different sessions. This is a security feature/matter every single app should enforce.
If you log in from a different browser, how could Laravel tell it's not a different person logging in from a different computer on the same network? Logging someone off in this case is also the correct thing to do, because if some kind of exploit is happening, the user will see something is wrong and, maybe, change his/her password.
Some (i.e. banking) also do: different browser tabs, different sessions, but this is not the Laravel case.
I'm writing an app that's supposed to run with MVC5 and use Parse as a backend.
I'm using the new Identity feature of MVC5 to log in a user. I also tried to use this solution but I couldn't make it work.
What is happening is that when I log in with user A and then log in with user B in a different session (an incognito window or a new browser), whenever I try to insert something related to a ParseUser object using the first user that was logged in, I get an exception: UserCannotBeAlteredWithoutSessionError.
I'm not sure if I'm doing the implementation in a wrong way, or if it is a limitation of Parse (I think it was designed to run using one user per device).
If you have a workaround for this situation please help me.
There is a good answer which may help: Parse Database Authorization - Security For User Objects.
So, it's a kind of Parse SDK limitation: you can work with only one user per device (as ParseUser is cached locally). The only workaround I can see is to perform SignOut/Login explicitly when you need to do something from the other user's context. There is no way to have two users work simultaneously from the same device.
We have a CI application where we use Ion-Auth as the authentication library. We use the database for storing sessions.
So far everything works fine. Now, by default Ion Auth allows simultaneous logins for the same user from different locations. I want to prevent this. As per our client, only one login should be allowed.
Is it possible to achieve this, considering abandoned sessions (without pressing logout and closing the browser)?
If the issue in (1) above is complex to achieve, can I make a simple check whether the user is currently logged in / the session is active?
The existing logged_in method does not take any input parameters. So I can't use this method.
I am assuming a solution might be possible with the already available library and I don't need to add extra fields/code to achieve this.
Thanks.
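As an added illustration (not code from any of the posters or from Ion-Auth/Laravel), this is a server-side session table that enforces the "one login per user" policy asked for here, with the two obvious ways of resolving a second login: revoke the earlier session (which is exactly the "other browser gets overridden" effect described in the Laravel thread) or deny the new one. Idle sessions are expired by timestamp, which is how abandoned sessions that never hit logout are handled; the class and method names are hypothetical.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 1800  # seconds a session may sit idle before it counts as abandoned


@dataclass
class Session:
    user_id: str
    last_seen: float  # unix time of the last request seen on this session


class SingleLoginSessionStore:
    """Hypothetical stand-in for a framework's database session driver.

    policy="revoke_previous": a new login logs the earlier browser out.
    policy="deny_new":        a new login is refused while one is active.
    """

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT, policy: str = "revoke_previous") -> None:
        if policy not in ("revoke_previous", "deny_new"):
            raise ValueError("unknown policy")
        self.idle_timeout = idle_timeout
        self.policy = policy
        self.sessions: Dict[str, Session] = {}

    def _purge_expired(self, now: float) -> None:
        # Abandoned sessions (browser closed, no logout) die by idle timeout.
        stale = [sid for sid, s in self.sessions.items() if now - s.last_seen > self.idle_timeout]
        for sid in stale:
            del self.sessions[sid]

    def active_session_for(self, user_id: str, now: float) -> Optional[str]:
        self._purge_expired(now)
        return next((sid for sid, s in self.sessions.items() if s.user_id == user_id), None)

    def is_logged_in(self, user_id: str, now: float) -> bool:
        # The per-user check the Ion-Auth logged_in() method does not offer.
        return self.active_session_for(user_id, now) is not None

    def login(self, user_id: str, now: float) -> Optional[str]:
        old = self.active_session_for(user_id, now)
        if old is not None:
            if self.policy == "deny_new":
                return None  # caller shows "already logged in elsewhere"
            del self.sessions[old]  # earlier browser's cookie now points at nothing
        sid = secrets.token_urlsafe(32)  # unguessable id goes into the cookie
        self.sessions[sid] = Session(user_id, now)
        return sid

    def validate(self, sid: str, now: float) -> Optional[str]:
        self._purge_expired(now)
        s = self.sessions.get(sid)
        if s is None:
            return None
        s.last_seen = now  # sliding expiry on every authenticated request
        return s.user_id
```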
I was wondering if it would ever make sense to have two concurrent sessions in the same browser? There could be two types of cases:
1) A user opens a browser window and logs in as user A, starting session 1. Then he opens another browser window (in the same browser) where he logs in as user A, but starts a different session, session 2.
I know that this is often not possible in many browsers, as one session cookie is set for the entire browser. However, in some browsers, it is possible to have multiple sessions in that manner.
2) This is similar to 1, except that the second time the user logs in, he logs in as user B, starting session 2. So now you have a person logged in as two users in the same browser.
Finally, allowing these things doesn't seem like the best security practice and neither does it seem practical. What do others think?
First things first, as your assumption is wrong. First of all you have to understand that when a single website is accessed from a browser it has a single session, and it's not possible to simultaneously run different sessions of the same web browser.
It seems you have wrongly understood the working of private browsing. Private sessions are made not to share information, cookies and data with other public sessions, and vice versa. As soon as you close the private session all the cache, cookies and other things are deleted forever.
I have not seen any web browser supporting multiple sessions.
But an alternative approach is available, i.e. you have to create different web browser profiles, which can help you as each profile's data is maintained separately and has no conflict with other sessions.
One scenario I am currently facing requires allowing multiple user sessions from the same browser, and I have not been able to find a proper solution for it yet.
We are using the Yii framework. Currently we have two kinds of users, i.e. customers and admins. Both log in from the same login form and use the same session name and variables to store session information. Only based on the type column in the user table (customer or admin), the user is taken to the appropriate views. In one of the admin views (pages), there is an option for the admin to log in as any of the users and navigate through the user's view in an iframe. The problem is that when the admin opens two tabs and logs in as two different users, the session information of one overwrites the other and we start getting session-related issues.
Can anyone suggest a proper way to handle these kinds of issues? I have searched a lot on trying to handle this with multiple sessions, but have not been able to find a proper solution yet.
There's nothing to "provide support for" here. One browser cannot hold more than one session, since it only holds one unique cookie per site, regardless of window. If a browser actually has a mode in which it supports holding two separate identical cookies per site, then it's the same as if the user logged on from another browser or another machine. That certainly should work; i.e. you should not try to subvert that behavior. A double session inside the same browser is then just a specific instance of this multi-session behavior, nothing special.
I developed a web application based on the CakePHP 1.3 platform. The application uses the Auth component, so only authenticated users can use it.
But some of the users have the problem that the application logs them out some of the time. The problem is that I cannot find out why they are getting logged out, since I don't face that problem. I also tried to stay logged in to the application for a few hours, and I do not have those problems at all.
Just to mention that sessions are defined to be saved as 'cake' and the security level as low, in the core.php file:
Configure::write('Session.save', 'cake');
Configure::write('Security.level', 'low');
Also, they do not change their IP address.
Can you give me some thoughts on where the problem could be?
UPDATE: I need some of your thoughts... Could the problem be caused by some of the jQuery functions, that they kill some of the session or cookie values? The biggest issue here is that I cannot simulate the problems users have, because it works fine on my side... and the only thing left is to guess where the problem is.
They get logged out if their session expires. Take a look here to increase the session time: http://php-freelancer.in/2009/11/30/cakephp-session-timeout-or-change-session-length-in-cakephp/
Edit: If security isn't that much of an issue, consider using cookies to remember the login.
I'm developing my web app with Spring MVC 2.5.6 and I need some help with multiple user sessions in it. The header of my app shows the logged-in user.
On my computer, I open two browsers (no tabs):
In the first one, I log in to my app with user1 and get in. In the header, user1 appears.
In the second, I log in with user2 and go on. In the header, user2 appears.
Then, I switch to the first browser, submit an operation to the controller, and when the app is shown again, user2 appears in the header, which is wrong because I logged in with user1.
So, my questions are:
SecurityContextHolder.getContext().getAuthentication().getName() may not be the right way to get the logged-in user with many users, because it's a singleton (isn't it?). How could I do this?
This wrong situation is also happening with the session object, so user1 data stored in the session object (managed with request.getSession().setAttribute(...) and request.getSession().getAttribute(...)) is overridden with user2 data.
In this StackOverflow question, Handling Session ID with Spring, it's suggested that the session ID be used to separate data. Should I manually manage each user's data with the session ID internally in my application? How could I get the session ID?
In general terms, my problem is with dealing with multiple users/sessions.
Any help would be very much appreciated. Thanks in advance.
Best regards
In my computer, I open two browsers (no tabs):
In the first one, I log in to my app with user1 and get in. In the header, user1 appears.
In the second, I log in with user2 and go on. In the header, user2 appears.
Then, I switch to the first browser, submit an operation to the controller, and when the app is shown again, user2 appears in the header, which is wrong because I logged in with user1.
With sessions as normally implemented, this is normal behavior if the client is running two windows or tabs of the same browser on the same machine, as they share the session.
If you open the app in IE and Firefox, they will not share a session, and things will work properly.
I don't believe there's a way to get the browser to stop sharing the session among windows, so if you need them to act independently, you'll need to essentially create your own session mechanism, likely by using hidden fields or some such hack rather than the cookies or URL rewriting the normal mechanism uses.
It would be better to just accept the situation. Let the user know when they open the second window and connect to your app that they are already logged in, and don't allow another login.