Automatically fill user credentials in another website - joomla

I have a URL "www.anothersite.com/login" in "www.mysite.com". When a visitor clicks the URL, it should go to "www.anothersite.com/login"'s login page and should automatically fill the "username" and "password" fields, which I give in a backend script. Hence the user should just click the "Login" button.
I tried using cURL, but no use. It just redirects to the "www.anothersite.com/login" page but does not fill the credential fields and does not even autofocus the field.
Or if there's any Joomla plugin to perform this action, please post it.

What you are describing is Cross-Site scripting and is FORBIDDEN.
You can not run a script on a page you don't control because you could steal the user's username or password or other such bad things. All modern browsers prevent this from happening.
This is the most obvious application of cross-site scripting. For more information on the clever and subtle ways in which attackers have historically tried to do such things, you should check out OWASP.
The only other way I can think of supporting this functionality is if the site supported passing those parameters in a query string for the URL, but that would also be an extremely bad idea.
Users' browsers can store this information if the user wishes to have things autofilled, and you should not be passing passwords back and forth after login. You certainly should not be storing user credentials in such a way that they can be retrieved in their original form after the user has logged in.
Joomla won't store cleartext passwords by default, and for good reason.
If the external site supports delegation, you might be able to use OpenID or OAuth. There are plenty of examples of how to use those systems elsewhere on Stack Overflow, so you should read up on them.

Related

why most of the website cannot work without cookies?

Recently a person asked me why our website doesn't work without cookies. My explanation is that we need to save tokens and some references in a cookie so that later on we can use them to make requests, and there are limited options that we can use to save data in the browser. But he isn't satisfied with my answer, and I also think there are a few options with which we can make it work instead of using cookies/localStorage/sessionStorage.
My question is: why can't most websites work without cookies? Can we make the website work without any storage in the browser?
Using cookies allows your website to remember the user (e.g. last login, avoiding having to log in again) and offer corresponding benefits to them and you (e.g. tracking usage/interest, advertising). If you don't want these benefits then of course you can deliver a website which doesn't use cookies. If the website needs a login they will have to log in on every different page viewed.

Handling User Login with Cookies vs Session

I have a website that authenticates users with the active directory. This website is made for internal company use and does not hold any sensitive information. The website is secured with SSL. When a user logs in, his/her username and password will be transmitted to the server through POST. I then store his/her username in a session cookie with a TTL of 1 day, refreshed by every single web action. From this point on, every webpage will check to see if this cookie with the username exists. If it does, it will allow users to access that certain page. Logging out will just remove this cookie.
Would this way of authentication be acceptable? Is there a better way to handle user authentication? Is it necessary to use sessions instead and store session IDs in cookies?
It does work out nicely to use Sessions, yes. I don't know what language you'd be using, but storing information in general locally is a good idea (this does not include sensitive and private information, i.e. passwords).
Pages usually check your authentication (and its type) upon loading.
I've lost my touch with PHP, but for instance ASP.NET has a pretty neat (but complicated) Identity system where your login information would be stored in a separate Session, and destroyed upon logging off, but also stores information regarding its Type. This would later allow the developer to mark pages that would require a specific type of an Identity. For example:
[Authorize(Roles="admin")]
public ActionResult Index() {
    // Your action information
}
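Again, I'm rusty with PHP, but I imagine it's similar where you'd simply check the Sessions before the <html> tag, i.e.
<?php
session_start(); // the session must be started before $_SESSION is read
if (!isset($_SESSION["user-info"]["type"])) { // no user type stored: not logged in
    header("Location: index.php");
    exit; // stop here so the protected page below is never sent
}
?>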
<html>
...
Overall, the way you use sessions in each of the back-end web development languages could differ, but the overall usability is the same. You'd use Sessions to store User information, store "basket" items, etc.

Can Sessions be manipulated by the user clientside?

Background story: We run a website with thousands of users and a handful of admins. Some of these admins don't need all-access to the website, so I want to restrict their access by giving them individual permissions.
My plan is to set a Session on user login with the user's permissions, if given any. However, I'm concerned that this might be an unsafe action.
Can a Session be manipulated by a user client side? In this case a regular user could gain access to the admin features if they knew the permission names and set a Session for themselves.
I found some related questions on Stack Overflow, but they didn't give me enough information on the subject.
You are already providing the login for admins and users, so save the type of permission they have and give them rights to modify data according to that. And as long as your session state is encrypted, it is very hard to manipulate on the client side.
If you have concerns about the security of your existing session and cookies, here is a link to make it secure.
Secure your Session
This is a full article on how to make your session and cookies secure...
You can indeed store server variables such as the user-agent, the IP address and so forth (and even JavaScript variables), but they are only good for validating that the persistent cookie data matches the client's new connection. The IP address isn't a good idea except when you know that the client (like you only) isn't going to change on every page load (a la AOL).
Modern web browsers and 3rd party services like LastPass can store login credentials that only require a key press (and sometimes not even that) to send the data to the login form. Persistent cookies are only good for those people who refuse to use what's available otherwise. In the end, persistent, non-session cookies are not really required anymore.
There is no such thing as a secure cookie UNLESS it's transmitted over SSL only. It can be mitigated some when using a persistent non-session cookie (like remember me), by doing exactly what you're doing, but not in the same way you're thinking of doing it.
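An added example, not part of the original answers, written in Python because the answers above leave the language open: it puts the username-cookie check from the login question beside a server-side session keyed by a random id, where the permissions asked about never reach the browser, plus an HMAC tag for any value that has to live in a cookie. Every function name and the in-memory store are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

# Constructed demo state; every name here is an assumption of this example.
SERVER_KEY = secrets.token_bytes(32)  # signing key, never sent to the browser
SESSIONS = {}                         # server-side store: session id -> data


def username_cookie_check(cookies):
    """The design from the question: any cookie named 'username' is trusted."""
    return "username" in cookies


def login(username, permissions):
    """Create the session on the server; the browser only gets a random id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "permissions": frozenset(permissions)}
    return sid


def has_permission(cookie_sid, permission):
    """Authorise from server-side state; an unknown id carries no rights."""
    session = SESSIONS.get(cookie_sid)
    return session is not None and permission in session["permissions"]


def logout(cookie_sid):
    """Delete the server-side record so the old id stops working."""
    SESSIONS.pop(cookie_sid, None)


def sign_cookie(value):
    """For data that must live in a cookie: append an HMAC-SHA256 tag."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"


def verify_cookie(cookie):
    """Return the value if the tag matches, or None if it was edited."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    ok = hmac.compare_digest(tag.encode(), expected.encode())
    return value if ok else None
```

In production the session id cookie would also be sent with the Secure and HttpOnly attributes, and the store would be the framework's session backend rather than a dictionary.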

store data for bookmarklet

I am making a bookmarklet, which calls a Google App Engine app. The GAE app uses login information, which I want to store in the bookmarklet, so when the user first clicks the bookmarklet, it asks for login info, but from next time onwards it automatically supplies it.
The difficulty of a bookmarklet directly storing data is that it can only store data in a cookie or in localStore, both of which "belong" to whatever page it is currently on. That means it won't work again the next time you use it on a different page, and it also means the page you are on can access the data, which is generally very bad for security.
There are two basic ways your situation is generally handled. The two main ways are:
1.) The application used keeps the user logged in with a cookie. The login information is not stored in the cookie; only a session ID is. This is like when you return to many popular websites, you don't have to log in again. Very often these types of bookmarklets open a small popup for the user which contains a page from the app. If the user is not logged in, the app prompts the user to log in first. The bookmarklet in fact knows nothing about being signed in or not.
2.) Each bookmarklet is custom created for each person. So my bookmarklet would be different than yours. The difference is simply that mine will contain my login info in the code, and yours will contain your login information in the code. In fact we would each have to log in to the app first before we can get our own personalized bookmarklet.
Generally, option 1 is better and easier and more secure.
If I understand it correctly, this might help you. http://ajaxian.com/archives/whats-in-a-windowname
It allows for storing data in windowname in JS. Allowing for access of up to 2 MB of data (a lot more than cookies can hold) and I believe can be used across tabs...

Using Facebook Connect in cases where a username or other data is required

I'm working on a site that requires the user have a unique username to use all services on the site. They cannot self-change this username for community fairness.
We would like to allow users the simplicity of registering/logging in using their facebook accounts, but this username requirement is obviously a hurdle.
The only idea I have come up with is after the connect process, send the user to a final step page where they enter a username. The only downside to this is that the user has the ability to navigate away before entering a username, meaning we need to add further layers of checks to several site functions to ensure a user has a username, and prompt for one if not.
Any ideas on how to streamline this during the connect process? Any site examples of similar implementations where auxiliary info is required to use some or all site features?
Have you looked at Facebook's registration plugin?
The Registration plugin allows users to easily sign up for your
website with their Facebook account. The plugin is a simple iframe
that you can drop into your page. When logged into Facebook, users see
a form that is pre-filled with their Facebook information where
appropriate.
https://developers.facebook.com/docs/plugins/registration/
The plugin also allows you to add custom fields so you could simply add your username field.
There are a load of advanced features including validation. Here's an example in the Facebook documentation that includes the username field and checks to see if it's available:
https://developers.facebook.com/docs/plugins/registration/advanced/#async
